The murky waters of the HIPAA security rule

Laura Rose Lambert, Electronic records, TWH blog

I apologize for the long delay in this article. This has been a good lesson in my limits of sifting through legalese and ability to produce something coherent from it. I think I’ll be avoiding this type of research in the future and instead focus on finding reliable resources to interpret this aspect of medical practice.

This is a long one, so I urge you to grab some tea or another favorite beverage and take a break if you feel your attention wandering. To make it easier to return to where you left off, I have divided the article into four pages.

The beautiful lotus flower emerges from muddy waters. Lotus Flower by Mark Yang

Many shades of gray

The Health Insurance Portability and Accountability Act (HIPAA) is not a black and white document; it is very gray and constantly shifting with every new medical practice and technology. It will be a long time before I delve into these murky waters again. For resources to help you navigate HIPAA please use the links throughout this article and the list at the end.

Disclaimer: I am not an attorney. I am not liable for any content, errors, omissions or inaccuracies, and I cannot make any guarantees about the content. Please, please get legal services when you need them; they are the experts!

Using cellphones, tablets and computers, or services such as online scheduling or insurance billing, is commonplace in many of our medical practices. While most of us have a clear understanding of how to handle patients’ physical charts and personal information according to HIPAA law, the integration of technology has increasingly confused how we treat patient information. With changes as recent as January 2013, rumors abound about the proper use of health information and technology.

After weeks of reading the source text for HIPAA, I struggled to concisely describe the expectations of the Privacy and Security rules of HIPAA. So many ‘experts’ interpret the law into a series of “you have to” or “you must.” Yes, there are aspects of HIPAA that require action, but from my reading of it the law is more flexible and forgiving. A Portland, Oregon tech resource I recently found put it in a way I think we can all understand.

HIPAA never allows or disallows anything. HIPAA asks you to balance risks and cost, reduce risks to reasonable levels and comply with certain security standards. – Roy Huggins (Person Centered Tech)

Please keep in mind that there are no clear and fast answers about exactly what you should do in your medical practice to comply with HIPAA. In the end, what technology looks like in your practice will be completely different from what it looks like in mine.

The players in the game

  • Office of the National Coordinator for Health Information: Established by the HITECH act, the ONC coordinates national efforts to implement and use the most advanced health information technology and the electronic exchange of health information. It is technically part of Health & Human Services. Its website is full of helpful tips on integrating technology into a medical practice.

Security, privacy & technology in healthcare

The HIPAA privacy rule establishes a national set of security standards for protecting certain health information, while the HIPAA security rule is a national set of security standards for protecting certain health information that is held or transferred in electronic form. For the purposes of this article I used the simplified, merged text of the HIPAA privacy & security rules (.pdf) from the U.S. Department of Health and Human Services and the recently proposed modification to the security rule (.pdf).

Hand Holding Laptop by Petr Kratochvil

When it comes to using technology, our primary concern is the security rule. The security rule requires you to thoughtfully assess any technology you are using or considering that will handle electronic protected health information (ePHI). Whether you are thinking about adopting a new service or piece of technology, or you already have structures in place, it is important to go through the process of evaluation.

After spending a good amount of time with the security rule, I can tell you this: Whatever you do, write it down. Throughout my education at OCOM, I heard several teachers & practitioners say, “If you don’t write it down, it didn’t happen.” The same applies to HIPAA policy and procedure.

The HIPAA security rule is like a study guide or A&P homework; the requirements force you to sit down and think your process through. Just as homework forces the student to study for tests, the security rule forces the practitioner to think about how their systems use ePHI.

A step-by-step guide to HIPAA security rule

So get out your favorite medium to write on, be that pen and paper, stylus and tablet, or keyboard and screen; you need to get started on creating a HIPAA notebook (please note I will only be addressing the security rule – you might consider putting other HIPAA related things in there too).

  1. Write down every piece of technology that possibly comes into contact with ePHI. This is daunting or easy depending on your practice and how much technology is already integrated. Start with devices, go to software and then internet related services. So for my practice I came up with this: (For the curious, I’m using Notability on my iPad.)

Laura-Rose's list of technology

  2. Then mark which items on your list involve more than just you (marked by the asterisks in my list above). For physical devices this may mean you use it for work and personal tasks, or perhaps more than one provider or family member uses the device. The entire section of internet services involves you and the providers of that service.

Okay let’s pause for a moment and discuss what some might be thinking, “Do I need a separate computer? or tablet for my medical practice? I can’t afford that!” Being new to a practice myself, I understand that costs need to be kept at a minimum. Let’s keep this part of the security rule in mind when discussing your use of technology:

164.306(b)(1) Flexibility of Approach

HIPAA security rule excerpt

So don’t worry! Don’t try to stretch past your limits. The point is for technology to have a positive impact on your practice and your ability to care for patients. Keep this in mind.

  3. Continuing with your Security rule packet: you will need to make a section for each of the following:
    1. Administrative Safeguards (164.308)
    2. Physical Safeguards (164.310)
    3. Technical Safeguards (164.312)
    4. Organizational Requirements (164.314)
    5. Policies & Procedures & Documentation Requirements (164.316)

From here the process is quite tedious and a BIG project. The good news is that by making this notebook of HIPAA awesomeness you are completing the requirements of section 164.316 Policies & Procedures & Documentation. Luckily, Health & Human Services has a lot of resources on the web to help us all with this process. I will be linking to many of their documents, and if my language or explanations don’t make sense you can always refer to their documentation.

Comments

  1. Laura, what a wonderful breakdown of the HIPAA Security compliance process. I’m not just saying that because you quoted me, either. 😉

    I should point out that HIPAA is also not the only player in these processes. For example, clients are given leeway to accept the risks of email by HIPAA. State licensing boards or legislatures may have caveats or gotchas around that, though. My board, for example, requires email to be secured if I am to use it for therapeutic communications. Without security, I need to keep it to scheduling and other administrivia. HIPAA would let me send the client’s whole medical record by email if the client wanted it.
