EHR security is a critical part of maintaining HIPAA compliance. Healthcare organizations, providers, health plans, and patients must work together to help to ensure that electronic health records are used in a way that protects the privacy and security of patient information. 

By following the best practices for EHR security, patient information is kept safe and confidential. In addition to peace of mind for your patients, your organization can also avoid the costly penalties associated with noncompliance. Our colleagues at PrivaPlan Associates, a leading consulting company for HIPAA compliance, recommend the following for ensuring EHR security: 

• Maintain an inventory of all systems that host, store, and transfer protected health information (PHI). This inventory should include all interfaces and remote access points. 

• Ensure that physical, administrative, and technical safeguards are in place to protect PHI. The specifics of these security measures may vary based on the size and needs of your organization.

• Develop policies and procedures for the secure handling of PHI. Keep written documentation of these policies and procedures, as well as records of how they change over time.

• Provide training to employees on how to protect EHRs from unauthorized access, use, or disclosure. This should also include training on how to identify phishing and ransomware attempts. 

• Perform an annual IT and/or HIPAA Security Risk Assessment (SRA) (a long-time requirement to participate in Hospital PI and MIPS PI) to learn where sensitive information resides and where there are risks for breaches. Based on the results of an SRA, your organization can then appropriately coordinate remediation efforts. 

• Utilize the CMS SAFER Guides to do a full spectrum assessment of EHR safety (a new requirement of Hospital PI and MIPS PI in 2022).

• Encrypt information to ensure confidentiality. When information is encrypted, there is low probability that anyone other than the receiving party will be able to access or decrypt the information that has been sent.

Cyber-attacks on healthcare systems are on the rise, with 2021 seeing an all-time high in the number and volume of data breaches. Maintaining EHR security protects both your patients and your organization if your records are targeted. Our team can help you evaluate and select a certified EHR system to start your security compliance out on the right foot.

For more information on how to perform an IT and/or HIPAA Security Risk Assessment (SRA) or to develop policies and procedures, contact PrivaPlan Associates for a free consultation. PrivaPlan Associates has over 20 years of HIPAA intelligence and customized approaches for all aspects of healthcare. 

Footnote: Special thanks to David Ginsberg and Athea Merredyth of PrivaPlan Associates for their contribution to this guide.