Medical Records Software Programs
The History of Medical Records Software
As the old saying goes, necessity is the mother of invention. This is certainly the case when it comes to the need to find a better way to manage patient medical records. For the medical community, the invention was creating specialized medical records software.
Although EMR software is relatively new to many medical practices its roots as EHR software can be traced back to the 1960s. The University of Scranton states, “One of the earliest data processing systems originated in the mid-1960s and focused specifically on clinical data management…Also in the 1960s, the development of the Problem Oriented Medical Record by Larry Weed introduced the idea of using electronic methods of recording patient information.”1
Paper Medical Records Management Problems
It was widely recognized that because the number of medical records is so massive, storing and organizing them requires a lot of time and is error-prone. Small practices with small staffs endured a heavy burden from the time required to pull, manually update and refile medical records folders. When files were misplaced it exacerbated the problem with even more stressful, time-consuming tasks. Additionally, legal risks and HIPAA liabilities from records being destroyed by natural disasters, burglary, etc. heightened the need for records security. Paper medical records management was, without question, increasingly problematic.
Are paper records really a problem? Regarding financial risks to medical practice, Coleman Data Solutions, in a 2013 article, commented, “There are major security issues with paper medical records, mostly because of the costly consequences of not securing protected health information.”2.
EMR Software Solved the Problems
As have so many businesses, the medical community found their solutions in automation and digital asset management. Software companies recognized the opportunity to develop faster and easier ways to manage medical records.
From Records Management to Practice Management
As medical professionals embraced the use of EMR software solutions software developers received excellent user feedback. This feedback enabled significant year-after-year improvements to be made to the practice management software. What started as simply electronic medical records management software morphed into full-scale practice management software. Today there are numerous EMR / EHR software products.
The medical records management software programs, commonly known as EMR / EHR software, are now commonplace in medical offices and hospitals. These products offer a robust and secure system for managing health records, scheduling, billing and a host of front-office tasks.
Today, hospitals, clinics, and practitioners have a number of medical records management software options. The current challenge for clinicians, practice and business managers is to make the right choice when trying to find the best EMR software for their hospital, clinic or practice. Depending and the size and scope of your business, what constitutes the “best EMR software” will vary.
Types of EMR Software
Medical Records Software Comparison
Within the offerings of EMR software there are products that range from exceptional to poor based on functionality, training, post-sale support and pricing. Without a solid understanding of what is available in EMR software solutions in 2019, it’s easy to overlook the absence of features that you need.
The top 5 Things to Know About EMR Software
Converting to a new EMR solution is a major decision. Yes, converting from a paper-based records system or inferior EHR software to a new robust EMR software is a good business decision. However, the conversion requires a significant amount of time to implement the software, migrate data, and train users. Choosing your EMR system goes beyond just what the software can do for you. You need to look at the big picture of subscribing to and living with, an EMR software system and vendor.
- EMR Software Features: Quality basically equates to how well a product or service meets your needs. You need to explore all of the possible capabilities and functionalities of any software to evaluate its suitability for your needs. It is nice to have an EMR software that provides scalability to add services, users and features as you may need. The best EMR software solutions offer ways to manage scheduling, patient notifications, patient registration, medical records, billing, collections, and a myriad of custom reports.
- EMR Software Implementation and Conversion: How well does the software vendor manage converting customers from existing systems to the new EMR system? The greatest challenge is integrating and launching a new EMR software parallel to you actively running your business. The migration of data must be timely, precise and secure. The setup of security features and users must be done perfectly. Your best option is to use a U.S. based company that has many years of experience in software implementation. Specifically, it helps if they understand other systems (what you have now) to mitigate problems in a changeover.
- EMR Software Training: You already know subscribing to a service is the easy part. You don’t really get value until the service (software) is working for you. You need a vendor who will work closely with your staff to instruct and coach them on how to get the most from the software. The best vendors have live phone support and don’t just refer you to website pages or PDF documents. More to the point, you want to work with top EHR companies that goes beyond giving you only top-level instruction. You want a company that will show you how to unleash all of the bells-and-whistles of your software.
- EMR Software Post-Sale Support: Anything related to networks, computers, and the software will need service. Whether it’s troubleshooting, add-ons or upgrades you need a vendor that is highly responsive and customer focused. A good idea is to check online reviews for EMR software companies. Read actual customer comments to gauge which company really sticks with its customers.
- EMR Software Pricing: The best EMR solutions offer a monthly subscription model vs. the old way of making you pay a large price to "buy the software package". Obviously, you’re going to question the affordability of the monthly subscription price. In your consideration, you should factor in the positive financial contribution the software provides. A software program that facilitates collecting revenue faster, improves record keeping efficiency and facilitates excellent scheduling sort of pays for itself. Try to balance the monthly fee with the impact the EMR software can have on your business efficiency.
You should always do a post-implementation evaluation to confirm everything is in place and working properly. The Office of the National Coordinator for Health Information Technology offers information on its website. They state the following, "Conducting a post-implementation evaluation will enable your practice to continue improving workflows, achieve your goals and needs, and realize the benefits of EHRs. During your post-implementation evaluation, you should check that the practice/hospital/health center team is still intact and that workflows are running smoothly, with few workarounds. You should also seek to identify unresolved vendor issues, interface issues, and staff training needs. You can use the findings of your post-implementation evaluation to target and implement initiatives that will enable your practice/hospital/health center to continue quality improvement.".3
Example of Comparing Medical Records Software
To give you a specific example of how to evaluate EMR and EHR software we’re going to compare two popular systems – Lytec MD Software and CureMD Software.
Lytec MD Software 2019
What is Lytec? Lytec Practice Management software provides an ANSI 5010 compliant, platform to manage scheduling, billing and revenue management functions of your practice.
Lytec 2019 provides tools to efficiently manage patient accounting, insurance billing, claims tracking, accounts receivable, and appointment scheduling.
Lytec EMR is available as a stand-alone network version and as a cloud-based version.
Notable Features of Lytec’s Cloud-Based EMR
- Use our up-to-date Lytec Practice Management (PM) software without incurring any upfront or upgrade fees
- Medical software that is available anytime, Anywhere 24/7/365
- Electronic Health Records (EHR) option
- HIPAA compliant backup and disaster recovery
- Electronic services – claims, claims verification, patient statements, eligibility verification, remittance, and ePrescribing
- Appointment reminder system
- No expensive hardware to purchase
Other Lytec Features:
- Accounting– Move credits and adjustments between billings
- Engagement– Patient Email Connect allows for a targeted export multiple filters such as age, gender, activity, last visit, etc.
- Appointments– Customized printed appointment schedules.
- Notifications– Hold code display improvements including hovering on patient appointments – saving time and clicks.
- Collections– A/R Tracker enhancements, including the ability to see the patient co-pay in the unpaid transactions grid.
- Registration– Duplicate patient record enhancements
- Billing– BillFlash patient statement enhancements.
- Timely Filing– Billers can now instantly see how many days until timely filing expires and which claims have already been billed and which ones are overdue.
CureMD Software 2019
CureMD’s All-in-One Cloud platform integrates electronic medical records with practice management, patient portal, and an iPad app to personalize care delivery, increase patient safety, and minimize costs for medical practices of all sizes.
CureMD is well suited for cutomization to fit with a particular type of medical practice.
CureMD is an all-in-one EMR and practice management system that enhances quality, profitability, and collaboration. CureMD offers special features for:
- Enterprise Scheduling
- Intelligent Billing
- Workflow Management
- Gold Certified e-Rx
- DICOM Imaging
- Clinical Knowledgebase
- Clinical Alerts
- Device Connectivity
- Data Mining Reports
- Patient Education
- Credit Card Processing
- Text Messaging Reminders
- Lab Orders and Results
- Document Management
- Recalls and Reminders
- Risk Management
- Enterprise Messaging
- Electronic Superbill
- Data Backup
- Security
- E&M Coding
Notable Benefits of CureMD EMR Software
- Participate in pay-for-performance incentive programs
- Connect directly with hospitals, labs, radiology centers and diagnostic equipment
- Satisfy government and industry compliance regulations and standards
- Optimize billing and collection processes
Popular EMR Software Solutions
A Google search will bring up a list of countless EMR software vendors, each presented as a great solution for medical records and practice management. Obviously, each has it’s strengths and weaknesses. What may be a great solution for a hospital may be a bad choice for a small practice. What may be great for a small practice may prove to be okay to start but have no ability to scale up to other needs. Selecting the right medical records software can be a daunting endeavor.
To learn more, call 1-800-759-1321 for a free consultation with an EMR specialist.
FOOTNOTES
- 1 The University of Scranton, “EMR: The Progress to 100% Electronic Medical Records”, September 17, 2013, Available from University of Scranton
- 2 CDSadmin, “Security Issues with Paper Medical Records”, October 4, 2013, Available from Coleman Data Solutions
- 3 HealthIT.gov, “How do I conduct a post-implementation evaluation?”, March 5, 2018, Available from HealthIT.gov
In-house vs. Outsourcing Medical Billing
Pros and Cons of Medical Billing Solutions
Outsourcing your medical billing is a smart move for many medical practices. Explore the thoughts of industry experts comparing in-house coding and billing to hiring a medical billing company.
Outsourcing medical billing can make some people nervous yet it is a common topic among small medical practices. This conversation generally weighs the pros and cons of utilizing EHR billing software or third-party medical billing services. The situation that drives this discussion is a need to find a cost-effective solution for better revenue cycle management. Specifically, this comes down to the key goals are timely and accurate billing, collecting money faster and improving your bottom line.
An Introductory Comparison
In-house coding and billing requires using employees to utilize medical coding and billing software to complete tasks for revenue cycle management.
Outsourcing coding and billing means the doctor or practice business manager hires a third-party medical billing company for revenue cycle management.
EHR Billing Software vs. Outsourced Medical Billing
Starting Your Comparison Process
Where do you start in doing the analysis and comparisons? Finding the best medical billing solution for your practice begins with doing an honest assessment of your existing in-house structure, strengths and weaknesses. Think about what you have tried that has worked, and what has not worked. Determine which challenges are manageable and which are out of your control. Knowing what you have now in terms of staff, skills, space, time, and capital can make the evaluation process a bit easier. 1
4 Pros of Outsourcing Medical Billing
Cost Control: When you outsource coding and billing you know what the costs will be to get the work done. With in-house staff, you never really know what the true cost is because you don’t know how much time they are spending on this work. Outsourcing makes it easier to control your operating budget.
Error Reduction: Let’s face it, medical coding and insurance billing requirements change often.2 Errors in coding and billing practices result in denied claims and delayed payments. The only way to mitigate these issues is for your in-house staff remain current on these changes. How will you or your staff stay abreast of changes and train the people doing the work? A professional coding and billing company are experts at remaining at the top of their game.
Timeliness: A physician or office manager eliminates the need to micro-manage a billing staff. A third-party billing company is committed to only doing your billing right away. Your in-house billing staff can get behind on coding when they miss work or are pulled into other tasks in the practice. Having dedicated medical coders and billing specialists means you have a team that makes collecting money their top and only goal.
Responsiveness: A medical billing service has dedicated points of contact that can provide a variety of reports on-demand. Unlike waiting for an employee to “get to it when they can”, a billing service can respond promptly with the information you need. Again, you get people dedicated to supporting you with a full-time eye on your revenue.
4 Cons of Outsourcing Billing
Unexpected Fees: The potential for add-on monthly fees. This should not be a huge concern because you’re simply paying for the time required. If you required an in-house staff to do it you’re still paying them for their time to do the work. The best thing to do, before hiring a third-party vendor, is to learn all of the standard and potential costs. Consider how these costs apply to what your practice needs. Decide for yourself if the numbers work for you. Cost analysis yield varying results.3
Conflicting Styles: When you have in-house coders and billers they know exactly what you want, how you want it and when to do it. When you hire a medical billing service you need to be a bit flexible to fit into their system and processes. Generally, your outsource partner will go through the revenue cycle management steps nearly the same as your in-house team. In any situation, there will be some operational or procedural differences. Moving that aside, let’s look at what you can expect your vendor to do for you:
Privacy Concerns: Bringing in a billing service requires a lot of sensitive disclosure. Things like (even discretely) sharing your financial situation can be uncomfortable. With computer server hacking being relatively common, there is a possibility a large billing company would be the target of a hacker. Having any or all of this information compromised could bring about very bad consequences.
Exit Strategy: What happens if you stop outsourcing, and decide to bring your billing back in-house or hire another service? It may not be particularly easy to get your information in a format that makes it easy to put into a new system. Some providers make it very difficult to extricate your practice from their system.
Should You Hire a Medical Billing Company?
It’s a matter of personal preference as to whether or not to go with outsourcing medical billing and coding. From a top-level view, here are a few things to think about;
You will need to relinquish some control of your billing. When you hire a coding and billing company you will need to adapt to their processes and style. The initial experience of things not being done the same way may be uncomfortable. Ultimately, you have to not focus on the methods, and instead focus on the output.
Outsourcing will return to you all of the time your staff now spends on billing. You may even find that it saves you money. Think about all of the time your practice spends on coding and billing. Now think about how much time you will suddenly have available when 90% of the work is done by a third-party service.
The bottom line is the bottom line. A billing specialist will get the billing out in a timely manner, virtually eliminate billing errors, and bring in revenue at an optimal pace. That’s what matters, right?
Want to learn more? Call a medical billing specialist to discuss your situation. Get a non-biased recommendation on which option is best for your practice.
FOOTNOTES & CREDITS
- 1 Unknown, "Cost comparison In-house Medical Billing VS Outsourced Medical Billing ", November 15, 2016, Available from ISSUU
- 2 Megan Knowles, "WHO releases ICD-11: 5 things to know", June 18, 2018, Available from Beckers Hospital Review
- 3 Gaby Loria, "Should You Outsource Your Medical Billing?", January 1, 2019, Available from Software Advice
Medical Billing Services 2019
Medical Billing Services 2019
For smaller medical practices and clinics, medical billing services are often an ideal alternative to tying up a small staff on revenue cycle management using EHR software. This article presents the advantages of using a medical billing and management service in the United States.
What are Medical Billing Services?
As the name implies, a medical billing service is a company staffed by trained medical billers that manage revenue-related functions for sole practitioners, group medical practices and healthcare clinics.
Medical Billing Service Staffing
Medical billing and coding specialists are certified and trained, including receiving ongoing training on industry updates, changes, and best practices. Regarding the importance of formal training and certification you can see the AAPC website which states, "Regulations and requirements with the current healthcare delivery system are best met when medical coders, certified in specialty practice, provide medical coding. Medical coders achieve AAPC certification through specialized education, experience in an area of specialty, and a qualifying exam(s)."1
Medical coding involves reviewing statements and records of patient services rendered, and assign the correct billing codes using the ICD-10-CM classification system. Medical billing refers to the process of preparing and filing insurance claims or patient billing statements. Medical billers also track and follow-up on unpaid billing statements to facilitate timely revenue collections.
The medical practice will work with an account manager and sometimes work directly with the coder or billing specialist.
Advantages of Using Medical Billing Services
The industry experts at verywellhealth have this offer, "It saves time and money and eliminates the burden of concentrating on too many aspects of the medical office. ".2 A list of the key advantages in using a medical billing service includes:
- Restores Focus on Patient Care: Imagine a revenue management process that is effectively running in the background. Your practice will return to feeling more like a medical office than a business office. A billing service does the heavy lifting, provides you with reports and requires minimal direct supervision.
- Optimizes Revenue Cycle Management: Your in-house staff is getting the job done, often as part of other administration duties. This means that prioritizing tasks may require billing and collections duties get put off. A medical billing service stays on top of your money with no distractions. Their focus is only on revenue management.
- Improves Cash Flow and Profitability: With a dedicated team of coding and billing professionals, your finances will improve. Promptly preparing and submitting billing statements lowers the average age of your receivables. Accurate coding means a minimal number of claims are rejected. The bottom line is money comes n faster, and less time (money) is wasted on billing problems.
- Reduces In-House Staffing Needs: When you use a billing service your requirements are reduced to sending the necessary support documentation (statement of services for a patient), answering occasional questions, and managing incoming reports. Obviously, you still need to do your own bookkeeping and taxes, but you will no longer need a large billing staff.
- Assures Regulatory Compliance: Billing errors are the number one reason payments are rejected. HIPAA violations are always a potential problem. When you engage a billing service company you are almost totally guaranteed to not have problems. The benefits are mitigating risks and consistently getting paid faster.
- Provides Exceptional Billing Records: When you need billing records, all you need to do is call or send an email. Some services offer an online dashboard from which you can print reports. This eliminates the cumbersome process of creating custom reports using your own staff.
Medical Billing Services vs. EHR Medical Billing Software
While clinicians debate which is option better, it really comes down to which is the best fit for your situation. One critical element is the amount of available staff time to effectively manage coding, billing, and collections. A small office may find a coding and billing service to be more cost-effective than hiring additional staff. A group practice or smaller clinic may find either option can work for their business.
There is one very compelling reason to hire a billing service. A billing service is dedicated to only revenue related tasks. The billing service, versus an in-house staff, is not splitting their time with other operations functions.
A small practice may not generate enough billing to justify a full-time billing and collections person. A larger practice may need one or more dedicated billing people.
If you opt to buy EHR software with medical billing functionality you need a plan to keep your staff trained. Your billing staff will need ongoing training on IDC code changes and proper financial records keeping.
Hidden Costs for In-house Revenue Cycle Management
Payment Problems Caused by Medical Billing Code Errors
How do you keep up with and manage ICD-10 code changes? In 2018 alone there were over 300 billing code changes. The timing of implementing these changes among payors may vary. This complicates efforts to submit billing that is in compliance with various payor systems. Healthcare Administrative Partners published an article on 2018 coding changes which stated, "Commercial payers may differ from Medicare in their adoption of coding changes, and so practices are advised to monitor their claims denials in the early part of 2018 to be sure any modified codes are being accepted and paid by all carriers.".3 Trying to stay abreast of changes, and implement them into your daily routine requires a lot of work. When you outsource billing management, with one of the best medical billing companies, your practice management will probably become much easier.
Would you like some guidance on which option is best for your practice? Reach out to a medical billing expert to get the answers you need before making a decision. Call us at 1-800-759-1321 for free information.
FOOTNOTES
- 1 Unknown, "Medical Billing and Coding Certification", January 20, 2019, Available from American Academy of Professional Coders
- 2 Joy Hicks, "Pros and Cons of Outsourcing Your Medical Billing", September 16, 2018, Available from verywellhealth
- 3 Unknown, "Regulatory Changes Affecting Physician Reimbursement in 2018", November 13, 2018, Available from Healthcare Administrative Partners
Medical Billing Software 2019
Medical Billing Software
Medical billing and coding software can make a huge positive impact on your practice. Learn about the advantages of using medical billing software to improve your revenue cycle management process.
What is Medical Billing and Coding Software?
Medical billing and coding software facilitate efficiency in creating, filing, tracking, and recording payments for healthcare services. Medical billing software has traditionally been a program installed on a computer or computer network. The modern trend is using cloud-based medical billing programs made available on a subscription basis. The best medical practice software (EMR or EHR software) includes functionality for medical coding, billing, and accounting.
Why Use Electronic Medical Billing Software?
Electronic medical billing software opens the door to increased productivity, lower operational costs, and optimal management of the revenue billing cycle. Per Software Advice, "in 2014, we found that 88 percent of buyers (from a sample of 385) preferred cloud-based deployment, over the 12 percent who wanted on-premise.".1 Medical billing and coding software plays a key role in revenue cycle management. The most profitable practices and clinics utilize cloud-based billing solutions. Web-based solutions meet the needs for health insurance billing software and direct patient billing software.
Web Based Medical Billing Software
In 2019, integrated medical billing software is the preferred option for coding, billing, and collections. A web-based solution provides all of the functionality of a desktop solution and offers a number of advantages versus software installed on individual computers.
Five key advantages of web-based medical billing software include:
- Affordability: A subscription model provides the lowest cost for entry and usage. With monthly charges, there is no down payment, and no requirement to pay thousands of dollars to buy software.
- Scalability: Web-based medical billing system allows you to add as many users as you need. This makes a web-based solution perfect for any size medical practice, clinic, or hospital.
- Productivity: Cloud-based billing software allows multiple people to work on billing in-office or remotely.
- Privacy: Online medical billing solutions do not share data with big pharma or other commercial enterprises.
- Compliance: Cloud-based software is actively maintained by the software company. Upgrades and revisions are made to maintain compliance with HIPAA and ICD standards.
- Security: Cloud-based billing solutions 100% HIPAA compliant. Hosting servers have multiple layers of security including data encryption. Servers utilize active data backup to prevent loss of information from computer failures or natural disasters.
Is Medical Billing Outsourcing a Better Option?
Small medical practices often lack the staff to do everything the business needs. Medical billing is obviously a critical part of the business and is something that can be outsourced. Many clinicians opt to devote their time and staff to patient care and outsource certain business operations functions. Med-Ops is an affordable medical billing service whose website states a compelling reason to outsource medical billing. Per their website, "Our experienced team of coders and collectors can turn the sometimes arduous process of medical billing into a seamless procedure so payments come more quickly and you can spend more time caring for patients — and less time worrying about collections".2
Stand Alone Medical Billing Software
Lower cost medical billing software for small practices is available. A 2019 article published by Technology Advice states, "The trend in healthcare is toward integration, but standalone products are often cheaper and may feature simpler functionality that works better for smaller practices that don’t plan on purchasing an EHR and PM system in the near future.".3 
Stand-alone products such as BillFlash provide options for e-billing and generating paper billing statements. BillFlash includes functionality for secure online and in-office payments. BillFlash is cloud hosted on secure servers and meets HIPAA requirements. This patient billing software has data storage, backup, and built-in capability for data recovery.
Medical Billing Computer Programs
References to computerized billing systems are for software installed on a single computer or server for networking. In 2019 it is not practical to invest in software that runs on only your office computers. There are numerous reasons to not rely on PC based billing software. If you want more information to compare computer-based with web-based solutions you can contact a medical billing software company.
If your practice is using computer-based software it is possible to seamlessly modernize your billing system. When you are ready to buy medical billing software you should learn about the product and vendor support. Ideally, your software company offers support for account set-up, data transfer, and user training. You should ask for references that can speak to the quality of customer support.
Medical Billing Software Specialty Customization
Being able to customize (semi-customize) is valuable, but often overlooked when shopping for EMR software. The reason this matter is that your EMR, including medical billing, should represent your practice workflow. For example, the EMR and billing software needs for a pediatrician are quite different than for an anesthesiologist. With this in mind, you need to work with a vendor who understands your medical specialty. A knowledgeable software vendor offers expertise to set-up a solution designed to provide the best possible user experience.
What is the Best Medical Billing Software?
Finding the best medical billing software can be a daunting task. There are numerous billing software companies to be found online. The list of top tier software vendors is rather short. CureMD and Lytec offer excellent cloud-based solutions. In fact, SelectHub rates CureMD as their top choice and stated, "CureMD Medical Billing Service supports payer management, electronic claims tracking and submission, electronic remittances, automatic charge capture, clean claim checks, and electronic payment posting. . . . CureMD supports excellent billing and collection functionality."4
Get accurate information and save time researching software! Contact a medical billing software specialist to learn about features, benefits and critical support services. Call MediPro at 1-800-759-1321.
FOOTNOTES & CREDITS
- 1 Lisa Hedges, "Practice Management Software Buyer Report – 2018", March 15, 2018, Available from SoftwareAdvice.com
- 2 MedOps, "Advantages of Outsourcing Medical Billing", March 2018, Available from MedOps
- 3 Unknown, "TechnologyAdvice Guide to Medical Billing Software", January 2, 2019, Available from Technology Advice
- 4 Bergen Adair, "Best Web-Based Medical Billing Software", August 20, 2018, Available from SelectHub
Electronic Health Records Errors – How to Avoid HIPAA Trouble
HIPAA Trouble and EHR Implementation – How to Avoid Legal, Ethical Issues
Learn how you can avoid legal issues with electronic medical records management. Get tips on best practices to manage EHR / EMR security, privacy concerns and avoid problems causing HIPAA violations.
HIPPA and the EMR EHR Environment
HIPAA trouble due to errors in managing electronic health records can be costly. Every clinician and EMR software user needs to have a solid understanding of how to comply with HIPAA regulations. Lack of knowledge is a poor defense against alleged HIPAA violations. What you don’t know about EMR and HIPAA could cause you to make mistakes that result in civil or criminal charges, large fines, and possible licensing problems.
Health Insurance Portability and Accountability Act of 1996
The Health Insurance Portability and Accountability Act of 1996, commonly known to as HIPAA, set federal standards for the electronic exchange, privacy and security of health information. This covers "Protected Health Information " held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.1 The critical question to ask yourself is, "How confident are you in your understanding of HIPAA and how it relates to EMR or EHR use and management?"
The Security Rule and Your Potential Risks
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and its business associates conduct a risk assessment of their healthcare organization as part of their risk management process.2
What is Risk Assessment?
Video courtesy of the Office of the National Coordinator for Health IT
How to Do a Risk Analysis
To do a risk analysis you can utilize a free online Security Risk Assessment Tool (SRA Tool). This tool was created by The Office of the National Coordinator for Health Information Technology (ONC), working with the HHS Office for Civil Rights (OCR). Use the following link to download the SRA Tool from the HealthIT.gov website.
Why you need to do a risk assessment.: Doing an initial risk assessment can give you actionable information for avoiding legal problems with HIPAA non-compliance. Acting now to identify and resolve issues likely puts an end to immediate risks of civil or criminal liabilities.
Basic things you need to know about Security Risk Analysis: The introduction of new programs or regulations often generates unnecessary concerns and misinformation. The following is a list "Top 10 Myths of Security Risk Analysis ", provided on the HealthIT.gov website.
Top 10 Myths of Security Risk Analysis
1. The security risk analysis is optional for small providers.
False. All providers who are "covered entities" under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
2. Simply installing a certified EHR fulfills the security risk analysis MU requirement.
False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
3. My EHR vendor took care of everything I need to do about privacy and security.
False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
4. I have to outsource the security risk analysis.
False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.
5. A checklist will suffice for the risk analysis requirement.
False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
6. There is a specific risk analysis method that I must follow.
False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This Guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
7. My security risk analysis only needs to look at my EHR.
False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.
8. I only need to do a risk analysis once.
False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see the Reassessing Your Security Practice in a Health IT Environment.
9. Before I attest for an EHR incentive program, I must fully mitigate all risks.
False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
10. Each year, I’ll have to completely redo my security risk analysis.
False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.
How to Avoid Common HIPAA Compliance Problems
The next step in avoiding HIPAA trouble is implementing measures to prevent new compliance issues. Next, we offer ideas and tips for a proactive approach to maintaining HIPAA compliance for electronic health records.
Create an EMR Compliance Checklist
Protecting your patient’s medical records starts with implementing measures that address key areas of PHI security. Your guide and checklist should be used to educate persons accessing and managing data, and govern the workflow practices.
Be certain to do periodic reviews of, and make appropriate updates to, your guide and checklist. Part of your internal review process should be conducting a new Risk Assessment using the SRA Tool mentioned above.
Use the HIPAA Security Rule
You can refer to the HIPAA Security Rule to develop a compliance checklist. The HIPAA Security Series (PDF’s) identify three specific areas that must be properly managed. Per the HIPAA Security Series, "While there is no one approach that will guarantee successful implementation of all the security standards, this series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions."3 These three areas are as follows:
1. Administrative Safeguards
The Security Rule defines administrative safeguards as, "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information."
The Administrative Safeguards comprise over half of the HIPAA Security requirements. As with all the standards in this rule, compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each covered entity.4
2. Physical Safeguards
The Security Rule defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.
When evaluating and implementing these standards, a covered entity must consider all physical access to EPHI. This may extend outside of an actual office and could include workforce members’ homes or other physical locations where they access EPHI.5
3. Technical Safeguards
The Security Rule defines technical safeguards in § 164.304 as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."
As outlined in previous papers in this series, the Security Rule is based on the fundamental concepts of flexibility, scalability and technology neutrality. Therefore, no specific requirements for types of technology to implement are identified. The Rule allows a covered entity to use any security measures that allow it reasonably and appropriately to implement the standards and implementation specifications. A covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.6
Specifics – 5 Common Causes for HIPAA Trouble
Refer to the following list to learn about common causes for HIPAA trouble related to PHI management. Every practice should discuss these types of things with their employees and vendors to mitigate occurrences of violations.
1. Staff PHI Disclosures. Whether inadvertent or deliberate, employees should discuss a patient’s PHI only when necessary. Every employee should refrain from discussing patient information outside of the workplace, or where uninvolved parties can hear or see the information. Although it should be obvious, employees should never discuss patient information or post related images on social media, blogs or forums.
2. Loss of Control of Information. There are many ways that you can lose control of electronic health records. The worst case scenario is a full data breach involving your computer network being hacked, or a system breach for cloud-based file storage.
A second way of losing electronic information is when information is taken out of your facility. This could be emailing or texting information where it may be accessed by someone other than the intended recipient.
A third way of losing information is when information stored on devices is lost due to theft or burglary. If you feel it is necessary to have PHI on laptops, tablets, phones, or home computers, you should have strong passwords on every device. Keeping health record information on removable devices (thumb drives, external hard drives, etc.) is extremely risky.
3. Negligence & Careless Actions. Problematic disclosure of information often occurs within a medical practice or clinic. This happens when employees inadvertently place or leave files where information can be viewed by other patients, vendors or other unauthorized third-parties. An example is open files on a workspace near a check-in area or check-out area.
4. Unauthorized Access For any number of reasons, employees may engage in unnecessary or unauthorized access to patient health information. Unauthorized access problems could be created by third parties such as vendors, cleaning staff, maintenance technicians, etc.
5. Casual Thinking: Some employees lack an understanding of HIPAA regulations or simply do not apply personal discipline in their work. All employees should be trained in best practices, regulations, standards, and laws regarding health records management. This includes when it is appropriate to share or transfer information, how to confirm consent and authority to provide information to others.
Every medical practice, clinic or facility utilizing electronic health records software needs a formal approach for total HIPAA compliance. HIPAA trouble can be avoided by educating your staff on how to prevent electronic health records errors.
FOOTNOTES & CREDITS
- 1 Office for Civil Rights, "Summary of the HIPAA Privacy Rule", July 26, 2013, Available from HHS.gov
- 2 HealthIT.gov, "Security Risk Assessment", November 1, 2018, Available from HealthIT.gov
- 3 HHS.gov, "HIPAA Security Series", March 2007, Available from Dept. of Health & Human Services
- 4 HHS.gov Website, "Security Standards: Administrative Safeguards", March 2007, Available from Dept. of Health & Human Services
- 5 HHS.gov Website, "Security Standards: Physical Safeguards", March 2007, Available from Dept. of Health & Human Services
- 6 HHS.gov Website, "Security Standards: Technical Safeguards", March 2007, Available from Dept. of Health & Human Services