August 21, 2008
An increasing number of hospitals and other health care facilities are
providing physicians with access to software and other assistance relating to
the implementation of electronic health records ("EHR")
systems. These entities, which are covered entities under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"),
find it difficult to reconcile the open access of many EHR systems with the HIPAA
obligations of a covered entity to secure and to protect the confidentiality of
protected health information ("PHI"). HIPAA regulations require that covered entities implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that they create, receive, maintain, or transmit. This article provides guidelines to assist hospitals and health care facilities
that provide EHR technology to physicians or certain of their representatives on
how to reconcile EHR systems with the HIPAA requirements.
Because HIPAA governs the access to and exchange of information between EHR participants, a health care facility should consider the following when determining whether or not to provide a physician with access to PHI contained in the EHR:
1. The physician’s relationship (and/or the physician’s group’s relationship) with the health care facility.
2. The nature and extent of the information in the EHR the physician is permitted to access (e.g., whether the physician will be able to access information for their own patients only, or whether the physician will be able to access information of patients of the facility or of other physicians at the facility).
3. Whether the information is in an individually identifiable form or aggregated.
4. The purpose for which the physician or the physician’s personnel are accessing the information (e.g., for treatment, payment, or operations). Any disclosure for a purpose other than treatment, payment, or operations should be analyzed to verify compliance with HIPAA by doing the following:
a. obtaining patient authorizations where appropriate;
b. implementing and documenting appropriate access controls;
c. complying with patient rights provisions such as the right to access or amend the patient’s own medical records;
d. disclosing only the minimum amount of PHI necessary;
e. complying with required provisions if disclosures are for research and other public health purposes; and
f. complying with required business associate agreement provisions.
All individuals who have access to a health care facility’s EHR system should
be required to comply with the HIPAA privacy and security regulations. To
address privacy and security concerns, it is good practice for EHR users to be required to:
1. Notify the facility of additions and deletions of other EHR users within 24 hours. For example, a physician group with EHR
access should inform the facility of the addition or removal of physician
employees of the group so that access can be appropriately added or removed.
2. Notify the facility of any discovery requests that involve
data on the EHR system within a specified and reasonable period of time,
which should be one to three days.
3. Implement reasonable and appropriate safeguards within the EHR
user's office to maintain the confidentiality, integrity and availability of the data within the EHR system and to notify the facility of breaches in security.
4. Comply with HIPAA notice, authorization and patient access
requirements as well as with all applicable state and local laws and
regulations regarding the privacy and security of health information.
5. Comply with the facility’s policies and procedures for access to and use of the data in the EHR system.
The HIPAA security rule requires a health care facility to use reasonable and appropriate safeguards to protect the confidentiality, integrity and availability of electronic PHI. The facility’s HIPAA policies and procedures should reflect these safeguards. Therefore, a facility should verify that its existing HIPAA policies and procedures contemplate the exchange of information among the participants of the EHR system and make sure to (i) address access controls, integrity and authentication processes, (ii) assign each user a unique user name or number so that activity can be tracked and attributed to a specific individual, and (iii) establish policies and procedures to verify that a person or entity seeking access is the one claimed.
A health care facility should continually analyze potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI, considering the technology and the scope of information included in the EHR system. The facility should create audit logs by implementing software, hardware and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. Reviewing these audit logs lets the facility verify whether its established policies and procedures are actually being followed.
The facility should establish policies and procedures to address the following topics. Furthermore, the facility should work to ensure that all participants in the EHR system follow these policies and procedures.
1. Appropriate uses and disclosures of PHI and de-identified PHI.
2. Coordinated process for addressing patient requests for access to patient’s own records.
3. Coordinated process for addressing subpoenas and other requests for information.
4. Data that may not be shared through the EHR system (including sensitive data that the system is not designed to segregate such as mental health data, HIV status, drug abuse records, etc.).
5. Whether a user may withhold data that other users would expect to find through the system (for example, because the patient has requested a special restriction on information).
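As an added illustration of the access-control points discussed above (a unique identifier for every user, access limited to a physician's own patients, a purpose check that flags disclosures outside treatment, payment or operations, withholding of categories the system does not segregate and of data the patient has asked to restrict, and an audit log of every decision), the following Python example is not from the article. The record categories, purposes, user ids and patient records are constructed sample data and hypothetical policy values, not a facility's actual policy:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical facility policy values (assumed for this example): categories the
# system is not designed to segregate and therefore never releases, and the
# purposes that count as treatment, payment or operations.
SEGREGATED_CATEGORIES = {"mental_health", "hiv_status", "substance_abuse"}
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Entry:
    patient_id: str
    category: str
    text: str


@dataclass
class EHR:
    entries: list
    # unique user id -> set of patient ids that user currently treats
    treating: dict
    # patient id -> categories the patient asked to have withheld
    restrictions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, user_id, patient_id, purpose, decision, detail):
        # Every decision is recorded against the unique user id so the log can
        # later be reviewed to confirm the access policy is being followed.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "patient": patient_id, "purpose": purpose,
            "decision": decision, "detail": detail,
        })

    def deprovision(self, user_id):
        """Remove a user's access, e.g. after a group reports a departure."""
        self.treating.pop(user_id, None)
        self._audit(user_id, None, None, "deprovisioned", "access removed")

    def read(self, user_id, patient_id, purpose):
        """Return the entries this user may see, or raise PermissionError."""
        if purpose not in PERMITTED_PURPOSES:
            self._audit(user_id, patient_id, purpose, "denied",
                        "purpose outside treatment/payment/operations; "
                        "patient authorization required")
            raise PermissionError("purpose requires patient authorization")
        if patient_id not in self.treating.get(user_id, set()):
            self._audit(user_id, patient_id, purpose, "denied",
                        "no treatment relationship with patient")
            raise PermissionError("user does not treat this patient")
        withheld = self.restrictions.get(patient_id, set())
        released, blocked = [], []
        for e in self.entries:
            if e.patient_id != patient_id:
                continue
            # Segregated categories and patient-restricted categories are
            # withheld even from a treating physician.
            if e.category in SEGREGATED_CATEGORIES or e.category in withheld:
                blocked.append(e.category)
            else:
                released.append(e)
        self._audit(user_id, patient_id, purpose, "granted",
                    f"released {len(released)} entries; "
                    f"withheld categories: {sorted(blocked)}")
        return released


def build_sample_ehr():
    """Constructed sample data for the demonstration (not real records)."""
    entries = [
        Entry("P001", "medications", "lisinopril 10 mg daily"),
        Entry("P001", "labs", "HbA1c 6.4%"),
        Entry("P001", "hiv_status", "(segregated)"),
        Entry("P001", "mental_health", "(segregated)"),
        Entry("P002", "medications", "metformin 500 mg"),
        Entry("P002", "labs", "lipid panel normal"),
    ]
    treating = {"dr_lee": {"P001"}, "dr_chen": {"P002"}}
    # Patient P002 has asked that lab results not be shared through the system.
    restrictions = {"P002": {"labs"}}
    return EHR(entries, treating, restrictions)


if __name__ == "__main__":
    ehr = build_sample_ehr()
    print([e.category for e in ehr.read("dr_lee", "P001", "treatment")])
    for line in ehr.audit_log:
        print(line)
```

Denials are logged with the same detail as grants; a reviewer reading the audit log can therefore see both who obtained which categories and who was refused and why, which is what makes the log useful for verifying that the facility's policies work rather than merely recording successful reads.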