Safeguard records to comply with HIPAA security rule

A column examining the ins and outs of contract issues

By Steven M. Harris, a partner at McDonald Hopkins in Chicago concentrating on health care law and co-author of Medical Practice Divorce. He writes the "Contract Language" column. Posted Jan. 3, 2005.


The increasing number of Internet health care activities and transactions has significantly changed how many physicians practice medicine. While the term e-health has not been specifically defined legally, it is generally used to identify "Internet medicine" and the provision of health care information, products or services via the Internet.

The emergence of e-health has raised issues regarding when the physician-patient relationship begins; licensing requirements for physicians who provide medical care across state lines; the standard of care for telemedicine; and liability exposure.

There have been several court decisions on these issues, and case law continues to evolve in conjunction with e-health's growth. Congress is also considering proposed legislation related to monitoring various aspects of e-health, including Internet prescription drug sales.

Many physicians began using electronic medical records to improve their ability to share patient information, thereby improving quality of care. Physicians have voiced concerns about EMR security and access to patient information by unauthorized users. It is imperative that you comply with the Health Insurance Portability and Accountability Act regulations, including the security rule that becomes effective in April, when you transmit EMRs via the Internet.

HIPAA regulations, including the security rule, address the use and disclosure of protected health information via the Internet. A key component of the HIPAA regulations has been the development of electronic data interchange.

EDI is the transfer of information, including electronic media health claims, in a standard format between health care entities and others to protect patient confidentiality and eliminate the unauthorized disclosure of protected health information.

EDI allows entities within the health care system to exchange medical, billing, and other information and to process transactions in a manner that is fast and cost-effective. The security rule protects an individual's health information while permitting appropriate access and use of the information by physicians, hospitals, clearinghouses, health plans and others.

If you are transmitting electronic medical records and using EDI, you must protect and safeguard your EMRs. You should consider taking the following steps to ensure protection of health information and EMRs in compliance with the HIPAA regulations and the new security rule:

  • Draft and implement HIPAA security policies and procedures for your practice prior to the April effective date.
  • Educate and train your staff regarding proper procedures for transmitting EMRs.
  • Contact other physicians and entities that receive your EMRs to receive assurance that such recipients agree to be in compliance with the security rule, and with your policies and procedures.
  • Conduct frequent reviews of your internal processes regarding the use and disclosure of protected health information, and how it is transmitted by EMRs via the Internet.
  • Communicate with your patients regarding how their information will be used and disclosed to other entities during their treatment.
  • Confer with an information technology consultant as needed to safeguard accessibility of protected health information by your staff and patients and eliminate any potential security breaches.
  • Monitor the legislative landscape and expansion of e-health to protect patient confidentiality and your EMRs.

