HIPAA Privacy Rule Looking Behind the Curtain at the New EMR Requirements

Recently, we wrote about elements of the American Recovery and Reinvestment Act of 2009 (ARRA) that impact HIPAA privacy. Along with ARRA, the Health Information Technology for Economic and Clinical Health (HITECH) Act mandates that healthcare providers take a series of steps to strengthen safeguards for Protected Health Information (PHI). Alongside the new rules come increased penalties that now include criminal prosecution and fines of up to $1.5MM annually. With the risk of imprisonment and crippling penalties, it’s time to pay attention to the handling of PHI. Here are some specific steps you need to take if you intend to be HIPAA compliant.

It’s easy to get befuddled in the world of acronyms we live in, so before we start, let’s get clear on a few definitions*.

  • Covered Entity (CE)—Covered entities are defined in the HIPAA rules as 1) health plans, 2) health care clearinghouses, and 3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage, but they also include patient-shared clinical information. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.
  • Protected Health Information (PHI)—Individually identifiable health information that is 1) transmitted by electronic media, 2) maintained in electronic media, or 3) transmitted or maintained in any other form or medium.
  • Business Associate (BA)—With respect to a covered entity, a business associate is a person who, other than as a member of the covered entity’s workforce, performs, or assists in the performance of, a function or activity on behalf of the covered entity that involves the use or disclosure of individually identifiable health information.

* Note that these definitions are abbreviated and are NOT all-inclusive. The legal definitions can be found on the DHHS website.

In general, managing your HIPAA compliance can be broken into 3 segments – employee training, documentation, and a risk assessment.

Employee Training

Training is required for “all members of the workforce with respect to the policies and procedures” on use and disclosure of protected health information “as necessary and appropriate for the members of the workforce to carry out their function within the covered entity.”

In short, any employee with access to, or potential access to, PHI is required to participate in regular trainings. Recurrent training is required, but the specific interval is not defined (triennial retraining was dropped from the Final Rule), nor is the method of verification defined (the requirement for employee sign off on the training was dropped from the Final Rule).

In addition to training your workforce on the covered entity’s policies and procedures for handling PHI, a comprehensive training program should also cover basic computer knowledge to prevent errant use of a workstation with PHI access. For example, employees should be aware of the risks presented by accessing the Internet or downloading software from their networked workstation.

Action Step 1:

  • Document a training schedule for existing employees.
  • Acquire or enroll your employees in a HIPAA training program. Numerous options exist online.
  • Tailor a training schedule for your specific policies and procedures. Be sure to include educating your staff on what constitutes a PHI breach and exactly what your protocol is for reporting it.

Documentation

As a covered entity, you are required to maintain specific documentation as it pertains to the handling of PHI in your facility by your workforce and any business associates. Documentation includes, but is not limited to:

  • Administrative Security Functions, including the identification of your Information Security Officer (ISO)
  • Audit Log Policy that includes documenting how your EMR and HL7 logs are maintained
  • Interface Setup and Contact Information
  • Business Associate Agreements—If you’re asking yourself which vendors should sign one, as a general rule we recommend erring on the side of caution and including most, if not all, of your active vendors that could conceivably have access to your PHI. Yes, this should include your janitorial service.
  • List of EHR users and permissions
  • Remote Access Policy with users identified
  • Data Backup Plan
  • Disaster Recovery Plan
  • Stated policy review period (we recommend quarterly reviews)
  • Employee Sanction Policy with acknowledgment of the importance of protecting PHI
  • Security Breach Plan—Who is to be notified in your office (typically your ISO), what your lock-down procedures are, and under what conditions you communicate the breach to potential victims.

Documentation packages can be purchased online but will need to be tailored to your specific needs. We recommend keeping both an electronic and printed version of your documentation for easy reference.

Action Step 2:

  • Acquire a documentation package.
  • Customize it to the specific circumstances of your practice.
  • Store it electronically and in printed form and make it available to your staff.

Risk Assessment

The most challenging requirement for meeting HIPAA compliance is the risk assessment. Numerous guides and toolkits exist for documenting the risk assessment, but regardless of the tool, it’s a daunting process that is best handled by professional IT personnel. The risk assessment includes addressing technical, administrative, and physical risks. CMS published a series of questions to be covered during a risk assessment. If you don’t have it, you can go to www.hipaascore.com to review the published questions and complete the form for an idea of where you stand at this point in time. Recently, a handful of companies have begun offering facility risk assessments. It’s your discretion whether to conduct the assessment internally or to hire an outside firm.

The bottom line for making the decision is time and skill level. If you’re confident in your tech skills and have the time to devote, then you’ll save some money. We estimate a five-user network will take three days to a week to thoroughly document a risk assessment, depending on your tech skills. By contrast, a professional IT staff, through experience and the use of automated tools, can conduct the same assessment in one to two days. If you choose to conduct the assessment in house, we encourage you to invite your IT resources to assist in the process, since the potential liability you now face can be practice-ending.

Action Step 3:

  • Determine if the Risk Assessment will be conducted in-house or through a third party.
  • If in-house, download a Risk Assessment from the numerous sources online and complete it.
  • If outsourcing, identify the IT company to perform the task and schedule the Assessment.
  • Keep a record of the Assessment and schedule a review date (we recommend quarterly or as changes occur).

The poet Robert Burns famously wrote, “The best-laid plans of mice and men/Go oft awry.” When it comes to data security, nothing could be more accurate. The truth is there is no impenetrable wall to protect your PHI. Whether it’s an unintentional act by an employee (the most common cause of a breach) or a determined hacker set on breaking into your network, the reality is that PHI is a liability for you and your practice. The goal of your effort is not to eliminate the risk, but rather to minimize your exposure to litigation, penalties, and imprisonment. That can be done by demonstrating that you actively took every reasonable step possible to protect your data. Performing the tasks described herein should be considered a minimum threshold for meeting HIPAA compliance. It also means that failure to conduct and document these steps likely leaves you in an indefensible position in the event of a “potential” breach, as CMS states it. If this makes you hate your EMR, remember that in many ways paper charts were less secure than even the most minimally protected network and EMR. The difference is that HIPAA now has a spotlight shining on it, and the more aware consumers become of their rights, the larger the liability will loom, be it with paper charts or EPHI.