Aug 24, 2013

We are covered, our EMR is Certified. Really??

When asked, almost any small practice owner would respond that he doesn't have to worry about HIPAA compliance because his EMR (the term in vogue for electronic medical record and practice management systems) is certified. Most don't even know what the HITECH or Omnibus rules are. If you try to explain, they take it as someone trying to eke a few bucks out of their already over-burdened cash flow.

Well, let's go through a list of items that would really make a covered entity compliant with HIPAA and related regulatory obligations. This should give you a fair idea whether merely having a certified EMR would suffice to be considered HIPAA compliant. The list has been updated to reflect the modified HIPAA/HITECH rules that became effective March 26, 2013; all covered entities (CEs) are required to be compliant by September 23, 2013:

  • The very first requirement for HIPAA compliance is a Risk Assessment/Analysis conducted to identify security and privacy vulnerabilities in your business environment, which extends beyond your place of business since almost all systems provide remote and mobile access. Any audit or inquiry will begin by asking you for a copy of your risk assessment report. The risk analysis is an ongoing process, and you need to proactively monitor your environment for new or changed risks that you should mitigate.
  • The Notice of Privacy Practices (NPP or NOPP) needs to be updated. You probably got a template from somewhere and have been using that; its terms need to be updated with the latest requirements that came into effect this year (2013). You can get recently updated NPP samples from the websites of the VA, Stanford University Hospitals, etc. and develop yours accordingly.
  • Your business associates (BAs) are now directly liable for complying with the HIPAA rules, and your Business Associate Agreements need to be updated to reflect the new requirements. Agreements already in place before the March 26, 2013 effective date may be updated within the following 18 months, but any BAA entered into after that date must comply by September 23, 2013.
  • Update your policies and procedures, and train your workforce to be aware of the privacy and security requirements. All staff, including upper management, are required to undergo training, be tested, and have it documented at least once annually, as well as at the time of initial employment. The key words here are training, testing and documentation.
  • Your computer environment must be protected by a firewall to prevent unauthorized access, anti-virus/anti-malware protection to guard against the malware that leads to theft or loss of protected health information, and a backup system that lets you recover within a reasonable time from any disaster.
  • Mobile devices are used more and more to access and update EMRs, either locally (on premises) or remotely (off premises). Protective measures to consider: require complex passwords or passcodes to unlock the devices; encrypt data both in transit and at rest (including the local cache); disable file-sharing apps; use only secured Wi-Fi connections and never public hot spots; and enable remote locking and wiping so that a lost or stolen device does not expose PHI.
  • The Omnibus rule (the 2013 update) requires you to honor a patient's request not to disclose information about a specific procedure or treatment to their health plan when the patient pays for that service out of pocket in full. Your coding and billing process should be set up to handle such cases.
  • Physical access to your facilities should be well controlled to protect against unauthorized access to PHI. In addition, keep track of backup copies of your data, hard-copy records, thumb/external hard drives, CDs/DVDs, tapes and other portable storage media; all of them should be properly accounted for. Remember to wipe computers, devices and even your networked copiers/printers before disposing of them, as they may hold PHI that unauthorized persons could recover.
  • You should be able to produce logs of who logged into your EMR/EHR, when and from where they logged in, and which data or files they accessed. Review these logs periodically; record any discrepancies and take appropriate action based on the violations found.
  • Be prepared for disasters, both natural events and hardware failures, with a plan for quick recovery to ensure continuous access to patient data.
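As an added illustration of the log-review item above (example code written for this post, not code from the original page and not tied to any particular EHR product): a small Python script that reads a constructed CSV export of EHR access events and flags the discrepancies a reviewer would look for, namely activity outside office hours, activity from addresses outside the practice's networks, chart access with no login recorded from that address, and one user opening an unusually large number of charts in a day. The column layout, the office-hours window, the trusted address ranges and the bulk-access threshold are assumptions for the example; adapt them to what your own system actually exports.

```python
"""Periodic review of EHR/EMR access logs for discrepancies.

Added illustration, not code from the original post and not tied to any EHR
product. The CSV layout, office-hours window, trusted address ranges and
bulk-access threshold below are assumptions made for this example.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Assumed: the office LAN and the VPN address pool; anything else is untrusted.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.10.0/24"),   # office LAN
                    ipaddress.ip_network("10.8.0.0/24")]       # VPN pool
OFFICE_HOURS = (7, 20)      # assumed: 07:00 to 20:00 local time
OFFICE_DAYS = range(0, 5)   # assumed: Monday to Friday
BULK_THRESHOLD = 25         # assumed: distinct charts per user per day

# Constructed sample export (timestamp,user,source_ip,action,patient_id).
# A normal Monday for drsmith and frontdesk, plus four things a reviewer should see:
#   drsmith views a chart over the VPN with no login recorded from that address;
#   frontdesk logs in and views a chart at 23:17; billing logs in from a public
#   address outside the practice networks; intern opens 30 charts in half an hour.
_rows = [
    "timestamp,user,source_ip,action,patient_id",
    "2013-08-19T08:02:11,drsmith,192.168.10.21,login,",
    "2013-08-19T08:05:40,drsmith,192.168.10.21,view_chart,P-1001",
    "2013-08-19T08:31:02,drsmith,192.168.10.21,update_chart,P-1001",
    "2013-08-19T09:10:15,frontdesk,192.168.10.30,login,",
    "2013-08-19T09:12:03,frontdesk,192.168.10.30,view_chart,P-1002",
    "2013-08-19T12:44:50,drsmith,10.8.0.7,view_chart,P-1003",
    "2013-08-19T23:17:09,frontdesk,192.168.10.30,login,",
    "2013-08-19T23:19:44,frontdesk,192.168.10.30,view_chart,P-1004",
    "2013-08-20T09:55:00,intern,192.168.10.40,login,",
    "2013-08-20T10:00:00,billing,203.0.113.45,login,",
    "2013-08-20T10:01:12,billing,203.0.113.45,view_chart,P-1005",
]
_rows += [f"2013-08-20T10:{m:02d}:30,intern,192.168.10.40,view_chart,P-{2000 + m}"
          for m in range(30)]
SAMPLE_LOG = "\n".join(_rows) + "\n"


def parse_log(text):
    """Parse the CSV export into event dicts, sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S")
        row["source_ip"] = ipaddress.ip_address(row["source_ip"])
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def in_office_hours(ts):
    return ts.weekday() in OFFICE_DAYS and OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1]


def review(events):
    """Return (reason, user, detail) findings for the events of one review period."""
    findings = []
    seen_login = set()          # (user, source_ip) pairs with a login on record
    charts = defaultdict(set)   # (user, day) -> distinct patient charts touched
    for e in events:
        ts, user, ip, action = e["timestamp"], e["user"], e["source_ip"], e["action"]
        detail = f"{action} at {ts.isoformat()} from {ip}"
        if not in_office_hours(ts):
            findings.append(("off_hours", user, detail))
        if not is_trusted(ip):
            findings.append(("untrusted_source", user, detail))
        if action == "login":
            seen_login.add((user, ip))
        elif (user, ip) not in seen_login:
            # Activity without a login from that address: a log gap or a hijacked session.
            findings.append(("no_login_seen", user, detail))
            seen_login.add((user, ip))   # report each user/address pair once
        if e["patient_id"]:
            charts[(user, ts.date())].add(e["patient_id"])
    for (user, day), ids in charts.items():
        if len(ids) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(ids)} distinct charts on {day}"))
    return findings


def review_text(text):
    return review(parse_log(text))


def reason_counts(findings):
    """How many findings of each kind, for the review record."""
    return dict(Counter(reason for reason, _, _ in findings))


if __name__ == "__main__":
    for reason, user, detail in review_text(SAMPLE_LOG):
        print(f"{reason:17} {user:10} {detail}")
```

Each finding is a line to record in the review log together with the action taken; the thresholds and address ranges are the part to tune to the practice, and a user who legitimately works evenings or a clinician who rounds from a hospital network will show up until they are whitelisted deliberately, which is itself a documented decision.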
I urge you to go over the above recommendations once more to really understand what is involved in being HIPAA/HITECH compliant, and to realize that merely having a certified EMR/EHR does not make you compliant. Remember, OCR (the HHS Office for Civil Rights), OIG (Office of Inspector General) and various federal and state agencies are becoming ever more proactive in enforcing the rules, and larger penalties and sanctions are resulting from these actions.

You can either invest your time to do it yourself or invest in a good consultant to take care of this for you. Either way, it is a necessary investment that is a part of running your healthcare business as required by the law.
