Tel: 314-534-3534
Fax: 314-534-0444


EHR - Electronic Health Records

HIPAA Compliance - Meaningful Use Standards
Federal False Claims Act Liability
Meaningful Use Requirements
HITECH set meaningful use of the secure, interoperable electronic exchange of health information by means of Electronic Health Record (EHR) and Electronic Medical Record (EMR) technologies as a critical national goal. HITECH created incentives - money payments to Health Care Providers that legally attest they achieve specific standards of "Meaningful Use" in their EHR-EMR systems. A mandatory Core Objective of Stage 1 Meaningful Use is:
"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process."
In plain English, to receive an incentive payment, your Organization must attest it is compliant with the HIPAA Security Rule. The key word is attest. When your Organization receives a Meaningful Use financial incentive payment, it is subject to audit. False attestation subjects you to liability under the Federal False Claims Act.
Your Organization is already required to maintain the privacy and security of EPHI.  But "Meaningful Use" attestation of an EHR creates an entirely new and dangerous level of sanction for non-compliance with the HIPAA Security Rule. 


HIPAA Compliant EHRs and EMRs?

No EHR or EMR product or technology, by itself, is HIPAA compliant! 

HIPAA compliance depends entirely on the behavior of the people using the EHR or EMR system - your Workforce. 
Think of electronic record systems as a high-tech filing cabinet. Can a lockable filing cabinet, by itself, be HIPAA compliant? NO! Your staff must handle paper PHI records securely, place them in the filing cabinet and lock it.
Similarly, an EHR or EMR system can only be HIPAA compliant when it is properly implemented by a well-trained workforce following HIPAA compliant Policies and Procedures. See the Security Rule page of this website to review HIPAA compliance requirements for EPHI, and the Privacy Rule and Breach Notification Rule pages of this website to review HIPAA compliance requirements for all PHI, including EPHI.

Whether Your Organization Attests to Meaningful Use or Not - Your EHR or EMR System Must be HIPAA Compliant

EHR - EMR HIPAA Compliance Essentials:
   1.  Risk Analysis
   2.  Risk Management
   3.  HIPAA Policies and Procedures
   4.  Workforce Training
Compliance with HIPAA in deploying and using an EHR or EMR depends on the ability of your Organization to understand and address the risks associated with implementing your electronic record system. Follow the steps required by the HIPAA Security Rule and document everything. First, do a thorough and accurate Risk Analysis. Then establish Policies and Procedures to address the risks that are identified. Next, make sure your workforce is trained to follow your Organization's Policies and Procedures and make sure they are followed. Finally, do periodic Risk Analyses so your Organization continues to:
"Ensure the Confidentiality, Integrity and Availability of all electronic protected health information the (Organization) creates, receives, maintains or transmits." 45 CFR § 164.306(a)(1)
Advertising for EHR and EMR systems may claim the system is “HIPAA Compliant”. While the system may be technically able to be compliant and may be certified by HHS, the technology, by itself, cannot be fully HIPAA Compliant. The only way your Organization's system can be truly “HIPAA Compliant” is if it faithfully adheres to and implements the HIPAA Security, Privacy and Breach Notification Rules.

HHS Health Information Technology Certification

In selecting an EHR or EMR system, make sure it is certified by the U.S. Department of Health and Human Services (“HHS”). HHS certification for health information technology is designed to ensure:
  • Functionality – systems can support the activities and perform the functions for which they are intended;
  • Security – systems have the technical capability to protect and maintain the confidentiality of data; and
  • Interoperability – systems can connect to, and exchange information with, other systems.
Paul R. Hales
Attorney at Law
3534 Washington Ave.
St. Louis, MO 63103