HIPAA Guidelines

I found a very nice list of HIPAA guidelines at EMRUpdate by the infamous AlBorg. Here's his list, which I'd like to take and refine into a permanent posting on the site. I really think it gives people a good outline of what matters most for HIPAA compliance in an EMR:

1. Under the Privacy Rule, patients have the right to adequate notice of the uses and disclosures of their private health information that may be made by "the covered entity" (such as the provider), as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically, i.e. via your EMR.
2. HIPAA requires restricted access to sensitive data, including password protection. The minimal level of this protection has not yet been established, but most systems in hospitals have made it harder to get into a computer by requiring both a password at the Windows logon and a later, separate logon to the software.
3. Encryption of emails, faxes, and other document transmissions should be considered, although it is difficult. If you encrypt an email, for example, how will the patient, physician, or hospital receiving it decrypt the message?
4. You should add the capability to track the use or users of protected health information.
5. For billing, any electronically transmitted information should be encrypted, and if you use an intermediary, make sure that they use HIPAA-compliant ANSI format e-billing forms.
6. Should you have to provide documentation to a legal entity, such as during a lawsuit, you should be able to set user restrictions to only the patient data needed, leaving the rest of the EMR patient data locked.
7. You should make sure that users know how to report to the covered entity any use or disclosure of the information in violation of the agreement of which they become aware.
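Items 4 and 6 together describe two controls an EMR needs: every access to protected health information is recorded with the user who made it, and a user is scoped to only the patients they need (for example a legal reviewer during a lawsuit). The following is an added example written for this posting, not code from AlBorg's list or from any EMR product. The patient records, user names, grant purpose and audit key are all constructed for illustration; a real deployment would keep the audit log on write-once storage and the key in a KMS or HSM rather than in memory.

```python
"""Minimal PHI access control plus hash-chained audit trail (added example).

Constructed data only: patient ids, names and users below are hypothetical.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample PHI store: patient id -> record (illustrative, not real data).
PATIENTS = {
    "P-1001": {"name": "Patient A", "visit": "2024-03-01", "notes": "routine follow-up"},
    "P-1002": {"name": "Patient B", "visit": "2024-03-02", "notes": "lab results pending"},
    "P-1003": {"name": "Patient C", "visit": "2024-03-03", "notes": "referral to specialist"},
}


class AccessDenied(Exception):
    pass


@dataclass
class Grant:
    """Which patient ids a user may read, and why (item 6: only the data needed)."""
    user: str
    patient_ids: frozenset
    purpose: str


class AuditLog:
    """Append-only log of every PHI access attempt, allowed or denied (item 4).

    Each entry is HMAC'd and carries the MAC of the previous entry, so editing
    or deleting an earlier entry breaks the chain. The key here is an assumption
    for the example; in production it lives outside the EMR (KMS/HSM).
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = "0" * 64  # chain anchor for the first entry

    def _mac(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user, patient_id, action, allowed, purpose):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "patient": patient_id, "action": action,
            "allowed": allowed, "purpose": purpose, "prev": self._prev,
        }
        entry["mac"] = self._mac(entry)
        self._prev = entry["mac"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Re-walk the chain; False if any entry was altered, removed or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(self._mac(body), e["mac"]):
                return False
            prev = e["mac"]
        return True

    def accesses_to(self, patient_id):
        """Who touched this patient's record, and whether they were allowed (item 4)."""
        return [(e["user"], e["action"], e["allowed"]) for e in self.entries if e["patient"] == patient_id]


class PhiStore:
    """Record store that enforces grants and audits every read."""

    def __init__(self, records, audit: AuditLog):
        self._records = records
        self._grants = {}
        self.audit = audit

    def grant(self, grant: Grant):
        self._grants[grant.user] = grant

    def read(self, user, patient_id):
        grant = self._grants.get(user)
        allowed = grant is not None and patient_id in grant.patient_ids and patient_id in self._records
        self.audit.record(user, patient_id, "read", allowed, grant.purpose if grant else "")
        if not allowed:
            raise AccessDenied(f"{user} may not read {patient_id}")
        return self._records[patient_id]


def demo():
    """Scoped legal review (item 6), then reconstruct who touched a record (item 4)."""
    audit = AuditLog(key=b"example-audit-key")  # assumption: real key comes from a KMS/HSM
    store = PhiStore(PATIENTS, audit)
    # Item 6: the reviewer is restricted to the one patient involved in the lawsuit.
    store.grant(Grant("legal_reviewer", frozenset({"P-1002"}), "litigation hold (hypothetical)"))
    results = {"in_scope": store.read("legal_reviewer", "P-1002")["visit"]}
    try:
        store.read("legal_reviewer", "P-1001")  # outside the grant: denied but still logged
        results["out_of_scope"] = "allowed"
    except AccessDenied:
        results["out_of_scope"] = "denied"
    results["trail_P-1001"] = audit.accesses_to("P-1001")
    results["chain_ok"] = audit.verify()
    audit.entries[1]["allowed"] = True  # attempt to rewrite history: the chain should fail
    results["chain_after_tamper"] = audit.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The denied read is the important line in the trail: an access attempt outside a user's grant is evidence in its own right, which is why it is logged before the exception is raised rather than silently dropped.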

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first-of-its-kind conference and community focused on healthcare marketing, the Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Military. My boss used my wife's (civilian) medical records and appointment to verify I was not lying when I told him I had a reason to be gone. He told me to have the doctor's office fax the appointment to me and then give it to him. He took the fax from me, looked at it, commented on my wife's medical condition and filed the fax away. I had taken leave for the day, but only took 2 hours off for her medical appointment; the leave was charged against my balance. The reason I complied with giving him the fax (under duress) was I feared losing my job. I had to urge my wife in the matter, so she also, under duress, complied, but again just because we were protecting my job. I am HIPAA certified minimally and I know that this is a violation. But again, I fear losing my job if I say anything. Using a pseudonym here.

  • In the army they use electronic medical records. This army colonel, who is a physician, felt he had the right to access his 18-year-old daughter's medical records to find out what was said and performed during her clinic visit. He then questioned the provider who saw his daughter during that visit. This is a HIPAA violation. Of course he does not see it that way because he is using his rank and physician title. Something needs to be done about him.

  • Joyce,
    That really is unfortunate. I bet the military has some interesting laws that have to be dealt with too. I’d say that the daughter would need to consult an attorney on this one.
