The benefits of Electronic Health Record (EHRs) are well known. While EHRs ensure improved quality of patient care, improved care coordination, accurate diagnoses and outcomes, improved efficiency, and cost savings, it is very critical to ensure that the security and privacy of the EHR systems are maintained to in order to gain the trust and confidence of the users as well as patients. If patients lose their trust in EHRs thinking that their confidentiality and accuracy will be compromised, they may not feel comfortable to disclose their health-related information, which may lead to serious consequences. Hence, it is imperative to protect the confidentiality and integrity of the information in your EHR system so as to reap the best outcomes of the EHR system.

We must understand that the responsibility of ensuring the security of your EHR systems lies with your own practice and not with the EHR vendor. However, at the same time, healthcare institutions must let their EHR vendor know that meeting Health Insurance Portability and Accountability Act (HIPAA) requirements and protecting patient health information is one of their primary goals. It is also important to involve the staff and any other partners to help streamline this process.

The HIPAA Security Rule requires healthcare providers to take specific measures to safeguard their electronic protected health information (ePHI). Some of the safety measures must be built into electronic health record (EHR) systems to protect medical records. For example, “Access control” tools such as passwords and PIN numbers must be built-in to allow only authorized individuals to access patient information. “Encrypt” stored information so that sensitive health information cannot be read or understood except by someone who can “decrypt” it, using a special “key” made available only to authorized individuals.

Covered Entity and Leadership

First of all, confirm that you, as a healthcare provider, are a covered entity under HIPAA Privacy and Security Rules. You need to convince your leadership, especially the privacy and security official about the importance of protected health information. This official will be responsible for developing, documenting, and maintaining your privacy and security practices to meet the HIPAA requirements, and also work collaboratively with your information technology (IT) administrator or consultant, EHR vendor, and practice management professional.

Make sure that each staff member of your practice understands the privacy and security policies, responsibilities, and the importance of keeping patient information secure and protected.

Process Documentation

Documenting all your processes is a crucial step. Your practice must maintain physical records or electronic records of security risk analysis, risk management efforts and plans, staff training, business agreements, policies and procedures, checklists, information about any breaches to your ePHI and the action taken in response to those breaches, EHR logs that show utilization of security features and so on. This step is a mandate as per the Centers for Medicare & Medicaid Services (CMS) for all providers that attest to the EHR incentive program. These records/documents that support attestation should be date-stamped, and updated documents regularly. These records serve as a complete and up-to-date master record of security findings, decisions, and actions that your staff can reference.

Conduct a Risk Analysis

Going by the HIPAA mandate, you must conduct an initial risk analysis to ascertain the potential risks and vulnerabilities the EHR may be exposed to. The security risk analysis should be conducted periodically and updated at regular intervals. Using the results of the risk analysis, develop an action plan to manage and mitigate the risk factors in your practice. Make sure that your staff is familiar with configuring the security settings in your EHR. Additionally, configure the audit function of your EHR software to record user activity and generate audit logs. Audit logs are useful for protecting ePHI and for tracing back to the unexpected or improper use of patient information.

Ongoing Education and Training

To safeguard patient information, your workforce must know how to implement your policies and procedures. Training is required for each member who joins your staff and you must re-train your staff members any time there is a material change to your policies and procedures. Reinforce workforce training with reminders. Lead by example by adhering to your policies and procedures.

Communicate with Patients

Educate your patients about their rights, which includes the right to an electronic copy of their information in the EHR, and how they can use the EHR system for improving their wellness. Give your patients the confidence that their personal and health information will be safeguarded and help them understand the privacy and security protections that you have in place.


Update business associate agreements

Have agreements in place with any service providers or business associates, such as billing companies, EHR vendors, or storage vendors, etc. and make sure that these agreements are obtained in writing. These agreements ensure that these business associates use and disclose patients’ health information judiciously and safeguard it correctly.



In conclusion, it is important to prioritize the security and privacy of your EHR systems based on the current legal requirements, keeping in mind the technology changes and increased awareness among patients. These steps will instill a feeling of trust in your patients’ mind towards your practice. Trust is an important key business asset. Through diligent action, privacy, security, and meaningful use of EHR systems can be achieved and your practice will reap great benefits.