Health providers have increasingly migrated from paper charts to electronic health records (EHRs), many of them encouraged by the HITECH Act, which President Barack Obama signed into law in 2009 to promote the use of health information technology. The right EHR can provide convenience, efficiency, and improved data management for a practice.
Just like with paper charts, however, practices that use EHRs must follow HIPAA rules for keeping patient information secure. Unfortunately, not all EHRs are made to be HIPAA compliant. High-profile security breaches in recent years have demonstrated the vulnerability of electronic data. As a result, it is important to choose an EHR system that helps practices adhere to HIPAA standards to protect patient data.
Elements of HIPAA Compliance in EHRs
The HIPAA Security Rule has set national standards for protecting patients’ electronic health information. Under the Security Rule, providers must implement certain measures to be compliant and keep protected health information secure.
While there may be numerous ways to implement this rule, the U.S. Department of Health & Human Services offers recommendations for EHR security. Providers that must follow HIPAA rules should look for an EHR that offers these features.
Access control: A HIPAA-compliant EHR should use access control measures, such as passwords, so that only authorized persons can access protected health information.
Encryption: The EHR should provide encryption for the data it contains. This protects the information by converting it to a code that cannot be read except those who have the correct key.
Audit trail: The EHR should be able to record which user accesses which information, as well as record changes, and when they were made.
Security updates: Because hackers are constantly developing new and more sophisticated measures for finding and obtaining private data, the EHR system should receive periodic updates to keep security features effective.
What Practices Must Do
When it comes to HIPAA compliance, it’s not only about choosing the right EHR system. Behavioral health, addiction treatment, and other providers also must use their EHRs correctly and create practice standards, to adhere to HIPAA.
Practices should conduct annual audits of their system to find any gaps in adherence. This includes the creation and implementation of a plan to close those gaps and improve HIPAA adherence.
All providers and relevant staff members should receive thorough training in using the EHR appropriately, as well as education on HIPAA regulatory standards.
Documentation is vital for practices, especially if they become involved in a HIPAA investigation. Administration departments should maintain records of all practice efforts to become or remain HIPAA compliant. This includes documentation of all vendors who may receive health information.
In case of a data breach, practices must document the breach, notify patients that their data may have been compromised, and take appropriate and necessary steps to correct the situation.
Not all EHRs are created equal. To ensure HIPAA compliance when switching to an EHR, providers should look for products and services that offer up-to-date measures for protecting patient measures. For full compliance, however, practices should also create standards for using the EHR to keep patient information safe.