All doctors' offices must have HIPAA Security requirements in place to protect and secure the confidential information in your medical files. This includes information stored in paper or electronic files, as well as information held on or accessed remotely through a web portal, PDA or smart phone. In today's medical environment, more and more electronic tools used in doctors' offices hold patients' confidential medical information. Many doctors' offices have electronic health records, where they enter data in the computer as they talk to you. A growing number of doctors use web portals to schedule appointments and to deliver your test results to you. Additionally, these electronic systems may allow you to send your physician an email for a prescription renewal.

Both HIPAA security and HIPAA privacy state that uses of your confidential information must be both protected and secure! However, most of the changes and adjustments your doctor's office has made to implement HIPAA security are so small that you probably do not even notice them.

There are many ways your doctor's office keeps your confidential information secure, some you can see and others you cannot see.

Some changes you can see if you look closely during your next visit are:

  • The patient sign in sheet holds only limited information;
  • Medical charts that are not being used are not on counter tops and in areas where a patient might see the confidential information;
  • The office does not have patient schedules posted in public places;
  • Confidential conversations happen in a private place;
  • Computer screens do not face patients;
  • The medical files storage area is not accessible to patients;
  • The fax machine and printer are not accessible to patients; and
  • There is a private and quiet area to make and receive phone calls.

Some changes you cannot see are:

  • Computer passwords are changed often;
  • There are safeguards in place when they transfer your confidential information on paper or electronically, including images and lab specimens;
  • Anti-virus and firewall controls protect all electronic files;
  • There are keys, key cards and strong locks for entry to the office area and possibly to various parts of the office that are not "common areas";
  • Secure internet transmissions are used when sending or receiving your confidential information; and
  • Secure e-mail transmissions may be used when sending or receiving your confidential information;
  • Policies and procedures that are the "rules of the road" for using and moving your confidential information;
  • A contingency plan to put in place if there is no electricity or the computer system is not functioning;
  • Storage of both paper and electronic files off-site in secure locations;
  • Employee training manuals and lessons dedicated to HIPAA security and HIPAA privacy; and
  • An employee handbook that includes sanction and termination policies and procedures for when your confidential information is misused or inappropriately shared.

Many doctors carry a PDA or a smart phone that is used in patient care. They will often have their schedule on it and may be able to do ePrescribing from these tools. In other words, they can type in your name and your patient number, place a renewal order for your allergy medication and send it to your pharmacy. Electronic tools that hold or access any of your confidential information are required to have the same security safeguards in place as the systems in the office. You can be confident that when they use or transfer your confidential information electronically, it is as safe as when they use the computer or the fax machine in the office.

No matter where or in what form your confidential medical information is held, it is to be protected by the HIPAA security requirements.


Written by Susan A. Miller, JD, consultant to the BCBSA for BCBSA HIPAA related publications and materials