Reasonable Safeguards for PHI


Protecting PHI

Reasonable safeguards for PHI are precautions that a prudent person must take to prevent a disclosure of Protected Health Information. Providers must apply these safeguards to protect all forms of PHI: verbal, paper, and electronic. They help prevent unauthorized uses or disclosures of PHI. In addition, safeguards must be part of every privacy compliance plan. Organizations must share this with all members of the organization.

Safeguards for Verbal PHI

Apply reasonable safeguards for PHI to all of your verbal disclosures of Protected Health Information. When you work with a patient, first determine who is with the patient before discussing PHI. Second, do not assume the patient permits disclosure of their PHI just because family or a friend is in the room with them. Ask who is with the patient and whether the patient permits disclosure. Finally, you may ask the persons to leave the room, providing the patient an opportunity to object.

Paper PHI

In addition, reasonable safeguards for PHI must apply to the use of all paper products to prevent these from reaching the wrong person. Providers must dispose of all paper products that contain PHI in a shredder once they are no longer used. When a paper patient summary is given to a patient, personnel must make every effort to give it to the correct patient.

Electronic PHI

Password protect all computers in order to protect electronic PHI. Employees must use only the computer medical accounts to which they are assigned. One must consider encrypting any email or text that contains ePHI.

Use of Reasonable Safeguards for PHI Prevents Violations

In conclusion, the use of reasonable safeguards may be the difference between an Office for Civil Rights finding of a privacy violation and a finding that an incidental disclosure occurred. The latter is secondary to a permissible disclosure and is not a violation. Reasonable safeguards protect PHI and help prevent you from violating patient privacy.


Encryption of ePHI as a Safeguard


HIPAA Security Rule

The decision to use encryption of ePHI as a safeguard depends on several factors. The HIPAA Security Rule allows safeguarded electronic PHI transmission. After a careful analysis of its system, an organization may decide that encryption of ePHI as a safeguard is in its best interest. The healthcare provider may then decide to use encryption as the means of protecting sensitive ePHI.

The Security Rule defines the encryption standard as an addressable requirement, which can be confusing. If encryption is a reasonable and appropriate safeguard for the protection of ePHI, it should be implemented. The entity may determine it is the best safeguard in its risk management of the confidentiality, integrity, and availability of ePHI. Consequently, an organization should consider the use of encryption and implement it in its management of ePHI. Finally, the entity must document this in the plan.

No Specific Requirements

When the Security Rule was enacted, its authors recognized the rapid advances in technology. Consequently, it would be very difficult to give specific guidelines, because these would have to change regularly. For this reason, they chose not to require specific safeguards. It is up to the organization to do a careful risk assessment. Based on this, the organization may create the appropriate mechanism to protect ePHI. Presently, the use of encryption of ePHI is an effective tool. It is a good safeguard for the safe transmission of email and texts through the cloud. In many cases this has become the standard for the transmission of sensitive data in healthcare and in the business world.

Alternative to Encryption

Based on its security risk assessment, a health care provider may determine that encryption isn’t reasonable and appropriate. The provider may then present an alternative to protect ePHI. It may also decide to do neither and determine that the standard may otherwise be met. The provider should document the reasons for its decision.