Safeguarding ePHI Policy - HIPAA
Revision History
1. Objective
This policy establishes guidelines to help safeguard Protected Health Information (PHI) from being seen, heard or disclosed to those who are not authorized to see or hear it, as set forth by the HIPAA Privacy Rule (45 CFR 164.530(c)), a Covered Entity's Business Associate Agreement, and other policies developed by (Company name).
2. Scope
This policy applies to all (Company name) workforce members including, but not limited to, full-time employees, part-time employees, trainees, volunteers, contractors, and temporary workers.
Page 1 of 5
Safeguarding ePHI Policy
Reference 45 CFR 164.530 Ver. No. 1.0
3. Process Overview
The process of safeguarding PHI defines the methodology followed by (Company name), by means of various controls, to maintain the Confidentiality, Availability and Integrity of PHI. The process applies to PHI stored in all forms of media, including paper and electronic storage.
4. Policy
(Company name) employees must reasonably safeguard PHI to limit incidental uses or disclosures. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of an otherwise permitted use or disclosure. For example: a conversation that is overheard despite attempts by the speakers to avoid being heard.
Printers:
1. Printers must be located in secure areas, where only employees can access documents.
2. Employees must pick up printed documents that contain PHI from the printers by the end of each day. Exception: home analysts may print batch summary sheets to the Operations printer after hours.
Remote office:
1. (Company name) employees may not take documents that contain PHI out of the facility unless authorized to do so by management.
2. Employees authorized to work from a home office must ensure that the home office complies with all applicable policies and procedures regarding the security and privacy of PHI, including these guidelines.
3. Do not store any electronic files that contain PHI on the home computer's hard drive (C: drive). Electronic files that contain PHI must be stored only on network drives that can be accessed only with an ID and password.
Conversations:
4.2 Retention:
Every policy and procedure revision/replacement will be maintained for a minimum of six years from the date of its creation or from when it was last in effect, whichever is later. Other (Company name) requirements may stipulate a longer retention. Log-in audit information and logs relevant to security incidents must be retained for six years.
4.3 Compliance:
Failure to comply with this or any other privacy policy will result in disciplinary action. Legal action may also be taken for violations of applicable regulations and standards such as the HIPAA Privacy Rule and others.
4.4 References
Omnibus HIPAA Final Rulemaking, http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
HIPAA Final Privacy Rule, 45 CFR Part 164.514(h), Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/, August 14, 2002.
HIPAA Breach Notification Rule, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
Health Information Privacy, Security, and EHR, http://www.healthit.gov/providers-professionals/ehr-privacy-security
Achieve Meaningful Use: Protect Electronic Health Information, http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures/protect-electronic-health-information and http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures-2/protect-electronic-health-information