
9 Areas to Assess ePHI and Ensure HIPAA Compliance

May 13, 2015 - SymQuest Blog, Compliance


Posted by Mark Jennings


How safe does your practice keep your patients’ health and personal information?

HIPAA and HITECH have been in effect since 1996 and 2009, respectively, so creating a safe environment for patient information should be second nature by now, but emerging reports paint a different picture.

According to the 2013 Redspin Breach Report, in just 2013, over 7 million patient health records were compromised, with over 4 million of those attributed to one event. A more recent report published in the Journal of the American Medical Association this month confirms an upward trend in data breaches, with almost 60% the result not of hackers, but of theft.

With electronic records across all industries coming under greater threat, practices can expect greater scrutiny of HIPAA compliance as well as increased calls for stronger legislation to protect patient information.

Now is the time to take stock of your compliance and make sure you’re being proactive in order to avoid costly penalties and audits, maintain the trust of your patients and prepare for any future changes to the laws and requirements.


Here are nine areas to assess and make sure you’re up to snuff:

  1. Unique User Identification – Required under the Access Control standard of the Technical Safeguards section of the HIPAA Security Rule. Does every user on your system have a unique user name and/or number to identify and track their activity?
  2. Emergency Access Procedure – Also required under the Access Control standard. Does your practice have a procedure in place to gain access to necessary records during an emergency? More importantly, does your staff know what it is and how to implement the procedure?
  3. Automatic Logoff – How long do your computers keep users logged in during an inactive time? Putting an automatic logoff in place on all devices is an easy way to reduce your risk of a breach.
  4. Encryption – Knowing that almost 60% of breaches are the result of theft of devices, how secure are your ePHI records in the event that a laptop goes missing? Establishing a mechanism to encrypt and decrypt records can keep your patients’ information secure even in the event of a theft. There are two types of Encryption: Encryption at Rest and Encryption in Transit:

Encryption at Rest involves full disk and database encryption. The phrase At Rest means your data is not moving. Data stored on your laptop or desktop could be considered data at rest. Even if you copy your data to a memory stick, it’s still considered data at rest. Much encryption at rest involves copying whole disks or databases versus smaller columns or sets of data.

Encryption in Transit involves backing up data that is often moving from one location or network to another. An example of this type of encryption includes email and data backup encryption. It is recommended that employee protocols are set for encryption in transit to mitigate risk from outside your network.


  5. Audit Controls – When things go wrong (and it’s more of a “when” than an “if,” if statistics are to be believed…) do you have a mechanism in place that allows you to review activity in systems that contain ePHI?
  6. ePHI Authentication – It may sound basic, but can you prove that a given ePHI hasn’t been altered or destroyed without authorization?
  7. Authentication – How do you determine that the person or persons requesting access to a record is actually authorized to do so?
  8. Integrity Controls – How secure is your network? How secure is your staff’s email? What about the e-mail on their laptop, phone or tablet? Making sure your electronic transmission security is on par is crucial.
  9. Decryption – While it’s important to encrypt all data at rest or in transit, there are times when you will need to pull data from an encrypted source. By having the proper tools for decryption you can determine if data is malicious, and complete regular necessary network tasks.

As with any practice, just putting systems in place is only the beginning. It’s important to regularly review, test and update your systems, both electronic and human. These nine areas are crucial to meeting HIPAA standards and protecting your practice from penalties, but keeping your patients’ information secure is an ongoing effort.

To speak with a technology professional about building a HIPAA compliant IT workflow call us today at 1-800-374-9900 or request a Network Assessment.



About the author


Mark Jennings is SymQuest’s Area Vice President of IT Sales. Jennings works with SymQuest’s sales and service teams to educate customers on current best practices around data protection, disaster recovery, security, and overall technology planning.
