2001 Feb;16(2):100–111. doi: 10.1111/j.1525-1497.2001.00515.x

Table 4.

Consensus Expectations for the Content Area, “Security”

Health information trustees should protect the identifiable health information in their care using reasonable security measures appropriate to the sensitivity of the information. A specific individual or group should be identified as being responsible for overall security mechanisms and processes.
Written policies
4.1 Health information trustees have written policies that delineate the security measures used to protect identifiable records from risks such as loss or unauthorized access, destruction, use, modification, or disclosure.
Security of information stored and transmitted on paper
4.2 Health information trustees have physical security measures in place where paper records are used to ensure that:
 a) Areas where health information is stored physically (e.g., record rooms, file cabinets) are locked when not attended.
 b) There is a mechanism to sign out and track the whereabouts of physical records.
 c) A record is maintained to track instances where clinical records are copied and distributed.
 d) Identifiable health information is not visible in public areas.
Security of information stored and transmitted electronically
4.3 Health information trustees have electronic security measures in place where electronic records are used, to ensure that:
 a) Identifiable data is encrypted for any external transfer over the Internet.
 b) Automated access controls and user profiles are in place in any computer or computer system storing identifiable medical information.
 c) User-friendly audit trails are in use and checked regularly or randomly.
 d) User authentication protections are in place (e.g., secret passwords or biometric identifiers).
 e) Identifiable health information visible on computer screens is not easily read by public passersby, and computer screens are disabled when the user leaves his/her computer terminal.
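Expectation 4.3(c) combines two kinds of audit-trail review: a regular, rule-based pass over every access, and a random sample drawn for manual inspection. The following Python is an added illustration of that review, not code from the article or from any health-record product. The log format, the fields, the treatment-relationship table, the working-hours window and the sample entries are all assumptions constructed for the example; a real system would take the relationship data from admission and scheduling records.

```python
"""Audit-trail review for an electronic health-record system.

Added illustration of expectation 4.3(c): audit trails that are "checked
regularly or randomly".  The log format, the treatment-relationship table
and the working-hours window are assumptions for this example.
"""
import random
from datetime import datetime

# Constructed sample of an access audit trail (not real data).
# Fields: timestamp, user id, user role, patient record id, action.
SAMPLE_AUDIT_LOG = """\
2001-02-05T09:12:44 dr_patel physician P1001 view
2001-02-05T09:15:03 dr_patel physician P1001 update
2001-02-05T10:02:17 nurse_lee nurse P1002 view
2001-02-05T22:47:51 clerk_ng clerk P1003 view
2001-02-05T11:30:09 dr_patel physician P1007 view
2001-02-06T08:05:22 nurse_lee nurse P1001 view
2001-02-06T03:14:00 dr_kim physician P1002 print
"""

# Constructed treatment-relationship table (assumption): which users are
# assigned to which patient records and therefore have a reason to access them.
CARE_TEAM = {
    "P1001": {"dr_patel", "nurse_lee"},
    "P1002": {"nurse_lee", "dr_kim"},
    "P1003": {"clerk_ng"},
}

WORK_HOURS = (7, 19)  # assumed normal working window, 07:00 to 19:00


def parse_audit_log(text):
    """Parse the whitespace-separated audit format assumed above."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, record, action = line.split()
        entries.append({
            "time": datetime.fromisoformat(ts),
            "user": user, "role": role, "record": record, "action": action,
        })
    return entries


def regular_review(entries, care_team=CARE_TEAM, work_hours=WORK_HOURS):
    """Rule-based checks applied to every entry (the 'regularly' part of 4.3c).

    Flags access by a user with no treatment relationship to the record, and
    access outside the working-hours window.  Returns (reason, entry) pairs.
    """
    findings = []
    start, end = work_hours
    for e in entries:
        assigned = care_team.get(e["record"], set())
        if e["user"] not in assigned:
            findings.append(("no_treatment_relationship", e))
        if not (start <= e["time"].hour < end):
            findings.append(("outside_working_hours", e))
    return findings


def random_review_sample(entries, k, seed=None):
    """Draw k entries for manual inspection (the 'randomly' part of 4.3c).

    A fixed seed makes a given review reproducible for the record; omit it
    in production so that users cannot predict which accesses are sampled.
    """
    rng = random.Random(seed)
    return rng.sample(entries, min(k, len(entries)))


if __name__ == "__main__":
    log = parse_audit_log(SAMPLE_AUDIT_LOG)
    for reason, e in regular_review(log):
        print(f"{reason}: {e['user']} {e['action']} {e['record']} at {e['time']}")
    for e in random_review_sample(log, 2):
        print(f"sampled for manual review: {e['user']} {e['record']} at {e['time']}")
```

Both reviews should produce a written record (who reviewed, what was flagged, how it was resolved), since 4.5(a) expects the security officer to audit the audit process itself.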
Security officer or team
4.4 Organizations that are health information trustees designate 1 or more specific individuals to be accountable for overall security measures, regular review of security issues and updating of security protocols (e.g., a security officer or team).
4.5 The security officer, or other responsible party, does the following:
 a) Performs or supervises periodic audits of health information security procedures to detect and prevent breaches in security.
 b) Defines and periodically updates mechanical and electronic deidentification procedures and oversees their use.