EHR and HIPAA

Top 5 Considerations for HIPAA and EHR Implementation

EHR systems are software or an electronic program that keeps client charts safer and more secure than traditional paper charts.

Since mental health EHRs contain protected health information (PHI) in a secure hosting environment, whether cloud-based or on-site, they are accountable to HIPAA compliance.

Here are the top 5 considerations for HIPAA and EHR implementation.

#1—Enhance your agency’s administrative controls

Your first action step should be to update policies and procedures for employees to follow the HIPAA safeguards. A well planned policy and procedure manual distributed to staff will help you make sure everyone knows what privacy and security of PHI entails.

Next, provide stringent training to employees so they are aware of and on the lookout for security risks and malicious attacks. Make sure you document employee training for verification.

Finally, make sure you run background checks on all employees.

#2—Monitor physical and system access

Create physically inaccessible safeguards to prevent against unauthorized individuals. This could be as simple as locking office doors and ensuring your EHR system has an automatic logoff feature for idle workstations.

You also need contingency plans in place in case of emergencies. Cover who has access to PHI and how PHI is accessed.

Thirdly, each employee should have unique passwords and PINs a central position monitors. It is also good to change passwords periodically.

Lastly, make sure you can password protect certain windows or screens in your EHR to restrict access to only those who need it.

#3—Audit system users

A system audit is a log that captures all attempts to access EHRs and PHI and documents the access results.

Identify weaknesses in how users access your behavioral health EHR system that could leave a hole for unauthorized users. Make each employee aware of proper procedures to tighten up any holes.

Next, you should educate users on how to detect possible security breaches or attempts. This is an ongoing practice requiring awareness training and refresher courses to keep everyone diligent.

Finally, publish the consequences to employees for not complying with HIPAA guidelines and your policies and procedures.

#4—Data encryption

Data encryption is one of the most important aspects of HIPAA and EHR implementation. Make sure your EHR platform encrypts data during transmission and decrypts received data.

To make the most out of your encryption procedures, use data encryption best practices and expert methods.

#5—Destruction controls

When it is time to dispose of PHI, make sure you do it properly. Create policies and procedures for PHI destruction and disposal and make sure staff adhere. This is applicable for both electronic and paper PHI.

Remove any data from hardware you are repurposing, and keep track of where hardware moves and the loaded information on each machine.

HIPAA EHR Compliance Checklist

• Know what constitutes protected health information (PHI), and pinpoint all instances of PHI in your organization.
• Identify someone in your agency who will serve as a patient privacy champion. Make him or her your formal “privacy official.” This person will create and implement policies and processes designed to ensure full compliance with HIPAA privacy standards. Other staff should feel comfortable coming to your privacy official with concerns, questions, and requests.
• Develop a Notice of Privacy Practices that “provides a clear, user-friendly explanation of individuals’ rights with respect to their personal health information” and your agency’s privacy practices. Distribute your notice to all clients and staff.
• Record all uses and disclosures of PHI in your organization. The right EMR compliance solution automates this step.
• Allow patients an appropriate level of control over their own PHI, like an access portal to their information. Make sure it is consistent with the HIPAA Privacy Rule.
• When necessary, get explicit, written consent to disclose PHI.
• Stick to the “minimum necessary” method for disclosing PHI. Only use, give or ask for the least amount of PHI to carry out the intended purpose.
• Create a list of your business associates (e.g., any external company that may be exposed to your clients’ PHI). Make sure you have signed Business Associate Agreements with each.
• Implement adequate physical, technical, and administrative safeguards per HIPAA’s Security Rule to prevent illegal PHI disclosure—whether disclosure is intentional or unintentional.
• Make sure your staff has continuous training on HIPAA policies and procedures. Your privacy officer should keep a record of the policies and document associated training.