Knowing the Difference Between HIPAA Compliance and EHR Compliance

“Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true,” wrote Tod Ferran, a security analyst at SecurityMetrics, Inc., in an article for Healthcare IT News.

Many healthcare entities mistakenly assume that if their EHR system is HIPAA compliant, that coverage extends to all of HIPAA’s regulations as well. But, as experts have shown in recent years, HIPAA compliance and EHR compliance are two completely different umbrellas, even if both are caught in the same storm. Ferran warns healthcare providers that the new HIPAA Security Rule requires systems to be protected by 75 specific security controls. He goes on to state that, to ensure an organization’s procedures, policies, and security measures actually protect patient health information (PHI) and defend against regulatory penalties, organizations must “assess their security programs as a whole” rather than “simply checking a box”.

So, how can an organization protect itself and do everything in its power to safeguard HIPAA compliance? Ferran recommends that organizations take the following actions right away:

  • Implement a regular, weekly routine, starting with as few as 30 minutes each session to meet and discuss priorities

  • Implement intrusion prevention

  • Install anti-malware

  • Utilize identity management

  • Integrate data-loss prevention tools

  • Designate a HIPAA compliance officer or team member

  • Conduct annual HIPAA security risk analyses

  • Check organizational policies and procedures against HIPAA requirements

  • Encrypt patient health information (PHI)

  • Use a key accessible only by authorized individuals

  • Implement workstation security

In his concluding statement, Ferran writes: “No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.”

To read Ferran’s full article, visit Healthcare IT News.