My EMR/EHR Makes Me HIPAA Compliant, Right?


Far too many privacy officers lean on their electronic medical record (EMR) or electronic health record (EHR) system as a HIPAA compliance crutch. They believe (mistakenly) that an EMR/EHR system keeps their organization HIPAA compliant. Maybe that’s you. However, even if your EMR/EHR system itself is HIPAA compliant, it does not cause your organization to be HIPAA compliant as a whole. Let’s look at the HIPAA requirements that an EMR/EHR system will help you comply with and those that it won’t.

What Does an EMR/EHR Do?

EMR/EHR systems have privacy and security safeguards that help you use the system in a HIPAA-compliant manner. These safeguards include:

  • Passwords. An EMR/EHR forces each staff member to change their password the first time they log in and to use that password to access the system thereafter. This helps the organization implement unique user identification, which is a Security Rule requirement.
  • Automatic logoff. The system is set to log users off automatically after a period of inactivity, which is another Security Rule requirement.
  • Access control. In most EMR/EHR systems, a security officer can partition access according to an employee’s role in the organization (e.g., nurse, technician, or doctor). This helps the organization meet the minimum necessary standard, which requires that staff members access only the information necessary to do their jobs.

What Does It Not Do?

Privacy and security safeguards help you be HIPAA-compliant as you use your EMR/EHR system. However, privacy and security principles apply to all of your organization’s systems and processes. For example, you must implement unique user identification and automatic logoff on all of your organization’s information systems that handle electronic protected health information (ePHI), not just the EMR/EHR.

Furthermore, there are many privacy concerns that are totally independent of the EMR/EHR system. These include:

  • Disclosures
  • Restriction requests
  • Business associates
  • Notice of privacy practices
  • HIPAA complaints
  • Risk analysis
  • Contingency planning
  • Security awareness and training

You must abide by HIPAA privacy and security rules in all of these areas and many more. Clearly, a compliant EMR/EHR is just a fraction of your organization’s total efforts to meet HIPAA rules. Therefore, do not use your EMR/EHR as a HIPAA compliance crutch. If you do, you will fail to see the broader picture of HIPAA compliance at your organization.
