- Is your Health Care Practice operating an Electronic Medical Records (EMR) System?
- Have you, as a Covered Entity (CE) validated each aspect of your IT systems to ensure your patient’s data is secure?
- Does your IT Firm, as a Business Associate, alleviate potential “new” concerns for various technologies?
If you answered yes to any of the questions above, then read on…And after finishing, you should check out your IT Provider to be sure they are up for the challenges that lay ahead.
Health Care Practices that have implemented an EMR system are eligible for reimbursement from the government. These practices have to meet “Meaningful Use” and attest to doing so. Meaningful use covers aspects of your practice that your trusted IT provider should be helping with. Have you been able to leverage the Patient Portal? Are you ready for stage 2 in 2014? Critical concerns need to be addressed now as your practice begins to share data outside of your walls…
Are you ready for an audit from HIPAA?
- Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.(1)
Above are the summation of “technical safeguards” that are contained in the HIPAA Act of 1996. Considering the nature of EMR, practices of all sizes are now required to follow these safeguards much more closely. Has your IT provider perhaps placed your practice in a compromised situation? Are they up for the tasks at hand?
In the past, HIPAA audits were rare or occurred only when a breech occurred, however there is now funding through the HIPAA Act that is allowing for KPMG to select certain CEs for a random audit. Are you ready? According to Rita Bowen of HealthPort, most health care providers are not ready.
“…findings show that only 10%–20% of health information management (HIM) professionals, as interviewed at AHIMA-component state association meetings in 2012, are aware of these HIPAA audits or are ready for them.”(2)
Do you have an iPhone or Android Device? Do you interact with your EMR system remotely or with an iPad? If you are, then you have to ensure that your HIPAA safeguards extend to those devices. Some practices allow employees to access systems through their own devices…If you are doing this, then you need to have very strict controls in place. This setup, allowing employees to use “their device” is called Bring Your Own Device (BYOD) and requires strict controls in place.
HIPAA, Meaningful Use, BYOD, what do they all have in common? IT. The majority of concern for these various regulations are covered by a technical system or IT system. You need to be sure that your IT provider is up for the challenges that YOU are facing.