From providers to technology vendors, HIPAA knowledge is important for anyone involved in the healthcare industry. While the topic of HIPAA and ePHI security goes far beyond EHRs, ensuring your EHR system’s security is one of the most important strategies to align your organization with HIPAA guidelines. In this blog, we discuss six tips for maintaining HIPAA compliance and how the right EHR can help post-acute providers stay within regulation.
Make sure your EHR supports user verification.
The HIPAA Security Rule requires that systems implement the electronic mechanisms that verify the unique identity of anyone seeking access to private health information (PHI). This verification can be done either using a password or something unique to the user such is biometrics (fingerprints, facial recognition etc.). Ensure no user identities are shared in your organization — each user must sign into the EHR using a unique user ID.
The EHR should provide strong password management, either built-in or through federation with third-party identity providers, such as Azure AD, Okta, etc. The system must provide the password configuration capabilities (such as minimal requirements on the password length and complexity) to support the security policies in your organization.
Make sure your EHR offers strong access controls.
According to the HIPAA Security Rule, EHR systems must have access controls in place that enable authorized users to access the minimum necessary information needed to perform job functions. For example, EHRs should allow administrators to configure their clinicians to operate in the clinical domain of the product only. Similarly, billers should only have access to billing modules. Furthermore, healthcare organizations should have a way to deactivate access to the product immediately for those no longer employed.
Additionally, healthcare organizations should establish procedures and instruct employees on possible ways to gain access to ePHI in case of emergency, and EHRs should enable the means to obtain this data (such us ability to export, print the reports, etc.).
Make sure your EHR has the means to log out and lock automatically after a time of inactivity.
Automatic logoff is an effective way to prevent unauthorized users from accessing ePHI on the user device when left unattended for a period of time. EHR systems should be designed to detect the user inactivity and either log users off automatically or lock the device. They should also be able to lock the account after a certain number of unsuccessful login attempts.
Make sure your EHR has integrity controls and encryption.
The EHR should store ePHI on the user device and on the servers, which should be encrypted (this is sometimes referred to as “encryption at-rest”). Similarly, the ePHI transmitted over the internet must be encrypted using industry-standard protocols such as TLS (Transport Layer Security).
Furthermore, the integrity controls must be built in to ensure improper alteration or destruction of ePHI that is either stored on the hard drive or transmitted over the internet (encryption “in-flight”).
Make sure your EHR has audit controls built in.
HIPAA requires implementation of audit hardware, software, and procedural mechanics that both record and examine PHI activity. Ensure your EHR has some level of audit controls built in, allowing you to examine the user activity with regard to PHI.
Make sure you have non-technology related safeguards.
HIPAA regulations go beyond the technical safeguards within the EHR systems described above. Healthcare organizations should implement policies and procedures, and establish organizational and administrative standards to comply with a full scope of HIPPA regulations.
This blog post is provided for informational purposes only and is not intended to be, and should not be construed as, legal advice.