What Safeguards are Required?
A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the HIPAA Privacy Rule, as well as that limit incidental uses or disclosures. It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks.
Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients’ privacy.
Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.
What are Specific Examples of Reasonable Safeguards?
Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals’ health information – for instance:
- By speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
- By avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.
What Does Implementing the Minimum Necessary Standard Involve?
As noted above, incidental disclosure is permitted only when covered entities have both developed reasonable safeguards AND implemented the minimum necessary standard.
Covered entities must implement the minimum necessary standard by implementing reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures also must limit whom within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business.
Note that the minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes. For example, a physician is not required to apply the minimum necessary standard when discussing a patient’s medical chart information with a specialist at another hospital.
An incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not permitted under the HIPAA Privacy Rule.
For example: The minimum necessary standard requires that a covered entity limit whom within the entity has access to protected health information, based on who needs access to perform their job duties. If a hospital employee is allowed to have routine, unimpeded access to patients’ medical records (and thus, access to PHI), where such access is not necessary for the hospital employee to do his job, the hospital is not applying the minimum necessary standard. Therefore, any incidental use or disclosure that results from this practice, such as another worker overhearing the hospital employee’s conversation about a patient’s condition, would be an unlawful use or disclosure under the HIPAA Privacy Rule.
Compliancy Group Simplifies HIPAA Compliance
Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.
Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address the law so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM their HIPAA compliance.