HIPAA Compliance in IT and Using Electronic Health Records (EHR)

The best practice for complying with HIPAA is to have processes, software and hardware in place to control access to e-PHI, prevent adulteration or destruction of e-PHI, and secure e-PHI both at rest and in transit. In addition, organizations must be able to track access through audit mechanisms and identify any person (authorized or unauthorized) who violates these rules.
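The audit and anti-adulteration requirements above can be met in part with a tamper-evident access log. The following is an added example, not code from the original article: it assumes a hypothetical EHR that reports each e-PHI access as a small dict, chains the entries with SHA-256 so that any altered or removed entry is detected on verification, and uses constructed sample events.

```python
"""Tamper-evident audit trail for e-PHI access events (hash-chained log)."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # placeholder predecessor hash for the first entry


def _entry_hash(seq: int, prev_hash: str, event: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes the same.
    payload = json.dumps({"seq": seq, "prev_hash": prev_hash, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_event(log: List[Dict], event: Dict) -> Dict:
    """Append one access event, chaining it to the hash of the previous entry."""
    seq = len(log)
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"seq": seq, "prev_hash": prev_hash, "event": event,
             "hash": _entry_hash(seq, prev_hash, event)}
    log.append(entry)
    return entry


def verify_log(log: List[Dict], head_hash: Optional[str] = None) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first bad position.

    Modified or deleted entries break the chain at the point of tampering.
    Truncation of the tail is only detectable when head_hash (the latest hash,
    stored outside the log, e.g. on a separate system) is supplied.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return i
        if entry["hash"] != _entry_hash(i, prev_hash, entry["event"]):
            return i
        prev_hash = entry["hash"]
    if head_hash is not None and prev_hash != head_hash:
        return len(log)  # entries were removed from the end
    return -1


if __name__ == "__main__":
    # Constructed sample events from a hypothetical EHR, not real data.
    log: List[Dict] = []
    append_event(log, {"user": "dr.jones", "patient_id": "P-0001", "action": "read"})
    append_event(log, {"user": "nurse.kim", "patient_id": "P-0001", "action": "update"})
    print("intact:", verify_log(log))            # -1
    log[0]["event"]["action"] = "read-all"        # adulterate the first entry
    print("tampered at:", verify_log(log))        # 0
```

Because the log alone cannot reveal that its newest entries were deleted, the latest hash should be copied to a system the EHR administrators cannot write to and passed as `head_hash` during review.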

Under the Privacy Rule, organizations are instructed to apply the “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

1. Any entity must notify every individual whose protected health information (PHI) has been disclosed in an unauthorized way.
2. If the breach involves more than 500 residents of a single state, “prominent media” outlets must be notified.
3. If 10 or more affected individuals have out-of-date contact information, a notice must be placed conspicuously on the entity’s website.
4. The Secretary of the U.S. Department of Health and Human Services (HHS) must be notified immediately of breaches that involve 500 people or more. For breaches affecting fewer than 500 individuals, the Secretary must be notified annually, within 60 days of the end of the calendar year in which the breach was discovered.

These rules are designed to work together; however, the Privacy Rule applies to both physical and electronic records, whereas the Security Rule applies only to electronic records.

Utilize hardware and software solutions that provide “encryption at rest” capabilities for your storage area network (SAN), network attached storage (NAS) devices and local server hard drives. This technology ensures that even data stored on a hard drive is encrypted so that unauthorized parties cannot access the e-PHI. Your EHR vendor should already have designed encryption into its application so that all data transmissions within the program are encrypted at each step in the process.

HIPAA can seem like a maze of government regulations, but the basics are actually quite simple: protect e-PHI as if your life depends on it. That’s because we all depend on our personal health information being kept confidential, accurate and secure.

What is HIPAA?
In 1999, for example, an estimated 98,000 accidental but preventable deaths were attributed to medical errors, which illustrates the need for HIPAA. HIPAA was enacted in 1996. Its initial goal was to address problems related to health information portability, privacy, security, and fraud. An additional law, the Health Information Technology for Economic and Clinical Health Act (HITECH), was passed in February 2009. This law pushed for stronger health and safety rules along with economic incentives and, as a result, increased the adoption of Electronic Health Records (EHR).