Over the last few months, I have had the pleasure of speaking to medical professionals, practice owners, and service providers who work with medical practices. Many of them expressed confidence that they were HIPAA compliant simply because they were using cloud-based Electronic Medical Records (EMR) and practice management systems. When probed on whether they had internal policies, sign-offs, and secure end-user systems, the response more often than not was a blank stare. When asked if they had ever taken the opportunity to review the requirements on the Department of Health and Human Services website, the response was a wry smile and a shake of the head.
To dispel the myth: just because your cloud EMR/practice management suite vendor is HIPAA compliant does not mean that you are. Compliance means having and adhering to a written Information Security policy that
1) Identifies the organization and persons responsible for information security
2) Has a set of written policies and procedures that define how the data is accessed, stored, distributed and deleted
3) Has a set of written documents, policies and procedures that explain how the systems used to access and store the data are designed, implemented, monitored and disposed of
4) Explains the process to be followed in case there is a breach
5) Provides for periodic audit of the organization to ensure that the policy is adhered to
6) Is updated as the security requirements change
A baseline template for this policy, as well as a checklist to help ensure that the appropriate items are included, can be obtained from a multitude of sources. Here are some of them:
I do recommend that, when designing and implementing the information security policy, you consult a professional to ensure that everything is done properly. For any questions, feel free to reach out at firstname.lastname@example.org or here on LinkedIn.