Security breaches to healthcare systems can result in private medical records—and all the sensitive information they contain—being exposed. How significant is this threat? According to HIPAA Journal, there were 3,705 significant breaches between 2009 and 2020, and nearly every year, that number increases. Over half of these breaches occurred in the last four years alone.1
A security breach is the most obvious way to expose protected health information. But it's not the only way. Healthcare staff can also divulge protected information through accidents or faulty procedures. It's up to individual healthcare organizations to maintain HIPAA and EHR HIPAA compliance by designing more secure EHR systems and training their employees in best practices.
EHR and HIPAA are related concepts, but there are important distinctions to understand. This article explores those distinctions along with the evolution of the regulatory environment.
An Overview of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created national standards to protect patients by preventing the release of sensitive health information without their consent.
There are two components to HIPAA, a Privacy Rule, and a Security Rule. The Privacy Rule applies to the disclosure of all medical records, while the Security Rule specifically addresses electronic health records.
More About the HIPAA Privacy Rule
Under the HIPAA Privacy Rule, certain "covered entities" are subject to rules for using and disclosing protected health information. These entities are:
- Healthcare providers
- Health plans
- Healthcare clearing houses
- Business associates
It's important to note that HIPAA's purpose is not just to protect individuals. The law seeks to balance patient protection with legitimate needs to share important health information. Permitted sharing of records includes disclosure to:
- The individuals themselves
- Other treatment providers
- Other entities when disclosure serves the public good2
The HIPAA Privacy Rule also includes standards for making individuals aware of their rights regarding the disclosure of sensitive information.
The History of HIPAA and EHR Rule Development
Researchers in academic medical centers began developing electronic records systems, known as clinical information systems, in the 1960s, and the federal government began using an electronic health records system in the 1970s. EHR systems were limited to the largest organizations until the computer revolution of the late twentieth century democratized access to the equipment. The Institute of Medicine, an independent nonprofit organization that is now part of the National Academies, first published a report advocating the widespread adoption of EHR in 1991.3, 4
As EHR systems became widespread, so too did concerns about their security. All EHR systems must be constantly monitored and frequently updated to protect against new cyber threats and security breaches.
The HIPAA Security Rule first addressed U.S. EHR security issues in 1998. Subsequent modifications to the HIPAA Security Rule have expanded and refined the rules for protecting EHR. These include:
- Development of electronic signature and security standards
- Delegation of oversight authority to the Office of Civil Rights
- Modifications to the breach notification protocol5
Summarizing the Difference Between HIPAA and EHR
The overarching concerns of patient confidentiality are addressed in HIPAA, EHR HIPAA, primarily concerned with securing software systems, is a subset of it. Healthcare organizations must comply with EHR security regulations and practices as part of their overall HIPAA compliance.
System Features Important to HIPAA and EHR Compliance
Electronic health records systems should have the following features to help healthcare organizations achieve and maintain HIPAA and EHR compliance.
Access control: Passwords and two-step security verification are access control measures that allow authorized individuals access to EHR.
Encryption: HIPAA-compliant EHRs use data encryption to send documents with sensitive medical information.
Audit trails: A compliant EHR system should record when users access information and what information they access. It should also know when there are changes to an EHR.
Software updates: Regular software updates will help maintain compliance by preventing hackers from breaching the system and gaining access to sensitive patient information.
Best Practices for EHR HIPAA Compliance
EHR HIPAA compliance also depends on using best practices in managing the records software system. These include:
- Conducting annual audits to find system weaknesses, then remedying them.
- Training employees to use the EHR consistently with HIPAA regulatory standards.
- Thoroughly documenting all transactions, including with vendors to whom sensitive information may be disclosed under HIPAA regulations. This information will be needed if there is a HIPAA investigation.
- Documenting any data breach that might occur and notifying patients that their data may have been stolen or compromised so they can address the situation.
The Role of Health Informatics in EHR HIPAA Compliance
The widespread adoption of EHR systems, coupled with hackers' increasing sophistication and aggressiveness, has created a growing need for health informatics professionals. Health informatics is part of a rapidly growing field. The Bureau of Labor Statistics predicted 32% growth in the healthcare services management category during the 2020s.6
Professionals in health informatics work to compile and analyze the large amounts of data that institutions accumulate, to create better, more compliant EHR systems. Earning a degree in health informatics positions you at the intersection of healthcare and technology. The career options are growing, and job titles include:
Health Informatics Specialist: This catch-all title encompasses many different jobs, including data reduction, tech support, project management, and consulting.
Clinical Informatics Analyst: These professionals analyze data so that an organization can make adjustments to EHR systems that improve HIPAA compliance and system efficiency.
Health Informatics Consultant: When an organization wants to make foundational changes to its EHR system, they often contract with a consultant to lead the transition.
Health Information Technology Project Manager: These individuals lead diverse projects, including implementing new technology.
EHR Implementation Manager: They are technology experts who design, implement, and optimize the software that runs EHR systems.
Accelerate Your Professional Future in Health Informatics
Kent State University's online Master of Science in Health Informatics transports you to your future in this dynamic field with its flexible online program delivered by expert faculty. Learn more about the program and Kent State's Health Informatics career resources, then begin your application today.
- Retrieved on January 12, 2022, from hipaajournal.com/healthcare-data-breach-statistics/
- Retrieved on January 12, 2022, from cdc.gov/phlp/publications/topic/hipaa.html
- Retrieved on January 12, 2022, from journalofethics.ama-assn.org/article/development-electronic-health-record/2011-03
- Retrieved on January 12, 2022, https://www.nap.edu/read/12709/chapter/2
- Retrieved on January 12, 2022, from hhs.gov/hipaa/for-professionals/security/index.html
- Retrieved on January 12, 2022, from bls.gov/ooh/management/medical-and-health-services-managers.htm