Healthcare providers deal with HIPAA privacy and security issues every day. Staff members follow strict processes to ensure compliance with how Electronic Protected Health Information (ePHI) is stored both on paper and electronically. It also is essential to consider HIPAA data retention regulations when archiving ePHI after decommissioning a system.
In his article “The impact of HIPAA and HITECH on healthcare data governance” published in Management Health Technology magazine, Chris Grossman says that health practices must prioritize data governance for data that is both stored and in transmission. “The system must demonstrate proactive compliance, and healthcare organizations must be able to demonstrate that their everyday transactional, back-up and storage processes actively preserve patient information security,” writes Grossman.
In an effort to prevent fines for non-compliance, both small medical practices and larger healthcare facilities need to consider how the method in which they archive legacy EHR will meet HIPAA data retention regulations.
Consider the following ePHI archive HIPAA safeguards when storing data long-term:
When patient data is output to paper or PDF, it is exposed in its entirety to anyone who gains access to the document. That document may contain sensitive information like financial records and clinical or behavioral health data. While it is possible for a network administrator to make separate PDF files available for the access level of each staff member, this strategy creates additional work for the IT department as well as introduces the possibility for manual errors in the data separation process.
With old EHR archiving, user-based access level mapping allows you to limit each staff member’s access to specific sets of patient information relevant to their job. Sensitive information can only be viewed by authorized users.
Once the legacy EHR is archived, HIPAA requires that an audit log of access to the records be maintained. When a staff member accesses a paper or PDF document, it may be more difficult to log an exact date and time of the access much less which portion of the record was viewed, copied or printed. While third-party audit logging software may be used to track access to the ePHI archive, it may not always provide a complete picture of an employee’s activity.
When EMR migration and archiving is implemented, tracking software is often integrated right into the archive solution to allow compliance officers to view archive access audit logs. Any log should contain a user ID, date and time stamp and a summary of the information viewed, printed or exported.
HIPAA requires that electronic PHI is encrypted with â€œthe use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key – (45 CFR 164.304 definition of encryption). If patient data is archived using paper or PDF documents it becomes more difficult to secure or encrypt specific portions of the chart.
When selecting a legacy EHR archiving solution, make sure that the product uses a HIPAA-compliant format via data encryption, Secure Sockets Layer (SSL) connectivity, security access level mapping and audit logging. Archived data should also be encrypted while at rest.
How have you addressed HIPAA compliance during the archival of your protected health information?