How to Keep Your Patients’ ePHI Secure
An EHR alters the mix of security needed to keep patient health information secure, and it brings new responsibilities for safeguarding your patients’ health information in an electronic form.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic protected health information (ePHI) that is created, received, used, or maintained by a HIPAA covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
These safeguards, when applied well, can help you avoid some of the common security gaps that lead to cyber attack or data loss. They can protect the people, information, technology, and facilities that you may depend on to carry out your primary mission: helping your patients.
The HIPAA Security Rule requires covered providers to implement security measures, which help protect patients’ privacy by creating the conditions for patient health information to be available but not be improperly used or disclosed.
What to do in Case of a Breach of Unsecured PHI
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
The Breach Notification Rule requires covered providers to promptly notify individuals and the Secretary of HHS of the loss, theft, or certain other impermissible uses or disclosures of unsecured PHI. Health care providers must also promptly notify the Secretary of HHS if there is any breach of unsecured protected health information that affects 500 or more individuals, and notify the media if the breach affects more than 500 individuals of a State or jurisdiction.
Your Practice & the HIPAA Rules
Failure to comply with the HIPAA Rules can result in civil and criminal penalties.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for administering and enforcing the HIPAA Privacy and Security Rules and conducts associated complaint investigations, compliance reviews, and audits. OCR may impose fines on covered providers for failure to comply with the HIPAA Rules.
State Attorneys General may also enforce provisions of the HIPAA Rules.
Learn more about OCR’s HIPAA enforcement and the HIPAA Privacy & Security Audit Program.
The U.S. Department of Justice (DOJ) may enforce criminal penalties for HIPAA violations.