Guest guest Posted April 26, 2011

Hi, I think the point was made that HIPAA regulations for security maintain that clinics need to have systems in place that can account for who is logged in and having access to software that contains protected health information (PHI). If someone logs on using another person's login information, then there is no way to accurately account for who had access to the information at any given time.

However, each clinic has the responsibility to maintain their own procedures. There are so many individual variations that could occur because of the realities of clinic operations that clinics have to decide for themselves and have documented policy for the use of programs and how they will maintain security based on their own unique situation. Whoever is registered with access and has a user name is ultimately responsible for what happens when that user name is logged on, and I am sure those users do not take that responsibility so lightly that they would just let anyone use their access.

Some clinics do get around this by having a separate log on procedure so there is accounting of who is on a certain hardware at a given time so that the software login is not needed to account for who was on. This is tricky, but again there are so many individual situations that facilities have to figure out what is best for them to maintain HIPAA security of PHI. If a HIPAA violation occurred and a facility could not accurately account for who was on the computer at that time, then they could be in line for significant action from the OCR.

Access to EMR by office staff is certainly necessary depending on your procedures. Some instances have been cited already. Another time is that clinics may have office staff enter new patient information (admission information) into the program and may need the office staff login access to do that.

Bottom line, no matter who has the access or how it is done, the HIPAA security regulations must be maintained. Staff needs to know how to properly handle the information in electronic documentation systems and EMR. How the EMR company handles the access and HIPAA is a part of screening which company to use.

M. Howell, P.T., M.P.T.
Howell Physical Therapy
Eagle, Idaho
thowell@...