Does your business handle patient information? Are you familiar with the emr laws? Have you taken the proper steps to secure protected information?
According to a June 30, 2018 report, there were 2,308 breaches worldwide. This exposed 2.6 billion records. The Canadian Underwriter also states that Canada had 48 breaches. This accounted for exposure of 12,551,574 records.
Canada experienced the third most cyberattacks in the world. Canada is one of the most internet-connected countries in the world. This may account for this high incidence.
According to this same source, about 87% of households have internet. This puts Canada as the 16th ranked country for internet penetration in the world.
You must take steps now to ensure your patients' electronic medical records are secure and meet HIPAA standards. Keep reading to find out about the EMR laws and how to make your business secure and compliant.
Benefits of Paperless Medical Records
The medical industry is moving to electronic medical records (EMR). This applies to hospitals, clinics, and single healthcare providers.
EMRs improve efficiency and security compared to paper-based systems. Loss of paper records has occurred due to fire, storms, and other disasters.
Some of the benefits of EMRs include:
- Faster retrieval of medical documents
- Increased availability for several healthcare providers in various locations
- Decreased storage space
- Efficient workflow
- Improved customer service
EMRs allow for an increase in collaborative and efficient care for the patient. Information is always put in the same location by all healthcare professionals. This decreases stress and provides quick retrieval of information in critical medical situations.
What is HIPAA vs. PIPEDA?
In the US, The Health Insurance Portability and Accountability Act became law on August 21, 1996. You will often see this referred to as HIPPA. It’s the same Act.
This act guarantees that employees keep uninterrupted health insurance when changing jobs. HIPAA also holds healthcare organizations responsible for all health data collected. The purpose is to ensure that health information stays private and confidential.
In Canada, The Personal Information Protection and Electronic Documents Act (PIPEDA) became law on January 1, 2004.
This act requires an individual’s consent before collecting, using or disclosing personal information. Individuals are also given the right to challenge the information’s accuracy.
Organizations may only collect information for the stated purpose that it’s collected. Companies must get consent before using the information for other reasons.
HIPAA, in the U.S., focuses on the healthcare industry. PIPEDA in Canada encompasses all types of industry including healthcare.
EMR Laws That Impact Your Practice
The HIPAA Security Rule sets a minimum security standard to protect all EMRs. This applies to Covered Entities (CE) and Business Associates that create, receive, maintain or transmit records. This Security Rule includes administrative, physical, and technical safety standards.
The EMR Security Rules help protect healthcare providers from allowing common security breaches. This can lead to cyber-attacks and loss of data.
These laws ensure the protection of personal information. They also protect the facility’s information and technology.
Organizations must put the following safeguards in place.
Administrative Safeguards
This rule applies to administrative actions, policies, and procedures. Administrative measures must serve to prevent, detect, contain, and correct security breaches. These safeguards must include the selection, development, implementations, and maintenance of stated security measures.
All actions should serve to protect electronic personal health information. Administrators are to oversee the work of their employees to ensure compliance.
They must also have established protocols to assess security risks. When the CE finds risks, actions must occur to restore security.
Physical Safeguards
Physical measures, policies, and procedures must focus on protecting EMRs. This includes protections of the building and equipment that stores EMR. Preparation includes protection from natural disasters, environmental hazards, and unauthorized attacks.
Access to the storage facility must always be controlled. Routine backups to another location or media may be part of the security measures.
Organization Standards
All CEs must establish legal contracts with Business Associates who have access to EMRs. All contracts or arrangements must be in writing.
Policies and Procedures
All CEs must establish reasonable and appropriate policies and procedures. They must follow all provisions of the Security Rule.
Organizations must keep and protect all EMRs for six years. The six years starts from the date of their creations or last effective date depending on which is later. This includes all security policies and procedures for EMR protection.
Businesses must also keep all written records of security actions, activities, and assessments for six years.
The CE must routinely review and update all documentation about security measures. CEs must update security measures when environmental or organizations changes occur that may impact EMR security.
Summary of Action to Take to Ensure HIPAA Compliance
Following is a list of actions that will help you ensure HIPAA compliance. This list may not address every need specific to your business.
- Identify Covered Entities and any Business Associates
- Do you have written contracts in place with Business Associates?
- Do you have a system for controlled entrance to EMRs and storage facilities?
- Can you encrypt data to increase security?
- Do you have automated EMR entrance and activity logs?
- Is there an automatic log-off mechanism when the EMR isn’t in use?
- Have you established routine compliance evaluations?
- Do you have policies governing access and positioning of workstations?
- Do you have policies about the use and security of hand-held electronic devices?
- How do you check and protect equipment inventory?
- Have you trained all applicable employees on HIPAA and EMR compliance policies and procedures?
- Have you developed and tested contingency plans?
- How do you restrict third party access?
- What is the procedure for reporting a breach?
All companies that collect personal information must be familiar with HIPPA and PIPEDA. It's your responsibility to ensure that your organization is compliant.
Would You Like to Improve Document Management?
Our company specializes in document management. We provide a secure method to file, store and retrieve critical documents. Today, your business’ future depends on secure document management processes.
If you handle patient information, you must follow the emr laws to the letter. This article focused on actionable information to ensure your business is within compliance. Our company is here to help you comply with HIPAA standards.
Contact us today to learn more about our services and discuss your business needs.