At a time when everybody is storing and transmitting personal information online, security is a high priority, and if your medical practice is one of many that uses electronic medical records (EMR), protecting your patients' health information should be a top concern. The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities -- including health plans, health care clearinghouses, and health care providers who electronically transmit health information -- comply with certain rules regarding patients' protected health information (PHI).
The HIPAA Privacy Rule protects the privacy of individually identifiable health information, and the HIPAA Security Rule sets national standards for the security of electronic protected health information (e-PHI). Specifically, the Security Rule requires that covered entities maintain appropriate physical, administrative, and technical safeguards to protect e-PHI.
The Department of Health and Human Services also requires that covered entities develop and implement written policies that are consistent with the HIPAA Privacy Rule and that workforce members be trained on privacy policies and procedures. The Office for Civil Rights has educational programs for providers on multiple aspects of the Privacy and Security Rules. Covered entities must also designate a privacy official who will be responsible for developing and implementing policies and procedures.
Once policies are written down and communicated to staff, employees should sign the documents to show that they understand and will adhere to the policies. Appropriate sanctions should be put into place in case of violations. The following policies can help protect patient EMR and bring your practice into compliance with HIPAA.
Complex passwords are an effective safeguard against unauthorized access of PHI, and the HIPAA Security Rule requires that covered entities establish guidelines for creating passwords and changing them during periodic change cycles. Password policies may include requiring passwords to be changed every 90 days or meeting criteria such as a certain length or containing a mix of upper- and lowercase letters, special characters, and numbers. Beyond these safeguards, staff should never share their passwords with co-workers or write them down and leave them in areas that are visible and accessible to others. Another password policy that practices may want to implement is to lock out a user or require a password reset after multiple failed log-in attempts.
Lock Everything Tight
A clear-screen policy means that staff must either log off or lock their computers when they're away. This ensures that the information on the computer is protected from unauthorized access. Keyboard shortcuts that allow employees to quickly lock their computers or password-protected screen savers that turn on after a certain amount of time can also help prevent unauthorized access of PHI.
Both the HIPAA Privacy Rule and the Security Rule limit the uses and disclosures of PHI to the "minimum necessary." This means that access to PHI should be authorized only when it's appropriate based on the employee's role. Covered entities must also implement technical policies and procedures that allow only authorized personnel to access e-PHI.
Although the Privacy and Security Rules set standards for securing patient EMR, they are not intended to be definitive guidelines for compliance, and there are several factors that will influence the safeguards each entity needs to put into place. These include the size of the covered entity, as well as the entity's technical infrastructure, hardware, and software security capabilities.
Some of these policies are commonly implemented at companies across all industries, but for medical practices that house a wealth of personal information on their patients, privacy and security are of the utmost importance. You want your patients to trust in your security, and that process begins with HIPAA compliance.