Guide to Meeting HIPAA Requirements When Using Your EHR

By Mary Anne C. Murphy, OD

Electronic health records can protect your patients’ private information, but only if you set up effective work protocols in your office to meet HIPAA requirements.

Electronic health records and practice management systems can make it easier for a doctor and her staff to manage patient eye health conditions and track preferences like past purchases of eyewear, but this technology can also make the patient’s private information safer. Whereas in the past, private information was often stuffed into overflowing manila folders crammed onto shelves directly in view of the reception area, EHR offers a database that is password protected. These systems offer redundancies so that information is backed up, with less chance of important details falling through the cracks or being lost in manila folders. However, to fully realize the privacy protection benefits of EHR, and to meet patients’ HIPAA privacy rights, you must set up work protocols that guide your staff’s use of your system. Here is how we do this in our office to meet HIPAA requirements using our EHR, OfficeMate ExamWRITER.

Sophisticated Technology Means Added Protocols Needed

The key protection challenges with electronic records are not much different from those with paper records. For instance, among other HIPAA security issues, we are still responsible for maintaining secure access and training our staff to understand HIPAA requirements. However, using electronic records does pose a few additional concerns, such as protecting your system from viruses, ensuring secure, encrypted data transmission, using a secure network, limiting unauthorized wireless access, and other network integrity controls. Keeping an inventory of all systems that house your data and EHR software is critical. You want to have specific details about mobile devices used by staff in the event that the devices are stolen or lost. This is especially important as many EHR systems enable access on mobile devices such as iPads or other tablets.

Same Protocol When Patient Requests Record

Many of the same restrictions apply to electronic health records that applied to paper records. For instance, for each release of a patient’s records, a signed consent must be obtained and kept within the record. As an added benefit of EHR, records can be transmitted via e-mail to the desired destination. However, while not required, data should be encrypted when transmitted over non-secure networks.

Set System and Staff Protocol for Maximum Protection

Each individual workstation in our office has a username and password, which prevents unauthorized users from accessing our network. Once logged in, our EHR has an additional level of security, which uses unique credentials to log in each user. This ensures that no one has access who shouldn’t. Our office administrator can set up unique properties for each user, ensuring that each employee only has access to the information they need. Furthermore, our EHR has a log-out timer that automatically logs off a user who has been inactive for a specified amount of time, to prevent unauthorized access. It is important to change passwords as employees depart the practice to maintain data integrity. The security function that is available through OfficeMate ExamWRITER allows us not only to control which employees can access specific information, but also to generate a log of those who have accessed the system. Additionally, our EHR has an encryption function to be used with data transmission.
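The controls described above (per-user credentials, access limited to what each role needs, automatic log-out after inactivity, an access log, and revoking access when staff depart) can be modelled in a few lines. The following is an added example written for this article, not code from OfficeMate ExamWRITER or from the author’s office; the roles, record sections and 30-second limit are constructed assumptions.

```python
"""Minimal model of the EHR-level access controls the article describes.
Added illustration only: not OfficeMate ExamWRITER code. All roles, record
sections and identifiers below are constructed for the example."""
from dataclasses import dataclass, field

INACTIVITY_LIMIT = 30  # seconds; assumed, mirrors the article's 30-second screensaver

# Which sections of a patient record each role may open (constructed roles).
ROLE_ACCESS = {
    "doctor": {"exam", "rx", "purchases", "billing"},
    "optician": {"rx", "purchases"},
    "front_desk": {"billing"},
}

@dataclass
class Account:
    user: str
    role: str
    active: bool = True  # set to False when the employee departs

@dataclass
class EHR:
    accounts: dict
    sessions: dict = field(default_factory=dict)   # user -> time of last activity
    access_log: list = field(default_factory=list)  # (time, user, what, outcome)

    def login(self, user, now):
        acct = self.accounts.get(user)
        if acct is None or not acct.active:          # departed staff cannot log in
            self.access_log.append((now, user, "login", "denied"))
            return False
        self.sessions[user] = now
        self.access_log.append((now, user, "login", "ok"))
        return True

    def open_record(self, user, patient_id, section, now):
        last = self.sessions.get(user)
        if last is None or now - last > INACTIVITY_LIMIT:
            self.sessions.pop(user, None)            # automatic log-out after inactivity
            self.access_log.append((now, user, f"{patient_id}/{section}", "session expired"))
            return False
        self.sessions[user] = now
        allowed = section in ROLE_ACCESS[self.accounts[user].role]
        self.access_log.append((now, user, f"{patient_id}/{section}", "ok" if allowed else "denied"))
        return allowed

    def offboard(self, user):
        self.accounts[user].active = False           # revoke access when an employee leaves
        self.sessions.pop(user, None)
```

Every attempt, successful or not, lands in `access_log`, which is the record a HIPAA officer would review after a suspected breach.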

Enhanced Protection

With paper files, almost anyone who had access to the office could theoretically access the patient records. For instance, most of us have a cleaning crew that enters the office after hours. With paper records, many offices were not designed to keep the records locked, leaving them susceptible to breach. In the age of electronic health records, there are usually at least two levels of security that would prevent access to the data. Additionally, electronic health records are commonly backed up off-site at least twice daily. This prevents loss of patient data in the event of a disaster such as fire or flooding. Traditional paper records were never backed up, and in the event of fire, all data would be forever lost.

Mandate EHR HIPAA Training for Staff

Each office should appoint a HIPAA officer who is well versed in HIPAA policies. We require each of our employees to read the HIPAA Privacy Policy that we provide to patients and test them on their understanding. Frequently, at office staff meetings, our HIPAA officer quizzes the employees with simple “what if” questions. This keeps the topic simple and easy because the true language of the law is cumbersome. Our HIPAA officer creates real-life scenarios such as: “What if I present to the office and ask for my records?” or “What if I want to buy my wife a pair of Rx sunglasses for Mother’s Day?”

These situations are not rare, and each offers an opportunity to use our knowledge of the HIPAA security policies we have in place. While it is important to keep it simple, it is also important to share the consequences of information security breaches, including fines and incarceration. Employees should know that it is not just the practice that is responsible, but also each employee.

Beware of Pre-Testing Area

If an image is displayed without a patient’s identifying information, this does not pose a problem. For instance, if your topographer takes an image but does not display the name alongside the picture, this would not be a violation. Many instruments can collect data without requiring the patient’s name. It is only when the data is attached to a patient’s electronic health record that it gains an identity. This can be done discreetly. Additionally, for those instruments that do require patient input, it would be prudent to use a patient number or the patient’s initials rather than their full name. The pre-testing area should be designed to limit a patient’s view of the screen where data is being collected. Furthermore, privacy screens can be used to deter passersby from viewing the data screen. Screensavers should be set to launch after only 30 seconds of inactivity, to prevent a breach should an employee inadvertently walk away without logging out of the system.

Protect Files When Co-Managing Patients

When communicating with other doctors, data transmission that reveals personal information should be encrypted, so that the recipient needs a password to reveal the data. While encryption is not required, it is desirable to offer comprehensive protection. If communicating over a non-secure network, you must be wary of the potential for unauthorized access. A simpler method may be to use a central transmission system like Microsoft HealthVault or another Health Information Exchange portal. It is wise to have a document that outlines your office privacy policies that you share with doctors with whom you share patient care, so everyone who has access to your patient data understands how you intend it to be used. Another important consideration with electronic health records is medical billing, which uses patient information from the records to communicate with other parties involved, such as the insurance companies providing coverage for your patients. Using a reputable billing company with clear documentation of compliance with HIPAA guidelines is essential.

Enhance Patient Privacy Protection with EHR: Action Plan

Create unique user IDs and passwords for each workstation.

Create unique user IDs and passwords for each employee who requires access to the EHR.

Create a culture of awareness for HIPAA policies and require documentation of all data releases: consents for release, as well as requests for information from outside sources. You can never over-document.

Work directly with an IT professional who ensures your network is secure from unauthorized outside access, as well as viruses, and backs up your data regularly.

Be wary of vendors that request access to your patient information for marketing unless you have notified patients that their data will be used for this purpose.

Mary Anne C. Murphy, OD, is the owner of Front Range Eye Associates in Broomfield, Colo. To contact her: DrMurphy@FR-EA.com.
