The Tao of HIPAA
The "Minimum Necessary" Rule




"Tell me more of this minimum necessary law," asked the novice.

The HIPAA Master paused, looking at the novice, "Is it not true that everyone in your office has access to all information of your patients?"

The novice responded, "But Master, that is part of servicing our patients."

"All your people need to know everything about all your patients?" the Master inquired. "Is it not true that only certain of your people really need to have this knowledge?"

The novice sat on a fallen tree, pondering this question. "Well, the person that answers our phone has no need to know a patient's health history. And I suppose as I think of each of my people, very few actually need to know everything about each patient. Some do, most don't."

The Master smiled, "Grasshopper, do not forget the specialist you send patients to. For he also has no need to see the entire file."

"What is this access of which you speak?" asked the novice.

"Your people within receive the information as a normal course of the day," the Master responded. "This is called access and must be restricted to the minimum necessary to do their tasks and no more."

"But there is another issue and that is availability. Is it not true that many of your people can get to this protected health information even though it is not needed for their tasks?" the Master inquired.

"You mean I must restrict not only the information my people receive but also protect the data from being simply available?" the novice asked. "But that means I must change the way all my in-office systems work, and install security in places I now have none!"

"Ah, the path of HIPAA enlightenment becomes clearer now, does it not?" The Master smiled.


copyright 2003 HIPAAps.com