Boy, back in the good old days, protecting patient data was comparatively easy. All you had to do was make sure that nobody got their hands on a patient’s paper chart who shouldn’t be looking at it.

After all, simple stuff like locking file rooms and making sure charts never get left in a public place are pretty easy to understand. Sure, paper records get stolen or rifled through now and then — no system is perfect — but putting processes in place to prevent unauthorized chart access isn’t that complicated.

On the other hand, introducing electronic medical records  – plus e-prescribing, digital sharing of lab results and more — is a completely different kettle of fish.

For one thing, providers must control access to medical information stored in their EMR in a far more sophisticated way than they had with paper charts.  For example, while role-based access to data may not sound too threatening to your average IT boss, it’s not exactly intuitive if you’re not a geek. Figuring out just who should get access to what gets a lot more complicated than when you used to just have to pull and route a chart.

Another issue: few clinicians know much about data security, and it’s not likely that they’re going to suddenly get wildly excited about encryption or VPNs.  Sure, you can warn them that it comes down to whether some random stranger (or even a staff member) will steal their patients’ Social Security numbers or broadcast medical secrets. But it’s just about impossible to explain security issues without wandering into scary jargon that will alienate the heck out of many doctors.

Of course, healthcare organizations can make sure their clinicians are trained to understand the importance of  securing their EMR. And they can even explain why specific types of security measures will limit their HIPAA exposure, the best pitch you can make to non-techies.

Still, the bottom line is that moving from paper to EMRs isn’t just a change-management exercise. It forces clinicians to think about how they use, distribute and share data on a profound level. I hope it does, anyway…cause if providers aren’t ready to think about these issues, things aren’t going to be pretty.

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

So far we’ve covered Information System Activity Review & Sanction Policy.

The next item to tackle for the HIPAA side of Meaningful Use is the Risk Analysis.  This may also be referred to by some as the Risk Assessment also.

The Risk Analysis is simply a look at the way your practice operates as it pertains to PHI and your computer network.

Your risk analysis shouldn’t be a handful of questions.  It should be a set of targeted questions – partly to see that your practice is doing things correctly and partly to invoke conversation to ensure you fix other areas of how your practice does business.

The risk analysis we use is just north of 100 questions…and it continually grows as technology changes and new phishing scams arrive on the scene.

How often should a risk analysis be accomplished?

Once a year is reasonable for most practices.  An additional risk analysis should be accomplished anytime there is a major technological or physical change.

A technological change would include: a new EHR, a new component to your EHR new computer network architecture, and even something as innocent as a new photocopier (more on this later).

Physical change would include any remodeling that might change the layout to the waiting area or a complete location change for the office.

Can I accomplish the risk analysis?

Sure, you or your staff may accomplish the risk analysis.  Be aware though, the risk analysis can become quite technical, so you may need to have your IT staff involved, at least in part of this analysis.

But don’t be fooled, this risk analysis is not just technology based.  Your risk analysis should cover areas including:

• Does the practice have a privacy window at the sign in station?
• Does the practice close the privacy window to the lobby except when speaking to a patient directly?
• Does the practice use an acceptable procedure to hide patient names on the sign-in form?
  • What is acceptable?  Here are a few examples:
    • Individual sign-in slips that are handed to the receptionist
    • Peel-off name labels that are removed by the receptionist and stuck to the file (yes, even in the electronic world paper still exists)
    • An electronic sign-in system – this is a fancy way of saying a computer in the lobby on which the patient signs in.
• Who has keys to the office?
• Where is the list of who has keys to the office?
• Who has the alarm code to the office?
• Where is the list of who has the alarm code?
• Is the door from the waiting area always locked?
• Does the facility have a sprinkler fire system?
• Does the server have a fire system sprinkler above it?
• Are all computers at least 3 inches off the ground?

Now we’ve hit 3 of the 4 HIPAA items in the required Risk Analysis in the Meaningful Use Core Objectives.

Next time we’ll at least start on Risk Management.

Guest Poster: John Brewer is the founder of HIPAAaudit.com.  He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.

As previously mentioned, the Sanction Policy is an integral part of Meaningful Use.

What exactly is a Sanction Policy?

Quite simply, it is clarification to your staff…all staff…yes, this includes the physicians, that there are ramifications for breaking company computer policies, specifically HIPAA violations.

First, your practice must have policies.  Without knowing the rules, nobody will know if they are breaking them or not.

The computer policies of a practice are the foundation on which your office will operate.  The computer policies are different than human resource company policies…actually, they are different, but enhance the HR policies.

For example:

• Which websites can staff go to during business hours?
• Which websites are completely banned?
• Is your staff allowed to check their personal email on office computers?

These are all policies you may think are understood by your staff, but if you do not have these policies in writing AND ensure all staff has signed a document of understanding AND have them sign this document of understanding every year…you will run into trouble

So, this sanction policy will generally be in addition to any Human Resources sanction policy that exists (it does exist, right?).  Remember, this Sanction Policy is geared toward HIPAA violations and computer use violations.

This Sanction Policy should cover:

• Initial reaction to a violation
  • Document the violation
  • Detail the exact violation to the offender
  • Document this communication
  • Initiate any company checklists that may be required depending on the specific violation
• Secondary reaction to a violation
  • Retraining
    • Re-attend Annual Awareness Training
    • Document this re-training
  • Document understanding of the violation
• Repeat violations
  • Repeat violations need to be dealt with in a solid and consistent way
  • How many repeat violations before termination?
  • Is any HIPAA violation a “counter” toward termination or should it be an exact repeat violation?
  • Is the training for repeat violations different?

As you can see, there are many parts to what appears to be a “single line” requirement within the Core Requirements for Meaningful Use.

Also note, this Sanction Policy originally reared its head in the HIPAA regulations, and yes, it is still a HIPAA requirement.  As I expected, the feds are using Meaningful use to push you toward HIPAA compliance.

Next time, the Risk Analysis (you guessed it, another HIPAA requirement).

My desire is to post things I find of importance related to HIPAA and EMR. My personal experience is in College Health so I will focus on posting items related more specifically to College Health. However, I will try to incorporate any aspects of EMR and HIPAA because I think best practices across the industry are important to know. Please feel free to post all you want if you find some good information that I haven’t seen and correct me if I’m wrong. This is my best knowledge from my research and is not guaranteed in anyway.

EMR BLOG