The Tao of HIPAA
The "Minimum Necessary" Rule




"Tell me more of this minimum necessary law", asked the novice.

The HIPAA Master paused, looking at the novice. "Is it not true that everyone in your office has access to all information of your employees?"

The novice responded, "But Master, that is how we have always handled that information."

"All your people need to know everything about all your employees?" the Master inquired. "Is it not true that only certain of your people really need to have all this knowledge?"

The entrepreneur sat on a fallen tree, pondering this question. "Well, the person that answers our phone has no need to know an employee's health history. And I suppose as I think of each of my HR people, very few actually need to know anything about each employee. Some do, most don't."

The Master smiled. "Grasshopper, do not forget the broker you send applications to. For he also has minimal need to see the information."

"What is this access of which you speak?" asked the novice.

"Your people within receive the information as a normal course of the day." the Master responded. "This is called access and must be restricted to the minimum necessary to do their tasks and no more."

"But there is another issue and that is availability. Is it not true that many of your people can get to this protected health information even though it is not needed for their tasks?" the Master inquired.

"You mean I must restrict not only the information my people receive but also protect the data from being simply available?" the novice asked. "But that means I must change the way all my in-office systems work, and install security in places I now have none!"

"Ah, the path of HIPAA enlightenment becomes clearer now, does it not?" The Master smiled.

copyright 2004 er.HIPAAps.com
