Is your EHR compliant with HIPAA regulations? These requirements are complex and can be difficult to keep up with—so we compiled a list of simple, actionable strategies to help you avoid costly fines and lawsuits. As you already know, your EHR houses a multitude of protected health information ranging from names and patient billing information to physician notes and prescriptions. Consequently, this type of information must be stored, accessed, and transmitted according to HIPAA in order to protect patients. HIPAA requirements for healthcare practices stem from three main rules, all of which we cover in this post. We also differentiate between required and addressable safeguards so you know where you have flexibility in implementation.
1- Security Rule
The HIPAA Security Rule is the most comprehensive piece of the puzzle. It includes technical, physical, and administrative components.
Let’s start with two required and three addressable technical safeguards.
- Access control [required]: Authorized users must have unique, centrally controlled usernames and PINs. Ensure you have a documented process for how to handle ePHI during an emergency.
- Activity audits [required]: You must monitor activity closely, including both successful and attempted access of ePHI. Your system must also be equipped to log what happens to acquired information.
- Authenticate ePHI: Implement a mechanism to check that ePHI hasn’t been altered or destroyed in an unauthorized manner.
- Encrypt and decrypt: All user devices should automatically encrypt and decrypt messages sent beyond the internal firewall (follow NIST standards).
- Automatic logoff: Set devices to automatically log users off after a predefined period of time has passed.
You’ll also need to address two required physical safeguards and consider two additional addressable components.
- Workstation protection [required]: You must enforce policies around the use of workstations with ePHI access. Specifically, the screen cannot be seen from an unrestricted area, and functions performed must be closely monitored.
- Mobile security [required]: Set strict governance over mobile devices with ePHI access to ensure information is kept safe while in use—and removed appropriately before device reuse.
- Facility access control: Any location where ePHI is stored or accessible needs a comprehensive record system to track every person that enters and keep unauthorized individuals from tampering or theft.
- Hardware inventory: Keep clear documentation of hardware inventory—including where it is, when it moves, and what is on it.
Finally, the Security Rule includes four required and three addressable administrative safeguards. These standards must be maintained and overseen by a Security Officer and a Privacy Officer.
- Risk analysis [required]: Identify potential security risks, assess the probability of their occurrence, evaluate the magnitude of the impact if they did occur, and determine your organization’s current preparedness. Important note: Documentation for these assessments must be kept for a minimum of six years.
- Risk management [required]: Devise and institute security measures to reduce risk to a reasonable and appropriate level. Conduct regular reviews and introduce sanctions for employees who fail to comply.
- Contingency planning [required]: Prepare an emergency plan that ensures the continuation of critical business procedures while protecting ePHI.
- Access restriction [required]: Keep ePHI safe from unauthorized access or use by parent organizations, subcontractors, or other business partners.
- Employee training: Require employees to take regular, documented trainings on ePHI policies and procedures. These modules should also include practice for identifying breaches, attacks, and malware.
- Emergency testing: Contingency plans should not simply be ‘set it and forget it’—they must be tested and revised to ensure efficacy.
- Incident reporting: Develop and deploy a system to notice and flag incidents before they turn into larger issues or breaches. In the event of a breach, follow HIPAA’s Breach Notification Rule.
2- Privacy Rule
The Privacy Rule dictates how patients can interact with their EMR and sets out guidelines for sharing. It applies widely across the industry, meaning that all types of healthcare companies must abide by it.
To align with this rule and fulfill its requirements, you must:
- Administer comprehensive training across the organization so employees are well-versed in information-sharing policies
- Execute the appropriate tactics to keep ePHI (and other personal identifying information) intact and secure
- Require and enforce the need for written permission from patients for any use of health information (e.g., for research or fundraising)
- Use Notices of Privacy Practices to advise patients or plan members about data usage
- Provide patients visibility and access into their health records
- Respond to corrections requests from patients promptly (within 30 days)
- Offer patients the option to restrict disclosure of ePHI to a health plan when the procedure was paid for privately
3- Omnibus Rule
Last but not least, the Omnibus Rule includes critical clarifications and modifications to the original HIPAA legislation. It stipulates the need for:
- New business associate agreements: Business associates are bound to the same regulations laid out in the Security and Privacy rules and must abide by them. Consequently, healthcare organizations are required to get a new, HIPAA-compliant agreement signed with business associates before using their services.
- Updates to privacy policies and practices: The Omnibus Rule included alterations to requirements around deceased persons, patients’ PHI access, disclosure limitations, patient data usage, and more. As a result, organizations must update both their internal-facing policies on privacy and their external-facing notices of privacy practices.
- Additional training: To ensure that amendments and definition updates made in the Omnibus Rule are applied correctly, all staff must be trained on the changes. Additionally, these trainings must be documented carefully and completely.
The smallest error or minor missed step in executing HIPAA can have significant consequences for your practice’s financial well-being and community reputation. This guide aims to help you avoid these losses and penalties by supporting your efforts toward total HIPAA compliance.
Even with the best resources in hand, achieving and maintaining HIPAA compliance can be quite difficult. If you’re considering the need for extra support and advice, look no further than our experienced team of health IT experts at Physician Select Management. Our managed IT security solution is in full compliance with HIPAA standards, certifying our commitment to medical information security excellence. Let’s start a conversation.