Ensuring the security of protected health information (PHI) in your health
IT system requires that you institute measures to guard against unauthor-
ized use and disclosure of PHI. e Health Insurance Portability and
Accountability Act (HIPAA) Standards for the Protection of Electronic
PHI, known as the Security Rule, applies only to PHI in electronic form.
As with the Privacy Rule, the Security Rule requires covered entities to
have contracts or other arrangements in place with their business associ-
ates to ensure that the business associates will appropriately safeguard the
Descriptions and overviews of the administrative, physical, and technical
safeguards required for the security of PHI when using electronic health
IT are given below.
Administrative safeguards refer to the policies and procedures that exist
in your practice to protect the security, privacy, and condentiality of your
patients’ PHI. ere are administrative safeguards that are required by
both the HIPAA Privacy Rule and the HIPAA Security Rule. e admin-
istrative safeguards required under the HIPAA Security Rule include the
• Identifying relevant information systems
• Conducting a risk assessment
• Implementing a risk management program
426 • Appendix 13
• Acquiring IT systems and services
• Creating and deploying policies and procedures
• Developing and implementing a sanctions policy
Assessing the risk of unauthorized use or disclosure is an important step
in your overall plan for maintaining security within your system and is
especially important when treating patients with HIV/AIDS.
Physical safeguards for PHI and health IT refer to measures to protect the
hardware and the facilities that store PHI. Physical threats, whether in
electronic or paper form, aect the security of health information. Some
of the safeguards for electronic and paper-based systems are similar, but
some safeguards are specic to health IT. Policies and procedures must be
put in place to physically safeguard health IT. ese elements include the
• Facility access controls: Limitations for physical access to the facili-
ties where health IT is housed, while ensuring that the authorized
personnel are allowed to access.
• Workstation use: Specications for the appropriate use of worksta-
tions and the characteristics of the physical environment of worksta-
tions that can access PHI.
• Workstation security: Restrictions on access to workstations with PHI.
• Device and media controls: Receipt and removal of hardware and
electronic media that contain PHI into and out of the facility and the
movement of these items within a covered entity, including disposal,
reuse of media, accountability, and data backup and storage.
Technical safeguards are safeguards that are built into your health IT
system to protect health information and to control access to it. is
includes measures to limit access to electronic information, to encrypt