New Meaningful Use Interim Standards Require Encryption Capabilities

By dnicastro@hcpro.com | January 27, 2010

HIPAA privacy and security officers need not revamp their entire policy and training program because of the "meaningful use" of electronic health records (EHR) guidelines published this month in the Federal Register.

If you're on the right track toward complying with HIPAA privacy and security requirements and protecting your patients' information, stay right there.

The EHR standards simply enable you to carry out certain aspects of HIPAA and HITECH better, such as encryption, says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, of Margret\A Consulting, LLC.

Last month, CMS and the Office of the National Coordinator for Health Improvement Technology (ONC) released the two regulations, one on the definition of "meaningful use" of EHRs and one on the standards to improve the efficiency of health information technology used nationwide by hospitals and physicians.

EHR compliance does not guarantee HIPAA compliance.

ONC writes in its interim final rule, "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology":

"While the capabilities provided by Certified EHR Technology may assist … in improving … technical safeguards in order to meet some or all of the HIPAA security rule's requirements or influence … the use of Certified EHR Technology alone does not equate to compliance with the HIPAA privacy or security rules."

One security standard ONC already requires in its meaningful use interim final rule is that EHR systems be capable of encryption.

For instance, if you take your laptop out of your facility with personal health information on it, you must have the capability to encrypt it. Or if you are going to send data to a Health Information Exchange (HIE), you can encrypt the transmission. It does not mean you have to encrypt the entire EHR, Amatayakul says.

"We believe a logical and practical next step … is to require Certified EHR Technology to be capable of encryption," ONC writes. "We hope that by requiring Certified EHR Technology to include this capability, that the use of encryption will become more prevalent."

Keep in mind that the ONC interim final rule and the CMS proposed rules are now in a public comment stage, with final rules expected in the spring. However, the interim final rule is in effect today.

Further, ONC says it may add layers of security standards to what's already established in HIPAA and HITECH.

"We believe that the HIPAA Security Rule serves as an appropriate starting point for establishing the capabilities for Certified EHR Technology," the ONC writes in the interim final rule. "That being said … we intend to … explore these areas and where possible to adopt new certification criteria and standards in the future to improve the capabilities Certified EHR Technology can provide to protect health information."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
