Despite the best efforts of many Covered Entities, there appears to be an upward trend in violations of HIPAA and EHR policies – or rather, gaps in EHR policies – are a contributing factor. Indeed, in the second quarter of 2022, more than 15% of data breaches reported to HHS´ Office for Civil Rights involved an EHR.
According to the HHS´ Office for Civil Rights´ HIPAA Data Breach Report, a significant number of data breaches involve EHRs. While some of the data breaches are due to the actions of external actors deploying successful phishing and ransomware attacks, the majority are attributable to the failure to implement effective access controls and monitor user activity. These failures are basic concepts in HIPAA and EHR policies should be in place to prevent them.
Furthermore, the HIPAA Data Breach Report only reflects data breaches affecting 500 or more individuals. Due to the ways in which EHRs are used, it is possible that a much higher percentage of smaller data breaches occur that are attributable to EHR policy failures. It may also be the case that gaps in EHR policies result in patient complaints to HHS´ Office for Civil Rights in relation to impermissible uses and disclosures of PHI and disclosing more than the minimum necessary PHI.
The Rules of HIPAA and EHR Policies
One possible reason for there being gaps on some EHR policies is that policy makers might only look at the Administrative, Physical, and Technical Safeguards of the HIPAA Security when developing EHR policies. While these safeguards are necessary to mitigate threats to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI), these are not the only areas of HIPAA that need to be considered for EHR policies to be effective.
For EHR policies to be effective, medical professionals with access to EHRs need to understand what information is considered PHI, what the General Principal for Uses and Disclosures covers, and the difference between patient consent and patient authorization in relation to sharing information maintained on EHRs with patients´ families and friends. Consequently, it is not sufficient to develop EHR policies based on the Security Rule Standards alone.
The Administrative Requirements of the Privacy Rule
To fill gaps in EHR policies, Covered Entities should review the Administrative Requirements of the Privacy Rule (§164.530). Among other requirements, this section covers the development of privacy policies, workforce training on privacy policies, and sanctions for noncompliance with privacy policies. Other relevant standards include putting safeguards in place to limit incidental disclosures and developing procedures to mitigate the effect of unauthorized disclosures.
General Security Rules and Organizational Requirements
In some cases, Covered Entities and Business Associates fail to look beyond the Administrative, Physical, and Technical Safeguards when developing policies to comply with the Security Rule. However, there are standards in the General Rules and Organizational Requirements of the Security Rule that could impact compliance with HIPAA and EHR policies – especially the standards relating to sharing ePHI maintained on an EHR with Business Associates and subcontractors.
Impermissible, Incidental, and Unintentional Disclosures
More than two-thirds of complaints for alleged impermissible uses or disclosures are dismissed after review – implying may complainants are not aware of the difference between impermissible, incidental, and unintentional disclosures. As EHR users spend the most time talking with patients and their families, they need to know the differences between the three types of disclosures to prevent unnecessary complaints and potentially time-consuming investigations.
The Importance of EHR Policy Enforcement
Developing comprehensive EHR policies that take into account all the HIPAA Rules is a key step to achieving compliance with HIPAA – but a more important step is to ensure the policies are enforced. The volume of data breaches attributable to the failure to implement effective EHR access controls and monitor EHR user activity shows that either there are gaps in Covered Entities EHR policies, or the EHR policies are not being enforced.
The descriptions of EHR-related data breaches in HHS´ Data Breach Archives (requires exporting to read descriptions) indicate both scenarios exist. Examples include a Covered Entity whose lack of effective access controls enabled an employee´s estranged spouse to access PHI of 1,600 patients, while another´s lack of user monitoring and enforcement of their EHR policy allowed several employees to impermissibly access and acquire the PHI of 30,000 patients.
One of the challenges of complying with HIPAA and EHR policy enforcement is that EHR users frequently share login credentials. A small-scale survey of EHR users conducted in 2017 reported that 73.6% had “obtained the password for another medical staff member”; and while this was only a small-scale survey, it raises issues about EHR users (i.e. scribes) being able to access more health information than their role allows and establishing who is liable when a data breaches occurs.
HIPAA and EHR Policies: Conclusion
There is an increasing number of EHR-related data breaches attributable to the failure to implement and enforce effective EHR policies. Consequently, Covered Entities need to ensure that EHR policies cover more than the requirements of the Administrative, Physical, and Technical Safeguards, train members of the workforce on the policies (and alert them to the sanctions for violating the policies), and implement technology solutions to help better enforce EHR policies.