In this lesson, we're going to cover the HIPAA Privacy Rule and the Security Rule. We'll dig into the three safeguards – administrative, physical, and technical – and include rules and examples for each.

The HIPAA Privacy Rule establishes standards for protecting patients' medical records and other protected health information (PHI). It specifies two important things:

  1. What rights patients have over their information and requires covered entities to protect that information.
  2. What usage and disclosures are authorized or required.

The privacy and security rules allow healthcare providers to share PHI electronically for treatment purposes as long as they apply reasonable safeguards when doing so.

A couple of examples of this would be when a physician consults with another physician by secured email regarding a patient's condition, or when a healthcare provider exchanges PHI through electronic medical records for patient care.

Covered entities need to engage in safeguards to protect this information. These safeguards include:

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards

Pro Tip #1: All covered entities need to perform risk analyses to determine what measures need to be taken to reduce risks and vulnerabilities to an appropriate level.

Administrative Safeguards

Administrative safeguards include office rules and procedures that help keep protected health data secure. To accomplish this, covered entities should designate security officials who are responsible for the following:

  • Developing and implementing that covered entity's security policies and procedures
  • Determining who should be authorized to access PHI
  • Training all staff in these security policies and procedures
  • Applying the appropriate sanctions against workforce members who violate those policies and procedures
  • Performing periodic risk assessments of how well the security policies and procedures are meeting the requirements of HIPAA's Security Rule

Example of Administrative Safeguard

An example of an administrative safeguard would be allowing only office managers to send protected health information in electronic form.

Physical Safeguards

Physical safeguards under the HIPAA Security Rule include the following:

  • Limiting physical access to all facilities while also ensuring that only authorized access is allowed
  • Implementing that covered entity's policies and procedures specify the proper use of access to computers and/or the position of screens and monitors in all patient areas
  • Putting into place policies and procedures regarding the physical transfer, removal, disposal, and reuse of all electronic media, such as computer hard drives

Example of Physical Safeguard

An example of a physical safeguard would be keeping all patient files in a locked room that only specified and authorized personnel have access to.

Technical Safeguards

Technical safeguards under the HIPAA Security Rule include the following:

  • Implementing all hardware, software, and/or procedural mechanisms to record and examine access and other activities in all information systems that contain or use protected health information
  • Implementing policies and procedures to ensure that electronic measures are put in place to confirm that all protected health information is not improperly altered or destroyed
  • Implementing technical security measures that guard against unauthorized access to all PHI that is transmitted over an electronic network

Example of Technical Safeguard

A couple of examples of technical safeguards would be using data encryption and also strong passwords to better protect files from unauthorized access.

Pro Tip #2: HIPAA's Privacy Rule gives much-needed flexibility to healthcare providers and plans to create their own privacy policies that are tailored to fit their size and needs. However, no matter the size of the covered entity, whether that entity is a small optometrist office or a large hospital with thousands of employees, each covered entity is required to have a written privacy policy.

In general, all covered entities must do everything they can to secure all patient records that contain personally identifiable information so that information isn't readily available to those people who do not need it. You may recall the list of those 18 PHI identifiers that we provided in the last lesson.

Also, covered entities must always release only as much protected health information as is necessary to address the specific needs of the entity that is requesting the information, or what the HIPAA regulation refers to as the minimum amount necessary to satisfy the inquiry.

You might also recall from the last lesson, that when it comes to transmitting or sharing protected health information, less is always more.