HIPAA Regulations for Record Storage in a Home Office

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is enforced by the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services. Record storage in a home office, just as in a large corporation, must follow specific standards under the HIPAA Security Rule so that information is kept confidential. These standards are grouped into three kinds of safeguards: administrative, physical, and technical.
Administrative Safeguards

  • The OCR's Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic (or written) protected health information (PHI)." Policies and procedures are required to prevent and correct breaches in the unauthorized use of PHI. A designated person to develop and monitor the security policies is also required. Another administrative safeguard is to ensure that only appropriate people have access to PHI. A person without a need to use another person's health information, such as a spouse or child, does not have access.

Physical Safeguards

  • The OCR's Security Rule defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." Policies and procedures are required to restrict access to the facility where PHI is stored. Door locks, locked filing cabinets, and password-protected electronic access to records are examples of restricted physical access. Workstations, such as laptops and desktop computers, are required to have policies that specify the functions they may be used for. Unauthorized use of a workstation may lead to the compromise of PHI through a virus attack or a breach of confidential material. Another physical safeguard requires policies that determine how PHI on an electronic device is destroyed or removed from the home office.

Technical Safeguards

  • The OCR's Security Rule defines technical safeguards as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it." Technical safeguards are achieved by regulating who has access to information by setting login requirements on workstations. Software to monitor who views PHI on a workstation is also required.
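The two technical safeguards named above, a login requirement before any PHI is shown and a record of who viewed which record, can be illustrated with a small access gate. The following is an added example written for this page, not code from the article or from any HIPAA guidance; the users, passwords, record IDs and "need-to-know" lists are all constructed for illustration, and it also enforces the administrative point that someone without a need to know (the spouse or child case) is refused even after logging in.

```python
"""Minimal PHI access gate with an audit trail (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AuditEvent:
    """One line of the access log: who tried to see which record, and the outcome."""
    timestamp: str
    user: str
    record_id: str
    outcome: str   # "viewed" or "denied"
    reason: str


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored credentials are not the raw passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PhiStore:
    """In-memory stand-in for a home-office record system (hypothetical)."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}             # record_id -> PHI payload
        self._need_to_know: dict[str, set[str]] = {}   # record_id -> users allowed to see it
        self._credentials: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self._logged_in: set[str] = set()
        self.audit_log: list[AuditEvent] = []

    def register_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._credentials[user] = (salt, _hash_password(password, salt))

    def add_record(self, record_id: str, payload: str, allowed_users: set[str]) -> None:
        self._records[record_id] = payload
        self._need_to_know[record_id] = set(allowed_users)

    def login(self, user: str, password: str) -> bool:
        """Login requirement: no identity, no access. Failed attempts are logged too."""
        entry = self._credentials.get(user)
        if entry is None:
            self._log(user, "-", "denied", "unknown user")
            return False
        salt, expected = entry
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            self._log(user, "-", "denied", "bad password")
            return False
        self._logged_in.add(user)
        return True

    def view(self, user: str, record_id: str) -> Optional[str]:
        """Return the record only to a logged-in user with a need to know; log every attempt."""
        if user not in self._logged_in:
            self._log(user, record_id, "denied", "not logged in")
            return None
        if record_id not in self._records:
            self._log(user, record_id, "denied", "no such record")
            return None
        if user not in self._need_to_know[record_id]:
            self._log(user, record_id, "denied", "no need-to-know")
            return None
        self._log(user, record_id, "viewed", "authorized")
        return self._records[record_id]

    def viewers_of(self, record_id: str) -> list[str]:
        """The monitoring question the Security Rule asks: who has actually seen this record?"""
        return [e.user for e in self.audit_log
                if e.record_id == record_id and e.outcome == "viewed"]

    def _log(self, user: str, record_id: str, outcome: str, reason: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, user, record_id, outcome, reason))


def demo() -> PhiStore:
    """Walk through the cases the article describes, with constructed names and data."""
    store = PhiStore()
    store.register_user("dr.lee", "correct horse battery staple")   # constructed credential
    store.register_user("spouse", "family-pc")                      # constructed credential
    store.add_record("pt-1001", "Patient A: lab results (constructed)", {"dr.lee"})
    store.view("dr.lee", "pt-1001")                    # denied: not logged in yet
    store.login("dr.lee", "correct horse battery staple")
    store.view("dr.lee", "pt-1001")                    # viewed: logged in and on the need-to-know list
    store.login("spouse", "family-pc")
    store.view("spouse", "pt-1001")                    # denied: logged in, but no need to know
    return store


if __name__ == "__main__":
    for event in demo().audit_log:
        print(f"{event.timestamp} {event.user:8} {event.record_id:8} {event.outcome:7} {event.reason}")
```

The audit log is the part a reviewer would look at first: it records denials as well as successful views, so a household member repeatedly trying a record they are not cleared for shows up as a pattern rather than disappearing.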
