The goal of the security rules of HIPAA is to establish standard protections for the electronic (computerized) storage and transmission of protected health information. The rules are guided by three main principles:
- Protection of the confidentiality of information
- Protection of the integrity (wholeness) of the information
- Continued availability of the information
Compliance with these rules falls in large part to professionals who maintain computer systems for healthcare organizations.
HIPAA requires healthcare institutions to appoint a security officer who establishes policies and practices that meet minimum standards of information security. Such common practices as password protections on computers that store patient care information are required under HIPAA rules of security. The security officer also oversees creation of procedures that protect electronic information in the event of a disaster, including the continual physical security of hardware as well as software.4
The effectiveness of security practices depends on your understanding and cooperation. Your computer sign-on code, for example, is a cornerstone of a secure health information system. Your security officer, in addition to setting up the password system, is responsible for providing education for you and for all employees about safe practices that ensure the confidentiality, integrity and continued availability of critical healthcare information. Whenever you begin work at a new facility, you can expect to hear about that facility’s practices to ensure a secure health information system.4
HIPAA in Your Work Life
The “minimum necessary” rule. The “minimum necessary” rule can help you make on-the-spot decisions about whether to share or discuss a client’s protected health information. The rule guides providers to use only the minimum amount of information necessary to get the job done. For example, if you order a wheelchair for a patient, you might need to share information about the physical characteristics of the patient, such as height and weight. But the actual diagnosis of the patient is not necessary in order for the correct wheelchair to be delivered. The patient may have become nonambulatory because of brain abscesses resulting from AIDS, for example, but the vendor doesn’t have to know the patient’s HIV status in order to provide the right wheelchair.3
Telephone requests for personal health information. Healthcare professionals are familiar with the privacy issues that arise when telephone inquiries come into a work station inside a hospital. How can a nurse or clerk be sure of the identity of a caller who asks about a patient? What is the best way to support the family and loved ones of patients while still protecting patients’ confidentiality? HIPAA suggests that when a caller asks for a patient, the provider can verify whether that person is in the hospital, but only if the caller asks for the patient by name. If a caller asks for specific information about a patient, only minimal information about general status should be communicated. The caller can be directed to speak to the patient or family for any further details. If the caller asks for a list of patients or for a broad category (“Do you have any of the schoolchildren involved in the accident?”), the nurse or clerk should not respond in any detail. An exception to this rule would be a member of the clergy who calls asking, for example, for all people who indicate a certain faith preference at the time of admission. A second exception would be a patient who specifically requests anonymity upon admission. The privacy officer will establish a system of notification in the patient rosters to alert all employees to this special status.3
E-mail and faxes. E-mail and faxes are convenient, but information can be sent to the wrong destination without the sender being aware of it. Because the recipient can be misidentified, e-mails and faxes that contain protected health information should carry a disclaimer explaining the confidential nature of the information included in the transmission. The disclaimer should explain how to reach the sender to notify him or her of any errors. The “minimum necessary” rule also applies to e-mails and faxes, as an added level of security.3
The discarding of protected health information. Often in busy healthcare settings, protected health information appears on documents that do not end up in the medical record. Patient assignment lists, unused labels, notes taken at change of shift — all these documents represent a potential source for violation of privacy. HIPAA does not directly address this type of privacy violation, but many facilities take steps to guard against it. At some facilities, these documents are discarded in special locations or sent to a shredder. You should ask your employer how to handle the safe disposal of any documents containing protected health information.3
Hallway conversations. Talking about patient information in public places is problematic. Although HIPAA does not address this problem specifically, its privacy principles reinforce the professional commitment to use care in such situations to avoid unintentional disclosure of information. Talking in elevators, discussing a case over lunch, discussing a difficult situation with friends over dinner — all of these situations raise the possibility that a client’s protected health information will be revealed inappropriately. Certainly, professionals may discuss, and should discuss, difficult situations in a healthy atmosphere of learning and problem solving. Again, the “minimum necessary” rule will help to guide these discussions. Remembering to delete identifying information when possible, exchanging only enough information to further the discussion, and holding such conversations away from busy public places will improve the ability to protect patient confidentiality.
Computer passwords. Your computer password is key to the security of electronic protected health information. You should never give out your password or write it down. If someone asks you for your password, refer that person to your charge nurse or supervisor for help in obtaining a password of their own. Most computer systems keep an audit trail through which access to personal health information can be traced back to the user’s password. If you give out your password, you will be held responsible for any violations committed under your password.4
The “delete” button. When you delete personal health information from a computer screen, you delete the information only from the screen. The information remains available to “hackers” or professional investigators on the hard drive or within the software. For this reason, most healthcare providers take special precautions when selling or donating old computers to users outside the healthcare institution. If you use a PDA or a laptop, you should be aware of this vulnerability and proceed with caution if you remove the PDA or the laptop from the facility. Your security officer can help you learn to encrypt such information, or protect it with passwords if you frequently use your PDA or laptop outside the workplace.4
Computer viruses. Computer viruses can damage or paralyze a system, making access to vital patient information impossible. Viruses can also lead to violations of confidentiality by giving unauthorized personnel access to confidential information. You can help protect the integrity of your organization’s information by practicing caution with your e-mail. You should not open e-mail attachments from unknown senders. E-mail attachments can contain viruses that spread quickly throughout a system simply because you opened the attachment on your computer. Unauthorized software can also contain viruses that damage a computer system. You can introduce harmful viruses simply by downloading infected programs from the Internet or by installing software you bring from home. The security officer will help you determine the safety of any software program you contemplate installing.4
Whenever you change jobs, you can expect to receive a review of your new employer’s efforts to comply with HIPAA. Who is your privacy officer? Who is your security officer? Ask to see a copy of your employer’s notice of privacy practices so you can be familiar with the information your patients will receive. Get to know the systems your employer uses to protect electronic protected health information. Expect to receive education about passwords and the other means used to keep computer systems secure at your new workplace.
The protection of patient confidentiality is not a new concept. HIPAA supports behaviors that have been a part of the healthcare profession for decades.5 What has changed dramatically is the way we collect and store patient information. The systems we develop to practice healthcare may change over time, but the fundamental commitment to protection of confidentiality endures.
Gannett Education guarantees this educational activity is free from bias.