EHR and HIPAA Compliance

Traditionally, medical records were kept on paper and were manually filed. EHR systems revolutionized patient care by enabling patient and treatment data to be accessed by a multitude of caregivers. But how do these systems affect HIPAA compliance?

Traditionally, all medical records were kept on paper and were manually filed. All information from a doctor visit, such as lab reports, diagnoses, and notes, was written by hand, bound together in a file, labeled with the patient's last name, and then placed on a shelf for storage.

History of EHRs

In the 1960s, Lockheed developed an electronic system for storing and maintaining medical records, but due to the size and cost of computers in the 1960s, it was only adopted by the largest healthcare organizations.

The decline in the price of computers and their rise in everyday usage prompted the growth of EHR-like systems. The industry recognized the need to convert medical records to an electronic format, and in 2004 the government created the Office of the National Coordinator for Health Information Technology. Soon after, mandates for EHR adoption were included in the HITECH Act of 2009 in order to encourage healthcare providers to adopt electronic health records and supporting technology. This went as far as providing incentives for early adoption as well as financial penalties, in the form of reduced Medicare and Medicaid reimbursement, for organizations that did not adopt EHR technology.

What is an Electronic Health Record?

An Electronic Health Record is a real-time, patient-centered record that makes it incredibly easy for caregivers to access and update patient records. It is essentially the digital version of a patient's care chart, but it goes beyond that data and will often include a far broader view of a patient's care. EHRs are a vital part of modern healthcare and can contain all of a patient's medical history, diagnoses, medications, treatments, immunizations, allergies, and lab results, while also giving providers access to evidence-based tools they can use to make decisions about a patient's care.

Another key benefit of EHRs is that health and treatment information can be created in a format that allows it to be shared with users from more than one healthcare organization. They are designed to share information so that laboratories, specialists, pharmacists, and clinics can access everything needed to achieve optimal patient care.

EHR and Protected Health Information

EHR systems have completely changed how medical data is collected and utilized during treatments by standardizing data and making the transmission of health data even faster. Now it is incredibly easy for healthcare providers to give more efficient and accurate care. However, providers must still abide by the regulations set by HIPAA to protect the data they are using. Common types of information stored in EHR systems include:

  • Names
  • Patient billing information
  • Weight, body mass index (BMI), and body temperature
  • Allergies
  • Appointment history
  • Complete medical records
  • Physician notes
  • Prescriptions
  • Discharge summaries and treatment plans

All of this information is considered PHI and must be stored, accessed, and transmitted in accordance with the HIPAA Security Rule. Under the rule, every healthcare organization is responsible for protecting patient healthcare data, regardless of whether it stores that data itself or uses a vendor to process and store its patient records, because vendors have to comply with HIPAA, too. Whenever a vendor is hired that will have access to, transmit, or store PHI, the healthcare organization must sign a business associate agreement (BAA) with that vendor.

HIPAA Compliance and EHR

Some healthcare organizations have made the error of assuming that because the EHR system they use is compliant with HIPAA, they are too. The truth is that having HIPAA-compliant software does not mean your organization is compliant with the regulation, because there are a multitude of everyday practices that can result in security and privacy breaches.

For example, are your systems password protected, and can your users access only the minimum amount of PHI needed to do their jobs? Is the data transmitted over a secure network? Are your employees trained in HIPAA compliance? Has your organization appointed a privacy officer to oversee all matters of HIPAA compliance? Everyone at your organization needs to understand their role in keeping the organization compliant with HIPAA, and this can only happen if expectations are clearly communicated to them.
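As an added illustration of the minimum-necessary question above (example code, not taken from the original article or from any EHR product), the snippet below filters a patient record down to the fields a given role is permitted to see, denies unknown roles by default, and records every grant and denial for later audit review. The role names, field names, role-to-field policy, and sample record are constructed assumptions chosen to match the PHI categories listed earlier.

```python
"""Minimum-necessary filtering of EHR record fields by role.

Added illustration; role names, field names and the sample record are
constructed assumptions, not an actual organization's policy or real data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Field names modelled on the PHI categories the article lists (assumed names).
ALL_FIELDS: FrozenSet[str] = frozenset({
    "name", "billing", "vitals", "allergies", "appointments",
    "medical_record", "physician_notes", "prescriptions", "discharge_summary",
})

# Assumed role-to-field allow-list. A real policy comes from the organization's
# own minimum-necessary analysis; the shape (default deny, explicit allow-list
# per role) is what matters here.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "physician": ALL_FIELDS,
    "nurse": frozenset({"name", "vitals", "allergies", "appointments",
                        "prescriptions", "discharge_summary"}),
    "billing_clerk": frozenset({"name", "billing", "appointments"}),
    "scheduler": frozenset({"name", "appointments"}),
}


@dataclass(frozen=True)
class AccessEvent:
    """One audit-log entry: who asked, in what role, what was granted and withheld."""
    user: str
    role: str
    patient_id: str
    granted: FrozenSet[str]
    denied: FrozenSet[str]


AUDIT_LOG: List[AccessEvent] = []


def minimum_necessary_view(record: Dict[str, object], user: str, role: str,
                           requested: Optional[Iterable[str]] = None) -> Dict[str, object]:
    """Return only the fields of `record` that `role` is allowed to see.

    Unknown roles are refused outright (default deny). Every call, including a
    refused one, is appended to AUDIT_LOG so a reviewer can later see which PHI
    fields were withheld from whom.
    """
    patient_id = str(record.get("patient_id", "<unknown>"))
    allowed = ROLE_POLICY.get(role)
    if allowed is None:
        AUDIT_LOG.append(AccessEvent(user, role, patient_id, frozenset(),
                                     frozenset(record) - {"patient_id"}))
        raise PermissionError(f"role {role!r} has no access policy")
    # Default to everything in the record if the caller did not narrow the request.
    wanted = frozenset(requested) if requested is not None else frozenset(record)
    wanted -= {"patient_id"}  # the identifier is not treated as a PHI field here
    granted = wanted & allowed & frozenset(record)
    denied = wanted - allowed
    AUDIT_LOG.append(AccessEvent(user, role, patient_id, granted, denied))
    return {name: record[name] for name in sorted(granted)}


# Constructed sample record; not real patient data.
SAMPLE_RECORD: Dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "billing": {"insurer": "ExampleCare", "balance_due": 120.00},
    "vitals": {"weight_kg": 70, "bmi": 23.1, "temp_c": 36.8},
    "allergies": ["penicillin"],
    "appointments": ["2024-01-10 follow-up"],
    "medical_record": "constructed history summary",
    "physician_notes": "Discussed dosage adjustment.",
    "prescriptions": ["loratadine 10mg"],
    "discharge_summary": "Rest and fluids.",
}


if __name__ == "__main__":
    for user, role in [("alice", "billing_clerk"), ("bob", "nurse")]:
        view = minimum_necessary_view(SAMPLE_RECORD, user, role)
        print(f"{role}: sees {sorted(view)}")
    for event in AUDIT_LOG:
        print(f"audit: {event.user}/{event.role} denied {sorted(event.denied)}")
```

The design choice worth noting is that the filter is applied server-side on the record itself rather than by hiding fields in a user interface: a billing clerk's session never receives physician notes at all, so a compromised or misused account in that role cannot leak them, and the audit log shows the attempted over-reach rather than a silent success.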

HIPAA compliance means more than simply having a compliant EHR system. It is critical that healthcare providers regularly conduct a risk assessment of the physical, technical, and administrative safeguards they have in place to protect sensitive patient information, in order to avoid costly fines in the event of a breach or random audit. EHR systems make better healthcare possible, but they also expose your practice to risk, both from accidental violations due to improper access and from the actions of hackers. Fortunately, there is a way to mitigate the risks of HIPAA noncompliance. Become HIPAA compliant with Accountable.


Need HIPAA help?

Accountable can help you achieve HIPAA compliance for your company.
