HIPAA
Highlights of important requirements:
  • Providers must have written contracts with their “Business Associates”
  • HHS must conduct periodic compliance audits and can investigate complaints, including by subpoena
  • Civil penalties for violations caused by willful neglect run up to $250,000 per year if the violation is corrected, and up to $1.5 million per year if it is not
  • Breaches of unsecured PHI affecting 500 or more individuals must be reported to HHS without unreasonable delay (smaller breaches are logged and reported to HHS annually)
  • EMR software must have audit logging and sound user authentication and password handling
  • The provider, or a designated privacy and security official, is responsible for HIPAA compliance and staff training

HIPAA compliant medical records security

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. The Act is massive in scope, with five separate Titles. Only two Titles are important for the covered entities (health plans, health care clearinghouses and providers), and Title II, “Administrative Simplification,” is the one that contains the Privacy Rule and the Security Rule. When an electronic medical software vendor implies it is HIPAA compliant, the first question you should ask is “under what rule?” Medscribbler is compliant for its part under both the Security and Privacy Rules as modified by the HITECH Act. Providers also need to do things that are beyond the scope of just buying and installing electronic medical record (EMR) software.

In the past, if a health care provider said they were HIPAA compliant, what they likely meant was that they were attempting to comply with the Privacy Rule. Likewise, if an electronic medical record vendor said they were HIPAA compliant, they generally meant they were attempting to comply with the Security Rule. Things are much more detailed since the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH Act, 2009) as part of the American Recovery and Reinvestment Act of 2009 (ARRA). Together these acts form the basis for stimulus funds when “meaningful use” is met (see our information on meaningful use).

The HITECH Act focuses on the establishment of a national health information infrastructure and on providing incentives for the adoption of electronic health records (EHRs, which for our purposes means the same thing as an EMR). It also provides “enhanced” privacy protections. This Act places both the Privacy Rule and the Security Rule front and center for health care providers: there are now significant civil penalties (and potentially criminal penalties), as well as the prospect of stimulus incentives being denied, for non-compliance.

First, HIPAA defines a “business associate” as a person or organization, other than a member of the provider's own workforce, that performs functions or services for the provider involving individually identifiable health information: for example legal, actuarial, accounting, consulting, data aggregation, management, administrative or financial services. The critical aspect of the Business Associate concept is that the Privacy Rule requires providers to have written contracts with them. The HITECH Act goes further and makes Business Associates directly responsible for Security Rule compliance. An EMR/EHR Internet or ASP software vendor is a Business Associate (no contract means non-compliance). Scriptnetics' management of the Internet-based Medscribbler Cloud makes it a Business Associate. A Business Associate contract is also needed if a vendor is given access to an office system in order to provide technical support. This is a concept that providers, especially small providers, need to pay close attention to. Medscribbler automatically provides a completed Business Associate contract.

Certain third parties that hold health records on the patient's own behalf, such as the Microsoft HealthVault personal health record, do NOT fit this definition and are not covered entities or Business Associates. The HIPAA Privacy and Security Rules therefore do not apply to them; their own privacy policies control the data, and breaches by such vendors fall under the FTC's separate Health Breach Notification Rule created by HITECH rather than under HHS. This is an area that is still in flux. Information technology (IT) individuals and companies servicing office-based EMRs, on the other hand, should have a Business Associate contract.

Secondly, HIPAA defines electronic media broadly as both electronic storage media and electronic transmission media. The definition then excludes certain transmissions, including paper sent via facsimile and voice sent via telephone, because the information being exchanged did not exist in electronic form immediately before the transmission. Almost any electronic storage or transmission medium fits the definition (thumb drives, hard disks, etc.), but the exclusion causes confusion. For example, an email containing patient information is a transmission via electronic media even if the provider deletes it (locally and on the mail server) after sending it, because the information existed in electronic form before it was sent; deleting copies afterward does not bring it within the exclusion.

Third, HIPAA defines protected health information (PHI) as individually identifiable health information. If health care information is linked to an individual, whether on paper, by fax or electronically, it is protected in every form. To be “identifiable” the information only needs to carry demographic data that can be tied to an individual; a name and date of birth alone are enough, and the Privacy Rule's “safe harbor” de-identification standard requires removing 18 categories of identifiers before data stops being PHI. This is a particular problem for browser-based Internet EMR vendors and their customers: whole “pages” of patient information are rendered in the browser, where malware on the workstation (form grabbers, keyloggers, malicious browser extensions and “bot” infections) can read or capture it. For true Internet Cloud applications like Medscribbler, information, including demographics, is exchanged as application data between trusted computers on a private network rather than rendered as web pages in a general-purpose browser.

Next, a patient has the right to file a complaint with HHS, and HHS has the right to investigate (including by subpoena) and to conduct compliance audits. Audits are now becoming common in parts of the US that have had media-reported breaches. HIPAA rules were not previously enforced rigorously; that has changed, probably because of the incentives in the HITECH Act and political pressure. Entities identified with breaches are now posted on the HHS website. Previously, civil penalties for non-compliance were $100 per violation, capped at $25,000 per calendar year for identical violations. Under the HITECH Act the penalties are tiered by culpability: violations due to willful neglect carry up to $250,000 per year if corrected, and up to $1.5 million per year if uncorrected.

Furthermore, HIPAA's civil and criminal penalties now extend directly to Business Associates. Like HIPAA, the HITECH Act does not give an individual a private cause of action against a provider. However, it does allow a state attorney general to bring an action on behalf of his or her state's residents. Enforcement is now funded, and HHS is required to conduct periodic audits of covered entities and Business Associates.

The HITECH Act imposes breach notification requirements for unauthorized uses and disclosures of “unsecured PHI,” meaning PHI that has not been rendered unusable to unauthorized persons by encryption or destruction according to HHS guidance. Affected patients must be notified of any breach of unsecured PHI without unreasonable delay. If a breach affects 500 patients or more, HHS must also be notified at the same time, and under certain conditions local media as well; notification triggers posting of the breaching entity's name on the HHS website. The practical point for providers is that encrypting PHI to the HHS standard is the one thing that keeps a lost laptop or stolen backup from becoming a reportable breach. Notification is required whether the breach came from outside (an external “hacker”) or from inside (an employee browsing records, a stolen laptop or a lost USB drive).

There are criminal penalties for knowingly obtaining or disclosing PHI wrongfully, and the Department of Justice has brought criminal prosecutions. State law may add its own fines and penalties. HIPAA is now a serious matter.

The Privacy Rule concerns outlined above are what most doctors and other health providers think of when they think of HIPAA, but the second rule, the Security Rule, is equally important. The same audits and penalties apply to Security as to Privacy. While caring for patients, physicians and other health care providers are not directly involved in the Security Rule's mechanics, but they are just as responsible for PHI administration and security as they are for privacy.

Briefly, for administration: there must be a designated privacy official (and, under the Security Rule, a designated security official), all employees must be trained in PHI requirements, the policies and procedures for maintaining PHI must be available in written or electronic form, the Security Rule must be implemented, and several other common-sense requirements apply (e.g. no retaliation against a patient who files a complaint). The Security Rule is essentially the electronic-systems counterpart of the Privacy Rule. In terms of actual regulatory text it is short, but it is technical in nature.

Generally, the Security Rule is a codification of established information technology standards and best practices. It is, in effect, a law requiring health care providers to meet the minimum recognized business standard for electronic data storage. Ignoring the Security Rule is treated as negligence of a health care provider's fiduciary responsibility to patients. In short, small and medium-sized providers will almost certainly need to spend time understanding IT standards and/or hire IT consultants if they want to comply “reasonably and appropriately” with the Security Rule. HHS and Congress have deemed it “not reasonable” for providers to fall short of minimum IT standards.

Generally, the Security Rule requires a provider to ensure the confidentiality, integrity and availability of electronic PHI, to protect against reasonably anticipated threats and against impermissible uses or disclosures, and to ensure workforce compliance. How this is done is flexible, as long as the choices are based on a risk assessment that weighs the practice's size, technical capability, cost and the risks to PHI, and are maintained over time. The Rule requires that this risk analysis and the resulting policies and decisions be documented, and that documentation is what an HHS audit will ask for. The Security Rule's safeguards fall into three sections: administrative, physical and technical.

The requirements for the Security Rule administrative safeguards are:
  • Security management process. This standard requires a risk analysis, risk management measures, a sanction policy for workforce members who violate the rules, and regular review of information system activity. For most small and medium-sized providers this means keeping wireless networks secure, managing computer and software user names and passwords, and knowing how to inspect server security logs, especially if remote access is provided.
  • Assigned security responsibility. One named person is responsible. A small provider may take this on themselves or delegate the technical work to an IT company, but the responsibility stays with the practice.
  • Workforce security. Who is authorized to access PHI, how new staff are cleared, and how access is removed when someone leaves. Most EMR software has a user name and password function, but accounts must be kept current, with reasonable password rules, and the computers themselves need user password management as well.
  • Information access management. Authorizing each employee to see and/or change only the PHI their role requires. Most quality EMRs have a user permissions function for this, but many lesser products do not; check before you buy. Medscribbler is fully compliant.
  • Security awareness and training. There needs to be a security awareness and training program for all members of a practice's workforce, including management. This is not just the “password problem”; it also covers who is allowed to transfer information to whom, Internet use of office computers, and building a culture of security and privacy.
  • Security incident procedures. Procedures for identifying, responding to, mitigating and documenting security incidents. If an incident turns out to be a breach of unsecured PHI, the breach notification requirements above apply and patients must be informed.
  • Contingency plan. A data backup plan, disaster recovery plan and emergency mode operation plan, with periodic testing. In principle, this standard is largely met by having a tested plan that allows a provider to restore the system in a reasonable time.
  • Evaluation. Periodic review of compliance performance, repeated whenever the environment or the systems change.
The requirements for the Security Rule physical safeguards are:
  • Facility access controls. Computer records are stored on equipment that is worth stealing, and aggregated patient information is itself valuable because of its aggregation.
  • Workstation use. Unauthorized access to a workstation can allow network “hacking.” Public or shared workstations need special restrictions on the tasks they can perform.
  • Workstation security. This includes laptops. Use Windows 7 BitLocker or similar full-disk encryption technology, which also keeps a lost or stolen machine from being a reportable breach. Consider Computrace Agent for tracking and remote wipe.
  • Device and media controls. Consider disabling non-essential USB thumb-drive and other ports, limit the distribution of CD/DVD burners, and wipe or destroy drives and media before disposal or reuse.
The requirements for the Security Rule technical safeguards are:
  • Access control. A unique user ID for each user, matched to their granted access rights, plus emergency access, automatic logoff of idle sessions and encryption of stored PHI.
  • Audit controls. Implement hardware, software and procedural mechanisms that record and examine activity in PHI systems, and actually review those logs.
  • Integrity. Mechanisms to ensure PHI is not altered or destroyed improperly, and to detect it if it is. Check backups and do practice restores so you know the stored data is intact and recoverable.
  • Person or entity authentication. No shared accounts, no password sharing. Consider RFID badges or another second factor.
  • Transmission security. Use virtual private networks or other encryption for PHI in transit, and ensure network perimeter security.
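The “review of information system activity” under the security management process and the “audit controls” standard both come down to actually reading the EMR's access log. The following is an added example of that review, written for this page and not part of Medscribbler or any other product; the log format (timestamp, user, action, patient id, source address, result), the office network range, the clinic hours and the thresholds are all assumptions, and the log lines are constructed. It flags the four things a small practice's periodic log review should catch: bursts of failed logins, chart access after hours, chart access from outside the office network, and one user reading an unusual number of different charts in a short time.

```python
"""Periodic review of a constructed EMR audit log.

Added example, not vendor code. Log format, office network, clinic hours
and thresholds are assumptions; the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: a normal Monday morning, a burst of failed logins on the
# front-desk account at lunch, and a late-night read of 30 charts by the
# billing account from an address outside the office network.
SAMPLE_LOG = [
    "2024-03-04T08:02:11 drlee VIEW 1001 10.0.0.12 OK",
    "2024-03-04T08:05:40 drlee UPDATE 1001 10.0.0.12 OK",
    "2024-03-04T08:07:03 frontdesk VIEW 1002 10.0.0.20 OK",
    "2024-03-04T08:09:15 frontdesk VIEW 1003 10.0.0.20 OK",
] + [
    f"2024-03-04T12:30:{s:02d} frontdesk LOGIN - 10.0.0.20 FAIL" for s in range(0, 50, 10)
] + [
    f"2024-03-04T23:{m:02d}:07 billing VIEW {1000 + m} 198.51.100.7 OK" for m in range(30)
]

OFFICE_NET = ip_network("10.0.0.0/24")   # assumed office LAN
OFFICE_HOURS = (7, 19)                   # assumed clinic hours, 07:00 to 19:00
FAILED_LOGIN_LIMIT = 5                   # assumed: 5 failures in 10 minutes
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BULK_CHART_LIMIT = 20                    # assumed: more than 20 distinct charts in 1 hour
BULK_WINDOW = timedelta(hours=1)


def parse(line):
    """Split one log line into a dict; '-' means no patient record involved."""
    ts, user, action, patient, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "patient": None if patient == "-" else patient,
            "ip": ip_address(ip), "result": result}


def review(lines):
    """Return {(rule, user): [detail, ...]} for every rule a user tripped."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    findings = defaultdict(list)
    fails = defaultdict(list)   # user -> timestamps of recent failed logins
    reads = defaultdict(list)   # user -> (timestamp, patient) of recent chart accesses

    for e in events:
        user, ts = e["user"], e["ts"]

        if e["action"] == "LOGIN" and e["result"] == "FAIL":
            recent = [t for t in fails[user] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
            fails[user] = recent
            if len(recent) == FAILED_LOGIN_LIMIT:   # report once when the limit is hit
                findings[("failed_logins", user)].append(f"{len(recent)} failures ending {ts}")
            continue

        if e["patient"] is None:
            continue   # logins and other non-chart events are not chart accesses

        # Chart access outside clinic hours or on a weekend.
        if ts.weekday() >= 5 or not (OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1]):
            findings[("after_hours", user)].append(f"{e['action']} {e['patient']} at {ts}")

        # Chart access from an address that is not on the office network.
        if e["ip"] not in OFFICE_NET:
            findings[("remote_access", user)].append(f"{e['action']} {e['patient']} from {e['ip']}")

        # One user touching many distinct charts within the bulk window.
        recent = [(t, p) for t, p in reads[user] if ts - t <= BULK_WINDOW] + [(ts, e["patient"])]
        reads[user] = recent
        distinct = {p for _, p in recent}
        if len(distinct) == BULK_CHART_LIMIT + 1:   # report once when the limit is exceeded
            findings[("bulk_access", user)].append(f"{len(distinct)} distinct charts within {BULK_WINDOW}")

    return dict(findings)


if __name__ == "__main__":
    for (rule, user), details in sorted(review(SAMPLE_LOG).items()):
        print(f"{rule:14} {user:10} {len(details):3} event(s); first: {details[0]}")
```

Run as-is it reports the failed-login burst on frontdesk and three findings on billing (after-hours, remote and bulk access) while saying nothing about drlee's normal morning; the thresholds are the part a practice should tune to its own workflow, and the point of the review is that someone looks at the output on a schedule and records that they did so.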

Much of the Security Rule is a computer or networking chore. In many cases it is better to hire an IT company or person to manage this aspect of PHI HIPAA compliance: the technology is usually not hard to understand, but managing it is time consuming. Many small and medium-sized providers enjoy the puzzle of computer and network IT, but this is not a hobby that can be set aside for other pursuits or even for patient care, and there is no excuse for paying it no attention. At the same time, no IT person will completely understand the workflow and user requirements of a medical office, and none will do a perfect job without provider supervision. Since the provider is ultimately responsible for the privacy and security of the PHI, blaming IT will be a futile argument in the face of an HHS audit.

Recently, conversation about HIPAA has taken a back seat to other discussions. Although it is a law to protect patient privacy and the security of their health data, it is also a law that is key to the development of a national health information system. More importantly, its requirements amount to guidelines for health care providers on what it takes to run a computer system that enters and stores medical information successfully. Successful installation of electronic medical record systems lets computers be applied to health analysis at both the macro and micro level, eventually leading to better patient care. HIPAA is an important law as we move forward.