My EMR Makes Me HIPAA Compliant, Right?
No, having an EMR/EHR does not make your organization HIPAA compliant. This is a compliance mistake many organizations unknowingly make. As I visit facilities and ask the privacy officer how their HIPAA compliance program is working, they often respond that all is well because they have an EMR/EHR that keeps them compliant. The truth is the EMR/EHR itself may be HIPAA compliant, but that has no bearing on the compliance level of the entire organization. Let’s dig deeper into this issue to understand what I am saying.
When a vendor implements an EMR/EHR solution, all the compliance activities surround the EMR/EHR solution only. For instance, the vendor will set the EMR/EHR to force the staff to change their password the first time they log in and to use the password every time thereafter. By doing so, the EMR/EHR is helping the organization implement and use unique user identifications as required by the Access Control standard in the security rule. Another example involves the automatic logoff feature. The EMR/EHR’s electronic session is set to automatically logoff after a predetermined time of inactivity. Again, this is another requirement under the Access Control standard of the security rule. Finally, most EMR/EHRs allow the security officer to partition off areas in the EMR/EHR using an individual’s role in the organization, such as nurses, technicians, and doctors. This feature allows the organization to meet the “minimum necessary principle” of the privacy rule where the staff member only has access to the PHI required to do their job. In summary, the EMR/EHR vendor develops privacy and security safeguards into the EMR/EHR that allows the EMR/EHR to be used in a compliant manner.
However, although you have an EMR/EHR that is HIPAA compliant, the rest of your organization needs to meet the requirements of the security and privacy rule as well. The two security features of unique user identification and automatic logoff needs to be implemented in all of the organization’s information systems that process or maintain ePHI, not just the EMR/EHR. Privacy concerns such as accounting of disclosures, requests for restrictions, business associate management, providing a notice of privacy practices, answering HIPAA complaints, or security concerns such as conducting risk analysis, developing contingency plans, facility security plan, and security awareness and training, happen outside the EMR/EHR and thus must be implemented independently of the EMR/EHR for the organization to be HIPAA compliant. So, to summarize, it is incorrect to say you are HIPAA compliant because your EMR/EHR does it all for you. A compliant EMR/EHR is just a fraction of the organizations total efforts to meet the HIPAA security and privacy Rule.