Safeguards to Reduce Risks to PHI in the Medical Office

Woman holding medical record in her hands, sitting at her desk

Hero Images / Getty Images

With the increased use of information technology in healthcare, your medical office must continue to find ways to maintain the security of the protected health information (PHI) of the patients they serve.

What Is HIPAA Security?

Health Insurance Portability and Accountability Act (HIPAA) security refer to establishing safeguards for PHI in any electronic format. This includes any information used, stored or transmitted electronically. Any facility defined by HIPAA as a covered entity has the responsibility to ensure the privacy and security of its patient’s information as well as maintaining the confidentiality of their protected health information.

Covered entities are, by law, required to develop policies and procedures that comply with the security rule and maintain written records of these policies and procedures and records of access, actions, activities, and assessments required by the security rule.

Rules for Maintaining HIPAA Security

The rules for maintaining HIPAA security include safeguards for three key areas.

Administrative Safeguards

  • Develop a formal security management process including the development of policies and procedures, internal audits, contingency plan and other safeguards to ensure compliance by medical office staff.
  • Assign responsibility for security to a designated person to manage and supervise the use of security measures and the conduct of the staff.
  • Implement features that ensure the staff has proper training and proper authorization to access protected health information.
  • Define levels of access for all staff and determine how it is granted.
  • Require that all medical office staff including management undergo security training and have periodic reminders and user education so they stay current on the laws and guidelines.

Physical Safeguards

  • File protected health information in a secure location and workspaces for employees (this includes the use of locks, keys, and badges that unlock doors) that restrict access to unauthorized persons and intruders.
  • Develop policies for verifying access authorizations, equipment control, and the handling of visitors. Develop and provide documentation including instructions on how your medical office can help to protect protected health information (for example, logging off the computer before leaving it unattended)
  • Provide protection against fire and other hazards
  • Develop policies and procedures for the transfer, removal, disposal, and reuse of electronic protected health information.

Technical Safeguards

  • Establish unique user identification including passwords and pin numbers.
  • Adopt an automatic logoff control.
  • Record and examine system activity for auditing purposes.
  • Utilize encryption controls to protect transmitted data over a network.
  • Allow only authorized users to access protected health information.
  • Guard against unauthorized access to protected health information.

Get More Information on the HIPAA Security Rule

While the HIPAA Security Rule offers many guidelines on the administrative, physical, and technical safeguards that should be in place, it doesn't address every detail. ​ provides educational papers designed to give insight into security standards. Additional information provided:

  • Security 101 for covered entities
  • Requirements for policies, procedures, and documentation
  • Risk analysis and risk management
  • Security standards for small providers
Was this page helpful?