With the move to electronic health records (EHR), physicians are generally aware that the Health Insurance Portability and Accountability Act (HIPAA) has certain IT security requirements. See HIPAA Final Security Rule, Section 164.308(a)(7).
Those requirements now apply to certain subcontractors and business associates of health care providers.
HIPAA requires a medical practice to have policies and procedures in place that establish how the practice will respond to any breach to the systems where personal health information (PHI) is stored. In order to develop appropriate and effective responses to IT threats, HIPAA covered entities should be aware of the most common areas where they are vulnerable. For example:
- Intentional attacks.
- Interference due to natural disasters.
- Computer viruses.
- Access by those without authorization.
- Data integrity loss.
- Damage due to natural disasters.
- Loss of communication.
Providers must establish procedures to deal with any damage to systems that contain their patient’s PHI. The procedures must include both notification and contingency plans. The starting place for developing these plans is to identify and specifically include in the plan:
- The resources that will be necessary to restore the functions and operations of the system at the locations where the PHI is located.
- The contact information of all those who will be needed to restore the availability and confidentiality of the system.
HIPAA requires physicians to have a contingency plan
In order to be HIPAA compliant, health care providers are required to have specific contingency plans in place establishing how they will respond to any breach or damage to the confidentiality, integrity and even availability of PHIs. Physicians need to be aware of the requirements and should ask their IT providers specific questions to be sure the correct precautions are being taken.
- How is the data backed up so it is not lost if there is an IT security breach?
- What will happen to the data in the event of a natural disaster?
- If the data is destroyed, what happens next?
- Is there a mechanism in place such as an audit log that can identify a potential threat before there is actual damage?
It may seem cumbersome to physicians who want to concentrate on patient care, but it is important to take precautions to minimize IT security threats and prevent breaches. This will also avoid HIPAA fines that may be imposed on health care providers when such breaches occur in avoidable circumstances were simple precautions were not taken.
More information concerning the requirements for individual medical practices has been published by the Office of Management and Budget (OMB), Circular A-130, Management of Federal Information Resources, Appendix III, November 2000.
