Doing the math on compliance and electronic medical records

Why a Cloud-Based EMR Does NOT Equate to a HIPAA Compliant Entity

Recently, a question came up that involved entities that said they are perfectly fine with HIPAA compliance because they use a cloud-based EMR (or EHR) who takes care of all their HIPAA compliance for them. A discussion ensued ending with the question: This can’t really be true, can it?

I suppose someone could dream up some condition and try to argue it is true.  I, however, tend to follow the statistics.  The chances any group is able to have all the HIPAA compliance requirements handled by their cloud based software provider is so very tiny I will say it cannot actually be true. Yes, some vendors may tell you just that, but the term “snake oil salesman” comes to mind…

Here is your check list of things your vendor must provide to take care of all your compliance for you.  Does your vendor…

  • Provide a complete and thorough Risk Analysis looking at everything you store in your office that could include Protected Health Information (PHI)?
  • Know every record that comes in and out of your office and how it is managed?
  • Configure your network security and firewall?
  • Monitor your computer systems to confirm they have all their security updates and an active antivirus/malware system?
  • Provide documentation and reports that compliance activity is taking place and reviewing the results?
  • Confirm data you exchange with every single business associate you work with is secured and protected properly?
  • Confirm your Business Associate Agreements are properly in place with every entity that you have a BA relationship?
  • Perform due diligence with all your Business Associates?
  • Update your Notice of Privacy Practices (NPP) to make sure all cases your office should cover is included properly?
  • Confirm you post your updated NPP properly to meet the new requirements?
  • Create a complete disaster recovery and business continuity plan that covers all aspects of your operation being functional?
  • Complete a physical site security checklist and determine all your physical safeguards are adequate and properly documented?
  • Review your administrative safeguards to confirm they are adequate and meet the required and addressable elements properly with documentation of the same?
  • Create and monitor a plan for disposal of all media and equipment that may contain PHI— like printers and copiers?
  • Create and document a breach response plan?
  • Create, monitor and execute a training plan for every member of your staff regarding HIPAA terms, requirements, acceptable uses and disclosures, how to identify a breach, what your own internal policies and procedures require for HIPAA and more?

There is more, but for now, let’s leave it at that. Don’t get me wrong.  There are a lot of HIPAA things, in the Security Rule especially, that you can outsource to your cloud software provider.  But, even those things don’t relieve you of responsibility.  It is up to you to make sure you document completely and audit regularly to make sure those functions like backup and recovery of the data they maintain, up-time guarantees, encryption at rest and in transit, password and user access controls, etc., are actually working as required.

You can’t just say someone else is doing it for me.  If you do, you probably need more training before making your final HIPAA decisions and, of course, detailed documentation of those decisions.   It really takes time and effort on every entity’s part to create their culture of compliance that is really required to make an honest stab at HIPAA compliance in your office.

All this is really a question any Covered Entity (CE) or Business Associate (BA) should be asking themselves no matter who their vendor may be.  Do we have all these things covered?  If you don’t then you definitely need to consider getting some help.  There is a lot to do and you can’t just “mail in” your compliance requirements.

CREDITS

story by DONNA GRINDLE, CHPSE

ABOUT THE AUTHOR: Donna Grindle, CHPSE has been writing medical practice software as a programmer since 1987. She is currently the owner and president of Karden Technology, which specializes in IT and HIPAA compliance services, working with small healthcare providers and businesses that support them.