Onboarding Medical Assistants and Office Staff Toolkit

August 2, 2019

Documentation risk management

Electronic Medical Records (EMR) & the HIPAA Security Rule

Although electronic medical records (EMR) offer substantial benefits, the special security risks introduced by such systems must be understood and managed. Physicians maintaining patient records electronically should become familiar with the requirements of the HIPAA Security Regulations (the HIPAA Security Rule), which became effective in April 2005 and were amended under the American Recovery and Reinvestment Act of 2009. To achieve and maintain compliance with the Security Rule, physicians, hospitals and other “covered entities” must implement a series of administrative, technical and physical safeguards. The Rule generally requires physicians to:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain or transmit.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
  • Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the Rule.
  • Ensure compliance with the Rule by their staff.

The Security Rule focuses more on the end result (compliance) than on the method by which physicians achieve it. It was designed to be scalable, flexible and technology-neutral, so that its standards can be met through more than one approach. The Rule states that when deciding which security measures to use, physicians must take into account the size, complexity and capabilities of their practices, their technical infrastructure and the security capabilities of their hardware and software, the cost of the measures, and the probability and criticality of the potential risks to ePHI.

Physicians are encouraged to contact an attorney or a qualified healthcare consultant knowledgeable about healthcare information systems to ensure compliance with those Regulations.

Security challenges created by the electronic medical record can be both internal and external. Examples of internal challenges include the unauthorized release of medical record information and the unintentional deletion of information from a patient’s record. Challenges from external sources include computer viruses and other malware, hackers, and vendors who install software capable of disabling the system. Other risk management concerns include theft of laptop computers, power failures, transmission errors and computer hardware failures.

Security should be designed into the system from the start.

  • All records, centralized or decentralized, should be kept in a secure location accessible only to authorized individuals.
  • Levels of access should be established so that users can access only the information they need to do their jobs. Access privileges should be assigned according to job role rather than to individuals ad hoc.
  • Maintain a current list of users, their user IDs and their level of access. The list should not record passwords; a shared record of passwords defeats the accountability the access code is meant to provide.
  • Sharing or disclosing one’s own access code (login credentials) should be subject to the same sanctions as disclosing confidential patient information.
  • Disclosure of information should be handled by trained individuals to ensure compliance with state and federal laws.
  • If participating in an EMR network, draft and execute a confidentiality agreement with all others in the network, and make sure all employees understand their responsibility to keep patient information confidential.
  • All employees should sign confidentiality agreements at the time of hire and a confidentiality acknowledgment annually to remind them of their ongoing confidentiality responsibilities.
  • Implement policies and procedures to protect against the theft of laptop computers and any other computer hardware used in the practice.
  • Document the security measures in place.
  • All users, including physicians, should be required to attend an orientation program and receive periodic updates.
  • Deactivate a user’s access code promptly when the person leaves employment or changes roles.
  • Limit staff access to printers.
  • Prepare a disaster plan.
  • Protect against viruses and other malware.
  • Negotiate indemnification provisions in contracts with computer vendors.
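Several of the items above (access levels set by job, a maintained list of users and their access, deactivation when a person leaves) describe one control: role-based access with least privilege. The following is an added illustration written for this page; it is not part of the toolkit or of any EMR product. It shows how an EMR’s access layer would enforce the control: permissions attach to job roles, not to individuals; the user registry records identity, role and status but never passwords; a departed employee is deactivated rather than deleted so the audit trail still resolves; and every access decision is logged. The role names, permission names and identifiers are made up for the example.

```python
"""Role-based access to an EMR with least privilege, an active-user registry,
deactivation on departure and an audit trail of every decision.
Added illustration, not part of the toolkit; all names are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions are granted to job roles, never to individual people.
# Hypothetical role set for a small practice.
ROLE_PERMISSIONS = {
    "physician": {"chart:read", "chart:write", "orders:write", "release:approve"},
    "medical_assistant": {"chart:read", "vitals:write"},
    "front_desk": {"demographics:read", "schedule:write"},
    "billing": {"demographics:read", "claims:read"},
}


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True  # never deleted, only deactivated


@dataclass
class AccessControl:
    # The required "list of users and their level of access". It records
    # identity, role and status only; passwords are never stored here.
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_user(self, user_id: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users[user_id] = User(user_id, role)

    def deactivate(self, user_id: str) -> None:
        # Deactivate rather than delete so old audit entries still resolve.
        self.users[user_id].active = False

    def permissions_for(self, user_id: str) -> frozenset:
        """Effective permissions: none for unknown or deactivated users."""
        user = self.users.get(user_id)
        if user is None or not user.active:
            return frozenset()
        return frozenset(ROLE_PERMISSIONS[user.role])

    def check(self, user_id: str, permission: str, patient_id: str) -> bool:
        """Decide one access request and record the decision either way."""
        allowed = permission in self.permissions_for(user_id)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "patient": patient_id,
            "permission": permission,
            "allowed": allowed,
        })
        return allowed

    def access_report(self) -> list:
        """The reviewable user list: (user_id, role, active), no secrets."""
        return sorted((u.user_id, u.role, u.active) for u in self.users.values())


def demo() -> AccessControl:
    """Constructed scenario: an assistant reads a chart, tries to write an
    order, then leaves the practice and is deactivated."""
    ac = AccessControl()
    ac.add_user("ma01", "medical_assistant")
    ac.add_user("dr01", "physician")
    ac.check("ma01", "chart:read", "pt-0001")     # allowed by role
    ac.check("ma01", "orders:write", "pt-0001")   # denied: not in role
    ac.deactivate("ma01")                         # departure
    ac.check("ma01", "chart:read", "pt-0001")     # denied: deactivated
    return ac


if __name__ == "__main__":
    ac = demo()
    for entry in ac.audit_log:
        print(entry)
    print(ac.access_report())
```

Denials are logged as well as grants; a pattern of denied requests from one account is exactly the kind of evidence an internal-threat review needs, and the report lists roles and status without exposing any credential.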

Check your state’s laws on whether healthcare providers may create, maintain, transmit, receive and store medical records in electronic format without maintaining duplicate paper copies, and whether a paper print-out of an electronic record is treated as an original for purposes of providing copies to patients or other authorized parties and for introducing the records into evidence in administrative or court proceedings.

For additional information regarding certification standards for electronic health records systems, contact the Certification Commission for Health Information Technology (“CCHIT”) at

Authorization for release of medical information–checklist for compliance

The HIPAA Privacy Rule provides that the healthcare provider generally must furnish a complete and current copy of the record to a third party upon the patient’s written request.

The patient must identify the records to be released and the person or class of persons that may receive copies of them.

To release copies, the physician must be provided with an authorization signed by the patient or an appropriate personal representative. Under the HIPAA Privacy Rule, physicians must treat personal representatives as the patient for matters relating to medical records access and release. Examples of personal representatives include, but are not limited to, parents of minors, executors of deceased patients’ estates, and persons holding a Durable Power of Attorney for Healthcare. The HIPAA privacy regulations require the following elements to be present in a proper authorization for release of medical information. You may find this checklist useful to ensure that a medical release you have received complies with the privacy regulations.

Authorization Form Checklist

A valid authorization must contain at least the following core elements (45 CFR § 164.508(c)(1)):

  • A specific and meaningful description of the information to be disclosed.
  • The name (or other specific identification) of the person(s) or class of persons authorized to make the requested use or disclosure.
  • The name (or other specific identification) of the person(s) or class of persons to whom the physician may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when the individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
  • An expiration date or an expiration event that relates to the individual or to the purpose of the use or disclosure.
  • The signature of the individual and the date. If the authorization is signed by a personal representative of the individual, a description of the representative’s authority to act for the individual must also be provided.

It must also contain the following required statements (45 CFR § 164.508(c)(2)):

  • The individual’s right to revoke the authorization in writing, and either (a) the exceptions to the right to revoke and a description of how the individual may revoke the authorization, or (b) a reference to the physician’s notice of privacy practices.
  • The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.
  • The potential for information disclosed under the authorization to be redisclosed by the recipient and no longer protected by the Privacy Rule.

The authorization must be written in plain language. If it is the physician who seeks an authorization from a patient for a use or disclosure of protected health information, the physician must provide the patient with a copy of the signed authorization (45 CFR § 164.508(c)(3) and (c)(4)).

Release of confidential information

Patient medical information is confidential. There are state and federal laws that govern the release of such information to protect the patient and the physician. Subject to certain exceptions, medical information may be released only upon written patient authorization. It is recommended that the authorization be updated at a minimum annually.

There are a number of situations in which medical information may be released without patient authorization. Some of those exceptions will be addressed in following sections. If unsure about whether to release a patient’s medical information, it is always best to err on the side of protecting the patient’s confidentiality. If there are any questions regarding release of medical information, the physician should contact legal counsel or his/her professional liability insurance company for advice.

Destruction of records

It is suggested that the physician review office records before allowing them to be destroyed, to be sure that the record will not be required for patient care or to defend a medical professional liability lawsuit.

Records should be destroyed either by shredding or by incineration. Special care should be taken to ensure that patient confidentiality is maintained throughout the destruction process. Under HIPAA, the practice should execute a business associate agreement with any company hired to destroy medical records. A manifest or list of the medical records that were destroyed should be developed and maintained permanently.

The original record should never be given to the patient. If the patient needs a record, provide a copy and retain the original in accordance with the guidelines set forth in the section concerning “Record Retention”; when the original is no longer required, it should be destroyed as described above rather than handed over. Giving the patient only a copy prevents alterations to the record that could later be alleged to have been made by the physician.

Record retention

How long medical records must be kept is determined by the potential use of the record and by specific legal requirements. Unless state statutes require that medical records be retained for a longer period, MagMutual requests that our policyholders retain patients’ medical records for 10 years from the date of the last patient visit or medical record entry. This includes the medical records of deceased patients.

Regardless of that period, medical records should be kept indefinitely, or at least until the applicable statute of limitations or statute of repose has expired, in the following situations:

  • With adverse or less than desirable outcomes
  • When patients are unhappy with results
  • Any time a patient threatens or files a lawsuit

Abbreviations

Every medical office should have an approved list of standard abbreviations for use in medical records. When healthcare practitioners use unusual or non-standard abbreviations, the quality of communication suffers and patient care can be compromised.

Guidelines to follow regarding the use of abbreviations include:

  • Using abbreviations easily recognized by all healthcare providers.
  • Avoiding the use of ambiguous abbreviations or abbreviations known only to yourself or a few others.
  • Developing a list of approved abbreviations for use in the medical office which should be consistent with abbreviations used in the hospital(s) with which the physician(s) has privileges.

NOTE: Abbreviations should not be used on informed consent forms or in any other communication with the patient.


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.