Medscribbler HIPAA features

Client Server Application:

Medscribbler does not need to pass patient information over the Internet. Being a "stand alone" network system means independence from the possible ill effects the Internet can bring to HIPAA compliance.

User Authentication Security:

Medscribbler controls access to restricted areas of information via login authentication. An automatic log off feature is in place to prevent unauthorized access to information in the event of the original user leaving the workstation without logging off.

Internal Audit:

Medscribbler records in Administrator logs all system activities, including but not limited to, login, file access and security events.

Personnel Policies:

Access to patient data is limited only to those employees who are liable to perform related tasks. Each employee can have individual permissions set to the tasks they are permitted to do, from creating and modifying patient records to only reading them to no access at all.

Provider Policies:

Physicians and other medical users can prevent other providers from accessing their patient records either for their whole roster or down to just one patient.

Patient Policies:

An accounting can be printed out for patients who ask how their information has been accessed or disclosed. Record is kept of HIPAA Notice-of-Privacy and State patient routine service agreement.

HIPAA "in a nutshell"

There are two HIPAA rules requirements; privacy (2003) and security (2005). Both rules require:

• Identifying possible threats
• Assessing specific vulnerabilities
• Determining appropriate and reasonable safeguards
• Implementing the necessary defense mechanisms and policies.

There are no absolute right and wrongs in either computer equipment or software. Usually there are four areas to examine:

• Physical Security - can your computers with patient data be stolen?
• User Security - can anybody log on to the patient database?
• System Security - what happens on a hard drive crash?
• Network Security - can unauthorized persons outside your facility access patient data?

There are penalties

The civil monetary penalty is up to $100 per person per violation and up to $25,000 per year total for the same type of violation. There is 30 days to correct the problem if it is not through willful neglect.

The criminal penalties are for "misuse" and for obtaining or using health information by "false pretenses" or with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. These penalties are up to $250,000 and five years in jail.

Currently there is no real effective enforcement body.

Most of the requirements are common sense and providers do not need to be overly concerned but do require some basic steps like:

• Put your computer server in a secure room, locked.
• Use an EMR with user management and permissions ( ie.: Medscribbler).
• Make regular back-ups and store them in a secure place.
• Employ a computer specialist.

If you continue to use paper then there are a whole lot of areas to consider like how to monitor staff and fire protection (insurance is not enough.)

Finally, if there is a legal case brought forward a provider to protect themselves should have a trail of how the patient information was accessed. Medscribbler is one of very few that provides individual patient record access logs.

More HIPAA Information www.hipaa.org or www.hipaacomply.com