While most people use the two acronyms EMR and EHR interchangeably, there is a difference between them, and how you must protect each differs as well.
What is EMR? Electronic Medical Records are the digital version of the paper charts in a doctor’s office, which contain the medical and treatment history of a patient at that single practice. The advantage of having this information digitally is for storage, efficiency, and the macro view it gives a medical provider of the individual patient’s life including blood pressure readings, vaccinations, and what preventative screenings are needed. EMR also allows the practice to see trends and the overall quality of care for all patients within the practice such as the percentage of patients that need a tetanus shot.
What is EHR? Electronic Health Records are the digital files that focus on the total health of the patient, including a patient’s mental state. These records are designed for access outside a single office. Information from the primary care provider can tell an emergency room worker about a patient’s life-threatening allergy and recent treatments if the patient is unable to speak. EHR can also eliminate duplicate tests ordered by multiple doctors and can warn of potential conflicts between prescriptions.
HIMSS Analytics (https://www.himssanalytics.org/), a healthcare research company, states that, “EHR represents the ability to easily share medical information among stakeholders and to have a patient’s information follow him or her through the various modalities of care engaged by that individual. EHRs are designed to be accessed by all people involved in the patient’s care—including the patients themselves.”
What term should you use – EMR or EHR?
Because most medical practices need to share records with other entities, such as laboratories and consulting specialists, many practices and hospitals only use the latter term, EHR.
Protecting EMR & EHR
Keep in mind that both EMR and EHR are ePHI (Electronic Protected Health Information), so HIPAA requires all Covered Entities (CEs, the medical providers) and Business Associates (BAs, their vendors) to protect that information or face a minimum fine of $50,000 per incident per year. (Learn more: What is HIPAA?)
At a high level, you must make your best effort to protect all PHI (Protected Health Information). Luckily, HIPAA understands the difference in scale between a single practitioner and a large hospital. Yet, ignorance of the regulations is no excuse.
Because EMR (Electronic Medical Records) does not leave a medical provider’s office, protecting it means “building a fortress”, both around the physical office and around your network. You need to keep your server in a secure place, away from patients and employees who should not have access to patient records. All workstations and mobile devices that hold patient records should require a login or passcode and have an encrypted hard drive. Protect your network with a firewall and other cyber security best practices such as anti-virus and patch management.
Since EHR (Electronic Health Records) is made to be shared, you also need to protect the connection between your office network and the recipient’s network. You can achieve a secure connection by sending encrypted emails that require the recipient to log in to a system to access the information. For example, you can send a PDF file of a patient’s test results to a consulting physician, and that physician must enter their username and password to see the results. Without that login, you cannot verify the security of wherever the information is received; this is why you cannot text a patient their own Protected Health Information (PHI).
To learn more about what your medical practice must do to protect EMR and EHR, I suggest you read our blog post, 11 Steps You Legally Must Do to Protect ePHI & PHI.
A good IT firm can help you stay compliant and protect your EMR and EHR. Be wary, though: most IT firms do not understand HIPAA regulations. Start by asking any IT firm you work with, or are looking to work with, whether they are HIPAA compliant themselves (which they legally must be to work with you). A telltale sign that they are not compliant is that they do not ask you to sign a Business Associate Agreement (BAA).