HIPAA and EMR Design

My last post prompted a comment from Mary Hawking which asked this question:

How does the legal framework in the USA influence the design of US EMRs?

My answer:

The only legal requirement for protecting patient health information in the US is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA became effective in 2001, with mandatory compliance in 2003-2004. Its rules specify only who (“covered entities”) must protect health information and the security standards for electronic transactions. All covered health care institutions in the US must now comply.

How does HIPAA influence EMR design? IMHO: Not a whole lot. Most of the functionality of an EMR system is incorporated in the data presentation and work-flow management within the EMR itself. HIPAA only dictates privacy rules and data protection when health information is being transmitted from one institution to another. Privacy and security measures must certainly be implemented within an EMR, but it is usually a relatively minor component.

I'm talking specifically about the effect HIPAA has on EMR software design, though. HIPAA has had a large influence on the behavior of covered health care institutions. Here are some related resources:

5 Responses to “HIPAA and EMR Design”

  1. I think that you're missing a major point that an EMR company must cover: Audit trails. Every EMR company I’ve ever seen has to make sure that they have good audit trails built into their system in order to comply with HIPAA. Without the audit trail of who did what, then that EMR would be in trouble.

    EMRs are also much more granular with who can see what. HIPAA is pretty clear that you should only see what you need to do your job. An EMR really takes this to the next level because of the granular security you can implement.

    The interesting thing is that there probably isn’t an EMR out there that isn’t HIPAA compliant. So, that question really doesn’t need to be asked now. Plus, since HIPAA compliancy is now complete for most EMR companies, then it’s a very marginal cost for the EMR to continue to comply with EMR. However, that initial jump to comply with HIPAA certainly cost EMR companies some money, which they then most probably passed on to the consumer.
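Added example, not code from the post or from any EMR vendor: a small Python access layer showing the two mechanisms this comment describes, a per-role "minimum necessary" field filter and an audit trail recording who read what (and what was refused). The roles, field names, patient record and actor names are constructed placeholders. Chaining each audit entry to the previous one with a SHA-256 hash is an added tamper-evidence technique so that a deleted or edited entry is detectable; the comment does not claim EMRs do this.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role-to-field map (constructed): each role may read only the
# record fields it needs for its job, the "see what you need" idea above.
ROLE_FIELDS = {
    "billing": {"patient_id", "insurance_id", "visit_dates"},
    "nurse": {"patient_id", "name", "allergies", "medications", "vitals"},
    "physician": {"patient_id", "name", "allergies", "medications",
                  "vitals", "diagnoses", "notes"},
}

# Constructed sample record store; every value is a placeholder.
SAMPLE_STORE = {
    "P-0001": {
        "patient_id": "P-0001",
        "name": "Jane Example",
        "insurance_id": "INS-PLACEHOLDER",
        "visit_dates": ["2008-01-10"],
        "allergies": ["penicillin"],
        "medications": ["metformin"],
        "vitals": {"bp": "120/80"},
        "diagnoses": ["E11.9"],
        "notes": "placeholder clinical note",
    }
}


class AuditLog:
    """Append-only audit trail. Each entry stores the previous entry's hash
    and its own SHA-256 over its content, so verify() detects any entry that
    was edited or removed after the fact."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, role, patient_id, action, fields, outcome):
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "patient_id": patient_id,
            "action": action,
            "fields": sorted(fields),
            "outcome": outcome,
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry's hash and back-link still check out."""
        prev_hash = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev_hash or entry["hash"] != self._digest(entry):
                return False
            prev_hash = entry["hash"]
        return True


def read_record(store, audit, actor, role, patient_id, requested_fields):
    """Return only the requested fields, and only if the role may see all of
    them. Both allowed and denied attempts are written to the audit trail."""
    requested = set(requested_fields)
    allowed = ROLE_FIELDS.get(role, set())  # unknown role -> nothing allowed
    over_reach = requested - allowed
    if not requested or over_reach or patient_id not in store:
        audit.append(actor, role, patient_id, "read", requested, "denied")
        raise PermissionError(
            f"denied: actor={actor} role={role} patient={patient_id} "
            f"fields_beyond_role={sorted(over_reach)}")
    audit.append(actor, role, patient_id, "read", requested, "allowed")
    record = store[patient_id]
    return {f: record[f] for f in requested}


def run_demo():
    """Exercise one permitted read, one over-reaching read, and a tamper check.
    Returns (permitted_result, audit_outcomes, valid_before, valid_after)."""
    audit = AuditLog()
    ok = read_record(SAMPLE_STORE, audit, "nurse01", "nurse", "P-0001",
                     ["allergies", "vitals"])
    try:  # billing asking for diagnoses exceeds its role
        read_record(SAMPLE_STORE, audit, "bill01", "billing", "P-0001",
                    ["patient_id", "diagnoses"])
    except PermissionError:
        pass
    outcomes = [e["outcome"] for e in audit.entries]
    valid_before = audit.verify()
    audit.entries[1]["outcome"] = "allowed"  # simulate a tampered entry
    return ok, outcomes, valid_before, audit.verify()


if __name__ == "__main__":
    print(run_demo())
```

The denied request is refused outright rather than silently trimmed to the permitted fields, so an attempt to read beyond a role shows up in the trail as a distinct event reviewers can look for.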

  2. Bob says:

    @EMR and HIPAA:

    Audit trails are not really part of HIPAA (45 CFR Parts 160 and 164) which is primarily concerned with privacy rules. You’re thinking of the 21 CFR Part 11 rules for electronic records and signatures which is what the FDA uses for all life science industries.

  3. EMR Medical says:

    Thanks for sharing this information and article post.

  4. Ratika says:

    For privacy and security concerns, people would rely on an EMR which is HIPAA compliant. HIPAA would have its impact more on the process of compliance rather than the actual design or framework of an EMR.

  5. Eric Eddler says:

    It is important to analyze many aspects during your EMR software search. And it’s also important to have all the facts. For example, did you know that 85% of electronic medical records software systems are slower than handwritten notes? Did you know that with most EMR software, you write down objective findings on a cheat sheet and then enter them in your computer hours later, i.e. you document twice?!?
