I found a very nice list of HIPAA guidelines at EMRUpdate by the infamous AlBorg. Here’s his list that I’d like to take and refine as a permanent posting on the site. I really think this gives people a good outline of what’s most important in HIPAA compliance in an EMR:
1. Under the Privacy Rule, patients have the right to adequate notice of the uses and disclosures of their private health information that may be made by the covered entity (such as the provider), as well as their rights and the covered entity’s legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual’s acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically, i.e., via your EMR.
2. HIPAA requires restricted access to sensitive data, including password protection. The minimal level of this protection has not yet been established, but most systems in hospitals have raised the difficulty of getting into a computer by requiring password protection both at the Windows logon and later at the software logon.
3. Encryption of emails, faxes, and other document transmissions should be considered, although it is difficult. If you encrypt an email, for example, how will the patient, physician, or hospital receiving entity decrypt the message?
4. You should add the capability to track the use or users of protected health information.
5. For billing, any electronically transmitted information should be encrypted, and if you use an intermediary, make sure that they use HIPAA-compliant ANSI format e-billing forms.
6. Should you have to provide documentation to a legal entity, such as during a lawsuit, you should be able to set user restrictions to only the patient data needed, making the rest of the EMR patient data locked.
7. You should make sure that users know how to report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware.
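Items 4 and 6 of the list, as an added example that is not part of the original post or of any EMR product: a small Python access layer that releases only the patient records explicitly granted to a user (e.g. outside counsel during a lawsuit) and records every read attempt, allowed or denied, in an audit trail that can later be queried per patient. The patient ids, records and user names are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample EMR records (fictitious patients, not real PHI)
RECORDS = {
    "P001": {"name": "Patient A", "notes": "visit 2024-01-02"},
    "P002": {"name": "Patient B", "notes": "visit 2024-01-05"},
    "P003": {"name": "Patient C", "notes": "visit 2024-01-09"},
}


@dataclass
class AuditEntry:
    """One row of the PHI access log (item 4: track use and users)."""
    when: str
    user: str
    patient_id: str
    action: str
    allowed: bool


@dataclass
class ScopedEmr:
    """EMR view locked to an explicit per-user set of patient ids (item 6)."""
    grants: dict                      # user -> set of patient ids the user may read
    audit: list = field(default_factory=list)

    def read(self, user: str, patient_id: str) -> dict:
        # Deny unless the record exists AND the user was granted that exact patient;
        # a single PermissionError avoids revealing whether the patient id exists.
        allowed = patient_id in RECORDS and patient_id in self.grants.get(user, set())
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, patient_id=patient_id, action="read", allowed=allowed,
        ))
        if not allowed:
            raise PermissionError(f"{user} is not granted access to {patient_id}")
        return RECORDS[patient_id]

    def accesses_for(self, patient_id: str) -> list:
        """All logged attempts (allowed or denied) against one patient's data."""
        return [e for e in self.audit if e.patient_id == patient_id]


if __name__ == "__main__":
    emr = ScopedEmr(grants={"counsel": {"P002"}})   # lawsuit scope: one patient only
    print(emr.read("counsel", "P002"))
    try:
        emr.read("counsel", "P001")                  # outside the granted scope
    except PermissionError as exc:
        print("denied:", exc)
    for entry in emr.audit:
        print(entry)
```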