As many organizations have found out the hard way, there is an important relationship between your HIPAA compliance policy and your Electronic Health Records (EHR).
Consider these recent headlines:
- 100 million health records stolen in 2015 – one in three Americans’ information compromised,
- Electronic Medical Records are the latest target for identity thieves,
- Huge hack shows the vulnerability of electronic health records,
- US Government inter-agency report indicates there has been an average of 4000 daily ransomware attacks since early 2016.
Headlines like these really bring home the need to protect access to your hospital or clinic’s electronic health record system. An annual HIPAA risk analysis will help identify issues early on. Healthcare organizations need several policies to give employees guidance on limiting access to protected health information.
Important HIPAA Compliance Policy
All employees should undergo initial and annual HIPAA privacy and security training. This training should cover the general principles underlying HIPAA. Many staff members would like specific do’s and don’ts. But the HIPAA Privacy regulations are reason-based. They exhort us to protect the privacy of protected health information (PHI). We are expected to look at situations involving disclosing PHI, and recognize how our actions maintain privacy – not just follow specific rules. Employee training should cover the rules, of course, but it must start with the basic premise of the regulation.
An organization’s Network Usage Policy will specify the acceptable and unacceptable use of electronic devices and network resources at the organization. It should remind staff that any form of tampering, including snooping and hacking, to gain access to computers is a violation of company policy.
One of the most significant threats to HIPAA compliance and your EHR is malicious software. A HIPAA compliance policy on this issue will instruct users to take due care when opening suspicious or unexpected email with attachments from unknown senders. This is one of the most frequent methods attackers use to gain access to other systems, including electronic health records.
An email use policy should mandate the use of encryption when sending protected health information or other confidential information via email.
Of course, password management is very important. This HIPAA compliance policy should describe the standards for passwords. It should also remind staff that passwords should never be written down, shared or communicated to anyone else.
A computer security incident policy should require everyone to report potential security incidents. These include any attempted or unsuccessful unauthorized access, use or disclosure of information systems and the information they contain. The policy should also identify the Information Security Officer of the organization.
HIPAA Compliant EHR Access
Your EHR vendor is very likely a Business Associate. Your software licensing agreement should include a business associate agreement whenever a vendor has access to your PHI.
Controlling access is important to HIPAA and your EHR. User roles should be well-defined. Non-employee users should be reviewed periodically to confirm that they still need access.
Periodic audits of staff who are accessing EHR information are also important. Are employees accessing their own records? Is there a patient portal employees should use instead?
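As an added illustration (not code from the original article), the following Python script shows what such an audit check can look like when run over an EHR access log: it flags staff who opened their own chart, and it also covers the non-employee review above by flagging accesses from accounts that are missing from the current authorized-user list. The log format, field names, user IDs and MRNs are all constructed assumptions for this example.

```python
"""Audit EHR access records for two conditions the article raises:
employees viewing their own chart (they should use the patient portal)
and accesses by accounts that are not on the current authorized-user list.
The log format and field names are assumptions for this example."""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample roster: who may access the EHR and, for staff who are
# also patients here, the MRN of their own chart (None if not a patient).
AUTHORIZED_USERS = {
    "jdoe": {"role": "nurse", "own_mrn": "MRN-1001"},
    "asmith": {"role": "physician", "own_mrn": None},
    "vendor01": {"role": "business_associate", "own_mrn": None},
}

# Constructed access log: CSV with a header row (assumed format).
SAMPLE_LOG = """timestamp,user,patient_mrn,action
2024-03-01T08:05:00,jdoe,MRN-2044,view
2024-03-01T08:07:00,jdoe,MRN-1001,view
2024-03-01T09:12:00,asmith,MRN-2044,update
2024-03-01T09:40:00,contractor9,MRN-3090,view
2024-03-01T10:01:00,vendor01,MRN-2044,view
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_mrn: str
    reason: str


def parse_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def audit_access(rows, authorized):
    """Return one Finding per access that needs follow-up by the
    Information Security Officer, in log order."""
    findings = []
    for row in rows:
        user = row["user"]
        mrn = row["patient_mrn"]
        profile = authorized.get(user)
        if profile is None:
            # Account is not on the roster: a stale contractor or vendor
            # login, or an unknown account. Either way it needs review.
            findings.append(Finding(row["timestamp"], user, mrn,
                                    "account not on authorized-user list"))
            continue
        if profile["own_mrn"] is not None and profile["own_mrn"] == mrn:
            # Staff member opened their own chart through the EHR rather
            # than the patient portal.
            findings.append(Finding(row["timestamp"], user, mrn,
                                    "employee accessed own record"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample log and roster."""
    return audit_access(parse_log(SAMPLE_LOG), AUTHORIZED_USERS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.timestamp} {f.user} {f.patient_mrn}: {f.reason}")
```

On the sample data the script reports two findings: the nurse who viewed her own chart, and the access by an account that is not on the roster. In practice the roster would be exported from the HR or identity system, and the check would run on a schedule against the EHR's audit trail rather than on an inline sample.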
Does your system automatically log off users after a predetermined length of time? Do you have a disaster recovery plan, and do you test it periodically?
HIPAA Compliance Policy and Your EHR – the Bottom Line
In the end, the success of your HIPAA compliance policy depends on staff members acting in accordance with it. The incidents in the headlines all involved some lapse in security, and there are many hundreds of similar occurrences across the country and the world. Sometimes the cause was a missing policy or a technical failure, such as leaving firewalls down. Other incidents are due to someone opening an email attachment from an unknown sender. Still others are due to not encrypting PHI when loading it onto a portable storage device or laptop computer, and then having the device stolen!
Organizations can and should take several steps to address HIPAA compliance policy and their EHR. There have to be technical, administrative and physical safeguards for EHR systems. But few, if any, of these safeguards will work without trained, conscientious staff members.