functions to see who has accessed what information.
The Health Insurance Portability and Accountability Act
(HIPAA) covers electronic health records, and the HIPAA Final
Rule — released on Jan. 25 with a compliance deadline of Sept.
23 — makes some enhancements to patient privacy protections,
said Alan Nessman, JD, senior special counsel for legal and
regulatory affairs in APA’s Practice Directorate.
One important change is in the area of breach notification.
Following a security breach, such as hacking or laptop theft,
practitioners must now conduct a risk assessment to determine
the likelihood that protected health information was actually
compromised. If so, they must report the breach to affected
patients and the federal government. If data were encrypted,
reporting won’t be required in most cases.
The federal government has also ratcheted up enforcement,
said Nessman. In the past, he said, the Department of Health
and Human Services only enforced major breaches. These
days, the department is actively looking for problems. In fact,
the government has made examples of a few smaller providers
who hadn’t made efforts to safeguard information and then
experienced a breach.
A big enforcement concern is that some practitioners
who use electronic health records don’t realize they must
comply with the HIPAA Security Rule, too. That rule requires
practitioners to conduct a structured risk analysis and establish
measures to guard against security risks. Encryption, for
instance, is becoming standard practice. The APA Practice
Organization has tools to help with Security Rule Compliance
and will be providing resources for complying with the recent
Another compliance strategy is to take a minimalist
approach to clinical record-keeping. If you must keep
psychotherapy notes, said Nessman, keep them in a clearly
defined part of the electronic health record with a higher level
of security, in electronic form outside the electronic health
record system or on paper.
There are even simpler things you can do to protect patients’
privacy, said Nathan Tatro, the Practice Directorate’s project
manager for practice research and policy. Set up your electronic
health record with “role-based access,” which allows staff to
access only the information they need to do their jobs. If you’re
using a mobile device to communicate with clients, limit the
patient information you store on it, set your device to lock after
a few seconds of non-use and use a password. “I can’t tell you
how many people I’ve seen who don’t lock their smartphones,”
said Tatro, adding that there are also apps that can remotely
wipe out a phone’s content if it is lost or stolen. Also make sure
your home and office wireless Internet connections are secure.

“Electronic health records can’t reach their full potential unless
both patients and providers are confident that patients’ data
are private and secure,” Dr. Stacey Larson, director of legal and
regulatory affairs in APA’s Practice Directorate, told attendees.
Above all, said Nessman, don’t panic.
“Security issues for electronic health records can seem
complex and daunting; there’s all this jargon, so it can feel like
10 techno-geeks got together to write the rules,” he said. “My
message is that there are simple ways to do it, and we’re here to
help members do it.”