HIPAA requires that covered entities have in place "appropriate administrative, technical, and physical safeguards" for protected health information (PHI). The Privacy Rule, which also extends to non-electronic information, does not define reasonableness or appropriateness. HHS commentary on the Privacy Rule offers this guidance:
"It is not expected that a covered entity's safeguards guarantee the privacy of [PHI] from all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the [PHI] it holds, and assess the potential risks to patients' privacy. Covered entities should also consider the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards."
There is a tendency to focus on technical measures to promote privacy, but behavioral, administrative (policy), and simple physical measures are just as critical. Consider these four, only one of which is "technical": (1) speaking quietly when discussing a patient's condition with family members in a waiting room or other public area; (2) avoiding the use of patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality; (3) isolating or locking file cabinets or records rooms; and (4) providing additional security, such as passwords, on computers that hold personal information.
All of these are long-standing privacy-promoting practices.