HIPAA, HITECH And Medical Transcription, Part 3: Protecting ePHI - Physical Safeguards
Quoting from the HIPAA regulation, §164.312:
A covered entity must, in accordance with §164.306:
(a) (1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
(2) Implementation specifications:
(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
(d) (1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
(2) Implementation specifications:
(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
As you can see, much of this information seems geared more toward larger facilities than toward home-based or small office-based transcription service providers; clearly we have to find ways to adapt these regulations to the specifics of each operation. But in general, the physical safeguards section of the HIPAA Security Rule deals with the physical aspects of maintaining security when dealing with electronic protected health information (ePHI). We're talking about things like how you go about providing access to the computer(s) where ePHI will be maintained for any length of time. Is it in a room with a lock on the door? Who has a key? Is the computer in a cabinet or desk that can be locked in some fashion? As I read the regulations, it is necessary not only to have the means to control access to equipment containing ePHI, but also to document that plan and have a way to track every person who accesses equipment where ePHI is stored. This would include the individual(s) performing transcription, of course, but it would also include anyone else who has access to that computer, including anyone performing repairs or maintenance on the equipment. That in itself should be all the incentive you need to make sure you have a dedicated computer that cannot be accessed by anyone not covered under your business associate (BA) agreement with the covered entity (CE). Obviously, the fewer people who have access to your equipment, the less onerous your recordkeeping procedures will be.
Notice also that this section of the HIPAA regulations deals with such issues as having a disaster recovery and emergency mode operations plan. What are your provisions for backup and restoration of ePHI in case of power outage, equipment failure, etc.? Furthermore, this rule requires you to have and document a policy regarding removable media which may be used to store ePHI, including USB flash drives, CD-ROMs, DVD-ROMs, portable hard drives, etc. What precautions do you take with regard to any removable media containing ePHI that leaves the workstation? Do you have a log of the who, what and when of such events? Finally, this rule requires that a policy be in place that deals with the destruction/deletion of ePHI when you no longer have reason to maintain it in your possession. How do you go about removing ePHI from your hard drive and/or removable media? How long do you keep ePHI, and do you have a specific procedure in place to make sure files with ePHI are deleted in a timely manner according to your policy?
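As an added example (not part of the original post), the Python script below implements the two procedures this paragraph asks about: deleting ePHI files once an assumed retention period has passed, and keeping a who/what/when log whose entries are hash-chained so that a later edit or deletion of a log line is detectable. The 30-day retention period, the file names and the operator name are constructed placeholders, not values from the post.

```python
import hashlib, json, os, tempfile, time
from pathlib import Path

GENESIS = "0" * 64  # chain anchor for the first audit entry

def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def append_audit(log: Path, event: dict) -> str:
    """Append a hash-chained JSON line: each entry commits to the one before it."""
    prev = GENESIS
    if log.exists() and (lines := log.read_text().splitlines()):
        prev = json.loads(lines[-1])["entry_hash"]
    body = dict(event, prev_hash=prev)
    body["entry_hash"] = _digest(body)
    with log.open("a") as fh:
        fh.write(json.dumps(body, sort_keys=True) + "\n")
    return body["entry_hash"]

def verify_audit(log: Path) -> bool:
    """Re-walk the chain; an edited, reordered or deleted line breaks it."""
    prev = GENESIS
    for line in log.read_text().splitlines():
        entry = json.loads(line)
        claimed = entry.pop("entry_hash")
        if entry["prev_hash"] != prev or _digest(entry) != claimed:
            return False
        prev = claimed
    return True

def enforce_retention(root: Path, log: Path, operator: str, days: int, now: float) -> list:
    """Delete files older than the retention window, logging who/what/when for each."""
    cutoff = now - days * 86400
    removed = []
    for p in sorted(q for q in root.rglob("*") if q.is_file() and q.stat().st_mtime < cutoff):
        p.unlink()  # plain deletion; sanitising or disposing of the media itself is a separate control
        append_audit(log, {"who": operator, "what": "retention-delete", "path": p.name, "when": int(now)})
        removed.append(p.name)
    return removed

def demo(days: int = 30) -> dict:
    # Constructed sample: one 45-day-old file, one fresh file, then a tampered log (assumed values).
    root, log, now = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp()) / "audit.jsonl", time.time()
    old, new = root / "job_old.txt", root / "job_new.txt"
    old.write_text("constructed"); new.write_text("constructed")
    os.utime(old, (now - 45 * 86400,) * 2)
    removed = enforce_retention(root, log, "mt-operator", days, now)
    intact = verify_audit(log)
    log.write_text(log.read_text().replace("mt-operator", "someone-else"))
    return {"removed": removed, "kept": new.exists(), "intact": intact, "tampered": not verify_audit(log)}
```

The same append_audit/verify_audit pair can record the movement of removable media or maintenance visits, since only the event dictionary changes.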
It's important to note that the HIPAA regulations, in many instances, do not specifically dictate HOW you must physically safeguard ePHI, so there is a certain amount of flexibility inherent in the rule. However, it seems clear to me that the intent of all these regulations is to ensure that, A) the policies and procedures that are put into place do in fact adequately protect ePHI; B) those policies and procedures are in writing; C) all personnel handling ePHI are familiar with these policies and procedures (with documentation to prove it, of course); and D) there is documentation to demonstrate that the policies and procedures are in fact consistently carried out in the BA's day-to-day operations. In my opinion, these four steps are the key to successfully complying with all the provisions of the HIPAA Security Rule regarding ePHI.
In my next post, I'll talk about the HIPAA Security Rule regulation dealing with technical safeguards for ePHI, which is probably the area of greatest concern for MT service owners and independent contractors, who use the Internet to send and receive files containing electronic protected health information.