The Safeguards Principle in the Privacy and Security Framework emphasizes that trust in electronic health information exchange can only be achieved if reasonable administrative, technical, and physical safeguards are in place. The HIPAA Privacy Rule supports the Safeguards Principle by requiring providers to implement appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI).
The Privacy Rule’s safeguards standard assures the privacy of PHI by requiring providers to reasonably safeguard PHI from any intentional or unintentional use or disclosure in violation of the Privacy Rule. The safeguards requirement, as with all other requirements in the Privacy Rule, establishes protections for PHI in all forms:
Safeguards include such actions and practices as securing locations and equipment, implementing technical solutions to mitigate risks, and workforce training.
The Privacy Rule’s safeguards standard is flexible and does not prescribe any specific practices or actions that must be taken by providers. This allows entities of different sizes, functions, and needs to adequately protect the privacy of PHI as appropriate to their circumstances. However, since each provider chooses the safeguards that best meet its individual needs, the types of protections applied may not be the same across all participants exchanging electronic health information to or through a health information organization (HIO), and some participants may not be providers.
When providers and others participate in electronic health information exchange with an HIO, the actual exchange of information may be facilitated and even enhanced if all participants adopt and adhere to the same or consistent safeguard policies and procedures. To that end, the flexibility of the Privacy Rule would allow providers and the HIO, as their business associates, to agree on appropriate, common safeguards that would apply to their electronic exchange of information. In addition, as a requirement of participation in the electronic health information exchange with the HIO, these commonly agreed safeguards also could be extended to other participants, even though they are not providers. For example, HIO participants may agree to use a common set of procedures and mechanisms to verify the credentials of and to authenticate persons requesting and accessing information through the network, or to apply the same standard training for persons who utilize the network.