Technical Safeguards

Technical safeguards focus on risks that threaten electronic protected health information (EPHI). EPHI is defined as any protected health information (PHI) that is maintained in, or transmitted by, electronic media. All EPHI is also PHI.

For example, access controls and audit logs help to limit and monitor who on the staff can access files containing EPHI.
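To make the access-control-plus-audit-log idea concrete, here is a small added Go example (not code from the original page or any particular product) that enforces a role-based policy over EPHI files and writes an audit entry for every attempt, including denied ones. The roles, actions, resource types and patient record identifiers are assumed for illustration only; a real deployment would load the policy from configuration and ship the audit entries to tamper-resistant storage.

```go
package main

import (
	"fmt"
	"time"
)

// Permission pairs an action with the class of EPHI resource it applies to.
// Action and resource names here are assumptions for the example.
type Permission struct {
	Action   string // "read" or "write"
	Resource string // "chart" (clinical record) or "billing"
}

// policy maps a staff role to the permissions it holds. Anything not listed
// is denied, which is the "minimum necessary" default a reviewer expects.
var policy = map[string]map[Permission]bool{
	"clinician": {Permission{"read", "chart"}: true, Permission{"write", "chart"}: true},
	"billing":   {Permission{"read", "billing"}: true},
}

// AuditEntry is one line of the audit log. Denials are recorded too, because
// repeated denied attempts are what a monitoring team wants to see.
type AuditEntry struct {
	When     time.Time
	User     string
	Role     string
	Action   string
	Resource string
	Record   string // patient record identifier (constructed sample values below)
	Allowed  bool
}

// AccessController decides requests and keeps the audit trail in memory.
type AccessController struct {
	log []AuditEntry
}

// Authorize returns whether the request is permitted and always appends an
// audit entry, so the log reflects every access attempt, not only successes.
func (ac *AccessController) Authorize(user, role, action, resource, record string) bool {
	allowed := policy[role][Permission{action, resource}] // nil map lookup yields false
	ac.log = append(ac.log, AuditEntry{
		When: time.Now(), User: user, Role: role,
		Action: action, Resource: resource, Record: record, Allowed: allowed,
	})
	return allowed
}

// AuditLog returns a copy of the recorded entries for review.
func (ac *AccessController) AuditLog() []AuditEntry {
	out := make([]AuditEntry, len(ac.log))
	copy(out, ac.log)
	return out
}

// DeniedAttempts lists the denied entries for one user, the kind of query a
// periodic log review would run.
func (ac *AccessController) DeniedAttempts(user string) []AuditEntry {
	var denied []AuditEntry
	for _, e := range ac.log {
		if e.User == user && !e.Allowed {
			denied = append(denied, e)
		}
	}
	return denied
}

func main() {
	ac := &AccessController{}
	// Constructed sample requests: a clinician reading a chart, then a billing
	// clerk trying to read the same clinical chart.
	ac.Authorize("dr.lee", "clinician", "read", "chart", "pt-1001")
	ac.Authorize("j.doe", "billing", "read", "chart", "pt-1001")
	ac.Authorize("j.doe", "billing", "read", "billing", "pt-1001")
	for _, e := range ac.AuditLog() {
		fmt.Printf("%s user=%s role=%s %s %s record=%s allowed=%v\n",
			e.When.Format(time.RFC3339), e.User, e.Role, e.Action, e.Resource, e.Record, e.Allowed)
	}
	fmt.Printf("denied attempts by j.doe: %d\n", len(ac.DeniedAttempts("j.doe")))
}
```

The design point is that the decision and the audit record are produced by the same call, so there is no code path that grants access without leaving a trace.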

Another example is encrypting PHI that is transmitted electronically, whether by email or text message, where it could otherwise be accessed by unauthorized individuals. Organizations are permitted to choose any encryption method that meets HIPAA’s required specifications and standards.

Also, patients may choose to communicate with their providers by unencrypted means; this is permitted, as long as the provider complies with the HIPAA “duty to warn”. Before communicating using an unencrypted method, the provider must warn the patient that there is some level of risk, and obtain the patient’s written agreement. The warning and the agreement both need to be documented.
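Since the page leaves the choice of encryption method to the organization, the following added Go example (not code from the original page) shows one reasonable choice for protecting an EPHI message in transit: AES-256-GCM from the Go standard library, which both encrypts the message and detects any alteration of it. The key handling here is an assumption for the example (a fresh random key generated in memory); in practice the key would come from a key-management system, and the function and parameter names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit AES key. Assumed for the example; real
// deployments obtain keys from a managed key store, not per-process randomness.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptEPHI seals plaintext with AES-GCM under key. The associated data
// (aad) is authenticated but not encrypted, which is useful for routing
// metadata such as the intended recipient. Output is nonce || ciphertext+tag.
func EncryptEPHI(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; reusing a nonce with the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptEPHI reverses EncryptEPHI. Any change to the sealed bytes, the aad,
// or the key makes Open fail, so altered messages are rejected rather than
// silently decrypted to garbage.
func DecryptEPHI(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, errors.New("authentication failed: message altered, wrong key, or wrong associated data")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message and routing metadata.
	msg := []byte("Lab result for pt-1001: sample text, constructed")
	aad := []byte("to:patient-portal;from:clinic")

	sealed, err := EncryptEPHI(key, msg, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes -> %d bytes\n", len(msg), len(sealed))

	pt, err := DecryptEPHI(key, sealed, aad)
	fmt.Printf("decrypted ok: %v, matches: %v\n", err == nil, string(pt) == string(msg))

	// Flip one bit of the ciphertext: decryption must refuse it.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptEPHI(key, tampered, aad)
	fmt.Printf("tampered message rejected: %v\n", err != nil)
}
```

Authenticated encryption is the property to look for when evaluating a method against the "meets HIPAA's required specifications" bar: encryption alone hides the content, while the authentication tag is what stops an altered message from being accepted on the receiving side.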

Ensuring Success with HIPAA Compliance: Physical Safeguards

The physical safeguards of HIPAA require that all patient data be protected from unauthorized access and maintained securely. This includes hard-copy documents, electronic files, faxes, and even voicemail recordings. All PHI must be stored in a locked drawer or room to which only authorized personnel have access. Printers should be kept in a secure area, and workstations should be shielded.

You should also ensure that your organization takes all reasonable steps to prevent unauthorized access to records outside of your direct control, such as medical records sent to third-party vendors that are HIPAA business associates.