Electronic Medical Records (EMR) systems can make things drastically easier for medical professionals working for healthcare providers. However, it’s up to the provider’s compliance team to make sure the things that make their jobs easier aren’t also the things that leave the healthcare entity exposed to fines, data breaches, and lost revenue.
In the January 2019 edition of Compliance Today, healthcare compliance expert Lisa I. Wojeck offered tips for keeping an EMR system compliant while making the best use of the system and its technology. Below are some of the suggestions Wojeck offered for EMR system administrators, compliance professionals, and privacy officers.
Understanding Medicare Requirements
The team or individual tasked with overseeing the EMR system and the compliance department need a strong understanding of the federal regulations that govern EMRs, including the Medicare manuals and requirements. Diagrams, flowcharts, and narratives should be created to make sure the business process accounts for the billing intricacies Medicare requires in an EMR system.
Configure Copy & Paste Settings
EMR systems include copy-and-paste options, and the system administrator should adjust how and when copy-and-paste can be used. Mistakes made when copying and pasting patient information can result in false claims, and they can be avoided by prohibiting the feature in certain places. Creating a documented policy on acceptable uses is also recommended. Administrators who allow copy-and-paste need to make sure users understand the importance of removing patient-specific information that was copied over from the original text.
Configure Fax Settings
Use the technology and features within the EMR system to ensure that faxed documents always meet the reasonable safeguards required under the Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules. Sometimes the EMR system can help eliminate unnecessary faxing. Faxing from the EMR can be effective in establishing safeguards that set how the fax is sent, how it is addressed, and who receives it.
Configure Notice of Privacy Practices
Consider building the Notice of Privacy Practices into the EMR system. The notice is required by law to be presented to a patient to alert them to how an entity might use and disclose their personal health information. While the law doesn’t require them to sign it, they must be presented with the option, and using the EMR to administer it is a good use of the technology.
Monitor Access
The HIPAA Security and Privacy Rules require covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” The EMR system will generate a log of reports, and it is then up to the privacy officer, human resources and possibly the IT department to comb through it. If the task becomes too daunting and eats away at man-hours, there are EMR companies and access management software products to help ease the pain.