The final rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on Feb. 20, 2003 [and goes into effect April 21, 2005]. This final rule specifies a series of administrative, technical and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.
– Statement on the Centers for Medicare & Medicaid Services Web site regarding the Health Insurance Portability and Accountability Act [1]
As family physician Dan Brewer, MD, once wrote on an e-mail discussion list, “I believe I would rather eat live cockroaches than learn about HIPAA security.” Nothing, it seems, could be more boring and less related to the practice of family medicine than computer security.
But don’t be fooled into complacency. You and your patients are probably more familiar with security risks and the costs or hassles associated with inadequate protection than you realize.
Consider these examples:
Have you ever been the victim of a computer virus, or do you know someone who has?
Are you concerned about what would happen if the computer hard disk storing your patients’ medical information failed?
Do you worry that someone might eavesdrop on your wireless communications?
Were you concerned when a major pharmaceutical company unintentionally distributed the e-mail addresses of hundreds of patients taking an antidepressant medication?
The HIPAA security standards apply to protected health information (PHI) that is either stored or transmitted electronically. PHI is health information in any form that personally identifies a patient. (For more on PHI, see an earlier security article I wrote for FPM: “A Problem-Oriented Approach to the HIPAA Security Standards,” July/August 2001, page 37.)
The bottom line is this: Computer security is a requirement for any sound business, including your medical practice. Computer security is needed to protect the privacy of those whose information you store and manage. It is also needed to protect you and your practice from the risk of penalty and legal liability if private information is used or released by your practice.
You have two choices: Either delay learning about computer security and risk playing catch-up when an attack or accident causes harm to a patient or your practice, or be proactive and begin to install protections that will allow you to detect and prevent trouble down the road.