Introducing an electronic medical records system into the practice helps the physicians and staff provide more efficient care by making medical records more accessible. It also brings some risks. Here are five areas of risk exposure and provides recommendations in each area.
1. EMR or EHR
Know your system. Electronic Medical Record (EMR) is the term most often used for the electronic system now holding the medical records of the physician’s patients. If a patient’s medical data is shared electronically with other facilities, locations, caregivers, and/or billers, the term Electronic Health Record (EHR) is more accurate. In articles and in practice, however, the terms are often used interchangeably.
2. Security Levels and Passwords
Confidentiality must be maintained in an electronic system just as with paper records. Administrators and/or the physician in charge should assign the levels of security clearance for the EMR for each staff member based on his or her individual job function. Prevent staff access to physician progress notes and prescription templates to avoid the creation or alteration of these areas for their own purposes. Each person should have his or her own password and the practice’s policy should forbid sharing of those passwords. Immediately delete the password of any employee who leaves the practice.
3. Weights and Medications
Confusion in this area may adversely affect medication doses. The amount of medication will be dramatically different based on a patient’s weight of 160 pounds versus 160 kilograms. the physician should seek vendor assistance in choosing the most appropriate format for weight measurements.
Set an expectation that two employees check weight, conversion calculations, and dosage prior to administration to avoid mistakes. This can be especially critical in a pediatric practice.
4. Health Information Privacy
Employers have a responsibility under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law, to train employees in the protection of protected health information (PHI). Each physician’s practice must have privacy and security policies that address patient privacy, preserve the security of data, and monitor confidentiality of patient information. HIPAA violations may occur with EMRs when employees:
- Access, print, or download information that is not within the scope of their job
- Disclose or alter patient information without proper authorization
- Disclose to another person their sign-on codes or passwords, or use another person’s, for accessing electronic records
- Attempt to access a secure part of the EHR without proper authorization
5. Prescriptions
Electronic-prescribing (e-Rx) is helpful if it saves the information to the patient’s medical record. To be eligible for incentives, physicians should migrate to all-electronic prescription systems.
Be sure that you know the source of the EMR’s drug and clinical decision support information. Continual updates are important if it becomes necessary to defend the adherence to a specialty’s clinical standards of care or show knowledge of FDA updates and/or drug alerts for medications ordered.
All medication refill requests should be processed through the electronic system. Care must be taken when the dose of a medication is a change, a “taper,” or a “Sliding Scale.” It is often necessary to enter these as separate orders.
As a result, at the patient’s next visit, the EMR may only show the last dose, not the progressive order.
WANT MORE HIPAA COMPLIANCE RESOURCES? Get our free HIPAA Compliance Action Guide, filled with step-by-step advice and a helpful checklist for ensuring your practice stays compliant. Download the HIPAA Compliance Action Guide.
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.