Privacy Assessment

From OpenEMR Project Wiki

A privacy assessment should be done to review compliance with the HIPAA Privacy Rule. The paper-based office has been subject to these regulations for some time. A summary of the Privacy Rule should be reviewed prior to this assessment, and the Privacy Officer should be involved. A privacy assessment, together with an analysis of the procedures that may change when the office starts using OpenEMR, provides focus for the upcoming workflow assessment.

Identify current business associates:

  • OpenEMR consultant
  • Contracted IT support
  • Billing service
  • Transcription

Current HIPAA considerations:

Physical storage and access:

  • Where are the patient records currently stored?
  • What workspaces are visible to patients and visitors?
  • Are computer terminals accessible or visible to patients and visitors?
  • Who has access to the office after hours?
  • Can the office area be locked if unattended?
  • Are paper charts checked out and taken for charting offsite?
  • How is PHI disposed of?
  • Where do charts of inactive or discharged patients go for storage? Are they readily accessible by staff?

The preamble to the HIPAA Privacy Rule notes that, while the Rule is scalable to accommodate many different practice settings, one example of a reasonable safeguard is that “doors to medical records departments (or to file cabinets housing such records) remain locked and limiting which personnel are authorized to have the key or pass-code.” <ref>Standards for privacy of individually identifiable health information. Office of the Assistant Secretary for Planning and Evaluation, DHHS. Final rule. Fed Regist. 2000 Dec 28;65(250):82462–829. [1]</ref>

In some practices, paper charts are removed from the office and taken home. While this practice is not explicitly forbidden, it creates a risk that charts are lost, or that PHI is disclosed to unauthorized persons, while in transport or at home.

Policies and procedures:

  • Is there a Privacy Officer designated for the development and implementation of policies and procedures?
  • Do new patients sign a Notice of Privacy Practices? Where is this documented?
  • How is the exchange of PHI for treatment, payment, and health care operations (TPO) consented to and recorded?
  • Has HIPAA compliance training for employees been completed? Where is it documented?
  • Have all business associates completed documentation of HIPAA training? Have they signed a business associate agreement (BAA)?

With a new electronic medical record, some of the above processes will change. A clear policy documenting the changes concerning consent for release of PHI is needed.

HIPAA Security Rule: Operations involving PHI stored or transmitted in electronic form (ePHI) have additional requirements. While telephone, written, fax, and oral communications are not subject to the Security Rule, electronic medical records are. An analysis will need to be done to ensure compliance. This should take place once the infrastructure is in place. It is discussed in further detail under the security assessment, but it is prudent to look at security while making the privacy assessment. The six areas of concern are:

  • Security standards
  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Organizational requirements
  • Policies and procedures and documentation requirements <ref>NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule [2]</ref>

There are benefits to using an EHR and electronic PHI. However, the transition from paper to an EHR raises many concerns. Current privacy policies and procedures will need to be modified, and a thorough analysis of compliance requirements will need to be made. The following table summarizes some of the changes to anticipate during the transition.

Present status | Potential change with EHR
Chart security | All new PHI will be stored electronically. As long as the server is secured both physically and electronically, after-hours entry to the office will no longer be a concern for new records. Charts will no longer need to be carried out of the office.
Potential for visible PHI in workspace | Less paper containing PHI will be used. If a fax server is installed, most faxes will never reach paper. There will always be some paper, but its use will be diminished. Computer terminals should face away from patients and front-office visitors, with PHI out of view. Care must be taken to lock terminals (password-protected screen lock) whenever they are unattended.
Volume of shredding |
Archive storage | The paper charts will have to be kept for the applicable retention period (10 years in this example; the period is set by state law and payer contracts, not by HIPAA) unless they are completely converted to electronic form. However, no new paper charts will be generated. At the longest, 10 years after the go-live date, the paper charts will no longer be required.
Notice of Privacy Practices | These documents will still be required, but the extra step will be to scan them into the EHR. A desktop scanner will be required for scanning these and all other paper forms the patient signs. In some EHR software, signatures can be captured electronically with a signature pad.
Consent for Release of Information |
Business associate agreements | These will also still be required, but an EHR is the first move toward a paperless office. These documents can be stored electronically in a separate, access-controlled area of the server.
Employee training documents |
Paper PHI | Most of it becomes electronic PHI, so further assessment will be required to determine compliance with the Security Rule.

The transition to an EHR can result in increased security and streamlined privacy policies and procedures. It requires significant effort to make the change, but a sound plan and thorough research can result in more effective protection of patient privacy and confidentiality.

References:

<references />