- The security rule does not apply to them since they do not use an electronic medical record (EMR).
- Data security is not their responsibility because they have outsourced many of their business processes, such as data backup, transcription and billing, to third-party vendors.
- They have bought “HIPAA Compliant” technology and so they are all set.
Nothing could be further from the truth.
First of all, technology is not HIPAA compliant. HIPAA applies to organizations (covered entities and business associates), not to products, so an organization is either HIPAA compliant or it is not. A vendor's "HIPAA compliant" label only means the product can be used in a compliant way; it does not make you compliant.
Secondly, using third-party vendors does not free you of your ePHI security responsibilities. As a covered entity you need to ensure that all your business associates are taking appropriate measures to secure the ePHI they handle on your behalf.
Thirdly, securing electronic protected health information (ePHI) is not just about EMRs. It's about using the right technology in a secure manner. It takes the optimal combination of people, policies, procedures, training and technology to make an organization HIPAA compliant. Even if the ePHI in your EMR is secure, ePHI is also located outside the EMR in other places, such as emails, images or documents stored on a server, and data on the hard drive of your printer. Your organization needs to protect this data as well.
Does your organization have:
- Appropriate policies and procedures in place that help minimize the risk of ePHI loss?
- Specific individuals within the organization responsible for maintaining Security Rule compliance and ensuring that all staff members are adequately trained on their responsibilities under HIPAA to protect ePHI?
- Regular policy reviews to ensure that all security policies are accurate and up-to-date?
- Business associate agreements in place with all your third party vendors?
The HIPAA Security Rule requires policies and procedures covering the administrative, physical and technical safeguards, and each of their standards and implementation specifications. This documentation needs to be comprehensive, detailed and accurate. Well-written, accurate policies and procedures should cover everything from where and how data is stored, how it is transmitted and who has access to it, to audit controls. Some examples include:
- Risk Management policy
- Security policies that address access control, data protection, acceptable use and workstation security
- Sanction policy
- Security Incident Management policy
- Data backup and disaster recovery policy
- Physical security policy
- Data destruction and media reuse policy
- Data transmission policy
- Internal control/internal audit policy
- User authentication policy
- Device and Media control policy
These policies and procedures give your staff a blueprint of required as well as unacceptable actions with respect to ePHI within your organization. Having appropriate data security policies and procedures documented gives a reader or auditor visibility into your information security program and can mitigate organizational liabilities or penalties in the event of a data breach. Taking the time to develop, write and implement appropriate security policies to protect the ePHI in your organization is well worth the effort. After all, it's your data that is being protected.