Federal Security Mandate!
Electronic Storage and Transmission of Records [1]
© Lawrence E. Hedges, Ph.D., Psy.D., ABPP
Your Duty to Protect
The federal government has spent more than a decade studying the problem of electronic storage and transmission of confidential Protected Health Information (PHI). The Security Rule, while initially developed under the HIPAA administration, is now widely accepted as the standard of care for all psychotherapists by ethics committees and licensing boards throughout the country. Complying with the Security Rule is not optional, nor does it apply only to HIPAA-compliant health providers. It is as simple as this: you have a Duty to Protect the privacy and confidentiality of any and all electronically created, stored, or transmitted Protected Health Information (EPHI).
A Written, Signed, and Dated Policy is Federally Mandated
In attempting to address the many complex issues of electronic medical record security in all types of settings, from mega-corporations to individual practitioners, the federal government became aware of how easy it is in any setting to become thoughtless and/or careless about electronic security—especially since technology keeps changing. The decision was therefore made that each health service provider shall create, maintain, and regularly update a written policy on exactly how security is guaranteed and maintained in that particular setting. This written policy is to be signed and dated by the health services provider and distributed to any and all persons who have any kind of access to Electronic Protected Health Information.
Since ethics committees and licensing boards nationwide are now accepting the Security Rule as the standard of care for electronic data, I further strongly suggest that a copy of your written, signed, and dated Security Policy be a part of every client record—just like your HIPAA Privacy Policy. And further, that at intake you provide your client with a signed and dated copy of your Security Policy at the same time as you provide your Privacy Policy—making certain that they are both constructed as separate documents, not a part of the informed consent or any other intake document. The reason is clear: when anything is being viewed by ethics committees and licensing boards as the standard of care, you want to have your compliance clearly documented in every chart.
[1] The information in this article is taken from my book on law and ethics, Facing the Challenge of Liability in Psychotherapy: Practicing Defensively (Jason Aronson, 2007). This book covers risk management in all aspects of psychotherapy practice, including HIPAA compliance, and is accompanied by a CD-ROM with 40 electronic forms ready for adaptation to the particular needs of your practice.
Compliance with this federal mandate means that you must conduct and document a full risk analysis of potential security breaches in your office, computers, and storage locations, such as break-ins, computer viruses, fires, floods, and internet hackers. You must also document how you are addressing each security concern and how you will periodically re-assess your security issues. [2] What follows is a brief overview of what you must do.
[2] All of our national mental health associations maintain on their websites information on how to comply with the Security Rule. A particularly useful guide is "The HIPAA Security Rule Primer", available at www.apapractice.org. Also available at the same site is a workbook that can take you systematically through all of the relevant concerns and suggest ways of addressing them.
The three HIPAA Security Rule standards: In conducting and documenting your risk assessment there are three categories of Security Rule standards that must be explicitly addressed. [3]
[3] The Implementation Specifications can also be found in the Security Rule itself, located at: www.cms.hhs.gov/HIPAA/HIPAA2/regulations/security/default.asp.
I. Administrative Standards: In your written Security Policy you must address the implementation of office policies and procedures, staff training, and other measures designed to carry out security requirements. The Administrative Standards you must address in writing are:
1. Assigned Security Responsibility: You must appoint a HIPAA Security Officer (yourself?) who is responsible for developing and implementing security protocols and who can answer client questions.
2. Security Management Process: The HIPAA Security Officer must create and implement practices designed to prevent, detect, contain, and correct HIPAA violations. How is this done in your setting?
3. Workforce Security: The Security Officer must create a system that ensures and limits appropriate employee access to EPHI.
4. Information Access Management: You must create a system of passwords to guarantee that only authorized people have access to each type of client information.
5. Security Awareness and Training: You must implement and document training of all people who have access to any EPHI. How do you do this? At the beginning of employment? On a periodic basis?
6. Security Incident Procedures: You must implement procedures to detect, correct, and discipline any breaches in EPHI security.
7. Contingency Plan: You must establish emergency procedures for responding to security threats such as vandalism, fire, system failures, and natural disasters. What are your plans? Put them into writing in your policy.
8. Evaluation: You must document the ways you regularly review and update your security standards.
9. Business Associate Contracts: You must ensure that all business associates (answering services, billing services, shredders, computer technicians, etc.) are trained properly and in compliance with HIPAA security rules.
II. Physical Standards relate to limiting access to the physical areas in which electronic information is housed. In your written Security Policy you must address the following areas of concern.
1. Facility Access Controls: You must control physical access to all locations where EPHI is stored to assure that only appropriate people have access to or can remove EPHI.
2. Workstation Use: You must assure that each workstation that can access EPHI can only be used by authorized personnel.
3. Workstation Security: All devices must be secured so they cannot be moved or observed by non-authorized personnel.
4. Device and Media Control: You must ensure that any devices or media (discs, etc.) are secure when changing locations or being discarded. How do you wipe your hard disc totally when discarding your computers? Think through all of this and put your policies in writing.
III. Technical Standards concern authentication, transmission, and other issues that may arise when authorized personnel access EPHI via computer or any other electronic device.
1. Access Controls: You must ensure only appropriate access to EPHI by authorized users.
2. Audit Controls: You must create procedures that monitor for EPHI security breaches.
3. Integrity: You must create safeguards to protect against improper alteration or destruction of EPHI.
4. Person or Entity Authentication: You must implement procedures that ensure that the person attempting to access EPHI is in fact that person.
5. Transmission Security: You must implement procedures that guard against unauthorized access to EPHI while it is being transmitted over an electronic transmission network.