HIPAA and EMR Design

My last post prompted a comment from Mary Hawking which asked this question:

How does the legal framework in the USA influence the design of US EMRs?

My answer:

The only legal requirement for protecting patient health information in the US is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA became effective in 2001, with mandatory compliance in 2003-2004. These rules only specify who (“covered entities”) must protect health information and the security standards for electronic transactions. All covered health care institutions in the US must now comply.

How does HIPAA influence EMR design? IMHO: Not a whole lot. Most of the functionality of an EMR system is incorporated in the data presentation and work-flow management within the EMR itself. HIPAA only dictates privacy rules and data protection when health information is being transmitted from one institution to another. Privacy and security measures must certainly be implemented within an EMR, but it is usually a relatively minor component.

I’m talking specifically about the effect HIPAA has on EMR software design, though. HIPAA has had a large influence on the behavior of covered health care institutions. Here are some related resources:


2 Responses to “HIPAA and EMR Design”

  1. EMR and HIPAA Says:

    I think that you’re missing a major point that an EMR company must cover: Audit trails. Every EMR company I’ve ever seen has to make sure that they have good audit trails built into their system in order to comply with HIPAA. Without the audit trail of who did what, then that EMR would be in trouble.

    EMRs are also much more granular with who can see what. HIPAA is pretty clear that you should only see what you need to do your job. An EMR really takes this to the next level because of the granular security you can implement.

    The interesting thing is that there probably isn’t an EMR out there that isn’t HIPAA compliant. So, that question really doesn’t need to be asked now. Plus, since HIPAA compliancy is now complete for most EMR companies, then it’s a very marginal cost for the EMR to continue to comply with EMR. However, that initial jump to comply with HIPAA certainly cost EMR companies some money, which they then most probably passed on to the consumer.
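As an added illustration of the two design points raised in the comment above (audit trails of who did what, and need-to-know access to record sections), here is a small Python model written for this page, not code from any EMR vendor or from the commenter. Every read attempt, allowed or denied, is appended to a hash-chained audit log so that a deleted or edited entry is detectable; the roles, record sections and patient data are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

ROLE_PERMISSIONS = {  # constructed "minimum necessary" policy: sections each role may read
    "physician": {"demographics", "medications", "billing"},
    "nurse": {"demographics", "medications"},
    "billing_clerk": {"demographics", "billing"},
}

RECORDS = {  # constructed sample chart standing in for the EMR database
    "pt-1001": {
        "demographics": {"name": "Sample Patient", "dob": "1970-01-01"},
        "medications": ["metformin"],
        "billing": {"insurer": "Example Health Plan"},
    }
}


class AuditedEMR:
    def __init__(self):
        self.audit_log = []  # append-only; a real system persists this to WORM storage

    def _digest(self, entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def _append_audit(self, user, role, patient_id, section, outcome):
        entry = {  # each row commits to the previous row's hash, forming a chain
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id, "section": section, "outcome": outcome,
            "prev": self.audit_log[-1]["hash"] if self.audit_log else "0" * 64,
        }
        entry["hash"] = self._digest(entry)  # computed before the "hash" key exists
        self.audit_log.append(entry)

    def read(self, user, role, patient_id, section):
        allowed = section in ROLE_PERMISSIONS.get(role, set())
        # Denied attempts are logged as well; they are often the more useful events to review.
        self._append_audit(user, role, patient_id, section, "allowed" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"{role} may not read {section}")
        return RECORDS[patient_id][section]

    def verify_audit_chain(self):
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```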

  2. Bob Says:

    @EMR and HIPAA:

    Audit trails are not really part of HIPAA (45 CFR Parts 160 and 164) which is primarily concerned with privacy rules. You’re thinking of the 21 CFR Part 11 rules for electronic records and signatures which is what the FDA uses for all life science industries.
