HIPAA Security Rule Compliance for Electronic Medical Records

The Secretary of the U.S. Department of Health and Human Services (HHS) developed regulations protecting the confidentiality of patients and the security of certain health information. [1] To enforce these regulations, HHS published, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HIPAA Privacy Rule and the HIPAA Security Rule. [1] Under the HIPAA Security Rule, physicians must protect patients' electronically stored health information (known as "ePHI") by implementing appropriate administrative, physical and technical safeguards to maintain the confidentiality, integrity and security of this information (American Medical Association). [1, 2] All covered entities, including those using certified electronic health record (EHR) technology, must evaluate their security risks. [2]


HIPAA security rule: A flexible strategy for protecting ePHI


The Security Rule is built on a model of scalability, flexibility and generalization. The security regulations comprise a three-tiered system of requirements. At the first tier, all covered entities are required to meet a series of standards and legal requirements. The second tier consists of implementation specifications ("required" specifications, which are mandatory, and "addressable" specifications, which depend on the entity's situation); these act as a detailed guide and set out the steps needed to be HIPAA-compliant. At the third tier, these specifications are carried out. The required documentation must be retained for at least six years (state requirements may mandate longer retention periods). [2]


Risk Assessment


1. Evaluate the probability and impact of potential risks to ePHI. [3]
2. Employ suitable security measures to address the risks identified in the risk analysis. [4]
3. Properly document the chosen security measures together with the rationale for adopting them. [5]
4. Sustain continuous, reasonable and appropriate security protections. [6]


Responsibilities of a Covered Entity to Ensure Protection of ePHI


1. Regular review of its records to track access to ePHI and detect the frequency of security incidents. [7]
2. Periodic evaluation of the effectiveness of the security measures that have been implemented. [8]
3. Regular reassessment of potential risks to ePHI. [9]


The three layered safeguard approach of HIPAA Security Rule


The administrative, physical and technical safeguards help maintain compliance with the Security Rule and support documenting every security compliance measure. [2]


[Figure: HIPAA three-layered safeguard security rule]

GeeseMed: A complete HIPAA-compliant platform

GeeseMed virtual scribe solutions are HIPAA-compliant and enable users to navigate the EMR, update notes, locate labs, order prescriptions, and adjust coding or billing information.

[Figure: GeeseMed HIPAA-compliant virtual scribe functionality]

For more information contact: sales@MDofficeManager.com

References:


1. Public Law 104-191 - Health Insurance Portability and Accountability Act of 1996. https://www.govinfo.gov/app/details/PLAW-104publ191

2. HIPAA security rule & risk analysis. American Medical Association. https://www.ama-assn.org/practice-management/hipaa/hipaa-security-rule-risk-analysis
3. 45 C.F.R. § 164.306 - Security standards: General rules. 45 C.F.R. § 164.306(b)(iv)
4. 45 C.F.R. § 164.308 - Administrative safeguards. 45 C.F.R. § 164.308(a)(1)(ii)(B)
5. 45 C.F.R. § 164.306(d)(3)(ii)(B)(1); 45 C.F.R. § 164.316(b)(1)
6. 45 C.F.R. § 164.306(e)
7. 45 C.F.R. § 164.308(a)(1)(ii)(D)
8. 45 C.F.R. § 164.306(e); 45 C.F.R. § 164.308(a)(8)
9. 45 C.F.R. § 164.306(b)(2)(iv); 45 C.F.R. § 164.306(e)
10. 45 C.F.R. § 164.304
11. 45 C.F.R. § 164.304
12. 5 C.F.R. § 164.312