QUESTION: It is my understanding that the requirement to adopt HIPAA security safeguards applies only to electronic health information and not to paper records. Is that correct?
ANSWER: The HIPAA security rule technically applies only to electronic protected health information (electronic PHI), which is PHI transmitted by or maintained in electronic media. “Electronic media” include: (1) electronic storage devices, including computer hard drives and transportable digital memory media, such as magnetic tapes, disks, or USB flash drives; and (2) transmission media used to exchange information already in electronic form, such as leased lines, dial-up lines, private networks, the Internet, and the physical movement of transportable memory devices. On the other hand, electronic PHI does not include fax transmissions of information stored on paper or PHI communicated orally over the telephone.
But even though nonelectronic PHI isn’t covered by the HIPAA security rule, it is still subject to the HIPAA privacy rule, which applies to both electronic and nonelectronic PHI. This includes the privacy rule’s requirement to safeguard PHI from unauthorized uses or disclosures through implementation of appropriate administrative, technical, and physical safeguards. This portion of the privacy rule is often called the “mini-security rule,” and its requirements are intended to be parallel to and consistent with the security rule. Although the safeguards requirement does not expressly incorporate provisions of the security rule into the privacy rule, there may be significant overlap between the standards.
For example, appropriate privacy safeguards may include locking filing rooms where paper PHI is stored and limiting the workforce members who are authorized to have the key or access code. Locking the rooms and limiting access may also be an appropriate safeguard under the security rule if the rooms contain computers storing electronic PHI. (Further steps, such as encryption of PHI stored on computers, may also be appropriate under the security rule.) Another example of safeguards under the privacy rule would be shredding documents prior to disposal. The analog for electronic PHI might be degaussing or incinerating electronic storage media. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVIII.C (“Safeguards (the ‘Mini-Security Rule’)”) and XXIX.B (“Security Requirements: What Information Is Protected and What Entities Must Comply?”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded 1/17/18).
Contributing Editors: EBIA Staff.