Chapter 2: HIPAA for Mental Health Practitioners
Part 2: So How Should You Protect e-PHI, Anyway?
When it comes to protecting e-PHI, "reasonable steps" doesn't offer much guidance. And that's where HIPAA's security standards can help. They provide the following guidelines on how to keep your patients' healthcare information safe from prying eyes:
- Analyze the risks. You have to know where the vulnerabilities are before you can create effective safety protocols. It's best to document the potential risks for e-PHI exploitation and any security measures you adopt to address those risks. Be sure to update your risk management approach when necessary.
- Put administrative safeguards in place. This means designating a security official who is responsible for developing and overseeing security procedures, limiting disclosures of PHI, and training your employees on the proper management of e-PHI.
- Put physical safeguards in place. Limit physical access to the facilities where e-PHI is stored and only allow authorized access to these areas. Be sure to create and follow procedures that outline the proper use of workstations and electronic media. Your policies should also detail how to safely transfer, remove, and dispose of e-PHI or the devices that store it.
- Put technical safeguards in place. Only allow authorized personnel to access e-PHI. Use hardware, software, and procedural mechanisms to keep track of who accesses e-PHI on your systems. Lastly, implement network security measures that block unauthorized access to e-PHI that is being transmitted over your network.
For a more exhaustive and detailed exploration of the guidelines, check out the HHS's Summary of the HIPAA Security Rule and Privacy Rule .
Next: Part 3: Why HIPAA Matters for Mental Health Practitioners