Jeb Molony

The HIPAA Omnibus Final Rule goes into effect less than a week from today and brings new considerations for doctors pertaining to electronic data. The Rule includes three distinct sections that apply to electronic data and what may be required of a practice. The first area deals with a patient's right to request electronic copies of their records in an acceptable format; the other two deal with the encryption of data. From a practice management standpoint, these new rules must be understood and applied to any information technology (IT) plan.

The first rule dealing with electronic information is that the patient has the right to ask for copies of their electronic medical records in electronic form. Two issues are most important here. First, the patient may request the data, and the practice must produce it in a format that is usable. If your practice management software stores patients' records in a database that does not allow for easy extraction into a common format such as a PDF, then the practice may bear additional costs to alter data. Second, the practice will have to produce the data on removable storage such as a thumb drive. Data should not be easily identifiable to an individual under HIPAA, so a branded thumb drive may be a violation, and the external storage may require password protection.

The next two rules both deal with data encryption. The first set of standards is for data at rest and the second is for data in motion. Data at rest refers to data that is currently stored and not being actively used. The guiding rule for data at rest is the NIST Publication 800-111, which gives standards for security, such as encryption and authentication, necessary to properly safeguard data at rest. The second rule applies to the encryption and protection of data in motion.

The NIST standards for data in motion include 800-52 and 800-77. They give very specific detail as to the levels of encryption and authentication necessary to safeguard against the theft of ePHI, but the most important safeguard is simply not emailing anything that could be regarded as electronic protected health information.

While these standards are very specific and provide guidance on the requirements being placed on medical practices, they do not protect against the greatest threat of all, which is employees. The easiest way for a HIPAA violation to occur stems from employees accessing data and disseminating it to unauthorized personnel. From a practice management standpoint, both points of vulnerability should be addressed. The three new rules pertaining to ePHI should be considered in the IT planning, while the employee issue should be handled through training and monitoring.