HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. It is a multifaceted legislative framework. On one hand, the Act seeks to ensure that individuals who are no longer in employment retain access to health insurance. Stated differently, it safeguards the entitlement to health insurance cover of persons with pre-existing conditions (US Department of Health and Human Services, 2008a; APA Practice.org, 2008). The Act also provides guidelines that control the way in which medical information is exchanged. In this respect, the HIPAA Privacy Rule protects the privacy of a person’s health information. Under this law, covered entities, including health care organizations, providers, and clearinghouses, are allowed access to patients’ protected health information (PHI). De-identified data is not affected by the Privacy Rule (US Department of Health and Human Services, 2008b; NIH, 2008).
HIPAA’s Impact on Electronic Health Records (EHR) Systems
HIPAA has had several impacts on EHR systems. First, it has led to the wide adoption of EHR systems by encouraging the computerization of health information, because compliance with the Act would be almost impossible with paper records. Secondly, the Act has standardized the transfer of health information, which has changed the way claims are processed. Thirdly, the Act has necessitated the harmonization of vendor software, further standardizing EHR systems across the board. The Act has also made electronic data interchange (EDI) the preferred transaction method for most healthcare organizations, which has further entrenched EHR systems.
Planning HIPAA Compliance for a new inpatient EHR system
The Privacy Rule requires that the privacy, integrity, and confidentiality of patient information be maintained. Therefore, EHR systems need to be designed in such a manner as to ensure compliance with the HIPAA stipulations. This is a major challenge in implementing those stipulations. Appropriate measures leading to compliance with HIPAA regulations should therefore encompass physical, administrative, and technical safeguards (AHA, 2006).
Recommendations and Discussion
A risk assessment that explicitly identifies the gaps between current organizational practices and HIPAA requirements should form the first step in the creation of a new EHR system (Kibbe, 2001). This will help determine the actions that need to be taken in order to achieve compliance. A policy that clearly spells out the terms under which physicians can access patient data, and to what extent, needs to be put in place. Such a policy needs to take into account the following four considerations. First, the relationship between the physician and the health organization should be considered. Secondly, the organization should explicitly determine what kind of information the doctors are allowed to access and the limits set (McGuire Woods, 2001).
Thirdly, note should be taken of whether the information for which access is sought is aggregate or not. Fourthly, before access to the information is granted, the reason for which the information is sought needs to be determined. Disclosures for the purposes of treatment, research, payment or reimbursement, and organizational operations should be granted, while other cases need to be closely scrutinized in order to ensure compliance with the stipulations of HIPAA (McGuire Woods, 2001).
Compliance with HIPAA can be assured by seeking consent from patients as appropriate and by implementing and documenting the necessary access restrictions. Additionally, compliance with the Act can be assured by making certain that the HIPAA provisions protecting patients’ rights are respected. Further, the minimum necessary disclosure of protected information should be made whenever possible (CDC, 2008; McGuire Woods, 2001).
Adherence to the stipulations of HIPAA should also focus on ensuring that all persons other than physicians who have access to the EHR meet the requirements of the Act. In this respect, they should be required to inform the health care organization of any additions and removals of users with access to the system, so that access is granted or revoked as appropriate. Additionally, proper precautions should be instituted to ensure that violations do not occur. Further, it needs to be made certain that all the rules and procedures put in place to safeguard the privacy of the information are adhered to. Finally, federal and state laws regulating patient privacy should be strictly followed (CDC, 2008; McGuire Woods, 2001).
Regarding security, the organization needs to establish a security policy that conforms to HIPAA’s requirement that effective measures be put in place to protect the privacy, integrity, and confidentiality of the information. To do this, the policy must assign a unique user name to each person with access to the system; this also assists in tracing and identifying users. Secondly, the policy should protect against identity theft and authenticate users. Thirdly, the EHR system needs to put in place robust access control, reliability, and verification measures. Further, there should be a continuous risk management process that anticipates privacy violations and prescribes the requisite mitigating measures. An effective way to monitor the security policy and evaluate compliance is through audit logs that document all activities in the EHR. Additionally, suitable fax security routines need to be adopted to ensure that PHI transmitted via fax machines is secure. Finally, the “chain of trust relationship” between the organization and its business associates needs to be carefully and stringently defined (Kibbe, 2001; US Department of Health and Human Services, 2008b; McGuire Woods, 2008; HHS.gov).
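To make the access policy and audit-logging recommendations above concrete, the following added example (not from the essay or any cited source) encodes the four considerations for physician access (relationship, permitted information, aggregate or individual data, stated purpose), the minimum-necessary rule, and an audit record for every decision. The role matrix, field names, user identifiers and purposes are constructed for illustration.

```python
"""Purpose-based PHI access decisions with an audit trail (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import json

# Purposes the essay lists as routinely grantable; anything else is scrutinised.
ROUTINE_PURPOSES = {"treatment", "payment", "operations", "research"}

# Considerations 1 and 2: which roles have a relationship with the organisation
# and which kinds of PHI each role may see (constructed role matrix).
ROLE_FIELDS = {
    "attending_physician": {"demographics", "diagnoses", "medications", "notes"},
    "billing_clerk": {"demographics", "diagnoses", "procedure_codes"},
    "researcher": {"diagnoses", "procedure_codes"},  # no direct identifiers
}

@dataclass(frozen=True)
class AccessRequest:
    user_id: str                # unique per person, so the log traces to one user
    role: str
    patient_id: Optional[str]   # None marks an aggregate (population-level) query
    fields: frozenset
    purpose: str

AUDIT_LOG: list = []            # one JSON-serialisable record per decision

def decide(req: AccessRequest) -> str:
    """Return 'grant', 'review' or 'deny' and append an audit record."""
    permitted = ROLE_FIELDS.get(req.role)
    if permitted is None:                        # no recognised relationship
        decision, reason = "deny", "unknown role"
    elif not req.fields <= permitted:            # more than the role may see
        decision, reason = "deny", f"fields not permitted: {sorted(req.fields - permitted)}"
    elif req.purpose in ROUTINE_PURPOSES:        # consideration 4: stated purpose
        decision, reason = "grant", "routine purpose"
    else:                                        # other purposes need scrutiny
        decision, reason = "review", "non-routine purpose"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user_id": req.user_id, "role": req.role, "patient_id": req.patient_id,
        "aggregate": req.patient_id is None,     # consideration 3
        "fields": sorted(req.fields), "purpose": req.purpose,
        "decision": decision, "reason": reason,
    })
    return decision

def records_needing_review(log=AUDIT_LOG) -> list:
    """Individual-level requests that were not granted, for the oversight team."""
    return [r for r in log if r["decision"] != "grant" and not r["aggregate"]]

if __name__ == "__main__":
    decide(AccessRequest("u-1001", "attending_physician", "p-42",
                         frozenset({"diagnoses", "medications"}), "treatment"))
    decide(AccessRequest("u-3003", "attending_physician", "p-42",
                         frozenset({"demographics"}), "marketing"))
    for record in AUDIT_LOG:
        print(json.dumps(record))
```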
It is necessary that the EHR system adequately keeps data that cannot be shared out of public reach. Such data should be securely withheld, and this includes information that cannot be segregated from other records. In addition, procedures intended to protect the privacy of EHR data need to be put into effect, and these should determine whether users can withhold such information from other users and the reasons for doing so. Moreover, a harmonized method for considering requests for information, as well as subpoenas, needs to be created. In the same breath, a similar standardized procedure for handling patients’ requests for access to their own information should be set up (CDC, 2008).
Other measures that can be taken to ensure compliance with HIPAA include employee training, to ensure that all workers are familiar with the Act’s requirements; the establishment of an oversight team to ensure compliance; and the notification of individuals of their entitlements, obligations, and the disclosure rules (Kibbe, 2008; CDC, 2008; McGuire, 2001).
References
AHA. (2006). HIPAA. Retrieved on 5th October, 2008 from
APA Practice.org. (2008). HIPAA Security Rule Online Compliance Workbook. Retrieved on 5th October, 2008 from http://www.apapractice.org/apo/hipaa.html#
CDC. (2008). HIPAA Privacy Rule and Public Health. Retrieved on 5th October, 2008
HHS.Gov. (2008). Overview: Security Standards. Retrieved on 5th October, 2008 from
Kibbe, D.C. (2001). HIPAA: 10 Steps to Security Compliance. AAFP. Retrieved on 5th October, 2008 from http://www.aafp.org/fpm/20050400/43tens.html
National Institutes of Health. (2008). Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule. Retrieved on 5th October, 2008 from http://privacyruleandresearch.nih.gov/pr_02.asp
McGuire Woods. (2008). HIPAA Impact on Electronic Health Records. Retrieved on 5th October, 2008 from http://www.mcguirewoods.com/news-resources/news/3453.asp?SearchFor=lundeen
Privacy Rights Clearing House. (2008). HIPAA Basics: Medical Privacy in the Electronic Age. Retrieved on 5th October, 2008 from http://www.privacyrights.org/fs/fs8a-hipaa.htm
US Department of Health & Human Services. (2008a). Summary of the HIPAA Privacy Rule. Retrieved on 5th October, 2008 from http://www.hhs.gov/ocr/privacysummary.pdf
US Department of Health & Human Services. (2008b). What is the Privacy Rule and why has HHS issued regulations?