What Physical, Technical, Organizational, and Administrative Safeguards
What physical, technical, organizational, and administrative safeguards did that office use to protect your ePHI?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and required the Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of electronic protected health information (ePHI). The resulting HIPAA Security Rule groups the required protections into administrative, physical, and technical safeguards, plus organizational requirements such as business associate contracts. The office took measures in each of these areas to protect this information.
Physical safeguards used to protect ePHI include facility access controls, workstation use and security, and device/media controls. Medical records are generally kept in a central location. From time to time, a few records may be in other areas within the clinic, so measures must be taken to ensure these records are returned to the central location, which is secured by a locked door that controls who can enter.
With regard to workstation use, access to personal email is not permitted. Workstations must be locked whenever they are not in use; an employee who is working with any ePHI, or conducting any business involving patient information, should lock the workstation before going on a lunch break. The use of personal phones and portable devices is not allowed unless specifically authorized and approved, so that unmanaged devices cannot introduce malware (worms, viruses) or carry ePHI out of the clinic.
As for technical safeguards, each employee has unique credentials with which to authenticate to the system, so that every action can be traced to one individual. Care must be taken to remove resigned or inactive employees from the system promptly, so that they can no longer access the network once they are no longer associated with the company. Additionally, access is granted in varying levels based on role (the minimum necessary for the job). In other words, someone at the front desk may only have permission to view patient demographic information, while the physician has access to much more of the patient record, such as diagnoses and other chart information.
Also included in the technical safeguards are audit controls and integrity controls. There should be mechanisms that record and allow examination of all activity in any system that uses electronic patient information. This makes it possible to identify which records were accessed, by whom, and when, and to detect attempts that were refused. Integrity controls protect ePHI from being altered or destroyed in an unauthorized manner, so that a reviewer can confirm a record has not been tampered with.
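The two paragraphs above describe three controls that belong together: denying access to deprovisioned accounts, limiting each role to the minimum necessary fields, and recording every access attempt for later review. The following is an added example (not code from the original page or the office it describes) of one small enforcement layer that does all three. The role names, field names, user IDs and patient record are constructed for illustration; the audit log is an in-memory list here, where a real system would write to append-only, tamper-evident storage.

```python
"""Role-based access to ePHI fields with an audit trail (hypothetical example).

The store (1) refuses any account that is unknown or has been deprovisioned,
(2) returns only the chart fields the caller's role is permitted to see, and
(3) records every attempt, allowed or denied, so a reviewer can later ask
"who accessed this patient?" or "what did this user access?".
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Field-level permissions per role (constructed for this example).
ROLE_FIELDS = {
    "front_desk": {"name", "dob", "phone", "insurance"},
    "nurse": {"name", "dob", "phone", "insurance", "allergies", "vitals"},
    "physician": {"name", "dob", "phone", "insurance", "allergies",
                  "vitals", "diagnoses", "notes"},
}


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user_id: str
    patient_id: str
    fields: tuple      # fields actually released (empty when denied)
    outcome: str       # "allowed" or "denied"
    reason: str = ""   # why denied, or which requested fields were withheld


class EPHIStore:
    def __init__(self, records, users):
        self._records = records
        self._users = users
        self._audit = []  # append-only within this process

    def _log(self, user_id, patient_id, fields, outcome, reason=""):
        ts = datetime.now(timezone.utc).isoformat()
        self._audit.append(AuditEvent(ts, user_id, patient_id, tuple(fields), outcome, reason))

    def read_chart(self, user_id, patient_id, requested=None):
        """Return the subset of the patient's chart the user may see.

        Raises PermissionError when the account is inactive/unknown or when
        nothing requested is permitted; every path is audited first.
        """
        user = self._users.get(user_id)
        if user is None or not user.active:
            self._log(user_id, patient_id, (), "denied", "inactive-or-unknown-user")
            raise PermissionError(f"{user_id}: account not active")
        record = self._records.get(patient_id)
        if record is None:
            self._log(user_id, patient_id, (), "denied", "no-such-patient")
            raise KeyError(patient_id)
        allowed = ROLE_FIELDS.get(user.role, set())
        wanted = set(requested) if requested else set(record)
        granted = wanted & allowed
        withheld = sorted(wanted - allowed)
        if not granted:
            self._log(user_id, patient_id, (), "denied", f"role {user.role} may not read {withheld}")
            raise PermissionError(f"{user_id}: no permitted fields in request")
        self._log(user_id, patient_id, sorted(granted), "allowed",
                  f"withheld={withheld}" if withheld else "")
        return {k: record[k] for k in sorted(granted)}

    def deprovision(self, user_id):
        """Offboarding: the account stays in the log history but can no longer read."""
        self._users[user_id].active = False

    def accesses_to_patient(self, patient_id):
        return [e for e in self._audit if e.patient_id == patient_id]

    def accesses_by_user(self, user_id):
        return [e for e in self._audit if e.user_id == user_id]


def build_demo_store():
    """Constructed sample data: one patient record and three workforce accounts."""
    records = {"P-1001": {
        "name": "Jane Doe", "dob": "1980-02-14", "phone": "555-0100",
        "insurance": "ACME Health", "allergies": ["penicillin"],
        "vitals": {"bp": "120/80"}, "diagnoses": ["J45.909"],
        "notes": "Asthma follow-up.",
    }}
    users = {u: User(u, r) for u, r in
             [("front1", "front_desk"), ("nurse1", "nurse"), ("dr1", "physician")]}
    return EPHIStore(records, users)


if __name__ == "__main__":
    store = build_demo_store()
    print(store.read_chart("front1", "P-1001"))        # demographics only
    print(store.read_chart("dr1", "P-1001", ["diagnoses"]))
    store.deprovision("nurse1")
    try:
        store.read_chart("nurse1", "P-1001")
    except PermissionError as exc:
        print("denied:", exc)
    for event in store.accesses_to_patient("P-1001"):
        print(event)
```

Note that a denied attempt is logged before the exception is raised, and that deprovisioning flips the account to inactive rather than deleting it, so the user's earlier accesses remain attributable during a later review.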
The administrative safeguards include regular review of the activity logs produced by the system (information system activity review) and procedures for protecting against malicious software. The entire network is monitored with antivirus and other malware detection tools, as directed by the security policy administered by the IT office.
The IT department is in charge of all the policies that need to be implemented and revised. It is also responsible for system updates and any other security-related system issues. In addition, the IT department has outlined the policies and procedures that deal with information access; they