How to Protect Patient EMR to Comply With the HIPAA Privacy Rule

By Tayla Holman January 21, 2016 Posted in: Your Practice, Article

At a time when everybody is storing and transmitting personal information online, security is a high priority, and if your medical practice is one of many that uses electronic medical records (EMR), protecting your patients' health information should be a top concern. The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities -- including health plans, health care clearinghouses, and health care providers who electronically transmit health information -- comply with certain rules regarding patients' protected health information (PHI).

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, and the HIPAA Security Rule sets national standards for the security of electronic protected health information (e-PHI). Specifically, the Security Rule requires that covered entities maintain appropriate physical, administrative, and technical safeguards to protect e-PHI.

The Department of Health and Human Services also requires that covered entities develop and implement written policies that are consistent with the HIPAA Privacy Rule and that workforce members be trained on privacy policies and procedures. The Office for Civil Rights has educational programs for providers on multiple aspects of the Privacy and Security Rules. Covered entities must also designate a privacy official who will be responsible for developing and implementing policies and procedures.

Once policies are written down and communicated to staff, employees should sign the documents to show that they understand and will adhere to the policies. Appropriate sanctions should be put into place in case of violations. The following policies can help protect patient EMR and bring your practice into compliance with HIPAA.

Require Passwords

Complex passwords are an effective safeguard against unauthorized access of PHI, and the HIPAA Security Rule requires that covered entities establish guidelines for creating passwords and changing them during periodic change cycles. Password policies may include requiring passwords to be changed every 90 days or meeting criteria such as a certain length or containing a mix of upper- and lowercase letters, special characters, and numbers. Beyond these safeguards, staff should never share their passwords with co-workers or write them down and leave them in areas that are visible and accessible to others. Another password policy that practices may want to implement is to lock out a user or require a password reset after multiple failed log-in attempts.
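The password controls listed above (length and character mix, a 90-day change cycle, lockout after repeated failed log-ins) are straightforward to express in code. The block below is an added example, not code from the article or from any EMR product; the 12-character minimum and the 5-attempt lockout threshold are assumed values, since the text only says "a certain length" and "multiple failed log-in attempts".

```python
"""Added example (not from the original article): enforcing the password
controls named in the text. MIN_LENGTH and LOCKOUT_THRESHOLD are assumed
values; the 90-day rotation cycle is the one the article mentions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import string

MAX_PASSWORD_AGE = timedelta(days=90)  # rotation cycle named in the article
MIN_LENGTH = 12                        # assumed; article says "a certain length"
LOCKOUT_THRESHOLD = 5                  # assumed; article says "multiple failed log-in attempts"


def password_problems(pw: str) -> list[str]:
    """Return the complexity rules a candidate password fails (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


@dataclass
class Account:
    user: str
    password_set_at: datetime   # when the current password was chosen
    failed_attempts: int = 0
    locked: bool = False

    def password_expired(self, now: datetime) -> bool:
        """True once the password is older than the 90-day change cycle."""
        return now - self.password_set_at > MAX_PASSWORD_AGE

    def record_login(self, succeeded: bool) -> str:
        """Apply the lockout rule to one log-in attempt; returns the resulting state."""
        if self.locked:
            return "locked"            # stays locked until an administrator resets it
        if succeeded:
            self.failed_attempts = 0   # a successful log-in clears the failure counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "failed"
```

A real deployment would persist the counter and lock state server-side and alert on lockouts, since a burst of failures against several accounts is a signal worth investigating.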

Lock Everything Tight

A clear-screen policy means that staff must either log off or lock their computers when they're away. This ensures that the information on the computer is protected from unauthorized access. Keyboard shortcuts that allow employees to quickly lock their computers or password-protected screen savers that turn on after a certain amount of time can also help prevent unauthorized access of PHI.

Control Access

Both the HIPAA Privacy Rule and the Security Rule limit the uses and disclosures of PHI to the "minimum necessary." This means that access to PHI should be authorized only when it's appropriate based on the employee's role. Covered entities must also implement technical policies and procedures that allow only authorized personnel to access e-PHI.

Although the Privacy and Security Rules set standards for securing patient EMR, they are not intended to be definitive guidelines for compliance, and there are several factors that will influence the safeguards each entity needs to put into place. These include the size of the covered entity, as well as the entity's technical infrastructure, hardware, and software security capabilities.

Some of these policies are commonly implemented at companies across all industries, but for medical practices that house a wealth of personal information on their patients, privacy and security are of the utmost importance. You want your patients to trust in your security, and that process begins with HIPAA compliance.