The HIPAA Security Rule requires providers to assess the security of their electronic health record systems. The Security Rule sets technical safeguards for protecting electronic health records against the risks that are identified in the assessment. Some of the steps that may be taken to reduce the risks include:
- Access controls such as passwords or PINs that limit access to your information to authorized individuals, like your doctors or nurses
- Encryption of your information, which means your health information cannot be read or understood except by someone who can "decrypt" it, using a "key" made available only to authorized individuals
- Audit trails, which record who accessed your information, what changes were made, and when they were made, provide an additional layer of security and oversight.
- Workstation security, which ensures that computer terminals that can access your health records cannot be used by unauthorized persons
Your providers must have risk management policies and procedures in place -- to assess security risks, and to ensure that known risks are addressed and prevented.