HIPAA Training – How to Ensure Appropriate Protection of Electronic Protected Health Information


The Health Insurance Portability and Accountability Act of 1996 was a United States federal law enacted by the 404th United States Congress and signed into law by former President Bill Clinton on August 21st, 1996. This Act is also known as HIPAA. The primary purpose of this Act is to provide health insurance providers with regulations and guidelines for their privacy policies covering protected health information. Although not every state passed this Act, many did so shortly afterward.

One of the main reasons this Act was enacted was to strengthen the security standards that are put in place for electronic medical records and patient health information. These electronic medical records and patient health information systems were put into place to reduce the risk of identity theft and prevent the abuse of medical records by those wishing to access the information contained in these systems. Security standards were put into place to stop viruses and other harmful programs that could potentially damage or corrupt the electronic data. Most state laws now require all health care providers to be HIPAA compliant in order to maintain patient privacy.

An e-phi is a system used to protect clientele from unauthorized disclosure of confidential information by a covered entity. For example, if your child has his or her first doctor visit recorded on a website, it is important to ensure that the information is protected at all times. Likewise, if your employee’s social security number is compromised, the information could be used by those wishing to do harm to your child. Your HIPAA protection begins with the implementation of e-phi. E-phi is the primary means through which personal identification number (PIN) encryption and other integrity safeguards are put into place to ensure that only you and authorized parties have access to the medical information contained on your HIPAA covered entities’ computer networks.

As defined by the Privacy Rule, a covered entity is not permitted to disclose confidential or protected health information to an individual or entity not specifically authorized to receive such information. Therefore, if you work in the healthcare industry, it is extremely important that you are cognizant of your legal responsibilities regarding the disclosure of your patients’ private healthcare information. While the HIPAA Privacy Rule does not explicitly address the manner in which a covered entity may withhold privileged information, it does permit a covered entity to withhold certain personal health information from an individual who does not have a statutory right to receive the information. As a result, it is imperative that you learn what your legal responsibilities are under the HIPAA Privacy Rule and what your clients can expect when their private healthcare information is compromised. Additionally, you need to become aware of your responsibilities when you work with third-party vendors to implement e-phi in the healthcare environment.

Under the Security Rule, a covered entity is required to take measures to mitigate security threats to personal health information. In the case of HIPAA security breaches, a covered entity is required to take reasonable steps to ensure that confidential or protected health information does not become readily accessible to unauthorized individuals. Accordingly, there are certain security measures that a covered entity may take to protect confidential healthcare information. However, these security measures do not apply to information that is already publicly available. A covered entity must first determine whether its security measures are adequate to protect the personal health information of its individual clients.

In order to comply with the Security Rule, a covered entity must establish and maintain effective safeguards for determining whether it has implemented appropriate safeguards to protect the privacy of individuals who access the covered entity’s data. One such safeguard is the use of an OCR or optical character recognition system. OCR systems are designed to identify all of the characters and symbols that appear in written materials – including medical documents – and make those characters recognizable within a format that can be identified and deciphered by trained personnel. Although OCR systems may prove successful in identifying a small number of medical documents that are not printed in standard font, they will typically fail when it comes to characters and symbols that are printed in healthcare provider handbooks and clinical directives. In addition, OCR systems may fail to recognize handwritten medical documents that contain black ink, which significantly reduces OCR’s effectiveness.

Another important element of HIPAA’s safety rules is that covered entities must conduct a risk analysis before releasing personal health information to an outside source. As noted in the previous section, HIPAA specifically addresses the use of electronic medical records and the receipt and proper authorization of those records through electronic means. HIPAA further requires covered entities to perform an annual security management review that must consider the risks of releasing sensitive personal health information to third parties. This section of the rule is often referred to as the QRIA or “Randall’s Privacy Rule.” Despite its name, however, the Privacy Rule does not affect employees’ ability to choose not to disclose any personal health information to third parties.

To comply with the Security Rule, a covered entity must provide its employees with training regarding how to determine the validity and accuracy of any electronic protected health information. The Rule does not require covered organizations to perform a security test on newly installed electronic protected data storage systems. Instead, it only requires that covered entities periodically review the security arrangements they have in place to ensure that these arrangements are still effective in providing the necessary safeguards to protect the personal health information of their employees. This periodic review is also necessary to comply with the most current version of the Security Rule and with changes to the Protection Rule that may be implemented in the future.