Health information trustees should protect the identifiable health information in their care using reasonable security measures appropriate to the sensitivity of the information. A specific individual or group should be identified as being responsible for overall security mechanisms and processes.
Written policies
4.1 Health information trustees have written policies that delineate the security measures used to protect identifiable records from risks such as loss and unauthorized access, destruction, use, modification or disclosure.
Security of information stored and transmitted on paper
4.2 Health information trustees have physical security measures in place where paper records are used to ensure that:
a) Areas where health information is stored physically (e.g., record rooms, file cabinets) are locked when not attended.
b) There is a mechanism to sign out physical records and track their whereabouts.
c) A record is maintained of each instance in which clinical records are copied and distributed.
d) Identifiable health information is not visible in public areas.
Security of information stored and transmitted electronically
4.3 Health information trustees have electronic security measures in place where electronic records are used to ensure that:
a) Identifiable data is encrypted for any external transfer over the Internet.
b) Automated access controls and user profiles are in place on any computer or computer system storing identifiable health information.
c) User-friendly audit trails are in use and are reviewed regularly or at random.
d) User authentication protections are in place (e.g., secret passwords or biometric identifiers).
e) Identifiable health information visible on computer screens cannot easily be read by public passersby, and computer screens are disabled when the user leaves his/her computer terminal.
Security officer or team
4.4 Organizations that are health information trustees designate one or more specific individuals to be accountable for overall security measures, regular review of security issues and updating of security protocols (e.g., a security officer or team).
4.5 The security officer, or other responsible party, does the following:
a) Performs or supervises periodic audits of health information security procedures to detect and prevent breaches of security.
b) Defines and periodically updates mechanical and electronic de-identification procedures and oversees their use.