In my former life as a youth pastor, I encountered many families that had one problem child: the child who always got in trouble and always seemed to demand all of their parents' energy and attention as they tried to keep that child under control. With all of the attention focused on the one problem child, the other children didn't get the attention they needed and oftentimes ended up causing unexpected problems for parents who were caught unawares.
In regard to HIPAA, maintaining the confidentiality of electronic Protected Health Information (ePHI) seems to be the problem child that captures all of the attention of covered entities, while two other children of HIPAA fly below the radar yet are just as critical to the Security Rule and can cause big problems if not given the appropriate level of attention: Availability and Integrity.
Maintaining the confidentiality of ePHI is an important part of the Security Rule, but confidentiality alone does not answer whether the appropriate people have the appropriate level of access to ePHI, and whether they can get to it when they need it. For example: the results of a blood test are necessary for a doctor to see but are not necessary for the billing clerk to see. The billing clerk simply needs to know there were blood tests, not what those tests showed. Delineating those levels of access is the "minimum necessary" principle, implemented through the Access Control standard of the Security Rule (45 CFR 164.312(a)), and it serves confidentiality. Availability is the other half of the same question: the Security Rule defines it as the property that data or information is accessible and usable upon demand by an authorized person (45 CFR 164.304). The doctor must be able to reach those results while the patient is in the exam room, not merely be the only one permitted to.
Addressing Availability forces you to look at two things. The first is contingency planning (45 CFR 164.308(a)(7)): do you have a data backup plan, a disaster recovery plan and an emergency mode operation plan, and have you tested them, so that ePHI stays usable when a server fails, ransomware hits, or the building floods? The second is the physical side of ePHI, the Physical Safeguards of 45 CFR 164.310: how do you keep ePHI out of the hands of people who shouldn't have physical access to it? For example: is there a practice for locking computers when not in use, or when the individual with access to ePHI walks away from the screen? Do visitors to your facility need passes, or to be accompanied by a company representative, to limit physical access to ePHI? Those controls protect confidentiality, but they protect availability too, because a stolen laptop or an unplugged server takes its ePHI with it.
Integrity in regard to HIPAA refers to the completeness and accuracy of ePHI. The Security Rule defines it as the property that data or information has not been altered or destroyed in an unauthorized manner (45 CFR 164.304), which covers accidental deletion and corruption as well as deliberate tampering. The Integrity standard (45 CFR 164.312(c)) asks for policies that protect ePHI from improper alteration or destruction and for an electronic mechanism to corroborate that ePHI has not been altered or destroyed, and the Audit Controls standard (45 CFR 164.312(b)) asks you to record and examine activity in the systems that hold it. Do you as a company have safeguards in place to limit who can change ePHI? How do you track the changes that are made, and how would you know if a record had been altered outside of your application, or if an entry in your audit trail had quietly been removed?
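The access question from the blood-test example (who may see or change which fields) and the integrity questions just raised (how you would know that ePHI was altered, or that a change was hidden) can both be answered in code. What follows is an added example written for this page, not code from the original post or from any product; the field names, roles, allow-lists, HMAC key and sample record are all assumptions. It shows deny-by-default field-level views for the doctor and the billing clerk, per-role write permissions, an HMAC-SHA256 tag that corroborates a record has not been altered outside the application, and a hash-chained audit log that reveals a deleted or edited entry:

```python
"""Minimum-necessary access plus tamper-evident storage and audit for ePHI.

Added example, not code from the original post. Field names, roles, allow-lists
and the sample record are assumptions matching the post's doctor / billing-clerk
illustration. Tags are HMAC-SHA256 over a canonical serialisation; the key would
come from a KMS or HSM in production, not a literal.
"""
from __future__ import annotations
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Any

# Deny by default: a role sees, or may change, exactly the fields listed here;
# a field added to a record later stays hidden until an allow-list names it.
ROLE_VIEWS = {
    "physician": frozenset({"patient_id", "encounter_id", "ordered_tests", "results"}),
    "billing_clerk": frozenset({"patient_id", "encounter_id", "ordered_tests", "billing_codes"}),
}
ROLE_WRITES = {
    "physician": frozenset({"patient_id", "encounter_id", "ordered_tests", "results"}),
    "billing_clerk": frozenset({"billing_codes"}),
}
ZERO = "0" * 64  # prev_hash of the first audit entry
class AccessDenied(PermissionError): """Role may not perform this action."""
class IntegrityError(ValueError): """Stored data no longer matches its tag or chain."""

def _canonical(obj: Any) -> bytes:
    # Stable byte form: key order and whitespace must not change a hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

@dataclass
class EPHIStore:
    key: bytes  # HMAC key (assumed fetched from a KMS in a real deployment)
    records: dict[str, dict[str, Any]] = field(default_factory=dict)
    tags: dict[str, str] = field(default_factory=dict)
    audit_log: list[dict[str, Any]] = field(default_factory=list)

    def _tag(self, record: dict[str, Any]) -> str:
        return hmac.new(self.key, _canonical(record), hashlib.sha256).hexdigest()

    def _audit(self, **entry: Any) -> None:
        # Hash chain: each entry commits to the previous one, so deleting or
        # rewriting any entry is caught by verify_audit_log().
        entry["prev_hash"] = self.audit_log[-1]["entry_hash"] if self.audit_log else ZERO
        entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.audit_log.append(entry)

    def verify(self, record_id: str) -> bool:
        # Corroborate that the stored record still matches its integrity tag.
        if record_id not in self.tags:
            raise IntegrityError(f"no integrity tag for {record_id}")
        return hmac.compare_digest(self.tags[record_id], self._tag(self.records[record_id]))

    def verify_audit_log(self) -> bool:
        prev = ZERO
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def write(self, actor: str, role: str, record_id: str, changes: dict[str, Any]) -> None:
        denied = sorted(set(changes) - ROLE_WRITES.get(role, frozenset()))
        if denied:
            self._audit(action="write_denied", actor=actor, role=role, record=record_id, fields=denied)
            raise AccessDenied(f"{role} may not alter {denied}")
        before = self.records.get(record_id, {})
        if before and not self.verify(record_id):  # never build on a record that already fails
            raise IntegrityError(f"{record_id} failed verification before write")
        after = {**before, **changes}
        self.records[record_id], self.tags[record_id] = after, self._tag(after)
        self._audit(action="write", actor=actor, role=role, record=record_id, fields=sorted(changes), tag=self.tags[record_id])

    def read(self, actor: str, role: str, record_id: str) -> dict[str, Any]:
        # Return only the fields the role may see, after checking the record's tag.
        if role not in ROLE_VIEWS:
            self._audit(action="read_denied", actor=actor, role=role, record=record_id)
            raise AccessDenied(f"no view defined for role {role!r}")
        if not self.verify(record_id):
            raise IntegrityError(f"{record_id} was altered outside the application")
        view = {k: v for k, v in self.records[record_id].items() if k in ROLE_VIEWS[role]}
        self._audit(action="read", actor=actor, role=role, record=record_id, fields=sorted(view))
        return view

def demo() -> dict[str, Any]:
    """Walk the post's scenario on a constructed record (not real patient data)."""
    store = EPHIStore(key=b"example-key-not-for-production")
    store.write("dr_lee", "physician", "enc-1001", {"patient_id": "P-42", "encounter_id": "enc-1001",
                "ordered_tests": ["CBC", "lipid panel"], "results": {"CBC": "WBC 6.1", "lipid panel": "LDL 131"}})
    store.write("pat_clerk", "billing_clerk", "enc-1001", {"billing_codes": ["85025", "80061"]})
    out = {"physician_view": store.read("dr_lee", "physician", "enc-1001"),
           "clerk_view": store.read("pat_clerk", "billing_clerk", "enc-1001")}
    try:
        store.write("pat_clerk", "billing_clerk", "enc-1001", {"results": {}})  # clerk may not touch results
    except AccessDenied:
        out["clerk_results_write_blocked"] = True
    store.records["enc-1001"]["results"]["CBC"] = "WBC 60.1"  # edit made outside the application
    out["tamper_detected"] = not store.verify("enc-1001")
    out["log_intact_before"] = store.verify_audit_log()
    del store.audit_log[1]  # someone tries to hide the clerk's write
    out["log_intact_after_delete"] = store.verify_audit_log()
    return out
```

`demo()` walks the scenario: the clerk's view contains the ordered tests and billing codes but never the results, the clerk's attempt to write to `results` is refused and logged, a direct edit to the stored record fails `verify()`, and removing one audit entry breaks the chain. Two caveats for real deployments: the HMAC key must live in a KMS or HSM and be rotated with re-tagging, and the audit chain only proves consistency relative to its head, so the latest entry hash should be anchored (periodically signed, or shipped to append-only storage) so that replacing the whole log is detected as well.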