
Safeguarding ePHI Policy

Reference 45 CFR 164.530 Ver. No. 1.0

Doc ID    Version #    Process Owner(s)    Effective Date
          1.0          CISO

Revision History

Ver. No.  Date of Release  Author(s)  History of Changes  Approver
1.0                        CISO       First Baseline      CISO

1. Objective
This policy establishes guidelines to help safeguard Protected Health Information
(PHI) from being seen, heard or disclosed to those who are not authorized to see or
hear it, as set forth by the HIPAA Privacy Rule (45 CFR 164.530(c)), a Covered Entity’s
Business Associate Agreement, and other policies developed by (Company name).

2. Scope
This policy applies to all (Company name) workforce members including, but not
limited to, full-time employees, part-time employees, trainees, volunteers,
contractors, and temporary workers.

3. Process Overview
The process of safeguarding PHI defines the methodology followed by (Company
name), by means of various controls, to maintain the confidentiality, availability and
integrity of PHI. The process applies to PHI stored in various forms of media, including
paper and electronic storage.

4. Policy
(Company name) employees must reasonably safeguard PHI to limit incidental uses
or disclosures. An incidental use or disclosure is a secondary use or disclosure that
cannot reasonably be prevented, is limited in nature, and occurs as a result of an
otherwise permitted use or disclosure. For example: a conversation that is
overheard despite attempts by the speakers to avoid being heard.

4.1 Process Details

a. Tasks
All employees must follow these guidelines in handling PHI:

Paper documents contained within (Company name) offices:
1. In self-contained work areas that are locked after business
hours, documents containing PHI must not be in plain sight.
2. Management will take reasonable steps to provide work areas,
which are not self-contained and locked, with lockable file
cabinets or storage bins, lockable desk drawers, or other
means to secure PHI during periods when the area is left
unattended.

Copying documents that contain PHI:
1. When copying documents that contain PHI for purposes of
disclosing to an external party, copy only the information that
is necessary to accomplish the task. This may require part of a
page to be masked.

Disposal of paper documents that contain PHI:
1. Paper documents that contain PHI must be disposed of in one
of the locked Security Containers located throughout the
building. Documents placed in the locked Security Containers
will be shredded by a contracted vendor. Paper documents
containing PHI must never be thrown away in regular trashcans
or insecure recycle bins.

Printers:
1. Printers must be located in secure areas, where only
employees can access documents.
2. Employees must pick up printed documents that contain PHI
from the printers by the end of each day. Exception: home
analysts may print batch summary sheets to the Operations
printer after hours.

Workstation access and use:
1. Refer to (Company name)’s Security Policies, Workstation Use
and Workstation Security (Clear Screen, Clear Desk security
policy).

Remote office:
1. (Company name) employees may not take documents that
contain PHI out of the facility unless authorized to do so by
management.
2. Employees authorized to work from a home office must ensure
that the home office complies with all applicable policies and
procedures regarding the security and privacy of PHI, including
these guidelines.
3. Do not store any electronic files that contain PHI on the home
computer’s hard drive (c: drive). Electronic files that contain
PHI should only be stored on network drives that can only be
accessed by an ID and password.

Transporting PHI documents outside of (Company name) offices:
1. Employees who work from home must transport documents
that contain PHI in a locked container. Management is
responsible for providing locked containers to employees who
work from home.
2. Employees who occasionally transport documents that contain
PHI outside of (Company name) offices (e.g. from one building
to another or to a home office) must take reasonable steps to
secure the documents. For example: if possible, documents
should be in a locked container. Documents must be in some
type of folder, bag, or container where PHI is not visible.
Documents must never be left in an unlocked, unattended
vehicle.

Conversations:
1. Conversations concerning patients’ claims or other PHI must
be conducted in a way that reduces the likelihood of being
overheard by others. Example: Avoid discussing a patient with
a coworker or other authorized individual in a public area
(elevators, restaurants, etc.).
2. When discussing patient information in person with a patient
or a patient’s Personal Representative, do so in a location that
reduces the likelihood of being overheard by others. Example:
Do not hold a conversation with a patient regarding his or her
PHI in the lobby of the building.

Smart phones and tablet devices:
1. (Company name) privacy and security policies apply to PHI
stored on smart phones and tablets.
2. Users of smart phones and tablets are responsible for ensuring
that the PHI on their devices is kept secure and private. This
includes password protecting the device and locking the
device when not in use.
3. Loss or theft of a device must be reported to the Information
Security Officer or Privacy Officer immediately.

Physical Security:
1. Refer to the building security policies and procedures for
(Company name) policy on employee, visitor and vendor
access to the building (Perimeter Security).

4.2 Retention:
Every policy and procedure revision/replacement will be maintained for a
minimum of six years from the date of its creation or when it was last in effect,
whichever is later. Other (Company name) requirements may stipulate a longer
retention. Log-in audit information and logs relevant to security incidents must
be retained for six years.

4.3 Compliance:
Failure to comply with this or any other privacy policy will result in disciplinary
actions. Legal actions also may be taken for violations of applicable regulations
and standards such as the HIPAA Privacy Rule and others.

4.4 References
- Omnibus HIPAA Final Rulemaking,
http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/index.html
- HIPAA Final Privacy Rule, 45 CFR Part 164.514(h), Department of Health and
Human Services, August 14, 2002,
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
- HIPAA Breach Notification Rule:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
- Health Information Privacy, Security, and EHR:
http://www.healthit.gov/providers-professionals/ehr-privacy-security
- Achieve Meaningful Use: Protect Electronic Health Information:
http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures/protect-electronic-health-information
http://www.healthit.gov/providers-professionals/achieve-meaningful-use/core-measures-2/protect-electronic-health-information
