HIPAA Compliance Policy and Your EHR

HIPAA Compliance and EHR

As many organizations have found out the hard way, there is an important relationship between HIPAA compliance policy and your Electronic Health Records (EHR).

Consider these recent headlines:

Headlines like this really bring home the need to protect access to your hospital or clinic’s electronic health record system.  An annual HIPAA risk analysis will help in identifying issues early on.  Healthcare organizations need several policies to give employees guidance on limiting access to protected health information.


Important HIPAA Compliance Policy

All employees should undergo initial and annual HIPAA privacy and security training.  This training should cover the general principles underlying HIPAA.  Many staff members would like specific do’s and don’ts.  But the HIPAA Privacy regulations are reason-based.  They exhort us to protect the privacy of protected health information (PHI).  We are expected to look at situations involving disclosing PHI, and recognize how our actions maintain privacy – not just follow specific rules.  Employee training should cover the rules, of course, but it must start with the basic premise of the regulation.

An organization’s Network Usage Policy will specify the acceptable and unacceptable use of electronic devices and network resources at the organization.  It should remind staff that any form of tampering, including snooping and hacking, to gain access to computers is a violation of company policy.

One of the most serious threats to your EHR, and therefore to HIPAA compliance, is malicious software.  A HIPAA compliance policy on this issue will instruct users to take due care when opening suspicious or unexpected email with attachments from unknown senders.  This is one of the most frequent methods attackers use to gain access to other systems – including electronic health records.

An email use policy should mandate the use of encryption when sending protected health information or other confidential information via email.

Of course, password management is very important.  This HIPAA compliance policy should describe the standards for passwords.  It should also remind staff that passwords should never be written down, shared or communicated to anyone else.

A computer security incident policy should require everyone to report potential security incidents.  These include any attempted or unsuccessful unauthorized access, use or disclosure of information systems and the information they contain.  The policy should also identify the Information Security Officer of the organization.


HIPAA Compliant EHR Access

Your EHR vendor is very likely a Business Associate.  Your software licensing agreement should include a business associate agreement whenever a vendor has access to your PHI.

Controlling access is important to HIPAA and your EHR.  User roles should be well-defined.  Non-employee users should be reviewed periodically to make sure such people continue to need access.

Periodic audits of staff who are accessing EHR information are also important.  Are employees accessing their own records?  Is there a patient portal employees should use instead?
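As an added example (not code from the article), here is a small Python audit over a constructed EHR access log that answers the two review questions above: employees opening their own chart, and non-employee accounts still in use after their access review date has lapsed. The field names, user IDs, MRNs and the directory mappings are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample EHR access log (not from the article): who opened which
# patient chart, when, and under which role.
ACCESS_LOG = """\
timestamp,user_id,role,patient_mrn,action
2024-03-01T08:02:00,nurse01,Nursing,MRN1001,view
2024-03-01T08:10:00,nurse01,Nursing,MRN2042,view
2024-03-01T09:15:00,drsmith,Physician,MRN1001,view
2024-03-01T11:40:00,vend_acme,Vendor,MRN3077,view
2024-03-02T07:55:00,billing3,Billing,MRN2042,export
"""

# Constructed directory: employees who are also patients (user -> their own MRN)
# and external (non-employee) accounts with the date their last access review expired.
EMPLOYEE_OWN_MRN = {"nurse01": "MRN2042", "drsmith": "MRN9000"}
EXTERNAL_ACCOUNTS = {"vend_acme": date(2024, 1, 31)}


def parse_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_access(entries, own_mrn, external):
    """Return (reason, entry) pairs that a compliance reviewer should look at."""
    findings = []
    for e in entries:
        # Employee opening their own chart: the patient-portal question from the article.
        if own_mrn.get(e["user_id"]) == e["patient_mrn"]:
            findings.append(("self-access", e))
        # Non-employee account used after its periodic access review lapsed.
        expiry = external.get(e["user_id"])
        if expiry is not None and date.fromisoformat(e["timestamp"][:10]) > expiry:
            findings.append(("external-access-review-expired", e))
    return findings


if __name__ == "__main__":
    for reason, e in audit_access(parse_log(ACCESS_LOG), EMPLOYEE_OWN_MRN, EXTERNAL_ACCOUNTS):
        print(f"{reason}: {e['timestamp']} {e['user_id']} -> {e['patient_mrn']}")
```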

Does your system automatically log off users after a predetermined length of time?  Do you have a disaster recovery plan, and do you test it periodically?


HIPAA Compliance Policy and Your EHR – the Bottom Line

In the end, the success of your HIPAA compliance policy depends on staff members acting in accordance with it.  The incidents in the headlines all included some lapse in security.  And there are many hundreds of similar occurrences across the country and the world.  Sometimes it was the lack of a policy or a technical failure like leaving firewalls down.  Other incidents are due to opening an attachment to an email from someone you don’t know.  Still others are due to not encrypting PHI when loading it onto a portable storage device or laptop computer – and then having the device stolen!

Organizations can and should take several steps to address HIPAA compliance policy and your EHR.  There have to be technical, administrative and physical safeguards for EHR systems.  But few, if any, of these safeguards will work without trained, conscientious staff members.


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPA’s, MSO’s, and other healthcare organizations.


2 thoughts on “HIPAA Compliance Policy and Your EHR”

  1. Sir,
    I live and work in Rochester NY. My question is as follows:
    Do I have a legal right to obtain a copy of my medical/mental reports/evaluations from my employer? In my specific case it would be the City of Rochester and the City of Rochester Police Department.

    1. Mr. Phillips, different states have different laws about records maintained by employers, so we can’t comment on your legal rights under state law. Here is an excerpt from the HHS website on HIPAA and Employers:
      Employment Records
      The HIPAA Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.
      If you work for a health plan or a covered health care provider:
      The Privacy Rule does not apply to your employment records.
      The Rule does protect your medical or health plan records if you are a patient of the provider or a member of the health plan.

      So if your employer is also your provider for health care services, you have a right to the medical records they create or maintain pertaining to your care. (There are special provisions for mental health records both under HIPAA and other federal laws.) Your right to employment records containing protected health information created by other health care providers would be covered by state laws in New York.

      I hope this helps!