Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether it uses a vendor to process or store its patient records. If your EHR vendor claims you don't have to worry about HIPAA compliance, that may not be true for your particular business. Privacy and security involve much more than simply having a HIPAA-compliant EHR.
The federal government put in place the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to ensure you have rights over your own health information, no matter what form it is in. The government also created the HIPAA Security Rule to require specific protections that safeguard your electronic health information. Measures that can be built into EHR systems include:
- "Access control" tools such as passwords and PINs, which help limit access to your information to authorized individuals.
- "Encrypting" your stored information, so that your health information cannot be read or understood except by someone using a system that can "decrypt" it with the corresponding "key."
- An “audit trail” feature, which records who accessed your information, what changes were made and when.
Finally, federal law requires doctors, hospitals, and other health care providers to notify you of a “breach.” The law also requires the health care provider to notify the Secretary of Health and Human Services. If a breach affects more than 500 residents of a state or jurisdiction, the health care provider must also notify prominent media outlets serving the state or jurisdiction. This requirement helps patients know if something has gone wrong.
Here are some specific actions your entity should take when working to protect patient information:
- Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
- Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
- Conduct an annual HIPAA security risk analysis (specifically required under the HIPAA rules). This can involve regularly engaging a trusted provider that remotely monitors and maintains your network and devices to ensure ongoing security.
- Mitigate and address any risks identified during your HIPAA risk analysis, including deficient security, administrative, and physical controls; access to environments where ePHI is stored; and the absence of a disaster recovery plan.
- Make sure your policies and procedures match up to the requirements of HIPAA.
- Encrypt patient information using a key known or made available only to authorized individuals.
- Incorporate audit trails, which record who accessed your information, what changes were made, and when they were made, providing an additional layer of security.
- Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.
Keep Your EHRs Protected & Compliant
Record Nations works to make sure the transfer of your medical records to electronic form is seamless. We specialize in helping you find the document management contractor that's right for your business, regardless of the size of the job. If you are interested in learning more about the document management services we can provide, please fill out the form or give us a call at (866) 385-3706.