reasonable safeguards (HIPAA)

HIPAA requires that covered entities have in place "appropriate administrative, technical, and physical safeguards" for protected health information (PHI).

More specific guidance as to what constitutes appropriateness, for electronic PHI, is provided in HIPAA's Security Rule. The Privacy Rule, which also extends to non-electronic information, does not define reasonableness or appropriateness.

DHHS commentary on the Privacy Rule offers this guidance:

"It is not expected that a covered entity’s safeguards guarantee the privacy of [PHI] from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the [PHI] it holds, and assess the potential risks to patients’ privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards."

There is a tendency to focus on technical measures to promote privacy. Behavioral, administrative (policy), and simple physical measures are just as critical. Consider these, only one of which is "technical":

  • speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
  • avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
  • isolating or locking file cabinets or records rooms; or
  • providing additional security, such as passwords, on computers maintaining personal information.

All of these are privacy-promoting practices of long standing.

Last modified: 12-May-2005 [RC]

   © 2002-2006 Contributing authors and University of Miami School of Medicine