EMR and HIPAA Compliance

The Health Insurance Portability and Accountability Act, also known as HIPAA, creates solutions to address two distinct issues within the medical field. The first part of HIPAA addresses health insurance. It regulates health insurance coverage when employees leave their current place of employment. The second part of HIPAA addresses quality, security, and privacy standards for electronic medical records. An electronic medical record is a tool that can greatly improve the quality and accuracy of patient health care records but must be monitored to prevent protected health information from being obtained by unauthorized individuals.

HIPAA and Electronic Medical Records
For many years, patients' medical records were limited to paper documents. Technology has become a driving force in the medical industry and has led to the adoption of electronic medical records in place of paper records. Electronic files offer many benefits, including increased accuracy, enhanced portability, improved monitoring capabilities, and greater efficiency in record documentation from a health provider's perspective. They also carry potential drawbacks, chiefly increased exposure to unauthorized record access and potential tampering with patient data. HIPAA was enacted in part to limit patients' exposure to these risks.

Besides enforcing the security of a patient's electronic medical records, HIPAA also seeks to ensure that electronic systems focus on efficiency through its "Administrative Simplification" rules. The Department of Health and Human Services is responsible for issuing these rules, which include the privacy rule, the enforcement rule, the transactions and code sets rule, the security rule, and the unique identifiers rule. These rules apply to "covered entities," which are health insurance companies, billing service and health information system companies, and health care providers.

The privacy rule is the most commonly cited HIPAA rule. It applies to both electronic medical records and paper health records. Any form of documentation that includes protected health information, including various forms of payment, is protected under this rule. Because of the rule's significance, its compliance requirements are stringent. One requirement is that HIPAA and privacy standards must be covered during training sessions. Providers must also notify patients of the practice's privacy procedures relating to their health records. An electronic medical record must be available to a patient who requests access to it, must be withheld from unauthorized requestors, and must maintain a record of the individuals who have accessed it. Under the privacy rule, a patient is also allowed to request changes to their medical record if the data is incorrect or misleading. An electronic system makes these compliance requirements much easier to meet, because it provides straightforward access, monitoring, and editing of incorrect data when a change is necessary.

The transactions and code sets rule establishes a uniform electronic file format for all healthcare transactions that are processed, so that healthcare providers can easily share electronic medical records. If a provider currently uses paper documents, HIPAA does not require the use of electronic records as long as all of the provider's patients are fully insured health insurance members. Health care providers that accept Medicare or Medicaid patients are required to use electronic file systems.

The unique identifiers rule requires the use of a national provider identifier (NPI). The NPI is a number that often coincides with an employer tax identification number or an employee number. This identifier must be used to log in to the system in order to obtain a patient's electronic medical record. The intent of this rule is to limit the risk of patient records being mixed up. The security rule establishes the necessary security protections for electronic health information. It creates multiple security protocols that each provider must adhere to in order to maintain a high level of privacy over all types of protected health information in an electronic medical record.

The enforcement rule took effect in 2006. It establishes civil penalty criteria for any health care provider violation of the "Administrative Simplification" rules. Prior to this rule's creation, civil and criminal penalties were imposed only on health care providers who were not in compliance with the privacy rule; this rule opened the door to penalties for a violation of any of the rules. It also outlines the standard procedures for investigations, the factors used to determine a penalty, and the procedures for appealing a ruling.

HIPAA requirements were established to protect patients from improper handling of their protected health information. The requirements also ensure that efficient data sharing is available to enhance patient safety and care. Another purpose of the rules is to ensure that patients' data does not get mixed up. When used properly, electronic medical records can help a health care provider stay in compliance.