Privacy and Security Rules
HIPAA affects both EHRs and end users. There are precise rules and regulations about the sharing and storage of electronic protected health information (ePHI) that, if broken, can result in civil violations, criminal penalties, hefty fines, and even jail time. The following details the best ways to safely store PHI and the responsibilities of treatment programs and EHRs like SMART.
Let’s start by looking at HIPAA’s two primary rules:
- The Privacy Rule: This establishes standards for the protection of individuals’ medical records and other personal health information.
- The Security Rule: This requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
EHRs’ responsibility under HIPAA
As a cloud-based EHR provider, SMART is responsible for addressing many of the Privacy Rule provisions and all the provisions of the Security Rule. These provisions include securing, encrypting, and backing up our Partners’ ePHI to ensure its security and integrity, and periodically testing our readiness for possible threats.
We accomplish this by performing routine, thorough Security Risk Assessments to ensure we are appropriately safeguarding all ePHI we receive, maintain, transmit, or process on behalf of treatment providers.
Performing Security Risk Assessments
Understanding how to address HIPAA requirements begins with a full Security Risk Assessment, defined by HIPAA as “a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic health information.” (1)
The following questions are adapted from NIST Special Publication (SP) 800-66. They are examples of what you should consider as part of the analysis:
- Have you identified all the e-PHI within your organization, including e-PHI you create, receive, maintain, or transmit?
- What are the external sources of e-PHI? In other words, do your vendors or consultants create, receive, maintain, or transmit e-PHI?
- What are the human, natural, and environmental threats to information systems that contain e-PHI?
How does HIPAA Affect Addiction Treatment Providers?
Addiction treatment providers are required by law to abide by 42 CFR Part 2 regulations but, as Covered Entities, providers are also responsible for addressing all provisions of both the Privacy Rule and the Security Rule. Many of the Privacy Rule requirements must be addressed outside the realm of the EHR itself, such as having a sound set of HIPAA policies, providing training to all workforce members, posting notices, and supporting the patients’ rights granted by HIPAA.
To support compliance, work through the answers to the three questions listed above so that all your e-PHI is protected against any reasonably anticipated threats and vulnerabilities. Doing this will help protect both your organization and your patients.
Storing Protected Health Information (PHI)
Electronic vs. paper health records
Do you process every document in your clinic electronically, or are you still hanging on to those paper charts? Electronically entering, searching, and storing data makes being audit-ready and HIPAA-compliant much more manageable.
There are three main benefits to being 100% paperless. The first is organizational efficiency: being electronic helps ensure that all staff have access to the same up-to-the-minute patient information at the same time. Next, you can implement quality-control processes such as standardizing forms and auto-scheduling regulatory services. And finally, you can improve data collection standards by creating service-type templates with required questions built in.
Cloud vs. on-premises hosting
Beyond electronic data processing, how you host your data is vital to data security. Cloud-hosted solutions, by far, provide better security capabilities than traditional on-premises hosting. For example, clinics with PHI hosted on-premises are much more vulnerable to data loss during malicious attacks because they cannot perform tasks like point-in-time recovery.
The SMART way
SMART’s Cloud-Based EHR, powered by Amazon Web Services, helps covered entities subject to HIPAA maintain and store protected health information. SMART employs several layers of security, including our virtual private cloud (VPC), Amazon Aurora, Trend Micro, and Armor Cloud Security, to protect data stored in the cloud.
Our EHR platform builds in safeguards, and AWS adheres to all HIPAA protocols. As a result, end users benefit from audit and data integrity controls, malware protection, PHI encryption, backup and storage, automatic logoff, security incident detection and response, and contingency operations processes.