In healthcare information technology, we may refer to the Health Insurance Portability and Accountability Act (HIPAA) to set the tone for addressing concerns over safeguarding individually identifiable health information. HIPAA rules actually address two distinct aspects of safeguarding patient health information: privacy and security. The HIPAA Privacy Rule covers protected health information (PHI) in any medium, while the HIPAA Security Rule specifically covers electronic protected health information (ePHI). While many EHR vendors may claim to offer “HIPAA compliant” software, it is important to remember that not all HIPAA compliance matters can be addressed by the EHR software alone. Some important measures relate to the overall security of your network and other technology, your organizational policies, and even the facility where your practice is located. The main components of the HIPAA Security Rule fall under five themes for risk management: physical, administrative, technical, policies and procedures, and organizational.

Physical Safeguards
Physical safeguards include a range of practical security matters, such as installing a building alarm system, storing PHI in a locked office, and shielding screens from peripheral view. Some EHR software products, such as MacPractice, may have a feature to quickly switch into “HIPAA mode”, which automatically de-identifies the data displayed on the screen so that nothing visible is individually identifiable (individual identifiability being the defining characteristic of “protected health information”).

Physical Safeguard Tip: Store your server in a locked room accessible only to authorized staff. Position computer screens away from high-traffic areas. Use the screen blocking/locking features of your EHR software or operating system to keep PHI from casual view.

Administrative Safeguards

Administrative Safeguards consist mostly of personnel matters and organizational policies outside the purview of your EHR software vendor, such as designating a security officer, providing PHI safety training, and enforcing policy. Some EHR vendors offer administrative safeguards in the form of customizable information access controls. MacPractice “User Group Privileges” allow you to establish which software features are accessible to each role within the office. This feature lets you create user groups and grant each group very specific or limited privileges, withholding access to any area of the software that is unnecessary for their work. Individuals are then added to these groups, so that privileges are easy to manage across the organization.

Administrative Safeguard Tip: Notify your office staff that you are required to randomly monitor their use of the EHR. Make sure that all staff understand that personal passwords should never be shared, even with each other.

Technical Safeguards

Technical Safeguards include many of the features your EHR vendor refers to in its claim of HIPAA compliance. These features likely include audit logs, support for secure credentials, automatic data encryption, and more. There are also important vulnerabilities outside of the EHR software of which you should be aware. For example, the audit log feature should be used to perform routine audits of access to and changes in patient records, anti-malware software should be installed, and a strict, secure user password policy should be enforced.

Technical Safeguard Tip: Before disposing of any computer, remove its hard drive, and destroy old disk backups before you dispose of them.

Organizational Safeguards

Organizational standards are matters related to your Covered Entity status as a healthcare practice and are likely entirely outside the scope of your EHR software. As a Covered Entity, you are required to establish breach notification policies and maintain Business Associate (BA) agreements with any company you do business with that may come into contact with PHI.

Organizational Safeguard Tip: Conduct regular audits and reviews and update your policies accordingly.

Policies and Procedures

Policies and Procedures refer to the written policies and procedures that ensure HIPAA security compliance. While not directly related to your EHR software, you might compile a formal procedure list of the specific security features available within the software and provide regular training and monthly reviews to enforce their use.

Policies and Procedures Tip: Provide ongoing staff training and security reviews. Make sure any emergency “ad hoc” security methods are quickly replaced by formal policies. Routine updates to the documentation of these security measures are highly recommended.