Electronic Health Records and The Security Rule

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Patient care in a digital age means that most patient information is stored electronically. Health information in that form is known as electronic Protected Health Information (ePHI). It is captured in an electronic health record (EHR) system, but it rarely stays there: it is also stored in, and transmitted through, a variety of other systems, such as billing, lab and imaging systems, backups, email, and portable devices. With the Health Insurance Portability and Accountability Act (HIPAA) in mind, how do you maintain security around ePHI beyond the EHR?

The HIPAA Security Rule sets the minimum standards for protecting all ePHI that a Covered Entity (CE) or Business Associate (BA) creates, receives, maintains, or transmits. It specifies the administrative, physical, and technical safeguards that those organizations must put in place to protect that ePHI.

These safeguards and requirements exist to protect healthcare providers and the internal processes they use to care for patients: the people, the data, the technology, and the facilities involved in that care. They also address the risk of cybercrime, whether that takes the form of an attack on your systems or the loss or theft of data.

Administrative Safeguards
Start with a security risk analysis. It is how you identify the risks to ePHI within your business and plan how to mitigate and remediate them; the Security Rule requires one, and it has to be repeated as your systems and workforce change. The resulting plan consists of administrative actions, policies, and procedures that address the security issues found, including how the workforce that handles ePHI is authorized, trained, and supervised.

Organizational Standards
A Covered Entity must have a written contract or other agreement, commonly called a Business Associate Agreement, with every Business Associate that creates, receives, maintains, or transmits its ePHI. The Security Rule spells out specific terms these written contracts must contain, including that the BA will apply the Rule's safeguards to that ePHI and will report security incidents to the CE.

Physical Safeguards
Policies, procedures, and physical measures must be in place to protect electronic information systems, and the buildings and equipment that house them, from natural and environmental hazards and from unauthorized intrusion. In practice this means controlling who can physically reach the facility, workstations, and media that hold ePHI: facility access controls, rules for workstation use and workstation security, and procedures for the receipt, movement, reuse, and disposal of devices and media that contain ePHI.

Policies & Procedures
A Covered Entity must adopt reasonable and appropriate policies and procedures to comply with the Security Rule, and must keep them in writing. That documentation must be retained for six years from the date it was created or the date it was last in effect, whichever is later, and it must be periodically reviewed and updated.

Technical Safeguards
The Security Rule does not require specific technology products, but it does require technical measures to be implemented. The Department of Health and Human Services defines access as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource,” and access control is the first of the technical safeguard standards. The others are audit controls, integrity controls, person or entity authentication, and transmission security. Within access control, the Rule calls for unique user identification, an emergency access procedure, automatic logoff, and encryption and decryption of ePHI.

A complete list of these safeguards, with additional detail, is available from the HHS Office for Civil Rights.
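To make two of these technical safeguards concrete, here is an added example (not from the original article or from HIPAA Secure Now!) that runs unique-user-identification and audit-control checks over a constructed EHR access log. The log format, the user and workstation names, the list of generic account names, and the time thresholds are all assumptions made for this example; a real EHR's audit trail will look different, but the checks are the same: a generic or shared account defeats unique user identification, one user ID active on two workstations at the same time usually means a shared password, and a long idle gap with no logout means automatic logoff is not being enforced.

```python
"""Audit-control checks over an EHR access log (added example, not the article's own).

The log format, names, generic-account list and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, user ID, workstation, action, patient.
SAMPLE_LOG = """\
2024-03-04T08:00:12 jdoe WS-ICU-01 login -
2024-03-04T08:01:40 jdoe WS-ICU-01 view MRN100234
2024-03-04T08:03:05 jdoe WS-ICU-03 view MRN100234
2024-03-04T08:04:00 jdoe WS-ICU-01 view MRN100981
2024-03-04T08:05:30 jdoe WS-ICU-01 logout -
2024-03-04T08:06:00 jdoe WS-ICU-03 logout -
2024-03-04T09:00:00 rpatel WS-ED-07 login -
2024-03-04T09:02:10 rpatel WS-ED-07 view MRN200771
2024-03-04T09:45:00 rpatel WS-ED-07 view MRN200771
2024-03-04T09:46:00 rpatel WS-ED-07 logout -
2024-03-04T10:00:00 nursestation WS-MED-02 login -
2024-03-04T10:01:00 nursestation WS-MED-02 view MRN300555
"""

# Assumed names of generic accounts that defeat unique user identification.
GENERIC_ACCOUNTS = {"nursestation", "admin", "shared", "frontdesk"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    workstation: str
    action: str
    patient: str


def parse_log(text: str) -> list[Event]:
    """Parse whitespace-separated audit lines (assumed format) into time-ordered Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action, patient = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ws, action, patient))
    return sorted(events, key=lambda e: e.ts)


def generic_account_use(events: list[Event]) -> list[str]:
    """User IDs that are generic or shared accounts: no one person can be held to them."""
    return sorted({e.user for e in events if e.user.lower() in GENERIC_ACCOUNTS})


def concurrent_workstations(events: list[Event], window=timedelta(minutes=5)) -> list[str]:
    """User IDs active on two different workstations within `window` with no logout
    in between: a strong sign that one credential is being used by several people."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            # A logout on the first workstation before the move is a legitimate handoff.
            if a.action != "logout" and a.workstation != b.workstation and b.ts - a.ts <= window:
                flagged.add(user)
    return sorted(flagged)


def idle_sessions(events: list[Event], max_idle=timedelta(minutes=15)) -> list[tuple]:
    """(user, workstation, idle minutes) for sessions that stayed open longer than
    `max_idle` with no activity and no logout: automatic logoff did not fire."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e.user, e.workstation)].append(e)
    findings = []
    for (user, ws), evs in by_session.items():
        for a, b in zip(evs, evs[1:]):
            gap = b.ts - a.ts
            if a.action != "logout" and gap > max_idle:
                findings.append((user, ws, int(gap.total_seconds() // 60)))
    return findings


def run_checks(text: str = SAMPLE_LOG) -> dict:
    """Run all three checks over a log and return the findings by check name."""
    events = parse_log(text)
    return {
        "generic_accounts": generic_account_use(events),
        "shared_credentials": concurrent_workstations(events),
        "idle_sessions": idle_sessions(events),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On the constructed log this reports the nursestation account, jdoe as a probable shared credential, and a 42-minute idle session for rpatel on WS-ED-07. Each finding maps to a documented implementation specification (unique user identification, audit controls, automatic logoff), which is the kind of evidence a risk analysis and a reviewer will both ask for.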

Keeping your EHR software and equipment secure is the healthcare business's responsibility. Most EHR products come with built-in features to protect ePHI, but those features only help if someone is designated to own them. Knowing how to enable, configure, and update them is critical, and that configuration should be reviewed regularly.

Whether your healthcare business has an internal IT department or relies on an outside partner to manage your network, making a strong HIPAA and cybersecurity program a priority will keep you and your patients protected.

This article was originally published on HIPAA Secure Now! and is republished here with permission.