News Feature | March 23, 2015

EHR Compliance And HIPAA Compliance: Help Your Healthcare IT Clients Understand The Difference

By Megan Williams, contributing writer


Your clients likely have concerns around the Health Insurance Portability and Accountability Act (HIPAA) that extend beyond the reach of your influence. Unfortunately, many may assume those concerns are already covered by the HIPAA-compliant EHR (electronic health records) solutions you offer.

Healthcare IT News explores that topic in an article by Security Metrics security analyst Tod Ferran. The piece is written as an advisory to healthcare entities tackling HIPAA compliance and EHR implementations, and it offers good insight for solutions providers looking to address the deepest needs of their clients.

“Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them — it’s just not true.”

Advice To Maintain Security

Ferran advises organizations to prioritize security, warning them that the new HIPAA Security Rule requires them to protect their systems through 75 specific security controls.

He urges them to “assess their security programs as a whole” and make sure that procedures, policies, and security measures are configured to protect patient information and shield the organization from potentially costly regulatory penalties. At the same time, though, he acknowledges that organizations frequently fail to prioritize the risks to electronic patient data, and he stresses the importance of an approach that goes beyond “simply checking a box.”

Selling The Importance Of Risk Management

Ferran frames an organization's approach to risk management around two timelines: the reality of the present and the optimal future.

“No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.”

He places the responsibility for understanding the features of their medical devices and IT assets directly on their shoulders, a weight that solutions providers could easily help them bear. Some of the areas in which they will need help include:

  • intrusion prevention
  • anti-malware
  • identity management
  • integrating data loss prevention tools

Attaining True Compliance

Ferran also includes a basic roadmap for attaining HIPAA compliance. He suggests that organizations establish a regular weekly routine, starting with sessions of as little as 30 minutes, to meet and discuss priorities. Other specific actions he suggests include:

  • designating a HIPAA compliance officer or team member
  • conducting annual HIPAA security risk analyses
  • checking organizational policies and procedures against HIPAA requirements
  • encrypting patient information using a key accessible only by authorized individuals
  • implementing workstation security

For solutions providers who communicate regularly with their clients, this is an article many would likely find useful, and a good way to start a conversation about the current and future solutions their clients are considering.