Physical Security in the Privacy World

The Health Information Technology for Economic and Clinical Health (HITECH) Act has expanded many of the requirements promulgated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Essentially, HITECH was enacted to further safeguard the privacy and security of protected health information (PHI).  The enhanced privacy and security standards set forth by HITECH went into effect on February 17, 2010, and they now apply to covered entities as well as to business associates (as that term is defined under the Act).  The new standards include mandatory breach notifications and enhanced civil and criminal penalties for non-compliance.

A recent study found that eighty-five percent (85%) of all PHI breaches are caused by employee actions.  These breaches can include: employee “sneak peeks” at emails or faxes containing PHI that were sent to the wrong recipients; posting private information on social networking sites; papers found by unauthorized persons; and theft or loss of unencrypted portable electronic devices.

The use and tracking of portable electronic devices, for instance, is a common gap in the physical security of a medical practice.  In this age of cell phones with cameras, flash drives, laptops and other portable internet devices, it is all too easy for significant amounts of PHI to escape the safeguards of your office.  An unencrypted flash drive could easily contain the PHI of 500 or more patients.  Once such a device is lost or misplaced, the breach must be reported to the HHS Secretary as well as to the press, and your practice may be subject to substantial civil and criminal penalties.

In this new HITECH privacy world, healthcare providers must have a comprehensive physical security plan to protect their patients’ health information.  A good plan should include policies and standard procedures addressing:

1) Physical Access – building access, workspace security, locking of doors and cabinets;

2) Information Handling – desktop policies (e.g. papers, sticky notes, monitors);

3) Mailing Procedures – guidelines for printing/faxing/emailing sensitive information, as well as for its storage;

4) Portable Equipment – policies for issuance, tracking, media disposal and reuse (e.g. for laptops, USB devices and CDs);

5) Contingency Plan – policies for dealing with both business continuity and disaster recovery;

6) Employment Security – background screening;

7) Access Auditing – guidelines for tracking and policing which employees or other parties are looking at secured information.

A quick way to get started on formulating a comprehensive policy is to make a list of your current policies and procedures and then identify any potential gaps in security.  You can then create a checklist of steps to take to reduce the risk of a security breach and to implement standard procedures.  With the passage of HITECH, it is now more important than ever that you take the proper steps to address any potential gaps or deficiencies in the physical security of your practice.