The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. It specifies who can access or retrieve a patient’s medical records. When you have an electronic medical record system, you face specific requirements in keeping your patient information private. This act sets limits on the use and release of medical records and establishes a series of privacy standards that health care providers must follow to be HIPAA compliant. The truth of the matter is that the HIPAA privacy and security obligations of a healthcare provider are not changed by transitioning to an electronic medical record system.
Providers are responsible for informing their patients of their HIPAA privacy and security rights. They must outline the policies and procedures they undertake to meet those obligations regardless of whether they use an electronic medical system or not. However, nowadays, electronic medical systems are the rule, not the exception.
HIPAA has a Security Rule, which requires providers with electronic medical record systems to use 75 specific security controls, including specific safeguards that are in place to protect personal health information. It’s up to each healthcare organization to learn and understand the features of their medical information gathering and retrieval systems, what security mechanisms are in place, and how to use them.
Creating adequate safeguards doesn’t happen overnight. Your organization should have a designated HIPAA-assigned compliance officer or team member. You should clearly and specifically lay out the roles in your organization involved with HIPAA compliance responsibilities. This includes people in charge of your electronic medical record system.
You must ensure that access to electronic medical records is restricted based on an individual’s job roles and responsibilities. Your organization should conduct an annual HIPAA security risk analysis, which is specifically required under HIPAA regulations. This can involve regularly engaging with a trusted provider that can remotely monitor your network and devices to ensure that your electronic medical record system is compliant. You must make sure that security is ongoing and that records remain secure.
Check the policies and procedures of HIPAA compliance and ensure that your systems match. You’ll also want to require user authentication, such as passwords or PINs, that limits access to patient information to authorized individuals only. It’s a good idea to encrypt your patients’ information in your electronic medical record system using a key known only to authorized individuals.
You should have audit trails. This means that you know who accessed the patient’s record. You will also want to know what they did to the record and when. It’s important to implement workstation security so unauthorized persons cannot gain access to patients’ electronic records.
HIPAA privacy and security rights require that you keep your patient records for six years after the later of the date of creation or the date when last in effect. State laws may require longer holding periods. You should know the rights that HIPAA provides patients and make sure your electronic medical record system follows them. It’s not always easy to do so, but it is necessary.
If you have questions or want Paul De Chant, MD, MBA to speak at your health care organization, please use the contact form at: http://www.pauldechantmd.com/contact/. We’re happy to hear from you.