Determining What Needs to Be Included in Your HIPAA Policies

When developing HIPAA security policies and procedures at your medical practice, you need to consider all the places that you and your workforce members access, input, transmit and store patient information.  Sounds simple enough, but the implications can be huge! 

To demonstrate, let’s follow the footprint of a hypothetical document.  Let’s say you prepare a report on your office computer showing what percentage of patients come into the office for annual health check-ups and health screenings. You plan to present the report at a staff meeting in two days. 

By the end of your day, you still have not completed the report, so you save a draft on the office network drive.  You go home, grab a quick bite for dinner, log in remotely to the office network and start working. 

You finish the final draft of the report in the morning, save it to the shared drive in the cloud, ping it to a coworker, and ask him to do a quick walk through of the report to make sure you didn’t miss anything. It is all good. 

You send a calendar reminder to the staff about the meeting and e-mail the report to attendees.  One of the meeting attendees gets the e-mail and takes a look at the report on her cell phone.  She has a question about the report and leaves a message on your office phone. 

Before the meeting, another staff member makes 10 copies of the report to pass out at the meeting, and you save a copy of the report to a USB drive so you can readily pull it up on the meeting room computer during the meeting. 

During the meeting you make notes on the report, and after the meeting you put the report and your notes in a file in your office desk.  You shove the USB drive into your briefcase. 

Now, think of all the ways you stored, accessed, and shared that document.

This document was:

• Created on a desktop computer
• Saved to a network server
• Accessed remotely
• Saved to a cloud shared drive
• Entered on the office shared calendar
• Transmitted via e-mail
• Downloaded on a smartphone
• Printed on a copier
• Saved to a USB drive
• Put in a desk file drawer
And, information from it was recorded on an office voicemail.

You can assume with modern technology that a footprint is left on every device.  Once information is downloaded on a smartphone, the information resides on the smartphone.  Once a document is copied on a copier, there is a stored memory copy of the document. 

As part of your HIPAA compliance program, you need to identify all the means and modes of input, transmission, and storage of patient information.  You must have policies and procedures for safeguarding the means and modes of the input, transmission, and storage of patient information.  

These policies must cover the physical locations and devices where the information is stored, inputted, and accessed.  You must have administrative policies governing the folks or workforce members that create, access, store, and transmit the information.  And, finally you must have technical policy safeguards. 

In the example above, the practice would need to have several policies in place to ensure HIPAA compliance. They include policies on:

1. Workstation log on and access
2. Network authorization
3. Remote access
4. Use of portable devices including smartphone and USB drives
5. Use of non-company owned devices
6. Cloud storage, document sharing, and website portals
7. Physical office security
8. Document retention
9. Device reuse and storage
10. E-mail and calendaring

These are just 10 policy considerations, and there are many more.  The HIPAA Security Rule has 17 security standards, and 42 required and addressable security implementation specifications entities must follow.  What seems simple enough at the beginning becomes complicated quickly. 

Mary Beth Gettins, managing attorney of Gettins’ Law, has more than 20 years of combined healthcare and legal experience.  Gettins’ Law offers healthcare privacy and security solutions and support for medical providers, health plans, and business associates.