Journal of AHIMA - March 2011

Organizations that provide PHI
on electronic media must comply
with the HIPAA security rule.

usually 30 days, before they are automatically removed.

In these instances reviewers are issued log-in credentials to the system. Log-in credentials must meet HIPAA access and control requirements. Organizations may choose to accomplish this by limiting access to a certain population or ensuring the log-in credentials expire within a specific time frame.

In addition, organizations may choose to limit access to “view only.” Reviewer requests for information to be printed for further review should be handled through the HIM department’s normal release of information processes.

The Requirements

Organizations that provide protected health information (PHI) on electronic media must address requirements in the HIPAA security rule. The physical safeguards section of the rule (164.310) requires organizations address the receipt and removal of electronic media that contain PHI. The rule also requires organizations address the use, reuse, and disposal of such media, both within the organization and outside it.

The HIPAA security rule also can provide guidance to organizations when a reviewer requests protected health information be downloaded onto the reviewer’s media device. Most organizations have implemented security policies that prohibit connecting media devices from outside the organization to the internal network (e.g., EHR). Prohibiting external devices allows an organization to prevent potential data breaches or system failures.

The HIPAA security rule clearly states that organizations are responsible for this assurance and strongly recommends organizations encrypt protected health information as a further measure to protect information from breaches and inappropriate access.

In addition, organizations should ensure they have a signed business associate agreement in place with any vendor who chooses to receive information via electronic media. To mitigate potential risk, the information should be provided on a media device approved and supplied by the organization. All external reviewers should be educated on organizational security policies that explain why protected health information cannot be downloaded to an external unsecured media device.

There are other items to take into account in order to manage electronic access effectively. Regardless of the final format, all basic release of information guidance remains the same. For example, organizations still have 30 days under the HIPAA privacy rule to produce the health record. Reviewers should not expect to walk in and receive immediate access to the EHR or a CD.

The Expenses

HIPAA allows organizations to charge reasonable costs to produce health records. HIM professionals should carefully review the HIPAA guidance and relevant state guidance. Some states are in the process of approving legislation that would place a limit on the fees associated with producing personal health information in electronic media.

Contrary to popular belief, producing electronic health records is not quickly accomplished with a simple keystroke. There is still time associated with validating the authorization, processing the request, and producing the record in accordance with the legal health record policy.

In addition, system capability will determine the time it takes to produce the information in electronic media as well as the final format of the information. If the final format on the CD is unrecognizable, neither the reviewer nor the organization has gained any efficiencies.

In the end, providing information electronically can benefit the HIM department. In order to provide an accurate and complete health record in electronic media HIM professionals should collaborate with the external reviewers, information technology, and security officer to ensure compliance. ¢