How to Protect Patient EMR to Comply With the HIPAA Privacy Rule

By Tayla Holman January 21, 2016 Posted in: Your Practice , Article

At a time when everybody is storing and transmitting personal information online, security is a high priority, and if your medical practice is one of many that uses electronic medical records (EMR), protecting your patients' health information should be a top concern. The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities -- including health plans, health care clearinghouses, and health care providers who electronically transmit health information -- comply with certain rules regarding patients' protected health information (PHI).

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, and the HIPAA Security Rule sets national standards for the security of electronic protected health information (e-PHI). Specifically, the Security Rule requires that covered entities maintain appropriate physical, administrative, and technical safeguards to protect e-PHI.

The Department of Health and Human Services also requires that covered entities develop and implement written policies that are consistent with the HIPAA Privacy Rule and that workforce members be trained on privacy policies and procedures. The Office for Civil Rights has educational programs for providers on multiple aspects of the Privacy and Security Rules. Covered entities must also designate a privacy official who will be responsible for developing and implementing policies and procedures.

Once policies are written down and communicated to staff, employees should sign the documents to show that they understand and will adhere to the policies. Appropriate sanctions should be put into place in case of violations. The following policies can help protect patient EMR and bring your practice into compliance with HIPAA.

Require Passwords

Complex passwords are an effective safeguard against unauthorized access to PHI, and the HIPAA Security Rule requires that covered entities establish guidelines for creating passwords and for changing them on a periodic cycle. Password policies may include requiring passwords to be changed every 90 days or to meet criteria such as a minimum length or a mix of upper- and lowercase letters, special characters, and numbers. Beyond these safeguards, staff should never share their passwords with co-workers or write them down and leave them in areas that are visible and accessible to others. Another password policy that practices may want to implement is to lock out a user or require a password reset after multiple failed log-in attempts.
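The checks this section describes are simple enough to show in code. The following Python is an added example, not code from the article or from any EMR vendor; the 12-character minimum, the 5-attempt lockout threshold, the 15-minute lockout window and the 90-day rotation period are assumed values chosen for illustration (only the 90 days appears in the text), and a real practice would set them in its written policy.

```python
"""Added example (not from the article): password complexity check, password age
check, and a failed-login lockout tracker. Thresholds are assumed values."""
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List

MIN_LENGTH = 12            # assumed minimum password length
MAX_PASSWORD_AGE_DAYS = 90 # rotation period mentioned in the article
MAX_FAILED_ATTEMPTS = 5    # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration


def password_meets_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def password_expired(last_changed: float, now: float) -> bool:
    """True when the password is older than the rotation period (both times are unix seconds)."""
    return (now - last_changed) > MAX_PASSWORD_AGE_DAYS * 86400


@dataclass
class LockoutTracker:
    """Counts consecutive failed logins per user and locks the account at the threshold."""
    failed: Dict[str, int] = field(default_factory=dict)        # user -> consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # user -> unix time lock expires

    def is_locked(self, user: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout window has passed: clear the lock and the failure counter.
            del self.locked_until[user]
            self.failed.pop(user, None)
            return False
        return True

    def record_attempt(self, user: str, success: bool, now: float = None) -> str:
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"           # even a correct password is refused while locked
        if success:
            self.failed.pop(user, None)  # a successful login resets the counter
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"


if __name__ == "__main__":
    print(password_meets_policy("Correct-Horse"))   # constructed sample input
    tracker = LockoutTracker()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(tracker.record_attempt("nurse1", success=False))
```

The `now` parameter exists so the lockout logic can be exercised deterministically; in production it is left at the default and the system clock is used. Note that the tracker refuses a correct password while the lock is active, which is what makes the lockout effective against repeated guessing.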

Lock Everything Tight

A clear-screen policy means that staff must either log off or lock their computers when they step away. This ensures that the information on the computer is protected from unauthorized access while it is unattended. Keyboard shortcuts that allow employees to quickly lock their computers, or password-protected screen savers that turn on after a set period of inactivity, can also help prevent unauthorized access to PHI.

Control Access

Both the HIPAA Privacy Rule and the Security Rule limit the uses and disclosures of PHI to the "minimum necessary." This means that access to PHI should be authorized only when it's appropriate based on the employee's role. Covered entities must also implement technical policies and procedures that allow only authorized personnel to access e-PHI.
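One way to express the "minimum necessary" standard in an application is to filter record fields by role and log every decision. The Python below is an added example, not code from the article or from any EMR product; the role-to-field mapping and the sample patient record are constructed for illustration and are not a HIPAA-prescribed schedule.

```python
"""Added example (not from the article): role-based 'minimum necessary' filtering of a
patient record, with an audit trail of what each user was granted and denied."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed mapping of roles to the record fields they need for their job.
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "physician":  frozenset({"name", "dob", "diagnoses", "medications", "lab_results", "insurance_id"}),
    "nurse":      frozenset({"name", "dob", "diagnoses", "medications", "lab_results"}),
    "billing":    frozenset({"name", "dob", "insurance_id"}),
    "front_desk": frozenset({"name", "dob"}),
}

# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1970-01-01",
    "diagnoses": ["hypertension"],
    "medications": ["lisinopril"],
    "lab_results": {"ldl": 130},
    "insurance_id": "X-000",
}

AUDIT_LOG: List[dict] = []  # in a real system this would be append-only storage


def minimum_necessary_view(record: dict, user: str, role: str,
                           requested_fields: List[str]) -> Tuple[dict, List[str]]:
    """Return (granted_fields, denied_field_names) for one access request.

    An unknown role gets an empty permission set, so everything is denied by default.
    Every decision is recorded so disclosures can be reviewed later."""
    allowed = ROLE_PERMISSIONS.get(role, frozenset())
    granted = {f: record[f] for f in requested_fields if f in allowed and f in record}
    denied = sorted(f for f in requested_fields if f not in allowed)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "granted": sorted(granted),
        "denied": denied,
    })
    return granted, denied


if __name__ == "__main__":
    view, refused = minimum_necessary_view(
        SAMPLE_RECORD, "b.smith", "billing", ["name", "insurance_id", "diagnoses"])
    print("granted:", view)
    print("denied:", refused)
    print("audit:", AUDIT_LOG[-1])
```

Denying by default for unknown roles and logging both the granted and the denied fields are the two properties worth keeping whatever framework the practice uses: the first enforces the "minimum necessary" limit, the second gives the privacy official the record needed to investigate a suspected inappropriate disclosure.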

Although the Privacy and Security Rules set standards for securing patient EMR, they are not intended to be definitive guidelines for compliance, and there are several factors that will influence the safeguards each entity needs to put into place. These include the size of the covered entity, as well as the entity's technical infrastructure, hardware, and software security capabilities.

Some of these policies are commonly implemented at companies across all industries, but for medical practices that house a wealth of personal information on their patients, privacy and security are of the utmost importance. You want your patients to trust in your security, and that process begins with HIPAA compliance.
