The Electronic Medical Records market is heating up. VARs selling an EMR, or evaluating EMRs to offer, would be advised to understand the features in the EMR that support HIPAA Privacy and Security. When the practice's entire collection of patient medical records is computerized, the stakes for HIPAA compliance are much higher than they were when only billing was electronic.

HIPAA Privacy compliance is the responsibility of the medical practice, not the software vendor. So, looking at compliance from a practice's point of view, here are some compliance obligations and corresponding features that the EMR system should offer:
1) Patient Right to Inspect and Copy Records. The system needs a feature to print out a copy of the entire medical record, if requested, for patient inspection.
2) Patient Right to Request Amendment. HIPAA includes a multi-step protocol for this patient right:
   a) When patients request an amendment to their records, providers must either accept or deny the amendment. If accepted, the data can be changed directly in the system. A permanent audit trail of this change, optionally noting that it was initiated by the patient, is essential.
   b) If the practice disagrees with the amendment, it must still document the request for change. The system must have the capability to document this.
   c) If the practice denies the change, the patient has a right to submit a statement of disagreement, which must be included in the chart. The system must have the capability to document this.
   d) If a statement of disagreement is filed, the practice, at its option, may prepare a written rebuttal. The system must have the capability to document this.
   e) For all future disclosures of the patient's chart, all of the above documentation must be included if the disputed item is disclosed. Routines which print and/or transmit the document (e.g. via HL7) must be programmed to include this additional information.
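To make steps a) through e) concrete, here is an added example (not code from the article's author or from any EMR product) of a chart entry that walks the amendment protocol and keeps a permanent audit trail. The names ChartEntry, AuditEvent, render_for_disclosure and the patient/provider identifiers are assumptions for the example; the point is that every print or export path goes through one routine, so a disputed item never leaves without its request, denial, statement of disagreement and any rebuttal.

```python
# Added illustration of the amendment-request protocol. Not code from any EMR
# product or from the article's author; names and identifier formats are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class AuditEvent:
    at: str                 # UTC timestamp of the event
    actor: str              # patient or staff identifier (assumed format)
    action: str             # request / amend / deny / disagreement / rebuttal
    detail: str
    patient_initiated: bool = False


@dataclass
class ChartEntry:
    entry_id: str
    text: str
    audit: List[AuditEvent] = field(default_factory=list)   # append-only trail
    amendment_request: Optional[str] = None
    denial_reason: Optional[str] = None
    statement_of_disagreement: Optional[str] = None
    rebuttal: Optional[str] = None

    @property
    def disputed(self) -> bool:
        """Denied, and the patient has filed a statement of disagreement."""
        return self.statement_of_disagreement is not None

    def log(self, actor: str, action: str, detail: str, patient_initiated: bool = False) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     actor, action, detail, patient_initiated))


def request_amendment(entry: ChartEntry, patient: str, wanted: str) -> None:
    """Step a: the patient asks for a change. The request is recorded so it
    is on file whether the practice accepts it or not (step b)."""
    entry.amendment_request = wanted
    entry.log(patient, "request", wanted, patient_initiated=True)


def accept_amendment(entry: ChartEntry, provider: str) -> None:
    """Step a, accepted: change the data in place; the old value stays in the trail."""
    if entry.amendment_request is None:
        raise ValueError("no amendment request to accept")
    old, entry.text = entry.text, entry.amendment_request
    entry.log(provider, "amend", f"{old!r} -> {entry.text!r}", patient_initiated=True)


def deny_amendment(entry: ChartEntry, provider: str, reason: str) -> None:
    """Step b: the practice disagrees; the request and the reason stay on file."""
    if entry.amendment_request is None:
        raise ValueError("no amendment request to deny")
    entry.denial_reason = reason
    entry.log(provider, "deny", reason)


def file_disagreement(entry: ChartEntry, patient: str, statement: str) -> None:
    """Step c: a statement of disagreement is only possible after a denial."""
    if entry.denial_reason is None:
        raise ValueError("no denial on record")
    entry.statement_of_disagreement = statement
    entry.log(patient, "disagreement", statement, patient_initiated=True)


def file_rebuttal(entry: ChartEntry, provider: str, text: str) -> None:
    """Step d: optional rebuttal, only after a statement of disagreement."""
    if not entry.disputed:
        raise ValueError("no statement of disagreement on record")
    entry.rebuttal = text
    entry.log(provider, "rebuttal", text)


def render_for_disclosure(entry: ChartEntry) -> str:
    """Step e: the single routine every print or export path (an HL7 sender,
    for instance) calls, so a disputed item never leaves without its paperwork."""
    lines = [f"[{entry.entry_id}] {entry.text}"]
    if entry.disputed:
        lines += [f"  Amendment requested by patient: {entry.amendment_request}",
                  f"  Practice denied: {entry.denial_reason}",
                  f"  Patient statement of disagreement: {entry.statement_of_disagreement}"]
        if entry.rebuttal:
            lines.append(f"  Practice rebuttal: {entry.rebuttal}")
    return "\n".join(lines)


def demo_denied_path() -> ChartEntry:
    """Constructed sample walk through steps a to e on the denied branch."""
    e = ChartEntry("note-17", "Patient reports no drug allergies.")
    request_amendment(e, "patient:42", "Patient reports penicillin allergy.")
    deny_amendment(e, "dr.lee", "Chart reflects what was stated at the visit.")
    file_disagreement(e, "patient:42", "I told the nurse about penicillin.")
    file_rebuttal(e, "dr.lee", "Nursing intake form shows no allergy reported.")
    return e


if __name__ == "__main__":
    print(render_for_disclosure(demo_denied_path()))
```

The ordering checks (no disagreement without a denial, no rebuttal without a disagreement) are what keeps the chart's documentation consistent with the protocol; the audit list is never edited, only appended to, which is the "permanent audit trail" the text asks for.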
3) Minimum Necessary. The practice must decide who in the practice is entitled to see what information. What these criteria are will vary with the size of the practice. So the system should have flexible access controls to accommodate a variety of minimum necessary determinations.
4) Tracking Disclosures. For systems which allow the practice to eliminate the paper chart (any good system!), a logging capability for disclosures (built into the chart printing or export routine, perhaps) must be included. Disclosure tracking for treatment, payment, and operations is NOT required. Disclosure tracking is also NOT required for disclosures specifically authorized by the patient. Disclosures which need to be tracked include disclosures to public health officials, to law enforcement officials, disclosures by accident, and the laundry list of other HIPAA-authorized disclosures which are not authorized by the patient.
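As an added example (not code from the article's author or from any EMR product), here is a disclosure log hooked into the chart export routine, with the exemption rule from the paragraph above built in: treatment, payment, operations and patient-authorized disclosures are not tracked, everything else is. The purpose vocabulary, the Disclosure record, DisclosureLog and export_chart are assumptions for the example; the six-year look-back in accounting() comes from 45 CFR 164.528 and is kept as a parameter.

```python
# Added illustration of disclosure tracking. Not code from any EMR product or
# from the article's author; the purpose names and record layout are assumed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Purposes that need no accounting: treatment, payment, health-care operations,
# and disclosures the patient specifically authorized. Every other permitted
# purpose is tracked. The vocabulary itself is an assumption for the example.
EXEMPT_PURPOSES = {"treatment", "payment", "operations", "patient_authorization"}
TRACKED_PURPOSES = {"public_health", "law_enforcement", "accidental", "other_hipaa_permitted"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    on: date
    recipient: str
    purpose: str
    description: str            # what left the practice (whole chart, one episode, ...)


def accounting_required(d: Disclosure) -> bool:
    return d.purpose not in EXEMPT_PURPOSES


class DisclosureLog:
    def __init__(self) -> None:
        self._entries: List[Disclosure] = []    # append-only

    def record(self, d: Disclosure) -> bool:
        """Called by every print/export routine. Returns True when the
        disclosure was added to the accounting, False when it was exempt."""
        if d.purpose not in EXEMPT_PURPOSES | TRACKED_PURPOSES:
            raise ValueError(f"unknown disclosure purpose {d.purpose!r}")
        if not accounting_required(d):
            return False
        self._entries.append(d)
        return True

    def accounting(self, patient_id: str, as_of: date, years: int = 6) -> List[Disclosure]:
        """Accounting of disclosures for one patient over the prior `years`
        (45 CFR 164.528 sets a six-year look-back; kept as a parameter here)."""
        cutoff = as_of - timedelta(days=365 * years)
        return [d for d in self._entries
                if d.patient_id == patient_id and cutoff <= d.on <= as_of]


def export_chart(log: DisclosureLog, patient_id: str, recipient: str,
                 purpose: str, on: date) -> str:
    """Stand-in for the chart print/export routine: produce the document and
    record the disclosure in the same step so the log cannot be skipped."""
    document = f"<chart of {patient_id} exported to {recipient}>"
    log.record(Disclosure(patient_id, on, recipient, purpose, "entire chart"))
    return document


def demo() -> DisclosureLog:
    """Constructed sample disclosures for one patient."""
    log = DisclosureLog()
    today = date(2024, 5, 1)
    export_chart(log, "p1", "Dr. Patel (referral)", "treatment", today)            # exempt
    export_chart(log, "p1", "Acme Insurance", "payment", today)                    # exempt
    export_chart(log, "p1", "Employer attorney", "patient_authorization", today)   # exempt
    export_chart(log, "p1", "County Health Dept", "public_health", today)          # tracked
    export_chart(log, "p1", "Wrong fax number", "accidental", today - timedelta(days=10))  # tracked
    export_chart(log, "p1", "Police", "law_enforcement", date(2015, 1, 1))         # tracked, outside window
    return log


if __name__ == "__main__":
    for d in demo().accounting("p1", date(2024, 5, 1)):
        print(d.on, d.recipient, d.purpose)
```

Rejecting an unknown purpose rather than silently treating it as exempt is the safer default: a new export path that forgets to classify its disclosure fails loudly instead of quietly dropping out of the accounting.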
5) Agreed Upon Restrictions. An individual may request limitations on disclosures, for example, that a wrist pain episode not be billed to insurance or sent out with the chart to the employer's worker's comp attorney. Other requests might include that only the doctor have access to the information. Note that the practice is not required to agree to these special requests, but if it does agree, it must abide by these agreements. So, technical features to help with the administration of special disclosure restrictions would be a plus.
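Items 3 and 5 are two layers of the same access decision, so one added example (not code from the article's author or from any EMR product) serves both: a practice-configurable minimum-necessary role policy checked first, then the patient-agreed restrictions for the episode in question, using the wrist-pain case from item 5. The role names, chart section names, the Restriction and Request records and authorize() are assumptions for the example.

```python
# Added illustration combining minimum-necessary role policy with agreed
# restrictions. Not code from any EMR product or from the article's author;
# roles, section names and the record layouts are assumed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Practice-configurable minimum-necessary policy: which chart sections each role
# may see, and for which purpose. A small practice may collapse roles; a large
# one may add more. This table is the "flexible access control" item 3 asks for.
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "physician":  {"treatment": {"*"}},
    "nurse":      {"treatment": {"vitals", "medications", "notes"}},
    "billing":    {"payment": {"demographics", "diagnoses", "procedures"}},
    "front_desk": {"operations": {"demographics", "appointments"}},
}


@dataclass(frozen=True)
class Restriction:
    """A disclosure restriction the practice has agreed to for one patient."""
    patient_id: str
    episode: str                                    # e.g. "wrist-pain"
    blocked_purposes: frozenset = frozenset()       # {"payment"}: do not bill insurance
    blocked_recipients: frozenset = frozenset()     # named outside parties
    allowed_users: Optional[frozenset] = None       # e.g. only the treating doctor


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    purpose: str
    patient_id: str
    section: str
    episode: Optional[str] = None       # which episode the data belongs to
    recipient: Optional[str] = None     # set when the data leaves the practice


def role_allows(role: str, purpose: str, section: str) -> bool:
    allowed = ROLE_POLICY.get(role, {}).get(purpose, set())
    return "*" in allowed or section in allowed


def restriction_blocking(restrictions: List[Restriction], req: Request) -> Optional[str]:
    """Return the reason an agreed restriction blocks this request, or None."""
    for r in restrictions:
        if r.patient_id != req.patient_id or r.episode != req.episode:
            continue
        if req.purpose in r.blocked_purposes:
            return f"agreed restriction: episode {r.episode} not used for {req.purpose}"
        if req.recipient is not None and req.recipient in r.blocked_recipients:
            return f"agreed restriction: episode {r.episode} not sent to {req.recipient}"
        if r.allowed_users is not None and req.user not in r.allowed_users:
            return f"agreed restriction: episode {r.episode} limited to named users"
    return None


def authorize(restrictions: List[Restriction], req: Request) -> Tuple[bool, str]:
    """Minimum-necessary check first, then patient-agreed restrictions.
    Both outcomes, allowed and denied, are worth writing to the access log."""
    if not role_allows(req.role, req.purpose, req.section):
        return False, f"role {req.role} not entitled to {req.section} for {req.purpose}"
    reason = restriction_blocking(restrictions, req)
    if reason is not None:
        return False, reason
    return True, "allowed"


def sample_restrictions() -> List[Restriction]:
    """Constructed sample: the article's wrist-pain case plus a doctor-only episode."""
    return [
        Restriction("p1", "wrist-pain",
                    blocked_purposes=frozenset({"payment"}),
                    blocked_recipients=frozenset({"employer workers comp attorney"})),
        Restriction("p1", "counseling", allowed_users=frozenset({"dr.lee"})),
    ]


if __name__ == "__main__":
    req = Request("bill1", "billing", "payment", "p1", "procedures", episode="wrist-pain")
    print(authorize(sample_restrictions(), req))
```

Keeping the restriction keyed by episode matters: the same billing clerk who is blocked from the wrist-pain charges must still be able to bill the patient's other visits, otherwise the practice will be tempted to delete the restriction rather than honour it.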