Your EMR product should have zero gaps with the requirements of the transaction and code sets and privacy and security regulations, meaning that end users can be fully compliant using these products, provided that they have the appropriate policies and procedures in place, says Jolene Eicher, Practice Administrator for Commonwealth Ear, Nose & Throat and The Sinus Center in Louisville, Ky. Remember, it’s the physician’s practice that is compliant, not the products that it uses.
Explore this issue:January 2007
Ms. Eicher, whose practice has been using Greenway’s PrimeChart since May 2005, recommends that a PMS and EMR include the technical safeguards of HIPAA’s security standard to ensure privacy (see www.cms.hhs.gov/EducationMaterials/Downloads/Security101forCoveredEntities.pdf ).
We have firewall protection, says Linda Bauer, Practice Administrator for Pediatric Ear, Nose & Throat of Atlanta, PC, and all employees have a security code which changes every 90 days. Logins are routinely monitored to see who is viewing patient records and why.
Since the privacy rule requires the designation of a privacy officer, Ms. Bauer strongly recommends that a practice hire or train an existing employee in HIPAA security and privacy laws. This person should explain HIPAA regulations to the EMR vendor and information technology (IT) person and be included in all talks regarding how to maintain patient privacy, as well as what the needs of the practice are regarding HIPAA, before implementation of the EMR.
In his September 4, 2006 AMNews article, contract expert Steven Harris suggests that, a provision to provide technology or mandatory updates for regulatory compliance be required in the vendor’s contract, even though the software should comply with HIPAA’s security standards and include appropriate safeguards for PHI upon purchase.
E-Prescribing and E-Mail
Not only are physicians transitioning to EMRs, they are also beginning to use e-prescribing and Web-based applications, such as e-mail, that save time, money, and postage, but also increase access to patients’ PHI.
We have a two-part Web site, says Jeffrey Dudley, Practice Administrator for Sacramento Ear, Nose and Throat Surgical and Medical Group, Inc. in California. The general information at www.sacent.com was designed by a local developer. The encrypted, patient portal side of the website was developed by Kryptic, whose products are designed specifically to meet HIPAA privacy standards.
Through secure online messaging, patients can complete forms, make appointment requests, and request prescription refills, says Mr. Dudley. Most patientsdon’t think twice about using secure online communication, since they have experience with it through other sources, like online shopping or bill paying.