You might think that the task of keeping patients’ electronic data or ePHI (electronic Protected Health Information) secure is mainly the job of your office’s IT guy. After all, isn’t he the one responsible for installing the system firewall, updating virus protection, and encrypting your data?

But today I’d like to propose a different way of looking at ePHI security in your healthcare practice. Instead of seeing it as the prime responsibility of whoever handles IT in your workplace, view it instead as the shared responsibility of everyone in your office who is authorized to access the practice’s computers.

The “90/10” Rule

In offices that implement good security standards:

  • 10% of ePHI security safeguards are technical
  • 90% of ePHI security safeguards rely on the computer user to adhere to good computer practices — for instance, keeping passwords secret and closing computer programs containing ePHI when not in use

Here’s a hypothetical example of the 90/10 Rule in a somewhat different context: Hearing of a break-in in the building next door, Dr. Doright hires a locksmith to install on the door to his office a new state-of-the-art lock — a high-quality, heavy-duty solution. That’s the 10%.

But that expensive lock is worthless if the doctor or his office manager forgets to turn the key when leaving, fails to notice that the door isn’t completely closed, or is careless about where the key is kept during the day. That’s the 90%.

When it comes to HIPAA, remembering the 90/10 Rule makes compliance easier and an integral part of a team effort to safeguard PHI and ePHI.