Law Doc

Electronic Health Records: Are You in Compliance?

Written by Goosmann Law Team | Feb 24, 2015 12:30:37 PM

The federal government is setting deadlines for physician practices to make the switch to electronic health records (EHRs) and recently announced plans to begin financially penalizing those practices which do not make this switch to EHRs. Although the final government rules regarding EHRs may be modified, the government has made it clear that financial penalties for not using EHRs will still be used. Because of these trends it is more and more important for health care providers, and other health-related entities, to ensure that they have taken proper steps to protect the privacy of health information that is available through cyberspace.

In order to avoid legal liability for the disclosure of protected health information it is important to understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA) security rule.

Overview of HIPAA Security Rule

The HIPPA Security Rule covers individuals’ electronic personal health information (ePHI) that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. Under the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 the scope of the HIPAA Security Rule expanded to include Business Associates as being responsible for the security and integrity of ePHI.

Who Is Covered by the HIPAA Security Rule?

By law, HIPAA applies only to “covered entities.” Which include:

  • Health Plans: health insurance plans, long-term care insurers, employer-sponsored group health plans, HMOs, etc.
  • Healthcare Clearinghouses: billing services, repricing companies, value-added networks
  • Health Care Providers who transmit health information in electronic form

However, most health care providers and health plans do not carry out all patient-related functions themselves. Often billing, coding, records transcription services, etc. are completed by third-party entities, referred to as “business associates” under HIPAA. Because of the expansion of the HITECH Act of 2009, business associates must also adhere to the HIPAA security rule. The inclusion of business associates under the HIPAA security rule broadly expands the scope of compliance and may catch many businesses, which are not traditional “health care” businesses by surprise.

What Information Is Protected Under the HIPAA Security Rule

While the HIPAA privacy rule protects the privacy of individually identifiable health information, the security rule applies only to individually identifiable health information that a covered entity creates, receives, maintains or transmits in electronic form. This information is referred to as ePHI. However, given the breadth of use of electronic media in the health care sector, the scope of the security rule is immense and will only continue to grow.

General Requirements Under HIPAA Security Rule

Covered entities and business associates must maintain reasonable and appropriate administrative, technical, and physical safeguards to protect ePHI. These requirements include:

  • ensuring the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit.
  • identifying and protecting against reasonably anticipated threats to the security and integrity of the ePHI.
  • protecting against reasonably anticipated, impermissible uses or disclosures of ePHI.
  • ensuring compliance by their workforce.

As part of these requirements, ePHI must not be available or disclosed to unauthorized persons. In addition, ePHI must not be altered or destroyed in an unauthorized manner. Furthermore, ePHI must be accessible and usable on demand by authorized personnel. The HIPAA security rule applies to all covered entities, whether it is a one-person office, or a multi-state hospital system.

For more information on whether your business' EHRs are in compliance with HIPAA, contact the Goosmann Law Firm at info@goosmannlaw.com or (712) 226-4000.