Is My EHR “HIPAA Certified”?
If your vendor just answers “yes”, be careful….
A brief history of “HIPAA certified” software
It’s been almost 20 years since HIPAA started a wave of technology solutions that touted HIPAA compliance as part of their value propositions. A cottage industry of HIPAA-compliant billing systems, email, and medical record systems soon grew to meet market interest. The arrival of HITECH further excited the demand for regulatory-compliant technology by offering government incentives to organizations that would begin to do away with paper (along with penalties for those who would not…).
What we’ve learned from this experience is that apart from ensuring certain HIPAA security standards are in place, there isn’t much an electronic system can do to ensure your clinic is compliant with HIPAA privacy standards. EHRs are great for increasing operational efficiency, but several regulatory requirements involve processes and procedures that need a human element to perform. Therefore, the responsibility of maintaining regulatory compliance can only be met by the organization itself. With regards to HIPAA, you “certify” yourself.
The search for a “state certified” EHR
A specific example is Article 31 of the mental hygiene division of New York Codes, Rules, and Regulations (14 NYCRR), under which any certified mental health clinic in that state must comply with. Article 31 encompasses a broad spectrum of regulation, including facility and staffing requirements, policies and procedures, and even language used in documentation. Within Article 31, multiple specific parts dictate the operations of OMH-licensed clinics, such as part 512 for PROS, or part 599 for outpatient mental health.
Like HIPAA, the parts of Article 31 created similar demands for fast and easy EHR solutions to fully address the intricacies. But because Article 31 maintains requirements that exist both inside and outside of a clinic’s workflows, the solution is not so simple. The New York state-certified EHR solution is, unfortunately, just as non-existent as its HIPAA-certified big brother.
Take Part 599 for example: it contains the operational rules for standards of care in outpatient mental health clinics. Many of these rules can be operationalized as knowing who (the kind of provider) can do what (service procedure) to whom (based on the patient’s health benefit) and where (in an approved shared space with a peripheral service provider). Section 599.12 of the regulation provides clear and concise documentation requirements, both in general and for specific requirements per procedure, such as for the clinical documentation of psychiatric assessments or ongoing psychotherapy.
Your EHR can and should have document templates to fit your programs and services–but no EHR can write good documentation for a clinic or ensure the staff has a strong understanding of the rules. It cannot do things like check in with a client within 72 hours of hospital discharge or ensure the clinical staff is culturally competent—that much still requires a human element—but nor should EHR get in the way of workflows or take over policies and procedures. EHRs should work cooperatively with organizations and the regulations they work under to maintain compliance. The right EHR will work hand in glove with standards of care, regulation, and subregulatory guidance.
Many operational challenges can be handled entirely through software automation, however, regulatory compliance is not among them. It is important for an organization to have a dedicated compliance specialist in place, and to understand that compliance is a complementary process. Though some vendors offer products that are certified on a federal level, it is dangerous to assume an EHR solution is intrinsically compliant with local regulations as well.
It may be news to clinics looking for their first EHR, but it should come as no great surprise to those looking to their second or third electronic record that the rules are not intrinsic to the EHR itself. Compliance is ultimately up to the organization to maintain. Finding a vendor that works with you to make sure protocols, workflows, and operations are in line with what you expect makes it that much easier.