Let’s face it, in today’s digital age, it’s tough to find a medical practice that doesn’t use an electronic health records (EHR) system. Even if you were late to the game and just recently made the switch, the use of EHRs in doctors’ offices nearly doubled between 2009 and 2017, to almost 86% of providers. One of the biggest qualifications for any EHR system is that it meets all HIPAA-compliance requirements to protect the sensitive patient data held within it.
But is that where HIPAA compliance begins and ends?
A common misconception among providers is that implementing a HIPAA-compliant EHR ensures their practice is in compliance with all standards. In reality, it’s just one piece of a much larger puzzle.
Make no mistake, having a HIPAA-compliant EHR is essential. Several safeguards should be in place to protect your EHR’s electronic data, such as:
- Having the proper technical safeguards in place to secure your online databases.
- Having access controls, such as unique logins for your EHR system, that limit access to authorized individuals.
- Encrypting all information stored within your EHR.
- Keeping access logs for your EHR system in case of a breach or an audit.
While these safeguards are key, other HIPAA requirements go beyond the security of your EHR software and affect your practice’s operations, physical accessibility and all technology used within the organization — including IT networks and other applications not included in your EHR software. That’s why the Security Risk Analysis’ three sections — administrative, physical and technical safeguards — are so essential to ensuring every aspect of your business’ risk is assessed.
- First, let’s look at HIPAA-compliant operations and administrative safeguards. Much of HIPAA law applies to having the proper policies and procedures in place. This means documenting things like how your practice releases protected health information (PHI), how you complete required annual HIPAA training, how you review employee access to PHI, how you’ll apply sanctions to workforce members who violate privacy laws, and more. Most of these address how the “business” side of your practice operates. What’s more, your policies must reflect your actual practice operations — they can’t simply be templates downloaded off the internet to meet HIPAA requirements. Administrative safeguards should also include having all contracts in place to protect your PHI, such as Business Associate Agreements with all required vendors — including your EHR provider.
- Second, your physical safeguards encompass both obvious and not-so-obvious ways to protect your practice from harm. This means determining whether you have locks on your doors (we hope this one is covered), but also how often access codes are changed, when your last fire marshal inspection was, whether you use privacy screens to keep PHI on computers in use from being seen, and whether your PHI is physically separated from patients to prevent unauthorized access — just to name a few. Physical security is key to showing your practice’s efforts to prevent loss or theft of PHI, and it goes well beyond your EHR system.
- Lastly, beyond your EHR, your practice has likely implemented several other technology systems and applications. These technologies carry the same risks as your EHR and need technical safeguards to ensure the privacy of the PHI they store or access. From your office Wi-Fi to your cloud storage solution or server, each system must have controls to prevent unauthorized access to your PHI. In fact, the more technology you rely on, the more accessible PHI is to the wrong people. It’s not just data at rest, either — sending emails containing PHI requires encryption, as does instant messaging or text messaging when it includes PHI. All of these systems are gateways to your practice’s data and are just as essential to protect as your EHR solution.
Even those who aren’t HIPAA experts can conclude that having a HIPAA-compliant EHR system is a no-brainer. But missing all, or even just some, of the other pieces of the puzzle puts your practice and your patients at high risk. In fact, within Abyde’s Security Risk Analysis, only 10% of the questions pertain to your EHR system. Whether with Abyde, internally, or with another vendor, it’s essential to review the other 90% of your necessary safeguards before getting slammed with a HIPAA violation.
Abyde is an FDA Crown Savings Endorsed Partner, and the Abyde software solution is the easiest way for a dental practice of any size to implement and sustain a comprehensive HIPAA compliance program. FDA members save 20% on Abyde services that help their practices meet government-mandated HIPAA standards that protect patient health information by identifying and correcting key security safeguards. Visit fdaservices.com/abyde or call 800.594.0883.
This article was originally posted on Abyde’s blog on July 16, 2020. Reprinted with permission.