Ways To Protect Electronic Health Records – In 2018, the number of compromised health records tripled from the previous year, with 15,085,302 records in 2018 and 5,579,438 in 2017.
Patient files are at risk! And the biggest threat comes from inadequate privacy and security measures used by healthcare providers and their IT vendors. 51% of security breaches were repeats, meaning organizations repeatedly fail to detect and fix things the first time.
Ways To Protect Electronic Health Records
One of the most important ways to protect your patient data and save you from devastating fines and lawsuits is to build a HIPAA compliant electronic medical record system.
Hipaa Compliance And Emr Systems
In this article, we’ll show you 7 key elements of HIPAA compliance for electronic records that will help you protect your patient data.
But let’s start by getting some important definitions out of the way: What is an EHR? How does it differ from an EMR? And what do they have to do with HIPAA? Read on to find out, or if you’re already an expert, skip the compliance steps.
EHR and EMR stand for electronic patient records, and as such, people often use them interchangeably. So why change a damn letter and confuse people, you ask?
Because they are not the same systems. An EMR is a system that a particular healthcare provider uses to collect and track all patient data in their facility. Thus, patient data in the EMR is limited to a single provider. The EHR, on the other hand, accumulates data across various health care providers and specialists involved in patient care.
Why Are Electronic Health Records Better Than Paper Records?
Despite the fact that these systems are different, the general HIPAA compliance requirements for them are almost the same. So forgive us for sounding like amateurs, but for the purposes of this article, we’ll always use these terms interchangeably.
The two systems also have much in common in terms of the benefits they bring to medical and clinical practices. However, as EHRs become more widespread, they can be more useful to patients and providers.
Therefore, when implemented correctly, you will find that one of the systems will be useful for your practice. Now, let’s see what EMRs and EHRs have to do with HIPAA.
You should be concerned about HIPAA if you are a covered entity, meaning you collect patient information to provide healthcare services and bill insurance.
The Role Of Data Analytics In Health Care
The information you need to keep secure is called Protected Health Information (PHI) when it is in physical records or Electronic Protected Health Information (ePHI) when it is in digital form. This information includes demographics, medical history, mental health information, lab results, insurance information, anything accompanied by personally identifiable information (eg, name, social security number, address). So basically everything you have in your EHR/EMR.
Your EMR or EHR will carry all the electronic information you are required to protect by law. This is why you need to consider all the technical requirements when developing a custom EMR or, in case you choose to buy an off-the-shelf system, make sure you comply with this law.
Most of the compliance requirements for EMRs are outlined in the Technical Safeguards of the HIPAA Security Rule. We’ve compiled them into the 7 Key Elements of EMR Compliance and listed them below for your convenience.
But before that, let’s talk about some scary stuff: What happens if you don’t comply?
Pdf) Validating The Access To An Electronic Health Record: Classification And Content Analysis Of Access Logs
In addition to the moral implications of mishandling your patient data, there are other, more tangible consequences. These range in severity from not getting a monetary incentive to full blown disasters – like a gazillion dollar lawsuit. Let’s talk about them in ascending order of seriousness…
If you’re eligible for the Medicare or Medicaid incentive programs (“Meaningful Use”), your EHR must meet a long list of criteria to receive it. Ensuring privacy and security are also on this list, so many requirements intersect with HIPAA. If you do not comply, you will not be able to receive incentives.
One very important thing to keep in mind here is that HIPAA does not penalize you for a violation, but for non-compliance. So, in theory, if you cover all the HIPAA requirements well, but someone still manages to hack you, you won’t be penalized.
However, if you don’t comply, HHS can fine you for violations even if there is no violation! Anyone can report a violation, or you may be subject to a random audit.
Secondary Data For Global Health Digitalisation
When a breach occurs, under HIPAA, you are legally required to notify all patients whose data has been compromised, and in some cases even the media.
Below we mention a devastating case where patients from 12 states joined their efforts to sue an EHR vendor!
HIPAA and electronic medical records remain such a mystery to many people because there is no comprehensive checklist. HHS was very careful not to be too specific, because the security issue is so complex and technology has changed so quickly that no single checklist can cover everything.
But fear not – we’ve put together a list of key aspects to help you get started.
Storing Important Documents
“Implement procedures for authorization and/or supervision of workforce members who work with electronically protected health information or in locations where it can be accessed.” AUTHORITY AND/OR SUPERVISION (A) – (§ 164.308(a)(3)(ii)(A))
Therefore, it is important to ensure that your employees only have access to the information they absolutely need and nothing more (the minimum necessary rule). For example, an x-ray specialist only needs to see data related to the procedure they are about to perform, for example. injuries related to the past. However, the specialist does not need to see the entire medical history or any personally identifiable information, such as the patient’s address or phone number.
In addition to deciding what patient data each user can see, you also determine what each user can and cannot do with this data. This is also part of the HIPAA requirements and is referred to as the standard called “Integrity” declared in the Technical Assurance (§ 164.312(c)(1)). This standard states that you must protect data from unauthorized modification or deletion.
To ensure this, you should set different access levels for different user roles in your EMR. Once you’ve identified each employee’s rights and privileges regarding patient information, you can configure your EMR to reflect that. This will also mean that some employees will receive some portions of ePHI in read-only mode.
Analyze Your Security Risk Analysis Methods
Every time a user accesses your EMR, you must be sure that this user is who they say they are. This is called “authentication”. Only after the system is authenticated can a user access ePHI with the rights and permissions you have previously designated for this person.
“Implementing procedures to verify that the person or entity requesting access to electronically protected health information is who they claim to be. § 164.312(d)
Although passwords are the easiest and most common authentication methods, they are also less secure. This is why HHS recommends that you consider using other forms of authentication.
Also, remember to keep your user and system credentials safe. Writing EMR passwords on sticky notes and attaching them to computer screens is not HIPAA compliant. Instead, consider using a specialized credential management system like AWS Secrets Manager.
How Do I Organize My Medical Records At Home?
Another good idea would be to use temporary user credentials that expire after a certain period of time and need to be replaced with new ones.
Ingegneria Informatica Medica (MIE), an EHR vendor, failed to meet basic authentication requirements and created shared test accounts. Several employees shared the same login “tester” and password “test” to access the system. No unique user identification was required. Hackers used this account to discover system vulnerabilities. As a result, they managed to attack the system several times, compromising the files of millions of patients in 11 hospitals that used this system.
In addition to authentication, MIE had other HIPAA violations such as not encrypting sensitive data, not providing adequate training to staff, not performing a risk assessment, etc. This made the hacking job even easier.
The consequences of this carelessness were costly. Not only did they have to pay $100,000 for a HIPAA violation, but they also had to deal with the first EHR lawsuit from 12 states.
Patient Access Information For Individuals: Get It, Check It, Use It!
To prevent unauthorized access, your employees should always log off after leaving their workstation (regardless of which device they are using the EMR on). However, since we are only human, there is a good chance that one of the users will forget to do this. It is therefore better to implement automatic logout in your EMR so that the session is automatically terminated after a period of time when the system is not in use.
Only you can determine how long the class should be – 5, 10 or more minutes – to be safe and convenient for your staff. Once you have defined the appropriate session end time, you or your developers can configure your EMR accordingly.
You need to know about any breach or breach as soon as it happens so that you can take timely action. What’s up