Security Requirement

Are You Complying with this HIPAA Security Requirement?

Your patients put a significant amount of trust in things outside their control to protect them and what matters to them. They trust banking systems to protect their money, alarm systems to protect their homes and software to protect their computers. They also trust you and your healthcare practice to abide by the HIPAA security requirement that mandates the safeguarding of their personal health information.

With this reality in mind, can you honestly say that you are doing everything you should be doing to ensure that you’re fully defending all that they entrust to you? Are you abiding by the HIPAA security requirements related to protecting their personal health information?


The Health Insurance Portability and Accountability Act (HIPAA) is the enforceable national standard for protecting the confidentiality, integrity and security of individuals’ Personal Health Information (PHI).

The U.S. Health and Human Services (HHS) established the HIPAA Security Rule as a method of ensuring healthcare providers establish necessary safeguards to guard against security breaches or other incidents that could threaten the safety of their patients’ PHI or electronic PHI (ePHI).

According to the HIPAA Journal, “Under HIPAA, protected health information is considered to be individually identifiable information relating to the health status of an individual, the provision of healthcare, or individually identifiable information that is created, collected, or transmitted by a HIPAA-covered entity in relation to payment for healthcare services.”

This data could include medical records, prescriptions, hospital bills and treatment information. It also may include physical records and any PHI that is created, sent or received electronically that contains identification records or demographic information, such as birth dates, sex, ethnicity, contact information or emergency contact information. Healthcare providers have a responsibility to meet the requirements of these Rules for as long as they maintain their patients’ records.


Eventually, healthcare providers will find it necessary to dispose of PHI and ePHI records. Thus, the HIPAA Security Rule requires that all HIPAA-covered entities have established policies for the destruction of these records when needed. The Rules do not specify any one particular method of disposal. However, they do indicate that providers should determine a “reasonable” approach that provides the most secure disposal of both PHI and ePHI.

For ePHI, these “reasonable means” do not include throwing computer hard drives into dumpsters or into any other disposal site accessible to the public. This holds true even if the hard drive has been broken in half or an electronic wipe has been attempted. Given the data recovery technology that currently exists and the extreme value of the contents of these hard drives, such approaches still leave too many potential risks of violated patient privacy, and they do not provide adequate information security.

Rather, to comply with the HIPAA security requirement for protecting ePHI, hard drives that contain private patient information should be physically and completely destroyed in such a way that the platters inside cannot possibly be reconstructed, retrieved or read. This can be accomplished to the highest degree only by a professional, bonded and licensed hard drive crushing company.

The proper hard drive crushing process should begin with the serial number of the drive being recorded. The drive should then be completely crushed, and the responsible ISO 14001-certified recycling company should recycle the crushed pieces. The company should then provide a certificate of destruction attesting to the complete destruction of the drive, backed by a guarantee under a $2M Professional Liability (E&O) policy.



Understandably, all HIPAA-covered health care providers must also maintain physical hard copies of all ePHI so that they can continue interacting with patients in the event of an electrical failure, a downed computer system, or a disaster recovery effort. “Reasonable methods” for destroying patients’ PHI on paper must also be established to ensure compliance with HIPAA. These plans should include on-site or off-site professional shredding, burning or pulping of the documents, which renders the records fully unreadable and makes them impossible to reconstruct. Once again, the licensed and bonded company should provide a certificate of destruction attesting to the complete destruction of the documents and should carry a valid $2M Professional Liability (E&O) policy.


Your patients must be able to trust you and be fully confident that you are complying with the HIPAA security requirements that protect their PHI and ePHI. To ensure your healthcare practice stands in full compliance with the HIPAA Security Rule, contact Secure Destruction today to schedule an on-site or off-site hard drive crushing and/or document shredding date.


What to Know about Online Health Records & Security

What Every Individual Should Know

We live in a tech-savvy culture. Handwriting gave way to typewriters; typewriters became computers; computers turned into tablets; and the tech-advancement train isn’t slowing down anytime soon. This reality is reflected in the healthcare industry, where handwritten doctors’ notes and screeching fax machines have given way to electronic health records that are created, stored and tracked by all kinds of electronic means. With this age of technology come challenges as well, such as protecting your clients’ security.

But what does this mean for healthcare providers, who must protect the safety and confidentiality of each patient’s personal health information and guard their clients against potential security breaches?

