HIPAA
requires that covered entities have in place "appropriate administrative,
technical, and physical safeguards" for protected health information (PHI). The
Privacy Rule, which also extends to non-electronic information, does not define
reasonableness or appropriateness. HHS commentary on the Privacy Rule offers
this guidance:
"It is not expected that a covered entity's safeguards guarantee
the privacy of [PHI] from all potential risks. Reasonable safeguards will vary
from a covered entity to a covered entity depending on factors, such as the size of
the covered entity and the nature of its business. In implementing reasonable
safeguards, covered entities should analyze their own needs and circumstances,
such as the nature of the [PHI] it holds and assess the potential risks to
patients' privacy. Covered entities should also consider the potential effects
on patient care and may consider other issues, such as the financial and
administrative burden of implementing particular safeguards."
There is a tendency to focus on technical measures to promote
privacy. Behavioral, administrative (policy), and simple physical measures are
just as critical. Consider these, only one of which is "technical": (1)
speaking quietly when discussing a patient's condition with family members in a waiting room or other public area; (2) avoiding using patients' names in public
hallways and elevators and posting signs to remind employees to protect patient
confidentiality; (3) isolating or locking file cabinets or records rooms; or
(4) providing additional security, such as passwords, on computers maintaining
personal information.
All of these are privacy-promoting practices of long standing.