Is Your EHR HIPAA Compliant?
Since 2009, the American Recovery and Reinvestment Act has funded a movement toward the implementation and adoption of electronic health records (EHR). For nearly a decade, health care providers and health systems have spent time, effort and money on bringing technology on board to harness data and improve the quality of health care.
While much discussion and attention in chiropractic has been given toward how the patient record is documented to achieve compliance for Medicare policy, an essential element within the regulatory environment has been missing in the chiropractic EHR industry: HIPAA compliance.
HIPAA Requirements
The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individuals' health information (called "protected health information," or PHI) by organizations subject to the rule (called "covered entities"), as well as standards for individuals' privacy rights to understand and control how their health information is used.
Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
Where HIPAA Meets EHR
The HIPAA Security Rule then came into force on April 21, 2005, two years after the original legislation. Dealing specifically with electronically stored PHI (ePHI), the Security Rule laid down three categories of security safeguards – administrative, physical and technical – that must be adhered to in full in order to comply with HIPAA.
We all know protecting PHI is serious business. Just ask the health care organizations that have made it onto the OCR's "wall of shame." But here comes the tricky part: Of the 45 citations of HIPAA law with which your practice must comply, nine of these standards must be met through your EHR system.
What Must Your EHR System Allow You to Do?
Mechanism to authenticate electronic protected health information: How can you prove that the data has not been altered in your EHR system?
Assign role-based access to treatment, payment and/or operations: Can you assign minimum information levels of access to your staff based on their job description?
Track user activity within the system: Can you monitor / track the activity of each user in your EHR system?
Monitor log-in attempts that are both successful and unsuccessful: Can you track users (and hackers) who have made log-in attempts or intruded into your EHR system?
Establish unique user identification: Does your EHR system allow you to set up unique identification for each user in the practice?
Encrypt your data at rest and encrypt / decrypt your data in motion: Does your EHR system encrypt data at rest or in motion?
Provide automatic log-off and lockouts after failed attempts: Can your EHR system be programmed to log-off your users after a set period of time or lock out a user after failed attempts?
Backup and disaster recovery plan: Is your EHR system able to create and maintain – and restore – exact copies of your files?
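The checklist above describes controls, not code, so here is an added example (written for this article, not taken from any EHR vendor's product) that shows what several of those controls look like in a minimal, self-contained Python model: an HMAC tag that proves a record has not been altered, unique user IDs, role-based access for treatment, payment and operations, an audit trail of successful and failed log-ins, lockout after repeated failures, and automatic log-off after idle time. The integrity key, the lockout threshold, the 15-minute idle timeout, the role table and the use of PBKDF2 for password storage are all assumptions chosen for the demonstration; the clock is injectable so the idle-timeout behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed, self-contained model of the EHR safeguards listed above.
# The key below is a placeholder; a real deployment keeps it in a KMS or HSM.
INTEGRITY_KEY = b"placeholder-key-replace-in-production"

MAX_FAILED_LOGINS = 5        # assumption: lock the account after 5 consecutive failures
IDLE_TIMEOUT_SECONDS = 900   # assumption: automatic log-off after 15 idle minutes

ROLE_PERMISSIONS = {         # assumption: minimum-necessary access per job function
    "clinician": {"treatment", "payment", "operations"},
    "billing": {"payment"},
    "front_desk": {"operations"},
}


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 tag over the canonical JSON form of a record. Any later
    alteration of the record changes the tag, so a matching tag proves integrity."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison of the stored tag against a freshly computed one."""
    return hmac.compare_digest(seal_record(record, key), tag)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored credentials are not recoverable if the user table leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Ehr:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so idle time can be simulated in tests
        self.users = {}         # user_id -> account record; unique IDs enforced in add_user
        self.sessions = {}      # user_id -> timestamp of last activity
        self.audit_log = []     # every log-in attempt, lockout, log-off and data access

    def _audit(self, user_id, event, outcome):
        self.audit_log.append({"ts": self.clock(), "user": user_id,
                               "event": event, "outcome": outcome})

    def add_user(self, user_id, password, role):
        if user_id in self.users:
            raise ValueError(f"user id {user_id!r} already exists")  # unique identification
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "pw": _hash_password(password, salt),
                               "role": role, "failed": 0, "locked": False}

    def login(self, user_id, password) -> bool:
        """Every attempt is logged; repeated failures lock the account."""
        acct = self.users.get(user_id)
        if acct is None or acct["locked"]:
            self._audit(user_id, "login", "denied")
            return False
        if not hmac.compare_digest(_hash_password(password, acct["salt"]), acct["pw"]):
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_LOGINS:
                acct["locked"] = True
                self._audit(user_id, "lockout", "locked")
            self._audit(user_id, "login", "failure")
            return False
        acct["failed"] = 0
        self.sessions[user_id] = self.clock()
        self._audit(user_id, "login", "success")
        return True

    def _session_active(self, user_id) -> bool:
        """Automatic log-off: a session that has sat idle too long is discarded."""
        last = self.sessions.get(user_id)
        if last is None:
            return False
        if self.clock() - last > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]
            self._audit(user_id, "auto_logoff", "expired")
            return False
        self.sessions[user_id] = self.clock()
        return True

    def access(self, user_id, purpose) -> bool:
        """Role-based check for treatment/payment/operations access, logged either way."""
        if not self._session_active(user_id):
            self._audit(user_id, f"access:{purpose}", "no_session")
            return False
        allowed = purpose in ROLE_PERMISSIONS[self.users[user_id]["role"]]
        self._audit(user_id, f"access:{purpose}", "granted" if allowed else "denied")
        return allowed
```

When asking a vendor for proof of these capabilities, the audit log is the artifact to request: each log-in attempt, lockout, automatic log-off and record access in the model above produces an entry with a timestamp, user ID, event and outcome, which is exactly what an OCR investigator would expect to review.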
Your EHR Won't Take the Blame for HIPAA Violations – You Will
HIPAA places the burden for privacy and security on the clinician, who is the covered entity (that's you). As the originators of PHI with the patient, clinicians have the responsibility to keep PHI privately and securely safeguarded.
Since the PHI in our practices is largely stored in and accessed through our EHR system, it only makes sense that the EHR system should have the capacity to perform the essential functions that allow us to meet the standards of the law. But the question is – do you have proof your EHR system is capable of these functions ... and are you doing them?
Contact your electronic health records vendor today; get the proof and training you need to confirm you are compliant with HIPAA standards.
Author's Note: Learn more about this issue by watching the webinar, "HIPAA Compliance Through EHR Systems".