“A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.” [HHS Standards for professionals]
While the HIPAA standard quoted above requires covered entities to evaluate and mitigate privacy risks, several states, Washington among them, require a broad effort by everyone providing health care.
“…a health care provider, an individual who assists a health care provider in the delivery of health care, or an agent and employee of a health care provider may not disclose health care information about a patient to any other person without the patient’s written authorization.” [Wash Rev Code 70.02.020]
“A health care provider shall effect reasonable safeguards for the security of all health care information it maintains.” [Wash Rev Code 70.02.150]
No need to debate the meaning of “covered entity” or “electronic record” or “encryption.” Everyone has a responsibility to protect the privacy of patients.
Assessing the risks of unauthorized access to or destruction of patient information takes a little time.
You can find many explanations, tools, and guides from state and federal agencies and from various websites including this one.
You can’t protect what you don’t know you have. You can’t take “reasonable safeguards” when you haven’t thought about them.
If you haven’t done your risk assessment, do it now.
If you haven’t updated your risk assessment, do it now.
Adopt Policies and Procedures
The point of conducting a risk assessment is to react with appropriate measures and behaviors that eliminate or reduce the risk. You must take “reasonable safeguards” to protect patient information.
What’s reasonable? Certainly the things that are free or cheap, like using a decent computer password or enabling Windows “BitLocker” encryption.
How about locking filing cabinets or turning off electronic devices?
No one thing works for everyone.
You need to demonstrate that you gave the subject some thought and took the steps appropriate for a health care practice of your size and type.
The most important part is that you wrote it down and can prove you did it.
Your first policy can be – “Lock the office door when leaving for the day.”
Your first procedure can be – “Use the key.”