Got EMR? Great! But don’t assume that means you’ve got total compliance. Your EMR vendor has (or should have) safeguards in place to secure its own systems, but your EMR is just one part of the compliance equation. To truly keep your clinic’s protected health information (PHI) secure, you must account for all the variables, like physical access to your facility, workstations, and devices, as well as staff training on proper procedures.

According to the HIPAA Security Rule, covered entities are obligated to “maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.” If you are a covered entity, i.e., a “health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA,” then you must:

  • Ensure the confidentiality, integrity, and availability of all e-PHI you create, receive, maintain, or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by your workforce.

While you know that ensuring compliance is mandatory, tackling the HIPAA security requirements can seem a bit overwhelming and time-consuming. Where do you start? Well, let’s break it down. A recent article from Healthcare IT News outlines some of the steps you should take to keep your clinic compliant, including:

  • Learn the ins and outs of your EMR’s security features, then ensure they are properly configured and enabled.
  • Establish—and routinely evaluate—your policies, procedures, audit trails, and security measures to ensure total compliance with HIPAA requirements.
  • Designate a HIPAA compliance officer at your clinic.
  • Clearly communicate each staff member’s HIPAA compliance responsibilities.
  • Restrict PHI access to only those individuals whose job roles or responsibilities require it, and enforce that restriction with user authentication, access controls, and encryption.
  • Conduct an annual HIPAA security risk analysis.
  • Mitigate and address the security risks you find, such as missing or deficient security controls, weak administrative and physical controls, and unrestricted access to workstations or systems that store PHI.

Relying exclusively on your EMR to keep your PHI secure doesn’t add up to complete clinic compliance. Ultimately, it’s your responsibility to protect all your patient data. To reduce your risk of HIPAA violations, you must put in place your own physical, technical, and administrative safeguards, and review them regularly.