• Revenue Cycle Management
  • COVID-19
  • Reimbursement
  • Diabetes Awareness Month
  • Risk Management
  • Patient Retention
  • Staffing
  • Medical Economics® 100th Anniversary
  • Coding and documentation
  • Business of Endocrinology
  • Telehealth
  • Physicians Financial News
  • Cybersecurity
  • Cardiovascular Clinical Consult
  • Locum Tenens, brought to you by LocumLife®
  • Weight Management
  • Business of Women's Health
  • Practice Efficiency
  • Finance and Wealth
  • EHRs
  • Remote Patient Monitoring
  • Sponsored Webinars
  • Medical Technology
  • Billing and collections
  • Acute Pain Management
  • Exclusive Content
  • Value-based Care
  • Business of Pediatrics
  • Concierge Medicine 2.0 by Castle Connolly Private Health Partners
  • Practice Growth
  • Concierge Medicine
  • Business of Cardiology
  • Implementing the Topcon Ocular Telehealth Platform
  • Malpractice
  • Influenza
  • Sexual Health
  • Chronic Conditions
  • Technology
  • Legal and Policy
  • Money
  • Opinion
  • Vaccines
  • Practice Management
  • Patient Relations
  • Careers

HIPAA Consult


Answers to your questions about...privacy vs. security; internal security threats; small-practice requirements; "addressable" items

Privacy vs securityQ. My practice is fully compliant with the privacy rule, but now I'm receiving solicitations from consultants who want to come in and assess our compliance with the new security rule. Can you explain the difference between these two parts of HIPAA?

The security rule, on the other hand, pertains only to medical information that's stored or transmitted electronically. Unlike the privacy rule, it defines the administrative, physical, and technical safeguards that doctors, among others, must put into place to protect restricted information. (These safeguards extend to personal computers, PDAs and other handheld devices, but not to conventional fax machines or voice mail.) If you store medical information in your office computer, for example, you must institute the proper safeguards, so that only authorized persons have access to it.

Internal security threatsQ. I recently caught a staff member who isn't authorized to view protected information looking up the electronic medical record of a patient whom she knows socially. Was this a violation of the security rule?

A. Yes. If you transmit or store protected data electronically, you must take steps to guard against internal threats to electronic patient information. Fortunately, many internal security threats can be dealt with effectively simply by having the proper policies and procedures in place, including passwords that restrict unauthorized computer access.

The security rule also requires that you take appropriate actions to guard against external threats-such as a hacker intercepting a confidential e-mail you've recently sent to a patient. These actions may be more difficult, because you must consider whether the implementation of certain technical measures-such as the use of encryption to secure e-mails or e-mail attachments-is called for.

Small-practice requirementsQ. I'm an FP in a three-person practice. Under the security rule, must I implement the same safeguards as a larger practice?

A. No. The security rule allows for "scalability," which, in simple terms, means that one size doesn't fit all. After all, entities affected by the rule range from small practices like yours, with rudimentary technology, limited resources, and low risk exposure, to large private and university health systems, with quite developed information technology, broad resources, and very high risk exposure. Given this range, the government allows flexibility in the security rule, depending on specific circumstances.

Consider, for example, one of the data security standards. It not only requires that you back up data, but that you store this backed up data in a secure location, with controlled access. A large provider-a hospital system, say-may achieve compliance by storing its backed-up information off site, in a secure computer facility. A smaller practice like yours, however, may simply need to back up data on CDs or other media and store these in a locked closet or room, preferably off site.

"Addressable" itemsQ. I know that I must implement certain safeguards as part of the security rule. But what am I required to do about measures that the rule labels as "addressable"?

Recent Videos
Scott Dewey: ©PayrHealth
Scott Dewey: ©PayrHealth
Scott Dewey: ©PayrHealth
Scott Dewey: ©PayrHealth
Scott Dewey: ©PayrHealth
Scott Dewey: ©PayrHealth
Scott Dewey: ©PayrHealth