Dentists and their staff hear prescriptive information about safeguarding patient information, for example, “paper records must be kept in locking file cabinets” and “sign-in sheets cannot be used.” Prescriptive information is clearly stated and easy to understand, but is it all really required by HIPAA? Following is 45 CFR §164.530(c) on safeguards required by HIPAA. It is applicable to all forms of protected health information (PHI) — hard copy, oral, and electronic.
As you can see, there is little detail on how to comply. The HIPAA Privacy Rule does not prescribe any specific practices or actions (generally referred to as “safeguards”). However, the HIPAA Security Rule, which became effective a few years after the Privacy Rule did, does require specific safeguards. Both rules allow a covered entity to take a flexible approach when considering how to protect patient information. A covered entity needs to consider its particular circumstances, such as the impact on patient care, the size of its organization, and the financial and administrative burden of implementing a specific safeguard. A covered entity is not expected to absolutely protect patient health information from all threats and risks, but is expected to implement reasonable safeguards.
Following is an example of a deliberative process to determine what may be reasonable safeguards for paper chart storage in a dental practice. Dr. Gray is a solo practitioner with one front desk staff and one dental assistant. Her practice has been located for the past 15 years in a strip mall. Charts are stored in non-locking file cabinets located behind the front desk/counter. There is not a lot of extra space in the practice or in the front desk/counter area. The front desk/counter is situated behind a wall with a window and a door to the waiting room. The window is opened when patients check in or when staff communicates with individuals in the waiting room. The door is closed but unlocked during business hours. The area where charts are stored is observed by the dentist or staff during business hours. Both the front door and the door leading to the treatment area are locked when the practice is closed. Does Dr. Gray need to buy locking file cabinets for the charts?
Before answering the question, consider the following:
Also consider how the analysis changes if Dr. Gray is planning to expand her practice and take over the space next to hers, if the strip mall provides after-hours security, or if there is a history of break-ins in the neighborhood. What if one staff member is absent and the front desk/counter is left unattended for a period – what should Dr. Gray do?
The covered entity must assess risk and then determine reasonable and appropriate safeguards to implement. Consider another situation: the transportation of non-electronic patient information from one office to another. A covered entity must identify risks (theft and accident in this instance) and determine reasonable and appropriate policies and procedures for safeguarding the information.
Yet another situation to consider is the fax machine and opportunities for impermissible disclosures. To minimize the risk of an impermissible disclosure, a covered entity may consider the following safeguards:
Remember, HIPAA regulations are intended to be flexible and scalable. A covered entity is not expected to absolutely protect patient health information from all threats and risks, but is expected to implement reasonable safeguards.
When a covered entity decides not to implement a privacy safeguard or an addressable security safeguard that offers the best protection, the covered entity should document the rationale for the decision. Determining what safeguards to implement can be a multi-factorial process. HIPAA does not require every dental practice to implement the exact same safeguards adopted by every other dental practice. Some privacy safeguards, such as keeping voices low when speaking about patient health information in places where the information can be overheard, can be universally implemented. Other safeguards, especially the addressable safeguards in the HIPAA Security Rule, can be assessed before determining whether to implement them.
The HIPAA Security Rule has 19 required safeguards and 16 addressable safeguards. Addressable safeguards should be implemented if a covered entity, after it conducts its risk analysis, deems the safeguard reasonable, appropriate and applicable.
The safeguarding of electronic PHI, however, does have specific requirements, which can be found in 45 CFR §§ 164.306, 164.308, 164.310, and 164.312. The required Security Rule safeguards are: