HIPAA Trouble and EHR Implementation – How to Avoid Legal, Ethical Issues

Learn how you can avoid legal issues with electronic medical records management. Get tips on best practices to manage EHR / EMR security, privacy concerns and avoid problems causing HIPAA violations.

HIPPA and the EMR EHR Environment

HIPAA trouble due to errors in managing electronic health records can be costly. Every clinician and EMR software user needs to have a solid understanding of how to comply with HIPAA regulations. Lack of knowledge is a poor defense against alleged HIPAA violations. What you don’t know about EMR and HIPAA could cause you to make mistakes that result in civil or criminal charges, large fines, and possible licensing problems.

Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act of 1996, commonly known to as HIPAA, set federal standards for the electronic exchange, privacy and security of health information. This covers “Protected Health Information ” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.¹ The critical question to ask yourself is, “How confident are you in your understanding of HIPAA and how it relates to EMR or EHR use and management?”

The Security Rule and Your Potential Risks

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and its business associates conduct a risk assessment of their healthcare organization as part of their risk management process.²

What is Risk Assessment?

Video courtesy of the Office of the National Coordinator for Health IT

How to Do a Risk Analysis

To do a risk analysis you can utilize a free online Security Risk Assessment Tool (SRA Tool). This tool was created by The Office of the National Coordinator for Health Information Technology (ONC), working with the HHS Office for Civil Rights (OCR). Use the following link to download the SRA Tool from the HealthIT.gov website.

Why you need to do a risk assessment.: Doing an initial risk assessment can give you actionable information for avoiding legal problems with HIPAA non-compliance. Acting now to identify and resolve issues likely puts an end to immediate risks of civil or criminal liabilities.

Basic things you need to know about Security Risk Analysis: The introduction of new programs or regulations often generates unnecessary concerns and misinformation. The following is a list “Top 10 Myths of Security Risk Analysis “, provided on the HealthIT.gov website.

Top 10 Myths of Security Risk Analysis

1. The security risk analysis is optional for small providers.

False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

2. Simply installing a certified EHR fulfills the security risk analysis MU requirement.

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

3. My EHR vendor took care of everything I need to do about privacy and security.

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

4. I have to outsource the security risk analysis.

False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.

5. A checklist will suffice for the risk analysis requirement.

False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

6. There is a specific risk analysis method that I must follow.

False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This Guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

7. My security risk analysis only needs to look at my EHR.

False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

8. I only need to do a risk analysis once.

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see the Reassessing Your Security Practice in a Health IT Environment.

9. Before I attest for an EHR incentive program, I must fully mitigate all risks.

False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.

10. Each year, I’ll have to completely redo my security risk analysis.

False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.

How to Avoid Common HIPAA Compliance Problems

The next step in avoiding HIPAA trouble is implementing measures to prevent new compliance issues. Next, we offer ideas and tips for a proactive approach to maintaining HIPAA compliance for electronic health records.

Create an EMR Compliance Checklist

Protecting your patient’s medical records starts with implementing measures that address key areas of PHI security. Your guide and checklist should be used to educate persons accessing and managing data, and govern the workflow practices.

Be certain to do periodic reviews of, and make appropriate updates to, your guide and checklist. Part of your internal review process should be conducting a new Risk Assessment using the SRA Tool mentioned above.

Use the HIPAA Security Rule

You can refer to the HIPAA Security Rule to develop a compliance checklist. The HIPAA Security Series (PDF’s) identify three specific areas that must be properly managed. Per the HIPAA Security Series, “While there is no one approach that will guarantee successful implementation of all the security standards, this series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions.”³ These three areas are as follows:

1. Administrative Safeguards

The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

The Administrative Safeguards comprise over half of the HIPAA Security requirements. As with all the standards in this rule, compliance with the Administrative Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each covered entity.⁴

2. Physical Safeguards

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.

When evaluating and implementing these standards, a covered entity must consider all physical access to EPHI. This may extend outside of an actual office and could include workforce members’ homes or other physical locations where they access EPHI.⁵

3. Technical Safeguards

The Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

As outlined in previous papers in this series, the Security Rule is based on the fundamental concepts of flexibility, scalability and technology neutrality. Therefore, no specific requirements for types of technology to implement are identified. The Rule allows a covered entity to use any security measures that allow it reasonably and appropriately to implement the standards and implementation specifications. A covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.⁶

Specifics – 5 Common Causes for HIPAA Trouble

Refer to the following list to learn about common causes for HIPAA trouble related to PHI management. Every practice should discuss these types of things with their employees and vendors to mitigate occurrences of violations.

1. Staff PHI Disclosures. Whether inadvertent or deliberate, employees should discuss a patient’s PHI only when necessary. Every employee should refrain from discussing patient information outside of the workplace, or where uninvolved parties can hear or see the information. Although it should be obvious, employees should never discuss patient information or post related images on social media, blogs or forums.

2. Loss of Control of Information. There are many ways that you can lose control of electronic health records. The worst case scenario is a full data breach involving your computer network being hacked, or a system breach for cloud-based file storage.

A second way of losing electronic information is when information is taken out of your facility. This could be emailing or texting information where it may be accessed by someone other than the intended recipient.

A third way of losing information is when information stored on devices is lost due to theft or burglary. If you feel it is necessary to have PHI on laptops, tablets, phones, or home computers, you should have strong passwords on every device. Keeping health record information on removable devices (thumb drives, external hard drives, etc.) is extremely risky.

3. Negligence & Careless Actions. Problematic disclosure of information often occurs within a medical practice or clinic. This happens when employees inadvertently place or leave files where information can be viewed by other patients, vendors or other unauthorized third-parties. An example is open files on a workspace near a check-in area or check-out area.

4. Unauthorized Access For any number of reasons, employees may engage in unnecessary or unauthorized access to patient health information. Unauthorized access problems could be created by third parties such as vendors, cleaning staff, maintenance technicians, etc.

5. Casual Thinking: Some employees lack an understanding of HIPAA regulations or simply do not apply personal discipline in their work. All employees should be trained in best practices, regulations, standards, and laws regarding health records management. This includes when it is appropriate to share or transfer information, how to confirm consent and authority to provide information to others.

Every medical practice, clinic or facility utilizing electronic health records software needs a formal approach for total HIPAA compliance. HIPAA trouble can be avoided by educating your staff on how to prevent electronic health records errors.

FOOTNOTES & CREDITS

¹ Office for Civil Rights, “Summary of the HIPAA Privacy Rule”, July 26, 2013, Available from HHS.gov
² HealthIT.gov, “Security Risk Assessment”, November 1, 2018, Available from HealthIT.gov
³ HHS.gov, “HIPAA Security Series”, March 2007, Available from Dept. of Health & Human Services
⁴ HHS.gov Website, “Security Standards: Administrative Safeguards”, March 2007, Available from Dept. of Health & Human Services
⁵ HHS.gov Website, “Security Standards: Physical Safeguards”, March 2007, Available from Dept. of Health & Human Services
⁶ HHS.gov Website, “Security Standards: Technical Safeguards”, March 2007, Available from Dept. of Health & Human Services

Electronic Health Records Errors – How to Avoid HIPAA Trouble