The HIPAA EHR rules stipulate the measures healthcare organizations are required to implement to protect health information maintained on EHRs against impermissible uses and disclosures. Unfortunately, not all healthcare organizations fully comply with the HIPAA EHR rules, and many data breaches are attributable to a lack of EHR security or workforce knowledge.
The adoption of EHRs in the U.S. is mostly attributable to the Meaningful Use incentive program introduced in Title II of the 2009 HITECH Act. Prior to the passage of HITECH, only 9% of non-federal acute care hospitals used EHRs. By 2015, the percentage had increased to 84% according to a report published by the National Coordinator of Health Information Technology.
The digitalization of health records had a significant impact on the delivery of healthcare. According to a second report published by the National Coordinator of Health Information Technology, “84% of academic studies examining health IT functionalities required under the Medicare and Medicaid EHR Incentive Programs had a positive or mixed positive effect on quality, safety, and efficiency of care.”
More EHRs = More Data Breaches
The increased adoption of EHRs has also led to an increased number of data breaches attributable to a lack of EHR security. According to the Office for Civil Rights' data breach report, nearly 8% of data breaches currently under investigation are due to “IT Incidents” involving EHRs – some exposing tens of thousands of records to hackers who can sell the records on the dark web.
However, the data breach report does not represent the true scale at which HIPAA EHR rules are violated because it only lists data breaches in which 500 or more records are exposed. A more revealing report published in 2017 claims 73% of healthcare professionals have used credentials other than their own to log into an EHR – each impermissible login being a violation of the HIPAA EHR rules.
What are the HIPAA EHR Rules?
One of the problems with protecting health information maintained on EHRs is that standards relating to EHRs – and to the health information maintained on them – appear throughout much of the Administrative Simplification provisions, not just in the Administrative, Physical, and Technical Safeguards of the Security Rule. This makes it difficult to compile a definitive list of HIPAA EHR rules.
HIPAA EHR Rules in the Privacy Rule
One example of where standards exist relating to EHRs in the Privacy Rule is the Administrative Requirements (§164.530). These require Covered Entities to train members of the workforce on HIPAA policies, put safeguards in place to limit incidental disclosures, and mitigate the effect of impermissible disclosures by adopting breach response best practices (among other requirements).
If Covered Entities develop HIPAA EHR policies based on the content of the Security Rule alone, workforce members might not understand what Protected Health Information consists of, may disclose more than the minimum necessary information, and – if they do not know a disclosure is impermissible – will not know to report a breach.
Look Beyond the Security Rule Safeguards
While many policies relating to EHR utilization will be based on the standards of the Administrative, Physical, and Technical Safeguards (§164.308, §164.310, and §164.312 respectively), it may be necessary in some circumstances to look beyond the safeguards for potential HIPAA EHR rules in the General Rules (§164.306) and the Organizational Requirements (§164.314).
The General Rules stipulate how much flexibility Covered Entities and Business Associates can use when adopting Security Rule standards based on “the size, complexity, and capabilities of the Covered Entity or Business Associate”, while the Organizational Requirements cover Protected Health Information created by a Business Associate that is fed into a Covered Entity's EHR system.
Impermissible, Incidental, or Unintentional?
Even in the Breach Notification Rule (§164.400 to §164.414) there are definitions that EHR operators will need to be aware of. These definitions can help determine whether an unauthorized disclosure of Protected Health Information is impermissible, incidental, or unintentional and in good faith, and if the unauthorized disclosure should be reported or documented.
In this respect, and as EHRs are often used to store more than just health information, it is also advisable to ensure EHR operators are familiar with the General Principles for Uses and Disclosures in the Privacy Rule. Workforce knowledge of this area of HIPAA will help avoid patient complaints about impermissible uses and disclosures of Protected Health Information.
There are No One-Size-Fits-All HIPAA EHR Rules
Because Covered Entities are different sizes, provide functions of varying complexities, and have a range of capabilities, there are no “one-size-fits-all” HIPAA EHR rules. Therefore, Privacy and Security Officers should conduct risk assessments to determine threats to the confidentiality, integrity, and availability of health information maintained on EHRs and develop HIPAA EHR policies accordingly.
It is important to include among these policies rules that prohibit credential sharing, procedures for backing up data and operating in emergency mode, and schedules for reviewing the organization's HIPAA EHR rules to ensure they are up-to-date and effective. Covered Entities unsure about fully complying with the HIPAA EHR rules should seek professional compliance help.