Meeting HIPAA Security Standards in Your Clinic
Security covers the systems used to handle Individually Identifiable Patient Health Information, whether physical (paper, charts) or electronic transmission. It is how information is kept confidential.
Security requirements for HIPAA can be subdivided into the following components:
- Workforce
- Computer
- Faxes
- Patient charts or files
- Emergencies
- Agreements
Workforce:
- Training in the security policies relevant to each employee's job description
- The procedures to be followed and completed when a workforce member is terminated (this must include the return of all keys and revocation of any and all computer access)
- Medical information and its transcriptions, and how to keep them secure
- Janitorial staff (limit their access to work and medical files and the areas where these are stored)
Computer:
- Each person must have a user name (login)
- Password (changed every 60 days, between 6 and 9 characters)
- You will need to maintain a user log (who used computer when; include this in your Compliance Manual)
- You will need to have a Virus Protection Program
- The computer will need to be in a secure area, out of view of publicly accessible areas
- You will need a firewall for your computer system
- You will need to store your backup material in a remote (i.e., not in your office) protected area
- You will need to use only authorized or licensed software
- Documentation will need to be maintained so that user IDs can be audited
- You will need an emergency plan covering the protection of the computer records
- There must be a procedure for workforce termination and the revocation of computer access
- After-hours access should be limited
- Auto log-off and a password-protected screen saver
- Backup records must be stored in a safe protected area
- You may need a program to digitize signatures
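As an added example (not part of this guidance), the following Python script audits a constructed account roster and user log against three of the computer controls above: the 6 to 9 character password length, the 60-day password change interval, and revocation of access on workforce termination. The user names, workstation names and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the page): the account roster and the
# user log the clinic keeps (who used which computer, and when).
ACCOUNTS = [
    # user, password length, last password change, termination date (None if active)
    {"user": "jdoe",   "pw_len": 8,  "pw_changed": date(2024, 3, 1),  "terminated": None},
    {"user": "asmith", "pw_len": 12, "pw_changed": date(2024, 1, 5),  "terminated": None},
    {"user": "bjones", "pw_len": 7,  "pw_changed": date(2024, 2, 20), "terminated": date(2024, 2, 28)},
]
USER_LOG = [
    # user, workstation, login date
    ("jdoe", "front-desk-1", date(2024, 3, 4)),
    ("bjones", "exam-room-2", date(2024, 3, 2)),  # login after termination
]
AUDIT_DATE = date(2024, 3, 10)  # constructed "today" for the audit

MAX_PASSWORD_AGE_DAYS = 60   # page: password changed every 60 days
MIN_LEN, MAX_LEN = 6, 9      # page: between 6 and 9 characters

def audit_accounts(accounts, user_log, today):
    """Return a list of (user, finding) tuples; an empty list means no issues."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Password length must fall within the required range.
        if not MIN_LEN <= acct["pw_len"] <= MAX_LEN:
            findings.append((user, "password length outside 6-9 characters"))
        # Password must have been changed within the rotation interval.
        if (today - acct["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "password older than 60 days"))
        # Terminated workforce must have no computer access: any login on or
        # after the termination date means revocation did not happen.
        term = acct["terminated"]
        if term is not None:
            for log_user, station, when in user_log:
                if log_user == user and when >= term:
                    findings.append((user, f"login on {station} after termination"))
    return findings

def sample_audit():
    """Run the audit over the constructed data above."""
    return audit_accounts(ACCOUNTS, USER_LOG, AUDIT_DATE)

if __name__ == "__main__":
    for user, finding in sample_audit():
        print(f"{user}: {finding}")
```

The findings list is the record to keep in the Compliance Manual; a clean run returns an empty list.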
Faxes:
If your office transmits anything by fax you will need to:
- Make sure your fax machine is in a secure area (out of view of patients)
- Have all faxes relating to patient records stamped Confidential
- Maintain a log of faxes sent and received
- Have an identifiable header on each sheet sent from your office
- Have a confidentiality statement at the bottom of each fax that includes any private patient information
- Have an electronic (digitized) signature
Copy of Fax Confidentiality Notice:
The information contained in this facsimile document is confidential and may contain clinic-patient privileged information that is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this facsimile in error, please notify us immediately by phone or return the original message to us at the address above via the postal service. Thank you.
Security Standards for E-Mail:
- E-mails must contain a confidentiality statement (a formal policy for transfers of Patient Health Information outside the office)
- The workforce must be trained in a procedure for handling emails
Model Confidentiality Notice to be included in E-Mails:
The information contained in this electronic message may contain protected health information that is confidential under applicable law, and is intended only for the use of the individual or entity named above. If you are a recipient of this message and are not the intended recipient, you are hereby notified that any dissemination, copying or disclosure of this communication is strictly prohibited. If you have received this communication in error, please notify (your office name, address and phone) and purge the communication immediately without making any copy or distribution.
Maintaining patient files:
- Protection against unauthorized access, tampering or theft
- Files must be maintained in an orderly manner, whether electronic or physical, that allows for auditing
- There must be a policy and procedure for long-term storage
- No patient file is to be left unattended or open to any unauthorized workforce or individuals.
Security Standards for Emergencies:
- Patient Health Information must be protected during and after emergency events
- Procedures to identify, document, monitor and respond to security incidents
- Report suspicious computer network activity to appropriate authority
Agreements
This section concerns your clinic's agreements with any outside business entity that may advertently or inadvertently have access to Patient Private Health Information, such as computer tech support companies, cleaning companies, etc. A business associate agreement for each such company must be included in your Compliance Manual.