Your organization has decided to change or upgrade its Electronic Medical Records (EMR) system, or to move from practice management software to a full EMR.
Some of the areas to educate yourself on are:
- What happens to the data in the previous/legacy system? Will it be imported into the new EMR, or will it stay where it is today (on your own server, or hosted by the legacy vendor)? And what are the retention requirements for the legacy data? Medical-record retention periods are set by state law, and HIPAA separately requires you to keep your compliance documentation for six years, so the legacy data and its audit trail must remain available and protected for as long as those rules require.
- If the legacy software vendor no longer needs access to the organization's network/environment, be certain your IT department disables that access: VPN and remote-support accounts, firewall rules, and any service accounts or shared credentials the vendor used.
- Security controls must be put in place for the new EMR, such as multi-factor authentication for the software vendor's remote connection into your organization's systems. Specific connections may be needed during implementation, but once the EMR is live those connections may no longer be necessary; give them an end date up front and be certain to disable them.
- For both the legacy system and the new EMR, always follow the principle of least privilege (minimum necessary access). As soon as a user no longer needs access (especially to the legacy system), disable the account immediately.
- Review the users in the new EMR and the legacy system often, and check roles and privileges at the same time, since these drift over time.
- If the new EMR is web-/cloud-based, how are user accounts set up? Can a user sign in from any device, business or personal? When can users access the system/application: is access unlimited, including after business hours and on weekends? If so, is that absolutely necessary?
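The periodic review described above (disable stale and expired accounts, catch role drift) can be automated against the user exports most EMRs provide. The following is an added example, not code from the original page or from any EMR vendor; it assumes each system can export a user list with the fields shown, and the user records and the baseline of approved roles are constructed sample data.

```python
"""Access review across a legacy system and a new EMR (example, not vendor code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class UserRecord:
    user: str
    system: str                   # "legacy" or "emr" (assumed export field)
    role: str
    last_login: Optional[date]    # None = account has never signed in
    is_vendor: bool = False
    access_end: Optional[date] = None  # agreed end of vendor/temporary access


# Constructed sample export; none of these are real accounts.
TODAY = date(2024, 6, 1)
USERS = [
    UserRecord("jsmith", "legacy", "clinician", date(2024, 1, 10)),
    UserRecord("jsmith", "emr", "clinician", date(2024, 5, 30)),
    UserRecord("mlee", "emr", "admin", date(2024, 5, 29)),
    UserRecord("legacy_vendor_svc", "legacy", "admin", date(2024, 2, 1), True, date(2024, 3, 31)),
    UserRecord("emr_vendor_impl", "emr", "admin", date(2024, 5, 28), True, date(2024, 5, 15)),
    UserRecord("emr_vendor_support", "emr", "support", date(2024, 5, 31), True, None),
    UserRecord("tmp_contractor", "emr", "clinician", None),
]

# Roles approved at the last review, keyed by (user, system). Constructed baseline.
BASELINE_ROLES = {
    ("jsmith", "legacy"): "clinician",
    ("jsmith", "emr"): "clinician",
    ("mlee", "emr"): "clinician",
    ("legacy_vendor_svc", "legacy"): "admin",
    ("emr_vendor_impl", "emr"): "admin",
    ("emr_vendor_support", "emr"): "support",
}


def review_access(users, baseline_roles, today, stale_days=90):
    """Return (system, user, action, reason) findings.

    DISABLE: the account should be turned off now (vendor access ended,
             never used, or unused for more than stale_days).
    REVIEW:  a human must decide (role changed since last approval, account
             not in the approved list, vendor access with no end date).
    """
    findings = []
    stale_cutoff = today - timedelta(days=stale_days)
    for u in users:
        key = (u.user, u.system)
        # Least privilege / disable-when-no-longer-needed checks
        if u.is_vendor and u.access_end is not None and u.access_end < today:
            findings.append((u.system, u.user, "DISABLE", f"vendor access ended {u.access_end}"))
        elif u.last_login is None:
            findings.append((u.system, u.user, "DISABLE", "account has never signed in"))
        elif u.last_login < stale_cutoff:
            findings.append((u.system, u.user, "DISABLE", f"no sign-in since {u.last_login}"))
        # Temporary/vendor connections must be time-boxed
        if u.is_vendor and u.access_end is None:
            findings.append((u.system, u.user, "REVIEW", "vendor access has no end date"))
        # Role drift against the last approved baseline
        approved = baseline_roles.get(key)
        if approved is None:
            findings.append((u.system, u.user, "REVIEW", f"not in approved list (has role {u.role})"))
        elif approved != u.role:
            findings.append((u.system, u.user, "REVIEW", f"role changed {approved} -> {u.role}"))
    return findings


def disable_list(findings):
    """Sorted unique (system, user) pairs that IT should disable."""
    return sorted({(s, u) for s, u, action, _ in findings if action == "DISABLE"})


if __name__ == "__main__":
    for system, user, action, reason in review_access(USERS, BASELINE_ROLES, TODAY):
        print(f"{action:8} {system:7} {user:22} {reason}")
```

Running it flags the clinician's lingering legacy account, both vendor accounts whose agreed access period has passed, the never-used contractor account, a support account with no end date, and the admin role that appeared since the last review. Feed the DISABLE list to whoever owns account administration and keep the dated output as evidence of the review.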
As a reminder, secure your systems and applications, and monitor user activity on a regular basis.
HIPAA compliance isn't a one-time checklist. It's ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). ANATOMY_IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.