Since 2009, the American Recovery and Reinvestment Act has funded a movement toward the implementation and adoption of electronic health records (EHR). For nearly a decade, health care providers and health systems have spent time, effort and money on bringing technology on board to harness data and improve the quality of health care.
HIPAA Requirements
The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement Public Law 104 – 191: Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individuals' health information – called "protected health information" by organizations subject to the rule – called "covered entities," as well as standards for individuals' privacy rights to understand and control how their health information is used.
Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
Where HIPAA Meets EHR
Then the HIPAA Security Rule came into force two years after the original legislation on April 21, 2005. Dealing specifically with electronically stored PHI (ePHI), the Security Rule laid down three security safeguards – administrative, physical and technical – that must be adhered to in full in order to comply with HIPAA.
We all know protecting PHI is serious business. Just ask the health care organizations who have made it to the OCR's "wall of shame". But here comes the tricky part: Of the 45 citations of HIPAA law with which your practice must comply, nine of these standards must be met through your EHR system.
What Must Your EHR System Allow You to Do?
Mechanism to authenticate electronic protected health information: How can you prove that the data has not been altered in your EHR system?
Assign role-based access to treatment, payment and/or operations: Can you assign minimum information levels of access to your staff based on their job description?
Track user activity within the system: Can you monitor / track the activity of each user in your EHR system?
Monitor log-in attempts that are both successful and unsuccessful: Can you track users (and hackers) who have made log-in attempts or intruded into your EHR system?
Establish unique user identification: Does your EHR system allow you to set up unique identification for each user in the practice?
Encrypt your data at rest and encrypt / decrypt your data in motion: Does your EHR system encrypt data at rest or in motion?
Provide automatic log-off and lockouts after failed attempts: Can your EHR system be programmed to log-off your users after a set period of time or lock out a user after failed attempts?
Backup and disaster recovery plan: Is your EHR system able to create and maintain – and restore – exact copies of your files?
Your EHR Won't Take the Blame for HIPAA Violations – You Will
HIPAA places the burden for privacy and security on the clinician, who is the covered entity (that's you). As the originators of PHI with the patient, clinicians have the responsibility to keep PHI privately and securely safeguarded.
Since the PHI in our practices is largely located and accessible through our EHR system, it only makes sense that the EHR system should have the capacity to perform essential functions to allow us to meet the standards of the law. But the question is – do you have proof your EHR system is capable of these functions ... and are you doing them?
Contact your electronic health records vendor today; get the proof and training you need to confirm you are compliant with HIPAA standards.
Author's Note: Learn more about this issue by watching the webinar, "HIPAA Compliance Through EHR Systems".
Dr. Scott Munsterman, a graduate of Northwestern Health Sciences University, served two terms as mayor of Brookings, South Dakokta, and three consecutive terms on the S.D. House of Representatives, chairing the House Health and Human Services and Legislative Planning committees. He is the founder and CEO of Best Practices Academy and co-founder of ChiroArmor. Contact him with EHR-HIPAA questions at
.