Does your business handle patient information? Are you familiar with the EMR laws? Have you taken the proper steps to secure protected information?
According to a June 30, 2018 report, there were 2,308 breaches worldwide. This exposed 2.6 billion records. The Canadian Underwriter also states that Canada had 48 breaches. This accounted for exposure of 12,551,574 records.
Canada experienced the third-highest number of cyberattacks in the world. Canada is also one of the most internet-connected countries in the world, which may account for this high incidence.
According to this same source, about 87% of households have internet. This puts Canada as the 16th ranked country for internet penetration in the world.
You must take steps now to ensure your patients' electronic medical records are secure and meet HIPAA standards. Keep reading to find out about the EMR laws and how to make your business secure and compliant.
The medical industry is moving to electronic medical records (EMR). This applies to hospitals, clinics, and single healthcare providers.
EMRs improve efficiency and security compared to paper-based systems. Loss of paper records has occurred due to fire, storms, and other disasters.
The benefits of EMRs include more collaborative and efficient care for the patient. Every healthcare professional records information in the same location, which reduces stress and allows quick retrieval of information in critical medical situations.
In the US, the Health Insurance Portability and Accountability Act (HIPAA) became law on August 21, 1996. You will often see it written as HIPPA; that is a common misspelling of the same Act.
This act guarantees that employees keep uninterrupted health insurance when changing jobs. HIPAA also holds healthcare organizations responsible for all health data collected. The purpose is to ensure that health information stays private and confidential.
In Canada, The Personal Information Protection and Electronic Documents Act (PIPEDA) became law on January 1, 2004.
This act requires an individual’s consent before collecting, using or disclosing personal information. Individuals are also given the right to challenge the information’s accuracy.
Organizations may only collect information for the purpose stated at the time of collection. Companies must obtain consent before using the information for any other reason.
HIPAA, in the U.S., focuses on the healthcare industry. PIPEDA in Canada encompasses all types of industry including healthcare.
The HIPAA Security Rule sets a minimum security standard to protect all EMRs. It applies to Covered Entities (CEs) and Business Associates that create, receive, maintain or transmit records. The Security Rule includes administrative, physical, and technical safeguards.
The EMR Security Rules help healthcare providers avoid the common security failures that lead to cyberattacks and loss of data.
These laws ensure the protection of personal information. They also protect the facility’s information and technology.
Organizations must put the following safeguards in place.
Administrative safeguards apply to administrative actions, policies, and procedures. Administrative measures must serve to prevent, detect, contain, and correct security breaches. These safeguards must include the selection, development, implementation, and maintenance of the stated security measures.
All actions should serve to protect electronic personal health information. Administrators are to oversee the work of their employees to ensure compliance.
They must also have established protocols to assess security risks. When a CE identifies a risk, it must take action to restore security.
Physical safeguards are the physical measures, policies, and procedures that protect EMRs. This includes protecting the building and the equipment that stores EMRs. Preparation includes protection from natural disasters, environmental hazards, and unauthorized intrusion.
Access to the storage facility must always be controlled. Routine backups to another location or media may be part of the security measures.
All CEs must establish legal contracts with Business Associates who have access to EMRs. All contracts or arrangements must be in writing.
All CEs must establish reasonable and appropriate policies and procedures. They must follow all provisions of the Security Rule.
Organizations must keep and protect all EMRs for six years. The six-year period begins on the date of creation or the last effective date, whichever is later. This includes all security policies and procedures for EMR protection.
Businesses must also keep all written records of security actions, activities, and assessments for six years.
The CE must routinely review and update all documentation about security measures. CEs must update security measures when environmental or organizational changes occur that may affect EMR security.
Following is a list of actions that will help you ensure HIPAA compliance. This list may not address every need specific to your business.
All companies that collect personal information must be familiar with HIPAA and PIPEDA. It is your responsibility to ensure that your organization is compliant.
Our company specializes in document management. We provide a secure method to file, store and retrieve critical documents. Today, your business’ future depends on secure document management processes.
If you handle patient information, you must follow the EMR laws to the letter. This article focused on actionable information to keep your business in compliance. Our company is here to help you comply with HIPAA standards.
Contact us today to learn more about our services and discuss your business needs.