HIPAA Consult

June 3, 2005

Answers to your questions about...privacy vs. security; internal security threats; small-practice requirements; "addressable" items

Privacy vs security

Q. My practice is fully compliant with the privacy rule, but now I'm receiving solicitations from consultants who want to come in and assess our compliance with the new security rule. Can you explain the difference between these two parts of HIPAA?

The security rule, on the other hand, pertains only to protected health information that's stored or transmitted electronically. Unlike the privacy rule, it spells out the administrative, physical, and technical safeguards that doctors, among others, must put in place to protect that electronic information. (These safeguards extend to personal computers, PDAs, and other handheld devices, but not to conventional paper-to-paper fax machines or voice mail, which the rule doesn't treat as electronic transmissions.) If you store medical information on your office computer, for example, you must institute the proper safeguards so that only authorized persons can get to it.

Internal security threats

Q. I recently caught a staff member who isn't authorized to view protected information looking up the electronic medical record of a patient whom she knows socially. Was this a violation of the security rule?

A. Yes. If you transmit or store protected data electronically, you must take steps to guard against internal threats to electronic patient information. Fortunately, many internal security threats can be dealt with effectively simply by having the proper policies and procedures in place: a unique user ID and password for each staff member, access limited to what each person's job requires, and audit records that show who looked at which patient's record. (The audit records are what let you catch an incident like this one in the first place, and the security rule requires you to keep them.)

The security rule also requires that you take appropriate actions to guard against external threats, such as a hacker intercepting a confidential e-mail you've recently sent to a patient. These actions may be more difficult, because you must consider whether certain technical measures, such as encrypting e-mails or e-mail attachments, are called for in your situation.

Small-practice requirements

Q. I'm an FP in a three-person practice. Under the security rule, must I implement the same safeguards as a larger practice?

A. No. The security rule allows for "scalability," which, in simple terms, means that one size doesn't fit all. After all, entities affected by the rule range from small practices like yours, with rudimentary technology, limited resources, and low risk exposure, to large private and university health systems, with quite developed information technology, broad resources, and very high risk exposure. Given this range, the government allows flexibility in the security rule, depending on specific circumstances.

Consider, for example, the rule's data backup requirement. It not only requires that you back up your data, but that you store the backed-up data in a secure location with controlled access. A large provider, a hospital system, say, may achieve compliance by storing its backed-up information off site, in a secure computer facility. A smaller practice like yours, however, may simply need to back up data on CDs or other media and store these in a locked closet or room, preferably off site. Whatever the size of the practice, the backup media contain the same protected information as the live system, so they need the same protection from unauthorized access, and you should confirm periodically that you can actually restore from them.

"Addressable" items

Q. I know that I must implement certain safeguards as part of the security rule. But what am I required to do about measures that the rule labels as "addressable"?