Important Ways to Safeguard Protected Health Information

HIPAA demands that all Covered-Entities (CEs) implement the necessary physical, administrative and technical controls to safeguard Protected Health Information. Healthcare organizations must ensure that all of the necessary controls are in place to reduce the potential for a data breach in order not to fall afoul of HIPAA Rules.

Safeguard Protected Health Information by Addressing All Security Vulnerabilities

In order to address security vulnerabilities, a CE must first determine what they are and where they exist. The only way to ensure that all potential security vulnerabilities are identified, is to conduct a thorough risk assessment. Any person, machine, or process requiring access to PHI – or in the case of computer software; that has potential to touch PHI – must be assessed for security risks.

It is important to be thorough, but also realistic. A risk assessment will no doubt highlight many potential security vulnerabilities. These need to be analyzed and assessed, and ranked according to risk. Efforts to address the vulnerabilities and safeguard protected health information can then be concentrated on the most pressing security issues.

Consider employing an external certified security company to conduct a risk assessment. It is important that no stones are left unturned. Hackers will look for any vulnerability that they can exploit.

Business Associates are a Security Risk

A CE can implement all of the necessary controls to safeguard Protected Health Information, but oftentimes certain processes and procedures must be outsourced to specialist firms. Billing services, data management, cloud service providers, to name but a few, all need access to PHI. Any disclosure of information is a risk, which is why all vendors and BAs must be carefully assessed to ensure they are adhering to the same strict standards of data security as the CE.

The introduction of the HIPAA Omnibus Rule brought a number of changes to vendor relationships, and new requirements on CEs, their BAs and subcontractors. All must agree to safeguard protected health information before access to that information is permitted.

Some vendors may object to the new, stricter data security standards imposed by HIPAA; or may not believe they should be classed as a BA.

Any vendor is classed as BA under HIPAA if contact with PHI is required. If a Business Associate Agreement (BAA) will not be signed or cannot be obtained, there is an unacceptable risk of PHI exposure and a new vendor must therefore be found.

All Data Security Efforts Must Be Documented

Not only must all the risks to PHI integrity and confidentiality be assessed and addressed, all assessments, actions, decisions, procedures and processes must be fully documented. The Department of Health and Human Services’ Office for Civil Rights assesses compliance with HIPAA Rules, and its auditors and assessors need to see evidence of HIPAA in action.

CEs that are unable to provide proof that a risk assessment has taken place and show that security vulnerabilities have been identified and procedures put in place to address risks, are likely to receive a heavy financial penalty; even if all security risks have been identified and are in the process of being dealt with.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of