Any software that processes protected patient data must adhere to strict health information security requirements and guidelines set by government regulations. Below are the steps to make your healthcare information systems and software compliant with the Health Insurance Portability and Accountability Act (HIPAA).
The guidelines of this act require you to develop a set of procedures to access and send patient health information securely and then find a software vendor that can help you implement the procedures.
1. Maintain an Access Log
You must monitor each user who gains access to a patient’s health data. Each person who will access patients’ information must have a unique username and password. In the access log, you need to keep track of:
- the record accessed
- the date and time it was viewed
- the operation performed, that is, whether the record was viewed, updated or deleted
2. Create Restrictive Access Levels
Under the HIPAA guidelines, an employee’s access to information should be restricted to the minimum information needed to carry out their job function. A doctor, for instance, should be given more access to a patient’s health information and history than a cashier or receptionist. Consequently, you must create access levels that define the amount of information a user can see.
- Review job descriptions and make sure roles are clearly defined
- Provide just enough information for each person to perform their role
- Grant employees access to only the patient records that they must work with
3. Set Up an Override Function
Even after access levels are in place, circumstances may arise in which an employee needs emergency access to patient records. This is why you need an “override” function for such situations: it lets treatment proceed promptly in an emergency.
- Don’t make the override function available unless it is needed
- Alert other staff by email whenever the override function is used
- Keep track of everyone who uses this function
- Review every use of the override function and have the user meet with a supervisor to justify it
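An added illustration (example code, not from the original article or from Lifepoint Informatics) of how steps 1 to 3 fit together behind one access gateway: every attempt is logged with the record, timestamp and operation, each role is granted only the minimum operations, and the override path is limited to roles that may need it, alerts other staff and queues a supervisor review. The role names, users, patient ids and alert address are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed for this example: minimum-necessary operations per role (step 2)
# and the roles allowed to use the emergency override (step 3).
ROLE_OPERATIONS = {"doctor": {"view", "update", "delete"},
                   "receptionist": {"view"}, "cashier": set()}
OVERRIDE_ROLES = {"doctor"}


class PatientRecordGateway:
    def __init__(self, users, assignments, alert_recipients):
        self.users = users                    # username -> role
        self.assignments = assignments        # username -> patient ids they work with
        self.alert_recipients = alert_recipients
        self.access_log = []                  # step 1: who, which record, when, what
        self.alerts = []                      # step 3: notifications an override triggers
        self.override_reviews = []            # step 3: users who owe a justification

    def _log(self, user, patient_id, operation, allowed, override):
        self.access_log.append({
            "user": user, "record": patient_id, "operation": operation,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "allowed": allowed, "override": override})

    def access(self, user, patient_id, operation, override_reason=None):
        """Return True if the operation proceeds; every attempt is logged."""
        role = self.users[user]
        permitted = (operation in ROLE_OPERATIONS[role]
                     and patient_id in self.assignments.get(user, set()))
        if permitted:
            self._log(user, patient_id, operation, True, False)
            return True
        # Break-glass path: only for roles that may need it, only with a stated
        # reason, and never silently: alert others and queue a supervisor review.
        if override_reason and role in OVERRIDE_ROLES:
            self._log(user, patient_id, operation, True, True)
            self.alerts.append({"to": list(self.alert_recipients), "user": user,
                                "record": patient_id, "reason": override_reason})
            self.override_reviews.append(user)
            return True
        self._log(user, patient_id, operation, False, False)
        return False


def build_example():
    # Sample users and assignments (constructed data, not real patients).
    users = {"dr_lee": "doctor", "front_desk": "receptionist", "till": "cashier"}
    assignments = {"dr_lee": {"P-100"}, "front_desk": {"P-100", "P-200"}}
    return PatientRecordGateway(users, assignments, ["privacy@example.test"])
```

Denied attempts are logged too, since a failed access is often the first sign of a misused account.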
4. Keep All Data Secure
The HIPAA security rule demands that you secure all patient data. In practice, this means using encryption, strong passwords, and a firewall.
- Be sure that all your emails are secure
- Encrypt all email messages
- Don’t use any free web-based email services like Gmail, Yahoo or Outlook
- Work with a competent health care attorney to select email service providers that are HIPAA-compliant
- Encrypt all attachments sent in email messages
5. Get Patient Consent
Regardless of the type of email service provider you use, you need to get your patients’ consent (in writing) before you transmit their health information electronically. Don’t assume that because a patient sends you an email, they also want you to send their confidential information electronically.
- Have all patients sign an authorization form or contact sheet
- Your patients must indicate which method they want you to use for contacting them
- Have all patients, current and new, sign a consent form
Do You Need to Urgently Improve Your IT System’s Health Information Security?
Lifepoint Informatics is here to help you. Give us a call now to schedule a free health information security consultation. We have successfully completed thousands of healthcare IT projects for clients across the country. Contact us today and we’ll help you eliminate vulnerabilities from your healthcare information system.