Safeguarding Data: Preventative Medicine

Be safe, not sorry…

The life of a physician rarely allows for extracurricular studies in operating system security. However, a practice’s professional health relies on being HIPAA compliant. Even though you think you are HIPAA compliant, you have a nagging fear that your sensitive patient information (PHI) could be at risk or compromised. Time isn’t a luxury for you, and information technology isn’t your wheelhouse, so safeguarding data continues to feel like an albatross slowly choking your air supply…

Knowing what safeguards are in place to defend you against security breaches is the first step in breathing easy.

HIPAA was born of a need to protect patient records, as well as to develop standards for consistency in the health care industry. Under HIPAA, organizations adhere to standards related to protecting their information systems, allowing patients to relax knowing their personal medical information will stay confidential. This act applies to any health care provider, health plan or clearinghouse (collectively “Covered Entities”) that electronically maintains or transmits health information pertaining to patients. The Security Rule requires health care providers to put in place certain administrative, physical and technical safeguards for electronic patient data.

Why comply?

Health Information Technology for Economic and Clinical Health (“HITECH”) Act

In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which implemented stricter penalties for HIPAA violations and expanded the organizations bound by HIPAA regulations to include business associates of medical offices.

Under the HITECH Act, fines can extend up to $250,000, with repeat/uncorrected violations reaching up to $1.5 million, and criminal penalties include not just those fines but prison sentences as well. Non-compliant organizations stand to lose something more critical: customers and business partners who recognize the bad business of those who do not sufficiently safeguard their electronic protected health information. Game over. Thanks for playing, and remember, the house always wins…

The HIPAA Omnibus Rule

Announced January 17, 2013, the HIPAA final omnibus rule implemented a number of new privacy protections, expanding some of the obligations of Covered Entities to “Business Associates”. The Department of Health and Human Services (HHS) defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Essentially, any person or entity that has needed to access your information is held responsible. What happens when your practice experiences a simple human error and a system of safeguards isn’t in place?

Your first lines of safeguarding data should be:

  • Administrative Safeguards – Establishing a risk analysis process, with periodic reviews, assigning security management responsibilities, formulating security policies and procedures and establishing appropriate workforce security training.

  • Physical Safeguards – Securely controlling physical access to data processing facilities, workstations and devices, as well as physical media containing PHI (protected health information).

  • Technical Safeguards – Establishing specific technical security controls which aim to protect PHI via the following key aspects: data access control, data & access auditing, integrity and transmission security.

In the next article of this series, we will delve deeper into the methodologies that apply to these Safeguards, including Data Backup Plans, Disaster Recovery Plans, and Emergency Mode Operation Plans.