Electronic Medical Records Laws

The Health Insurance Portability and Accountability Act (HIPAA) provides federal protection for the privacy of personal health-related information. The HIPAA program falls under the U.S. Department of Health and Human Services. The act does allow for release of information under some circumstances, such as to a person's insurance provider and to other health care providers. HIPAA also has a separate Security Rule that establishes the standards for safeguarding medical information that is stored or transmitted electronically.
    Electronic Personal Health Information

    • Most medical records are now saved electronically.

      Electronic personal health information (e-PHI) is protected by the Security Rule. The rule requires that e-PHI be kept confidential, so that it is not disclosed to people who are not authorized to see it, while remaining available to the people who are authorized to review the records. The Security Rule also protects the integrity of the data, guarding against its being changed or destroyed by unauthorized means.

      The Security Rule does not prescribe specific technologies or procedures for meeting these requirements; each covered entity chooses measures appropriate to its size and risk. A small clinic may keep records differently from a hospital system that has branches across the country.

    Physically Restricting Access

    • Physical security measures must be in place that limit access to the facilities and systems holding the records to authorized personnel. The Security Rule calls this standard "Facility Access Controls."

      The "covered entity," which is the organization that holds the records, such as a doctor's office, must use policies and procedures for the "proper use of and access to workstations and electronic media," according to HIPAA. This also applies to moving records, removing files, destroying files, and reusing electronic media (for example, a read/write CD) so that old data cannot be recovered from it.

    Electronic Security

    • Policies must be created and followed for the hardware, software and procedures that record who has accessed the information (audit controls), and a procedure must be in place for regularly reviewing those access records. Systems must be in place to protect records from being changed or destroyed by unauthorized means; for example, a backup system can be used so that electronic data can be restored. Protection must also be provided while the data is being sent electronically, such as by encrypting it in transit. These technical safeguards are typically implemented by the organization's information technology security systems.
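      The two technical safeguards described above, audit-control review and integrity protection, can be illustrated in code. The following is an added example written for this page; it is not from the original article, and the log line format, user names, authorization table and signing key are all invented for illustration. It parses constructed access-log lines, flags accesses that are not in the authorization table or that fall outside business hours for a reviewer to follow up, and uses an HMAC tag to detect unauthorized changes to a stored record.

```python
"""Added example: e-PHI access-log review and record integrity checks.
All names, log lines and keys below are constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime

# Constructed sample audit log: "<ISO timestamp> <user> <action> <record id>"
SAMPLE_LOG = """\
2024-03-04T09:12:00 dr_lee READ pt-1001
2024-03-04T09:15:30 nurse_kim READ pt-1001
2024-03-04T02:40:10 billing_ann READ pt-2002
2024-03-04T10:01:00 dr_lee UPDATE pt-1001
2024-03-04T11:22:45 intern_bob READ pt-3003
"""

# Hypothetical authorization table: which users may touch which patient records.
AUTHORIZED = {
    "dr_lee": {"pt-1001", "pt-2002"},
    "nurse_kim": {"pt-1001"},
    "billing_ann": {"pt-2002"},
}

# Assumed demo key; in practice the integrity key lives in a KMS/HSM, not in code.
INTEGRITY_KEY = b"demo-key-not-for-production"


def parse_log(text):
    """Turn raw log lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record": record,
        })
    return events


def review_access(events, authorized, business_hours=(7, 19)):
    """Return (reason, event) findings a reviewer should follow up on.

    An access is flagged as unauthorized when the user is not permitted to
    see that record, and as after-hours when it is permitted but occurs
    outside the given [start, end) hour window."""
    findings = []
    for ev in events:
        allowed = authorized.get(ev["user"], set())
        if ev["record"] not in allowed:
            findings.append(("unauthorized access", ev))
        elif not (business_hours[0] <= ev["ts"].hour < business_hours[1]):
            findings.append(("after-hours access", ev))
    return findings


def tag_record(record, key=INTEGRITY_KEY):
    """Compute an HMAC-SHA256 tag over a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_record(record, tag, key=INTEGRITY_KEY):
    """True only if the record matches the tag; constant-time comparison."""
    return hmac.compare_digest(tag_record(record, key), tag)


if __name__ == "__main__":
    for reason, ev in review_access(parse_log(SAMPLE_LOG), AUTHORIZED):
        print(f"{reason}: {ev['user']} {ev['action']} {ev['record']} at {ev['ts']}")
    rec = {"id": "pt-1001", "dx": "J45.909"}
    tag = tag_record(rec)
    print("intact:", verify_record(rec, tag))
    rec["dx"] = "J45.901"  # simulated unauthorized modification
    print("tampered:", verify_record(rec, tag))
```

      Run against the constructed log, the review flags two events: the 02:40 read by billing_ann, who is authorized for that record but outside business hours, and the read by intern_bob, who has no entry in the authorization table. The HMAC check shows how an integrity control detects a change to a stored record; it does not prevent the change, which is why the rule also expects backups so that altered or destroyed data can be restored.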

    Business Responsibility

    • The covered entity must address any violation, such as an unauthorized person gaining access to private records. "Reasonable steps" must be taken to resolve the situation, according to HIPAA. It is also considered a violation if the covered entity does not have required safeguards, such as access control, in place, even if no records have actually been exposed.

    Records Management

    • Policies and procedures must be documented and maintained. Currently, the HIPAA rule is to keep the written policies and procedures, as well as any records of required actions, assessments and activities, for six years from the date of creation or the date they were last in effect, whichever is later. The covered entity must also periodically review this documentation and update it as needed. The Security Rule does not set retention periods for the medical records themselves; those are governed by state law and other regulations.