Scanning the Value of Electronic Health Records

In an article on the US National Library of Medicine website, Donna P. Manca, MD MClSc FCFP, identifies the value of utilizing electronic health records, saying, “Electronic medical records improve quality of care, patient outcomes, and safety through improved management, reduction in medication errors, reduction in unnecessary investigations, and improved communication and interactions among primary care providers, patients, and other providers involved in care.”


Dr. Manca continued, “Electronic medical records improve the work lives of family physicians despite some subjective concerns about implementation costs and time. Electronic medical records have been demonstrated to improve efficiencies in work flow through reducing the time required to pull charts, improving access to comprehensive patient data, helping to manage prescriptions, improving scheduling of patient appointments, and providing remote access to patients’ charts.”

Further Proof of Value to Security

The Office of the National Coordinator for Health Information Technology also identifies the many monumental benefits of healthcare providers’ use of electronic medical records, saying:

“Electronic medical records (EHRs) and the ability to exchange health information electronically can help you provide higher quality and safer care for patients while creating tangible enhancements for your organization. EHRs help providers better manage care for patients and provide better health care by:

  • Providing accurate, up-to-date, and complete records about patients at the point of care
  • Enabling quick access to patient records for more efficient care
  • Securely sharing electronic information with patients and other doctors
  • Helping providers more effectively diagnose patients, reduce medical errors, and provide safer care
  • Improving patient and provider interaction and communication, as well as health care convenience
  • Enabling safer, more reliable prescribing
  • Helping promote legible, complete filing and accurate, streamlined coding and billing
  • Enhancing privacy and security of patient data
  • Helping providers improve productivity and work-life balance
  • Enabling providers to improve efficiency and meet their business goals
  • Reducing costs through less paperwork, raised safety, reduced duplication of testing, and improved health.”

Appreciate the Good, Guard Against the Bad

Along with all the benefits of electronic medical records, however, their use also raises the stakes for ensuring the safety and security of the private health information they contain. For this reason, the U.S. Department of Health and Human Services (HHS) implemented the HIPAA Security Rule as a way to help healthcare providers guard against – and be better prepared to respond to – potential security breaches or incidents.

These could include events such as:

  • The compromised integrity of data
  • Theft or misuse of information
  • Lost or stolen computers or other forms of media storage
  • Natural or physical disasters
  • Identity theft or hackers.

The Necessity of an ePHI Risk Analysis


The HIPAA Security Rule requires that a risk analysis of electronic personal health information (ePHI) be completed in order to establish security measures that reduce the likelihood and impact of reasonably anticipated risks.

According to HHS, an ePHI risk analysis requires:

  • A review of all electronic medical records that your organization creates, receives, maintains or sends. This can include hard drives, laptop computers, backups, smart cards, and all other forms of electronic media.
  • Documentation of all data collection, including how ePHI (as defined in the HIPAA regulations) is stored, received, sent and accessed; who has access to it; and how they access it.
  • An assessment of current security measures, and, based on the data collected, a record of all possible threats (human, natural, environmental, etc.) and any potential weaknesses (lack of strong security controls, inconsistent or non-existent policies, etc.).
  • Categorization of these risks and weaknesses into high, medium and low risk levels to determine the most likely threats to guard against and the impact each of those threats could have.
  • At that point, a list of corrective actions – policies put in place, training on new processes, physical safeguards, etc. – should be implemented, reviewed and regularly updated.

The Consequences of Failing

The risk analysis process is extensive and very time consuming, which initially caused some resistance to adopting it. However, one key way that HHS enforces compliance with this rule is by requiring it before Medicare and Medicaid EHR incentive payments are received. These “Meaningful Use” payments are only provided after a risk analysis has been completed, identified security holes have been corrected and you have attested to their completion.

Furthermore, the rewards for adopting and demonstrating meaningful use of electronic health records are substantial: eligible physicians and other health care professionals can receive up to $63,750. However, failure to demonstrate meaningful use can result in penalties, starting at 1% of Medicare Part B reimbursements and increasing each year to a maximum of 5%. In 2017, more than 170,000 U.S. healthcare providers faced this type of penalty.

You are Not Alone – SecureMed has Your Back!

Although implementing a risk analysis for ePHI can seem overwhelming even to small or medium-sized healthcare facilities, help is available! Especially with the increased document and data security measures implemented in Alabama in 2018, now – more than ever before – consider contacting SecureMed to discover how you can minimize the risk of ePHI getting into the wrong hands. Learn how to reduce the impact of data breaches and strengthen your reasonable efforts to protect your patients’ electronic health records!
