Do I really need an EHR to be HIPAA compliant?


Phanicus (Full Member, 7+ Year Member, joined Mar 1, 2015):
I feel like this should be an easy question to answer but I'm struggling to find a clear answer. I am launching a private practice soon and would love to be able to keep notes on my computer in password-protected Word docs. According to HIPAA though, it seems like for digital notes, we are supposed to use an EHR with back-up capabilities and means of locking notes so they become unalterable. My question is, is that rule specifically for people who use EHRs or does it apply to everyone who uses any sort of digital notes, including people with locally maintained, Word document notes?

I have been using Theranest at my current organization and while I like it, I would rather not have to pay $40 a month just to keep my notes in an EHR. Any good and cheap alternatives would be much appreciated.

Thanks in advance!

 
It has been many years since I was in the weeds with the details of this stuff, but if I recall, the thing that matters a lot here depends on how you structure things (e.g., are you taking insurance or 100% cash). If you transmit information electronically (through the lens of HIPAA), things are very different than just a small cash practice.

I used to know psychologists who had a small cash-only practice that did this with a non-internet-connected, encrypted laptop, with encrypted backups. We also did this in my training clinic as a grad student back in the day. I also know a psychologist who still does old-school handwritten-only notes. No computers at all. Although that seems more related to that person's personality than age / comfort with technology.

No idea how this changes with the no surprises act, or other recent regulations, or state specific things.
 
I knew a few folks who kept docs for progress notes on their laptops/computers as long as there was a password to the laptop and auto-lock screen after a few minutes. I’m assuming a backup drive/usb/disc would need to be made periodically and locked away to be compliant.

My understanding also was that this was perfectly fine HIPAA-wise without needing EHR.
Some people still do this to save money, so I think it’s possible and compliant as long as everything is locked in some form so that it can’t be accessed by just anyone—like physical file cabinets for paper files.

But if you have to send PHI to clients or submit superbills, that’s where it gets murky. You have to use snail mail or you need a fax line to keep it private, I think, because electronically you don’t have a way for it to be secure unless you use HIPAA-compliant fax software. You might have to get encrypted email, and/or use Google Workspace email, which is HIPAA compliant and has a BAA (I have it), but I still avoid sending PHI over email in most cases and use the secure messaging in my practice management software.

So somewhere you will need to pay for some communication service regularly, I think, even if you do the cheap no-practice management software route. There are certain corners you can’t cut in terms of transmitting PHI.
 
Be sure to also check your state rules and statutes around this. They vary a good deal. Some states do not mention these issues, and some are very specific about what you need to do. So, be sure you are compliant with both federal and state law.
 
I think that the effort to make another system would be better put into generating revenue with an EHR. Probably just look for the cheapest one. Also, the platform can be helpful for other aspects of a small private practice. If it’s really, really small and literally cash only, then maybe just use paper and not worry about it at all.
 