An EHR system should increase medical office productivity and reduce the time it takes to respond to patients and other medical professionals.
Sloppy electronic health record management erodes patient trust and can leave your office open to Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) violations. By using the correct equipment and performing regular audits on electronic health records, you can make sure that no one within your office is violating HIPAA. Having the appropriate safeguards in place also protects you from malicious third parties who might want to gain access to your patients' information.
Use EHR System Settings to Limit Security Breaches
When assigning user permissions in your electronic health record (EHR) system, your office should only allow enough access for workers to do their jobs. For example, medical professionals may need permissions to update and view EHRs, but billing personnel may only need access to view, and not edit, records. Audit log access should be limited to office managers only.
These security measures protect EHRs, and they also help guard against financial fraud. Financial fraud may not only trigger an extensive audit from the federal government or an insurance company, but it could also severely damage the office's reputation.
Audit to Ensure Document Security
Routine security audits help promote personal and office accountability. Your office should also verify that the EHR system's audit trails meet official compliance guidelines in case of an audit from an outside agency. Your office should keep audit trail history for at least one year.
The American Health Information Management Association notes that audit trails should include the date and time of access, the username of the person accessing the EHR, the exact document viewed, the workstation used to view the document, and the software that triggered the audit. In addition to this basic information, audit trails should also keep a record of the specific edits made, which should include any deleted information. Most EHR audit trails can also send an alert if systematic invalid logins or other possible hacking attempts occur. The audit trails should be completely secured and should not be editable.
When conducting security audits, it's impossible to verify every EHR. Therefore, your office should investigate instances where there's a higher likelihood that HIPAA was violated. For example, staff accessing celebrity or VIP health files, workers viewing patient files with the same last name or address, or staff accessing particularly sensitive health information (e.g., pregnancy of a minor or HIV status) should trigger a review. Medical staff viewing EHRs of patients they did not treat or records outside of their specialty are also worth review.
During an audit, your office should also verify that every account belongs to a current employee. Former employee accounts should be promptly suspended to avoid possible security issues.
Effective audits are a difficult task, so many medical offices invest in specialized, programmable audit tools that flag potential problems. EHR audit tools can detect suspicious activity, automatically send alerts to IT personnel or your office manager, and generate easily understood reports. They can also provide the proof of compliance that demonstrates regular audits, as required by HIPAA. You should keep proof of these audits for at least six years.
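The review triggers described above (VIP or sensitive records, matching last name or address, clinicians viewing patients they did not treat, accounts that do not belong to a current employee) can be expressed as rules over audit-trail entries. The following is an added example, not code from any EHR product; the field names, usernames, and sample records are constructed assumptions.

```python
# Constructed sample data; field names are assumptions, not any EHR vendor's schema.
STAFF = {
    "asmith":  {"role": "clinical", "last_name": "Smith", "address": "9 Oak Ave", "active": True},
    "jdoe":    {"role": "clinical", "last_name": "Doe",   "address": "12 Elm St", "active": True},
    "kbill":   {"role": "billing",  "last_name": "Kim",   "address": "3 Hill Rd", "active": True},
    "bformer": {"role": "clinical", "last_name": "Lee",   "address": "4 Pine Rd", "active": False},
}
PATIENTS = {
    "P1": {"last_name": "Doe",  "address": "77 Lake Dr", "vip": False, "sensitive": False, "treated_by": {"asmith"}},
    "P2": {"last_name": "Park", "address": "9 Oak Ave",  "vip": True,  "sensitive": False, "treated_by": {"asmith"}},
    "P3": {"last_name": "Cruz", "address": "5 Bay Ct",   "vip": False, "sensitive": True,  "treated_by": {"jdoe"}},
}
# Each entry carries the fields an audit trail should record: time, user, document, workstation, software.
AUDIT_LOG = [
    {"ts": "2024-03-01T09:15", "user": "asmith",  "patient": "P1", "document": "chart", "workstation": "WS-01", "app": "ehr-web"},
    {"ts": "2024-03-01T10:02", "user": "jdoe",    "patient": "P1", "document": "chart", "workstation": "WS-03", "app": "ehr-web"},
    {"ts": "2024-03-01T11:40", "user": "asmith",  "patient": "P2", "document": "labs",  "workstation": "WS-01", "app": "ehr-web"},
    {"ts": "2024-03-01T13:27", "user": "kbill",   "patient": "P3", "document": "claim", "workstation": "WS-07", "app": "billing"},
    {"ts": "2024-03-02T02:11", "user": "bformer", "patient": "P3", "document": "chart", "workstation": "WS-03", "app": "ehr-web"},
]

def _same(a, b):
    """Case- and whitespace-insensitive comparison for names and addresses."""
    return a.strip().lower() == b.strip().lower()

def review_reasons(entry, staff=STAFF, patients=PATIENTS):
    """Return the list of review triggers that one audit-trail entry hits."""
    user = staff.get(entry["user"])
    patient = patients[entry["patient"]]
    reasons = []
    if user is None or not user["active"]:
        reasons.append("account not a current employee")
    if user is not None:
        if _same(user["last_name"], patient["last_name"]):
            reasons.append("same last name")
        if _same(user["address"], patient["address"]):
            reasons.append("same address")
        # Only clinicians are expected to appear in treated_by; billing staff are not.
        if user["role"] == "clinical" and entry["user"] not in patient["treated_by"]:
            reasons.append("clinician did not treat patient")
    if patient["vip"]:
        reasons.append("VIP record")
    if patient["sensitive"]:
        reasons.append("sensitive record")
    return reasons

def flag_for_review(log=AUDIT_LOG):
    """Return (entry, reasons) for every access a human should review."""
    return [(e, r) for e in log if (r := review_reasons(e))]

if __name__ == "__main__":
    for entry, reasons in flag_for_review():
        print(entry["ts"], entry["user"], entry["patient"], entry["workstation"], "; ".join(reasons))
```

A flagged entry is a prompt for human review rather than a finding; a billing clerk opening a sensitive record, for instance, may be entirely legitimate.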
Invest in Secure Digital Copiers to Meet EMR Mandates
Like all electronic devices with a hard drive in the office, your digital copier should be encrypted and secure. Not only should this copier, along with any printers, be placed in a locked area, but it should also require biometric, swipe card, or password authentication before working. The copier should have an encrypted disk drive, and all USB ports should be disabled to prevent your office staff from downloading information to an unsecured USB drive.
Each digital copier should also produce a record of use for routine oversight and auditing. Most of these machines have printing, scanning, copying, and faxing capabilities. Networked copiers have these capabilities, as well as the capacity to send documents through email, add them to document management systems, and place them in file-sharing services. Thus, copier security measures that protect patient data are just as important as the security on your office computers.
In smaller offices, you can depend on your encrypted copier to scan paper documents into an EHR system. Larger offices, or offices that consistently use large amounts of paper files, may want to invest in a dedicated scanner for medical documents. There are also companies that specialize in converting large backlogs of paper medical files into EHRs. To protect the overall security of medical files, paper files should be scanned and encrypted as soon as possible. Then you can securely shred the originals.
Having the right copier is only part of the challenge. Your office should also have a good EHR system that makes it easy to scan and upload documents. Once in the system, all scanned records should not be editable. They should be stored as encrypted PDFs or TIFF files. The right EHR system should also easily integrate with your other systems and devices to ensure seamless operability.
HIPAA and HITECH have far-reaching implications for how your medical office is run. In order to ensure document security, your office should pair the right hardware and software with security best practices to protect patient health information. When properly implemented, an EHR system should increase medical office productivity and reduce the time it takes to respond to patients and other medical professionals.