Do Not Rest On Your Laurels with Your Electronic Health Records

Written by Goosmann Law Team | Feb 20, 2015 12:12:50 PM

If you are one of the approximately 78% of physician practices that have set up electronic health records (EHR) during the last few years, or if you are a business associate working for a physician practice that uses electronic health records, you cannot simply set aside thoughts regarding access to and security of patient health records. Just as your computer, tablet or smartphone needs regular updates, your EHR system must be regularly evaluated and updated. The Health Insurance Portability and Accountability Act (HIPAA) rules require that covered entities and business associates review and modify their security measures to safeguard their electronic protected health information (ePHI) in an ever-changing technology environment.

As part of this regular risk assessment, each covered entity must:

  1. identify and analyze potential risks to ePHI
  2. implement security measures that reduce risks and vulnerabilities (to a reasonable and appropriate level)
  3. designate a security official who is responsible for developing and implementing the security plan
  4. periodically assess how well security policies and procedures are meeting the requirements of the security rule
  5. train all workforce members regarding security policies and procedures
  6. have appropriate sanctions in place, and utilize them when necessary, for staff who do not follow security policies and procedures
  7. limit physical access to its facilities while ensuring that authorized access is allowed
  8. have technical controls in place (passwords, etc.) that permit only authorized personnel to access ePHI
  9. have audit controls in place that monitor and record who gains access to ePHI
  10. have integrity controls in place that ensure that ePHI is not improperly altered or destroyed
  11. have encryption mechanisms in place to ensure that ePHI is not accessed when transmitted over an electronic network.

For more information on how you can continue protecting your ePHI, contact the Goosmann Law Firm at info@goosmannlaw.com or (712) 226-4000.