Do you HAVE to use an emr?


jbomba (Full Member, 5+ Year Member; joined Aug 31, 2018)
I have a very small cash practice. Like 6-10 at any given time. I've decided I don't want to go above this. Is it ok/legal to write my notes in a word doc and save them in a secure manner? I will use venmo for payment and self schedule patients. I use iprescribe for meds. I really don't have a strong need for an emr given I've decided not to increase my panel. Thoughts?

 
Some EMRs, like Practice Fusion (charting, prescribing only) are fairly inexpensive for what you get as a single provider. Would save you A LOT of headaches for the small monthly fee.

But to your question -
Small practices have all the same regulatory burdens as larger entities. If you want to go electronic on your own, you should consult an attorney with HIPPA experience. It is very important to set up your practice properly from the start. Well worth a few hours in attorney fees if you amortize that cost over your entire career. If you are sued and found negligent, your insurance carrier (cyber, HIPPA, malpractice, etc), may not cover your costs.

The medical record, once legally signed, needs to be un-editable and securely available historically based on your state's statutes. There's a lot to that last sentence. You should read the HIPPA requirements while you seek legal advice.
 
HIPAA doesn’t apply here.

There is no requirement to have an EMR.
 
Rather than saving word documents that could be edited later, I would recommend going full paper chart if you are not going to use an EMR. I am not sure what requirements exist for paper charting, but I know there are people still doing it out there.
 
If they're doing cash only, then technically none. Practically, the minimum to make sure patients can get their meds from pharmacies/PAs (if necessary) along with whatever OP would feel is necessary to protect them if sued. Given how short some of the examples docs on SDN have given for outpatient notes are, I'd say the standard is pretty low.
 
The best time to not use an EMR is a cash only practice. Embrace the gifts laid before you.

I'd suggest using 2 portable hard drives, with password encryption. Drop $500 on a good FAST scanner like a Fujitsu ScanSnap.
Write or type your notes. Print/sign, scan, store in your hard drive. Make a personal policy, back up the hard drive to the other one at time frequency X of your choosing.

Use this for your file naming:
2024-06-25 Demographics
2024-06-25 Credit Card Auth
2024-06-28 Consultation
2024-06-29 Phone Note
2024-07-08 Follow Up or SOAP
2024-07-12 Records from previous psych
2030 Admin Notes (keep here little memo things like when you faxed off ROI requests, mailed lab orders, why pt gets discount rate, etc)
 
I may not have been clear in how I said things.

As a health care professional treating patients, Jbomba is a HIPPA Covered Entity.
The PHI created by Jbomba, regardless of its form (electronic or paper), will be HIPPA bound.

Correct, there is no requirement by HIPPA to have an EMR, only for the Covered Entity to nonetheless still abide by HIPPA with its PHI.
If one is simply going to use Microsoft Word 'securely', just be sure you are in compliance with HIPPA.
Document your security risk assessment and plan.

Paper charts have to follow HIPPA as well if they contain PHI. The HIPPA requirements for any form of PHI are the same. The implementation will be different, of course.

You may want to review the SRA tool to help you stay in HIPPA compliance for your practice.

As far as backups. I would suggest three 'rules'.
Manual backups are not a good backup solution. It needs to be automated.
You need one backup offsite as part of your disaster plan.
Test your backups.

Good luck!
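The two-drive, scan-and-file approach a few posts up, the warning that a Word file can be edited after signing, and the three backup rules above (automated, offsite, tested) can all be exercised in a small script. The following Python is an added example, not code from the thread or from any product named in it. It assumes finalized notes (for example signed-and-scanned files) are dropped into one chart folder with the date-prefixed names suggested above, and it records each finalized file in a hash-chained manifest named manifest.jsonl (my choice). A hash chain does not stop anyone editing a file; it makes the edit detectable the next time the folder is verified, which is the property a signed record needs. Encryption at rest is left to the drive or the OS, as in the original suggestion.

```python
"""Tamper-evident chart folder with a verified second-drive mirror.

Added example, not from the thread or from any EMR product it mentions.
Assumes finalized notes in one folder with YYYY-MM-DD prefixed names and
a manifest file called manifest.jsonl (assumed name). Encryption at rest
is left to the drive/OS; this only detects edits and tests the backup.
"""
import hashlib
import json
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.jsonl"                       # assumed file name
NAME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} .+")    # "2024-06-28 Consultation.pdf"
GENESIS = "0" * 64                                # prev-hash for the first entry

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _entries(chart_dir: Path) -> list[dict]:
    mpath = chart_dir / MANIFEST
    if not mpath.exists():
        return []
    return [json.loads(line) for line in mpath.read_text().splitlines() if line]

def _entry_hash(entry: dict) -> str:
    # Chain over a canonical encoding so editing or reordering any field shows.
    canon = json.dumps({k: entry[k] for k in ("prev", "name", "sha256", "ts")},
                       sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()

def finalize_note(chart_dir: Path, name: str) -> dict:
    """Append a finished note to the hash chain; rejects names without a date."""
    if not NAME_RE.match(name):
        raise ValueError(f"filename must start with YYYY-MM-DD: {name!r}")
    entries = _entries(chart_dir)
    prev = _entry_hash(entries[-1]) if entries else GENESIS
    entry = {"prev": prev, "name": name,
             "sha256": sha256_file(chart_dir / name),
             "ts": datetime.now(timezone.utc).isoformat()}
    with (chart_dir / MANIFEST).open("a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify(chart_dir: Path) -> list[str]:
    """Return the problems found: broken chain, edited files, missing files."""
    problems, prev = [], GENESIS
    for entry in _entries(chart_dir):
        if entry["prev"] != prev:
            problems.append(f"chain broken at {entry['name']}")
        path = chart_dir / entry["name"]
        if not path.exists():
            problems.append(f"missing {entry['name']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified {entry['name']}")
        prev = _entry_hash(entry)
    return problems

def mirror(chart_dir: Path, backup_dir: Path) -> list[str]:
    """Copy notes and manifest to the second drive, then test that copy."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    for src in chart_dir.iterdir():
        if src.is_file():
            shutil.copy2(src, backup_dir / src.name)
    return verify(backup_dir)          # an untested backup is not a backup

def demo() -> dict:
    """Constructed run: two notes, a mirror, then an after-the-fact edit."""
    root = Path(tempfile.mkdtemp())    # constructed sample data, not real charts
    chart, backup = root / "chart", root / "backup"
    chart.mkdir()
    (chart / "2024-06-28 Consultation.txt").write_text("Initial consult. Signed.\n")
    (chart / "2024-07-08 Follow Up.txt").write_text("Follow-up. Signed.\n")
    finalize_note(chart, "2024-06-28 Consultation.txt")
    finalize_note(chart, "2024-07-08 Follow Up.txt")
    clean = verify(chart)
    backup_problems = mirror(chart, backup)
    # A signed note is "corrected" later: its digest no longer matches the chain.
    (chart / "2024-06-28 Consultation.txt").write_text("Initial consult. Edited.\n")
    after_edit = verify(chart)
    try:
        finalize_note(chart, "notes.txt")
        bad_name = None
    except ValueError as exc:
        bad_name = str(exc)
    return {"clean": clean, "backup": backup_problems,
            "after_edit": after_edit, "bad_name": bad_name}

if __name__ == "__main__":
    print(demo())
```

Running the file executes demo(): the fresh folder and its mirror verify clean, the later edit to the consultation note is reported as "modified", and a file without a date prefix is refused. To make this "automated" in the sense of the rules above, schedule mirror() and verify() with cron or Task Scheduler rather than running them by hand, and keep one copy of the manifest on the offsite drive so a tampered primary cannot simply rewrite its own chain.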
 
Why do you keep calling it HIPPA?
 
Nope, @TexasPhysician is correct.


A covered entity only exists if they "transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard".

A purely cash only practice does not fall under this category.
 
I went with a hardware encrypted drive when I first started but I switched to an EMR over time. I, personally, need the added structure to manage the information.

Do you plan to make it your full time gig eventually? That would be a reason to go for an EMR.
 
HIPPA is not a thing.

Cash practices are not HIPAA covered entities, so nothing in the practice applies to HIPAA.
 
Correct me if I'm wrong, but pretty sure if you're transmitting patient information to pharmacies or doing PAs for patients to submit to their insurance then those aspects would require HIPAA compliance. The cash only doc I worked with in med school used a pad and pen specifically to avoid electronics as much as possible.
 
False

The easy proof - Google the HIPAA violation complaint site. Try to report someone. Give a fake name like Bob Bob and answer the questions. Once you get to the question that says “Does this clinic accept insurance?” click No. It will automatically direct you to a page that states no complaint will be filed as HIPAA doesn’t apply.

The wording on other sites can be tricky. The complaint process however is clear and simple.
 
Fascinating!

So our OP would fall under regulations by the FTC and State statutes instead? Wonder how those differ from HIPPA provisions as far as PHI.
 
Just throwing in a recommendation for the EHR I've been using the last few months, Sessions Health. It's not flashy, their support is really responsive, and it's straight up cheap ($39/month, plus 10 if you use their built-in telehealth platform). Something to keep in mind if you someday decide you don't want to deal with the responsibility of being the Keeper of Records.
 
I feel like I'm the fourth person to tell you this, but HIPPA isn't a thing. Do you have an autocorrect that needs training or are you just really not aware of what you are talking about?
 
Seems a little crazy not to spend this much money and have less to worry about as far as records, HIPAA, prescribing.

Interesting that no one here has brought up if it's needed to transfer records from your office to elsewhere. Does that not open you up to any possible HIPAA issues? I'm surprised that would be exempted communication under the law even for a cash practice. I'm no expert on HIPAA
 
Even if it's not an issue of HIPAA, couldn't you still be open to lawsuit or consequences if whatever method you used led to negative consequences for the patient? Lost records, breach of confidentiality, impact on care?

Seems like if what you're doing is HIPAA compliant even if that high a standard is not required, would at least potentially mitigate some of these potential headaches.

The advice to get legal advice in the setting up of a practice, no matter how small or private, seems sound as well.

Any business venture that wings it in this regard, especially high risk industries, is just an asking for trouble.
 
EMR and HIPAA are separate issues in some ways anyway. As is setting up a business that is legally compliant with applicable state and federal law, as well as legally prudent.
 
There's 2 components of HIPAA: the Security Rule and the Privacy Rule. The latter applies to any practice, even a completely paper one. It sets standards for the secure storage of documents including non-electronic data. No practice is exempt from HIPAA rules. Lol SMH
 
If it's faxed or mailed, the HIPAA Security Rule doesn't apply because it's not transmitted electronically.

Edit: for clarification, old fashioned fax transmission from one machine to another does not fall under the HIPAA security rules. If one party uses e-fax via a computer, all bets are off.
 
Storing notes on a hard drive entails the electronic storage of patient data and automatically makes one a HIPAA covered entity. Moreover, there are specific requirements for how to encrypt files and how to dispose of the hard drive, etc.

 

You're right. Even the transmission of electronic prescriptions from an iPhone makes one a HIPAA covered entity.
 
I used to have a small psych/sleep (non-CPAP) OP practice; I sublet a room within the office of some medical NPs that I collaborate with. I would just have my handwritten notes scanned into Kareo EMR.
Wasn't worth it financially, and was a distraction from my psych IP work; ended it about 18 months ago.
 
FYI ChARM is free for a small practice and then a small charge once you do more than 50 encounters per month. The add-ons like e-rx you do have to pay for. You can certainly keep paper records, but for those of us who trained in the EMR era, it's probably more straightforward and advantageous to use an EMR. Some advantages include creating templates, smart phrases, sending questionnaires and intake forms, incorporating said forms into your notes, searching medication history, sending and receiving secure messages, scheduling, automatic patient reminders, saving outside records securely, creating and sending invoices, creating slips to get labs done (possibly lab integration), etc.

Paper records may be best for a therapy only/heavy practice with a small number of pts seen regularly, entirely private pay pts and no superbills, etc. If you are working with pts who value discretion, paper records (handwritten using a printed out template with checkboxes) are a positive too, but then you have to store them appropriately.

P.S. I would not recommend using Venmo for payments since it is not secure, and is basically a social media platform that allows payments. It's also not supposed to be used for this sort of business currently. Zelle is okay. Can also accept ACH and wire transfers. I recommend accepting credit card payments if you can (you can set your fees to account for the processing fees).
 
That is false. HIPAA is poorly understood and the myths continue to be taught in training. The federal government wants nothing to do with cash practices.

That’s not to say that there aren’t requirements for privacy. Cash practices fall under state medical board rules. Every state is different.

Tons of medical practices have paper only records stored in a file cabinet or behind a locked door.
 
I haven't counted yet! 😉
Certainly was not aware of HIPPA exclusions. Wowzers.

When I read yesterday about healthcare entities that were not HIPPA covered, any potentially analogous practice legal privacy requirements fell back to FTC and State regulations instead. Have no idea what those are, but that is what I had read.

A quick glance for Virginia, shows privacy requirements regarding record keeping. I'd be surprised if there is no provision about protection of PHI at the state level even for pure cash and paper chart offices. If that's wrong, good to learn more. I don't mind a 5th time! 😍
 
If you look at any of these rules, I think you're missing the main initial statements in all of them. Any HIPAA associated regulation applies to covered entities. If you are not a covered entity, it does not apply. That's your initial branchpoint. Transmitting prescriptions to a pharmacy does not make you a covered entity. Storing patient information on a hard drive does not make you a covered entity.

The security rule is about electronic transmission and storage of PHI the privacy rule is about acceptable disclosure of PHI. It has nothing to do about covered vs non-covered entities. Again, if you are NOT a covered entity, any HIPAA regulation is NOT applicable.

Here's some light reading for you:
 
Now I'm wondering if you're doing it on purpose. What do you think HIPPA is an acronym for? Do you not realize that everyone else is spelling it HIPAA?
 
Tons of medical practices have paper only records stored in a file cabinet or behind a locked door.
Of course. Nothing about HIPAA says you can't do this. One is obligated to ensure the records remain private and secure. That was my point.
 
There is Venmo for Business, which might be more appropriate. Regular Venmo is free, but it's meant for transferring money to family and friends; that's probably abused all the time. My landlord has me pay her through regular Venmo.

Here's an interesting article stating Venmo is HIPAA compliant by default when used only for receiving patient-originated payments due to an exemption for payment processors in the HIPAA act. I learned something new today.



"Venmo is HIPAA compliant by default for receiving patient-originated payments due to an exemption for payment processors in the HIPAA Act, however, it should not be used for any other purposes due to privacy and security concerns. There are also other reasons why covered entities might want to avoid offering this payment option.

There is a common misconception among some sources that Venmo should not be used by covered entities to accept payments from patients because Venmo will not sign a Business Associate Agreement. However, there is nothing in HIPAA that prevents covered entities from using any service to receive patient-originated payments and – under section 1179 of the Act – financial institutions are exempt from complying with the Privacy Rule when facilitating a financial transaction.

Due to the misconception about payment processors, the Department of Health and Human Services (HHS) clarified the position in the preamble to the 2013 Final Omnibus Rule. HHS stated: “The HIPAA Rules, including the business associate provisions, do not apply to banking and financial institutions with respect to the payment processing activities identified in § 1179 of the HIPAA statute”.

However, the preamble continues: “A banking or financial institution may be a business associate where the institution performs functions above and beyond the payment processing activities identified above on behalf of a covered entity.” As a result, in the context of whether Venmo is HIPAA compliant, Venmo doesn't need to be HIPAA compliant for payment processing services, but does for any other services performed on behalf of a covered entity or business associate."
 
I think if you check the wrong boxes, some transactions can become visible by other parties on Venmo? This is one issue I would have with venmo amongst others. Venmo is also a branch of paypal.

Another issue is that if Venmo thinks your account is in violation of their TOS, they can actually shut down your account as well as keep the balance that was in it. Someone will say this is either untrue (it is) or unlikely to happen to a physician. The latter, perhaps. Regardless, I think there are better platforms for payment.
 
What are the odds that one is fully HIPAA compliant and yet is still afoul of a state privacy law? It just seems like more potential headaches can be avoided with that approach and it doesn't seem worth it not to be. Unless you wanted to go fully old school with paper and know what you're doing and what the laws are. Which if nothing else this thread shows that most people don't know what they think they know nearly as well as they think they do.

Fact: once you go electronic (files on a hard drive) if it's at all possible for that device to be connected to the internet, you are now open to various types of hacking and breaches of cybersecurity. Not being plugged in or having the wifi off is not protection enough, there are still remote ways of hacking if I'm not wrong, or prior episodes of being online can plant things in the computer that can then be a security risk.

If you're paper, you either lose the notes (controllable) or your practice gets broken into.

Presumably the latter arrangement is considered low risk enough that it's generally considered to meet privacy standards.

Since I'm not some type of cybersecurity wizard I would hesitate to make records digital without using something that is at least HIPAA standard, even if my practice was exempt.
 
A large hospital in my city transitioned to EMR for the first time in the last 5 years. An elderly psychiatrist I know retired when the transition happened because he wished to never use an EMR ever. EMRs in the grand scheme of things are incredibly new. Paper and pen was standard.

It is more likely that hackers acquired more medical records and health data hacking United Healthcare in 1 day this year than have been stolen via paper/pen in the history of paper charts combined. If I wanted to maintain my psychiatric privacy at the highest level, a paper record hidden in 1 file cabinet is safer in my opinion than anywhere online. Unless you know my specific psychiatrist, where he stores the charts, and how to access them before law enforcement arrives, you can’t get my health record. A hacker across the world can hack insurance databases with likely no penalty or risk of being caught. Expect these intrusions to become more prevalent as many large companies are being hacked lately.
 
You're not some type of cybersecurity wizard and the idea that cloud/remote access of patient records is somehow more secure than local access is just completely false.

The HIPAA security laws are actually pretty onerous and honestly most practices are probably violating some provision of the security rule at some level. If you didn't know this already, all covered practitioners/practices (which would just be yourself if you're a solo practitioner) are supposed to do security audits, identify vulnerabilities, come up with these ridiculous risk management plans and implement a bunch of written policies for different "security components". That's why you have to do that ridiculous HIPAA compliance stuff every year for hospital systems.

State privacy laws tend to be quite a bit....simpler. For instance, this is what a state I practiced in has to say about medical record privacy:

"Medical records shall be stored in such a manner as to provide protection from loss, damage and unauthorized access."
"All records shall be treated as confidential. Only authorized personnel shall have access to the records. The written authorization of the patient shall be presented and then maintained in the original record as authority for release of medical information outside the hospital."


To put it simply, the reason EMRs and remote access to patient records/information exist is not because they're so much more secure, complete opposite in fact as is shown time and time again by ransomware attacks and large data leaks. The purpose is to be able to share information MORE easily, not less easily and to share more information between systems on a larger scale. That opens you up to a higher risk of security breach with more access points and vulnerability points. It also allows a much greater number of patient records to be stolen/accessed at one time.

The chance that someone remote accesses your personal laptop that you're storing patient records on locally if you have adequate antivirus protection and don't go screwing around on weird websites or downloading/installing weird programs on your computer is quite low.
 
What are the odds that one is fully HIPAA compliant and yet is still afoul of a state privacy law? It just seems like more potential headaches can be avoided with that approach and it doesn't seem worth it not to be. Unless you wanted to go fully old school with paper and know what you're doing and what the laws are. Which if nothing else this thread shows that most people don't know what they think they know nearly as well as they think they do.

Fact: once you go electronic (files on a hard drive), if it's at all possible for that device to be connected to the internet, you are now open to various types of hacking and breaches of cybersecurity. Not being plugged in or having the wifi off is not protection enough; there are still remote ways of hacking, if I'm not wrong, or prior episodes of being online can plant things in the computer that can then be a security risk.

If you're paper, you either lose the notes (controllable) or your practice gets broken into.

Presumably the latter arrangement is considered low risk enough that it's generally considered to meet privacy standards.

Since I'm not some type of cybersecurity wizard I would hesitate to make records digital without using something that is at least HIPAA standard, even if my practice was exempt.
I use Microsoft 365 for Business. It's fully HIPAA compliant, including email, Word, Excel, cloud drive. I use Microsoft Forms for website submissions. I use OneDrive to store any patient file. HIPAA compliant WordPress website host/server. I feel this is more secure than keeping up with a hard drive. I use secure Wi-Fi and a VPN. Zoom for Healthcare. RingCentral for fax, phone and text. And PracticeQ for the EHR. Worth it to have everything as secure as possible.
 
I am gonna be honest. There are so many near-free EMRs that it is pointless to go without one. You can spend less than $100 a month to have a full-fledged, low-maintenance EMR that does records, patient portals, med prescribing.
idk. The OP is about an ultra-micro practice. 6 patients at a time. It definitely feels like overkill to have a $1200 overhead annually for an EHR for only 6 patients.
 
idk. The OP is about an ultra-micro practice. 6 patients at a time. It definitely feels like overkill to have a $1200 overhead annually for an EHR for only 6 patients.

Depends on the context. What else is the OP doing? 5-10 patients is not enough to have much of an office to store paper charts. Is OP always at home to use a file cabinet? If I was doing 5-10 med/therapy patients per week via telepsych while I traveled the US/World, an EMR to store the data would be quite valuable. I wouldn't feel safe with paper or even a laptop while constantly traveling and maybe going through customs. We don't have much context here as to why so few patients.
 