HIPAA EHR Security
The HIPAA Security Rule requires that covered entities (health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a HIPAA-related transaction) and their business associates implement security safeguards.
These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.
A common repository of ePHI is the electronic health record (EHR). Entities that use EHRs must develop and implement HIPAA EHR Security measures.
What is an EHR?
An EHR, or electronic health record, is a collection of ePHI pertaining to a particular patient. In essence, an EHR is a digital version of a patient’s paper chart. EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users.
What Does an EHR Contain?
EHRs contain standard clinical patient data, that is, the medical and treatment histories of a patient. EHR systems are built to hold considerably more information, which together paints a broader picture of a patient’s care. EHRs can also:
- Contain radiology images (X-rays, PET scans and MRIs)
- Contain laboratory and test results
- Allow access to evidence-based tools that providers can use to make decisions about a patient’s care.
- Evidence-based tools give providers access to the current best evidence available, so providers can make the most informed decisions about patient treatment and health services delivery
- Automate and streamline provider workflow
EHRs are powerful tools. Using EHRs, authorized providers can create and manage health information in a digital format that can be shared both with other providers in an organization, and with providers across more than one organization.
This sharing of information – with other health care providers and organizations, laboratories, specialists, medical imaging facilities, pharmacies, emergency facilities, and school and workplace clinics – enables all clinicians involved in a patient’s care to view the details of that care.
What are HIPAA EHR Security Measures?
EHRs are fully subject to the requirements of the HIPAA Security Rule. As such, a medical practice must take all necessary steps to protect the confidentiality, integrity, and availability of the ePHI maintained in its EHRs.
Key HIPAA EHR security measures include:
- Creating “access control” tools like passwords and PINs. Passwords and PINs authenticate users; the access rules tied to each account then limit which patients’ ePHI that user can view or change, so that only authorized individuals reach it.
- Encrypting, as appropriate, ePHI that is stored in the EHR. Encrypted ePHI cannot be read or understood except by those authorized to “decrypt” it with the corresponding “decryption key,” so protecting that key is part of the safeguard.
- Having an electronic audit trail function. An audit trail records which users accessed which ePHI, what changes were made to it, and when. Reviewing the audit trail lets an organization determine whether ePHI has been accessed or altered without proper authorization.
- Conducting a security risk analysis (sometimes referred to as a “security risk assessment”). The risk analysis process will guide you through a systematic examination of many aspects of your health care practice to identify potential security weaknesses and flaws.
Additional HIPAA EHR security measures are outlined in the HIPAA Security Rule.
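As an added example (not code from the original page or from Compliancy Group), the following Python sketches the audit-trail and authorization-review measures described above: a tamper-evident, append-only access log, and a review pass that flags ePHI access by users with no documented care relationship to the patient. The care-team table, user names and log entries are constructed for illustration and do not come from any real EHR product.

```python
"""EHR access audit trail with tamper-evident chaining and a review pass.

Added example for illustration; the care team, users and events below are
constructed sample data, not records from a real system.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: staff with a treatment relationship to each patient.
# A real EHR would derive this from encounters, orders or scheduling records.
CARE_TEAM = {
    "MRN-1001": {"dr.lee", "nurse.kim"},
    "MRN-1002": {"dr.patel"},
}

GENESIS = "0" * 64  # "previous hash" for the first entry

_FIELDS = ("ts", "user", "patient", "action", "prev")


def _digest(body):
    """SHA-256 over a canonical JSON encoding of one entry's fields."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditTrail:
    """Append-only access log. Each entry stores the hash of the previous
    entry, so deleting, reordering or editing an entry later breaks the
    chain and is detectable on review."""
    entries: list = field(default_factory=list)

    def record(self, user, patient, action, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "user": user, "patient": patient,
                "action": action, "prev": prev}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first entry that breaks the chain,
        or -1 if the whole trail is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in _FIELDS}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return i
            prev = e["hash"]
        return -1


def review(trail, care_team=CARE_TEAM):
    """Audit review: flag every ePHI access by a user who is not on the
    patient's care team. Returns (index, user, patient, action) tuples."""
    findings = []
    for i, e in enumerate(trail.entries):
        if e["user"] not in care_team.get(e["patient"], set()):
            findings.append((i, e["user"], e["patient"], e["action"]))
    return findings


def demo():
    """Build a small constructed trail: three legitimate accesses and one
    by a clinician with no relationship to the patient (index 2)."""
    t = AuditTrail()
    t.record("dr.lee", "MRN-1001", "view", "2024-03-01T09:00:00+00:00")
    t.record("nurse.kim", "MRN-1001", "update-vitals", "2024-03-01T09:05:00+00:00")
    t.record("dr.patel", "MRN-1001", "view", "2024-03-01T09:07:00+00:00")
    t.record("dr.patel", "MRN-1002", "view", "2024-03-01T09:10:00+00:00")
    return t


if __name__ == "__main__":
    trail = demo()
    print("chain intact:", trail.verify() == -1)
    print("unauthorized access:", review(trail))
    # Deleting the incriminating entry is caught by verify(), not by review().
    del trail.entries[2]
    print("after deletion, first broken entry:", trail.verify())
```

The review step alone would be fooled by an administrator who deletes or edits the offending entry, which is why the chain check runs first: the hash chain does not prevent tampering, but it makes tampering visible at review time. In a production system the chain head (or a periodic digest of it) should be copied somewhere the EHR administrators cannot write to.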
Compliancy Group Simplifies HIPAA Compliance
Covered entities and business associates can address their HIPAA EHR Security obligations by working with Compliancy Group.
Our ongoing support and web-based compliance app, The Guard™, gives health care organizations the tools to address HIPAA Security Rule standards so they can get back to confidently running their business.