EMRIS

Electronic Medical Records Implementation Services

Security Risk Assessment

Federal law requires that your organization protect electronic information. If your patients lack trust in Electronic Health Records (EHRs) and Health Information Exchanges (HIEs), feeling that the confidentiality and accuracy of their electronic health information is at risk, they may not want to disclose health information to you. Withholding their health information could have life-threatening consequences. To reap the promise of digital health information to achieve better health outcomes, smarter spending, and healthier people, providers and individuals alike must trust that an individual’s health information is private and secure.

Your practice, not your EHR developer, is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of health information in your EHR system.

A risk assessment is required to determine the threats and vulnerabilities to your protected health information. Not having a risk assessment is “Willful Neglect” under the HIPAA and Omnibus Rules and places your practice at great risk of HIPAA violations, fines, and the loss of trust between your practice and your patients.

Security Risk Analysis/Assessment – Definition of Risks:

  • Inappropriate access. Occurs when an unauthorized user gains access to EHR data or an authorized user violates appropriate use conditions. For example, a passerby may accidentally view data on a screen or purposely manipulate it, a hacker may breach network security, or a staff member may access the records of an acquaintance.
  • Record tampering. Includes occurrences such as back dating, fraudulent entries, or erasures of EHR data. Those known to tamper with health records often are authorized users of the EHR or do so by having access to a server account.
  • Catastrophic record loss. Includes events such as natural disasters, hardware breakage, and software issues.
  • Record degradation. Can occur during system failures such as tape breakage or scratching of optical media. In these events, data can be permanently lost.
  • System obsolescence. Occurs when upgrades and replacement parts for outdated EHR systems become unavailable as newer ones emerge.

Security Risk Analysis/Assessment – Services:

  • Determine applicability of HIPAA Rules to your organization
  • Address breaches of privacy or security
  • Identify and document potential threats and vulnerabilities, and give recommendations to mitigate the risk
  • Identify vulnerabilities that may lead to loss of confidentiality, integrity, and availability
  • Develop a Disaster Recovery Plan
  • Implement privacy and security protection measures
  • Ongoing HIPAA Security Training

Safeguarding the privacy of protected information in your EHR fundamentally changes how your organization manages information. Fortunately, properly configured, certified EHRs can provide more protection to patient health information than paper records can. EMRIS will collaborate with your organization’s leaders to prepare documented policies and procedures, train staff, inform patients of their rights, and implement safeguards to prevent unauthorized disclosure. In addition, EMRIS will assist your leadership team in notifying the Centers for Medicare & Medicaid Services that they have met Meaningful Use standards for security risk analysis in order to qualify for incentive payments.

Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks.

Cybersecurity management refers to an organization’s strategic efforts to safeguard its information resources. It focuses on the ways businesses leverage their security assets, including software and IT security solutions, to safeguard business systems.