HIPAA Security: What Risks Are Realistic for Your Practice?

Is your practice on the coast in hurricane territory? Is your practice management system on a computer network?

These are some of the factors practices should consider when assessing the security of their patients’ electronic protected health information (e-PHI).

The HIPAA Security Rule aims to protect e-PHI confidentiality, integrity, and availability. Its security standards help make sure that only authorized people and processes can access e-PHI and can do so as needed, and that e-PHI is not altered or destroyed in an unauthorized way.

The Security Rule offers detailed instructions for implementing particular standards, but some of these are “addressable.” This means each medical practice must decide whether the safeguard is reasonable and appropriate in that practice’s environment.

For example, the rule’s Technical Safeguards include:

  • Unique user identification (required). Assign a unique name and/or number for identifying and tracking user identity.
  • Automatic logoff (addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

The U.S. Department of Health and Human Services (HHS) offers this sampling of threats a practice might look at in assessing its risk regarding e-PHI and deciding what steps to take to mitigate it:

  1. Natural: Hurricanes, floods, tornadoes, electrical storms, and other such events;
  2. Human: Events a person could either enable or cause, i.e., unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information); and
  3. Environmental: Long-term power failure, liquid leakage, and the like.

HHS’s Security Rule Educational Paper Series offers practices and other covered entities insight into the Security Rule and help with implementing the security standards. No. 6 in the series is “Basics of Risk Analysis and Risk Management.” 

Reviewed Sept. 19, 2018

NOTICE: The Texas Medical Association provides this information with the express understanding that (1) no attorney-client relationship exists, (2) neither TMA nor its attorneys are engaged in providing legal advice, and (3) the information is of a general character. This is not a substitute for the advice of an attorney. While every effort is made to ensure that content is complete, accurate, and timely, TMA cannot guarantee the accuracy and totality of the information contained in this publication and assumes no legal responsibility for loss or damages resulting from the use of this content. You should not rely on this information when dealing with personal legal matters; rather legal advice from retained legal counsel should be sought.



Last Updated On: May 30, 2019

Originally Published On: September 13, 2012