Measures to protect patient information


1- Administrative safeguards:
a. Implementing practices to reduce identified risks;
b. Instituting a system to regularly review records of information system activity, such as
i. audit logs,
ii. access reports,
iii. and security incident tracking reports;
c. Developing a policy to sanction staff members who violate the office's security procedures;
d. Designating one staff person to be the Security Officer (similar to the designation of a Privacy Officer as required by the HIPAA Privacy Rule);
e. Establishing who on staff has appropriate need to access patient records, and who does not;
f. Establishing and providing a security-training program for office staff.

2- Physical safeguards:
a. Hospital departments should be kept secure from intruders (with locks, alarm systems and other security devices and systems) when the department is not open for business;
b. When the department is open for business, unattended areas are still kept secure with locks and other devices if possible, but at least closed doors;
c. Physical access to filing cabinets, computers and printers, photocopiers, fax machines and any other areas or equipment where patient information may be present should be controlled and monitored;
d. All workers should wear the organization's identification badges at all times;
e. Patients and visitors should be appropriately escorted to ensure that they do not access restricted areas, and unidentified persons in restricted areas are (politely) challenged for identification;
f. When a person no longer works at the organization, keys and identification badge should be returned, alarm codes are changed, and computer access should be removed within one day.

3- Technical safeguards:
a. Computer passwords should be kept secure, and changed regularly;
b. Computer access tokens (such as key cards or USB keys), if used, should also be kept secure;
c. Computer screens should not be in plain view, where anyone other than staff can easily see them;
d. Users should log in to computer systems or terminals only with their own user ID, password or token; these may be shared only in extraordinary situations.
e. If there is no password-protected screensaver on the computer, log off when a computer system or terminal is unattended, even if it is only for a short time.
f. Computer systems should be used only for work-related functions (“playing” can provide a way in for viruses and other computer bugs);
g. Portable computing devices (laptops, PDAs) should be kept secure by remaining in the department or by password protection.
h. When a person no longer works in the organization, his/her computer user IDs and passwords should be immediately deleted, and any access tokens should be returned.
i. Use of computer-based patient information should be limited to the minimum necessary to get the job done. (Minimal security rule)
j. PHI (protected health information) should be stored on secure servers in a secure zone.
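One way to put the regular audit-log review in 1-b, the minimum-necessary rule in 3-i and the removal of departed users' IDs in 3-h into practice, as an added example that is not from the original page: a small Python review script run over constructed sample log lines. The log format, the field names and the staff roster are assumptions for the example, not a real system's format.

```python
import re
from collections import Counter

# Constructed sample audit log (assumed format): timestamp, then key=value fields.
AUDIT_LOG = """\
2024-03-04T08:02:11 user=jsmith event=LOGIN result=OK
2024-03-04T08:05:40 user=jsmith event=VIEW record=MRN-10421 dept=cardiology
2024-03-04T08:07:02 user=jsmith event=VIEW record=MRN-10877 dept=oncology
2024-03-04T08:10:15 user=rlee event=LOGIN result=FAIL
2024-03-04T08:10:22 user=rlee event=LOGIN result=FAIL
2024-03-04T08:10:31 user=rlee event=LOGIN result=FAIL
2024-03-04T09:14:05 user=bgone event=VIEW record=MRN-10421 dept=cardiology
"""

# Constructed roster of active staff: user ID -> department whose records they need (1-e, 3-i).
# A user missing from this roster is either unknown or has left and should have no access (3-h).
ACTIVE_STAFF = {"jsmith": "cardiology", "rlee": "oncology"}

FAILED_LOGIN_THRESHOLD = 3  # assumed threshold for the incident tracking report (1-b-iii)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Turn one log line into a dict of fields plus its timestamp."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields

def review_audit_log(log_text, roster, fail_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (finding, user, detail) tuples a reviewer should follow up on."""
    findings = []
    failed = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        if ev["event"] == "LOGIN":
            if ev.get("result") == "FAIL":
                failed[user] += 1
                if failed[user] == fail_threshold:
                    findings.append(("repeated_failed_logins", user, ev["ts"]))
            continue
        if user not in roster:  # record access by a departed or unknown ID
            findings.append(("access_by_unknown_or_departed_user", user, ev["record"]))
        elif ev.get("dept") != roster[user]:  # access beyond the minimum necessary
            findings.append(("access_outside_assigned_department", user, ev["record"]))
    return findings

if __name__ == "__main__":
    for finding in review_audit_log(AUDIT_LOG, ACTIVE_STAFF):
        print(*finding)
```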

