HIPAA Guidelines

Posted on February 1, 2006 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I found a very nice list of HIPAA guidelines at EMRUpdate by the infamous AlBorg. Here’s his list that I’d like to take and refine as a permanent posting on the site. I really think this gives people a good outline of what’s most important in HIPAA compliance in an EMR:

1. Under the Privacy Rule, patients have the right to adequate notice of the uses and disclosures of their private health information that may be made by “the covered entity” (s.a. the provider), as well as their rights and the covered entity’s legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual’s acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically… i.e. via your EMR.
2. HIPAA requires restricted access to sensitive data, including password protection. The minimal level of this protection has not yet been established, but most systems in hospitals have upped the difficulty of entering into a computer to include both password protection at the level of Windows logon and later the software logon.
3. Encryption of emails, faxes, and other document transmissions should be considered, although difficult. If you encrypt an email, for example, how will the patient, physician, or hospital receiving entity decrypt the message?
4. You should add the capability to track the use or users of protected health information.
5. For billing, any electronically transmitted information should be encrypted, and if you use an intermediary, make sure that they use HIPAA-compliant ANSI format e-billing forms.
6. Should you have to provide documentation to a legal entity, s.a. during a lawsuit, you should be able to set user restrictions to only the patient data needed, making the rest of the EMR patient data locked.
7. You should make sure that users know how to report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware.
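The access-control and tracking points in items 2, 4 and 6 above (password-protected access, tracking who uses protected health information, and locking a user to only the patient data a matter requires), as an added example that is not from the post or from AlBorg's list: a small Python PHI access layer with salted password hashing, per-user patient scoping, and a hash-chained audit trail so that edited or deleted log entries can be detected. The user names, passwords and patient charts are constructed sample data, and the module is hypothetical, not code from any EMR product.

```python
"""Hypothetical PHI access layer: password check, patient scoping, audit trail.

Added illustration of list items 2, 4 and 6; not from the post or any EMR.
All records, users and passwords below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import hmac
import json
import secrets

# Constructed sample PHI: patient_id -> chart text (not real data).
RECORDS = {
    "P-1001": "chart for patient 1001 (constructed sample)",
    "P-1002": "chart for patient 1002 (constructed sample)",
    "P-1003": "chart for patient 1003 (constructed sample)",
}

PBKDF2_ROUNDS = 200_000


class AccessDenied(Exception):
    """Raised when a user asks for PHI outside their permitted scope."""


@dataclass(frozen=True)
class User:
    name: str
    role: str
    # None means unrestricted clinical access; a frozenset limits the user to
    # exactly those patients (item 6: the rest of the EMR stays locked).
    allowed_patients: Optional[frozenset] = None


class UserStore:
    """Password-protected user directory (item 2).
    Only salted PBKDF2 digests are stored, never the passwords themselves."""

    def __init__(self):
        self._users = {}

    def register(self, name, password, role, allowed_patients=None):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        scope = None if allowed_patients is None else frozenset(allowed_patients)
        self._users[name] = (salt, digest, User(name, role, scope))

    def authenticate(self, name, password):
        """Return the User on success, None otherwise (no hint about which part failed)."""
        entry = self._users.get(name)
        if entry is None:
            return None
        salt, digest, user = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return user if hmac.compare_digest(candidate, digest) else None


class AuditTrail:
    """Append-only log of PHI access (item 4). Each entry embeds the hash of
    the previous entry, so later edits or deletions break the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, user, patient_id, action, outcome):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "role": user.role,
            "patient": patient_id,
            "action": action,
            "outcome": outcome,
            "prev": prev,
        }
        body["hash"] = self._digest(body)
        self.entries.append(body)

    @staticmethod
    def _digest(body):
        payload = json.dumps({k: v for k, v in body.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def verify(self):
        """True if every entry's hash and back-link are intact."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def read_record(user, patient_id, audit):
    """Return the chart only if it is within the user's scope; log every attempt."""
    if user.allowed_patients is not None and patient_id not in user.allowed_patients:
        audit.record(user, patient_id, "read", "denied")
        raise AccessDenied(f"{user.name} may not view {patient_id}")
    if patient_id not in RECORDS:
        audit.record(user, patient_id, "read", "not-found")
        raise KeyError(patient_id)
    audit.record(user, patient_id, "read", "ok")
    return RECORDS[patient_id]


if __name__ == "__main__":
    store = UserStore()
    store.register("dr_smith", "correct horse battery staple", "physician")
    # A legal-hold account scoped to the one patient involved in a case (item 6).
    store.register("counsel", "lawsuit-2006", "legal-hold", allowed_patients={"P-1002"})
    audit = AuditTrail()
    counsel = store.authenticate("counsel", "lawsuit-2006")
    print(read_record(counsel, "P-1002", audit))
    try:
        read_record(counsel, "P-1001", audit)
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit intact:", audit.verify())
```

Denied attempts are logged as deliberately as successful reads, since a pattern of refused requests is exactly what a compliance review wants to see; the chained hashes make a retroactive edit to the trail detectable with `verify()`, though a production system would also ship the log off-host so an attacker could not simply rewrite the whole chain.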