An internet television program that explores the intersection of medicine and the law.

Best Practices for Maintaining HIPAA Confidentiality in Regard to EMRs

By Whitman Johnson to EMR/EHR


In this episode, Healthcare Matters interviews ALL MD attorney Whit Johnson on best practices for maintaining HIPAA confidentiality in regard to electronic medical records.

Johnson is a shareholder at CURRIE, JOHNSON, GRIFFIN & MEYERS P.A. He practices law in Mississippi, specializing in trial work, with a focus on the defense of physicians, hospitals and other health care providers from claims of medical negligence. Johnson was recognized in 2011 as “Lawyer of the Year” by Best Lawyers in the field of medical malpractice law.

Johnson is a charter member of the Association of Liability Lawyers in Medical Defense (ALL MD), a nationwide organization that connects healthcare providers with attorneys who specialize in medical malpractice defense.

Question 5 of 5

Interview recorded June 30, 2015


Mike Matray: Hi, I’m Mike Matray, your host of Healthcare Matters, where the medical and legal communities come together to discuss health care matters. Today’s guest is Whit Johnson. Whit is a shareholder with Currie Johnson Griffin & Myers in Jackson, Mississippi. Welcome to the program, Whit.

Whit Johnson: Thanks, glad to be here.

Mike: HIPAA data breaches are emerging as one of the largest systemic risks a hospital or group faces in the modern healthcare delivery system. What risk management advice would you give physician clients for maintaining HIPAA confidentiality with their EMR system?

Whit: There’s actually some good news on that, because I think the law recognizes that a lot of the time in these breaches what happens is you have someone within the facility, or someone within the physician’s office, who is using the medical records for their own purpose, for their own reason, just being nosy, whatever. And they tend to be a little bit protective of physicians or hospitals who do a good job trying to place that, and who take action after the fact to show that it’s not something that will be tolerated. So keeping that in mind, I think the first thing you have to do is you have to get every employee, even the old ones who’ve been there forever, you’ve got to get everyone to sign a very strict confidentiality statement. It’s something we actually do in our office. You make them sign something, you put it in the employee manual, then you make them sign something saying “I understand that the information within this office is confidential, it’s protected by Federal Law, it’s protected by State Law. I understand I can only use it for the purposes within this office. I understand I cannot access it except for the purposes within this office.” Something that is very firm, and finite, and leaves no question about their responsibilities.

Next, I think you need to make them understand what you just asked me about, which I doubt a lot of doctors understand, and that is the metadata situation, and the audit trail. They need to understand that they cannot do anything on that system without that system remembering it forever. And that you as a physician will be able to tell who got into the system, when they got into the system, where they got into the system from, what they looked at. You can tell exactly what was accessed, so they need to understand that, because I suspect a large part of this is people thinking, well, I can go to the file. They can go to the hard copy file, and look, and nobody will ever know. You can’t do that with the EMR.

Next, I think you have to have a very strict password situation. I don’t know what doctors’ offices require. Interestingly, a lot of our carriers, and our own malpractice carrier, require us to have various password requirements, including on our mobile devices, because our mobile devices are a lot of times hooked to the internal server here in the office. So you have to have passwords on your phone, you have to have passwords on your computer, and some of our carriers require the passwords to be changed every so often. So you have to have a very strict password situation. I think you need to be sure that each of your employees understands that inappropriately accessing someone’s electronic medical record is a firing offense, and it is a firing offense on the first offense, without any excuse, without any rationalization. And the reason for that is if the facility or the doctor’s office does not fire that person on the first offense, they can be deemed to have ratified that person’s actions, and now they have lost the protection that the courts will generally try to give to a group that’s trying to do the right thing.