HIPAA Best Practices for Diagnostics Involving EMR/EHR

Keep your PHI data safe at every point
Diagnostic Testing Can Create Data Protection Problems

HIPAA Compliant Applications for Tests 

Lab results and diagnostic test data are among the most common types of PHI created. Lab information entered into an EMR/EHR can come from many sources, including on-site labs, remote labs, radiology, and at-home devices, and it can pass through many different systems and devices on the way. At every step it must be handled according to HIPAA requirements, and your business depends on that. This can be difficult to accomplish, especially when national and regional laws apply on top of HIPAA.

While this might all be daunting, protecting PHI data can be done. Just as important, it can be customized to the specific scenarios that individual labs and medical facilities require. Let’s take a look at the most common problems and how they can be solved. 

Securing Doctor Permissions For Procedures

Doctor Approval

Most lab tests will require pre-approval from a doctor or medical professional to verify it’s okay for a person to take the test or get an exam. These requirements can be extensive, including a registration process to verify that the patient has the medical conditions they are claiming. 

Because of this, doctors and patients may need to complete a detailed registration process and questionnaire via a patient or doctor portal. Or they may have to verify certain information upfront regarding their physical location. In the United States, different states can regulate lab tests and what treatment and medicine options are available. 

Making Sure Patients Are Eligible

Identification Verification

Patient identification and location verification are other important steps before a test is performed. This can be as simple as verifying the patient's mailing address, or performing a GeoIP lookup on the requesting IP address as a coarse sanity check against the shipping address. Note that GeoIP only gives an approximate location for the IP and is easily changed by a VPN or proxy, so it should supplement address verification rather than replace it. Software can record the IP address of the request, verify the email address, or consult public records to confirm that the address given is actually the patient's.

What can be done if these options fail? Perhaps the user's information is legitimate, but their identifying data is not available in a trusted format. Improper verification of a patient's identity can lead to major fines; always keep a HIPAA checklist or lawyer close by, and make sure these requirements are built into the platform you use. The platform must be able to recognize when automated verification has failed and hand the case to a human for other kinds of identification, rather than silently proceeding.


Keep Data Safe

HIPAA-covered data has to be kept safe at every point of the process. Be sure to find a healthcare app developer that can show you how it’s done.

The best patient portals are also the best doctor portals

Secure Transfer of Information


Contact with a patient goes beyond the information included in the test itself. This can include email workflows whose messages contain no PHI at all, only links that let the patient and the relevant medical professionals authenticate their identity on the portal. Email should be treated as an untrusted channel, so the link itself should be short-lived and single-use and should carry no patient data in the URL. Based on their access rights for this particular patient, users can then update records, upload information, or pull information from connected systems. (This is often done via portal integration through which all of this information can be accessed.) Once someone has verified that they meet the criteria set by both government entities and medical professionals, the medical website or app can enable a workflow through which the patient receives the test. This can be done through a multi-location lookup, so that the patient can go to one of several physical locations to take the test and then have the results shared back into the patient portal.
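The PHI-free email workflow described above, written out as an added example (this is not Clarity's code or any product's API). It assumes a hypothetical portal at https://portal.example, a 15-minute link lifetime, and an in-memory table of pending links; the email body and the ids used in the test are constructed sample data. Only a hash of the token is stored, the link is single-use, and nothing in the URL or the message identifies the patient or the test.

```python
"""PHI-free notification links: single-use, expiring, opaque tokens."""
import hashlib
import secrets
import time
from dataclasses import dataclass

LINK_TTL_SECONDS = 15 * 60  # assumption: links expire after 15 minutes


@dataclass
class PendingLink:
    subject_id: str   # internal patient/clinician id; never placed in the URL or email
    purpose: str      # what the link unlocks, e.g. "view-results"
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues links for email and redeems them once.

    Only a SHA-256 digest of the token is stored server-side, so a leaked
    table of pending links cannot be turned back into working URLs.
    """

    def __init__(self, base_url: str, clock=time.time):
        self._base_url = base_url
        self._clock = clock  # injectable so expiry can be tested offline
        self._pending: dict[str, PendingLink] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, subject_id: str, purpose: str) -> str:
        """Create a link for subject_id. The URL carries only the random token."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = PendingLink(
            subject_id, purpose, self._clock() + LINK_TTL_SECONDS
        )
        return f"{self._base_url}/verify?t={token}"

    def redeem(self, token: str):
        """Return (subject_id, purpose) exactly once, or None if the token is
        unknown, already used, or expired."""
        link = self._pending.get(self._digest(token))
        if link is None or link.used or self._clock() > link.expires_at:
            return None
        link.used = True  # burn before returning so a replay cannot succeed
        return link.subject_id, link.purpose


def notification_email(link_url: str) -> str:
    """Message body that carries no PHI: no name, test type, result or site."""
    return (
        "A new item is waiting for you in the patient portal.\n"
        f"Sign in to view it: {link_url}\n"
        "This link expires in 15 minutes and can be used once."
    )
```

After redemption the portal still has to establish a real session (password, device, or other factor) before showing PHI; the link only proves possession of the mailbox, which is why the token's purpose is recorded and checked rather than granting blanket access.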

For some tests, a test kit will be sent to the patient's physical address. There might be legally binding stipulations for this, such as the patient having to be physically present and sign for the package. HIPAA compliant correspondence can give them options for scheduling and coordinating when the shipment will arrive. Alternately, a test might have to be picked up from the medical facility and then administered at home; perhaps the test must be kept at a certain temperature under professional supervision. In all of these cases, processes can be put in place so that the platform sends reminders and provides resources via a HIPAA compliant website.

Healthcare app developers must be careful

Securing HIPAA Apps 

Whenever healthcare app developers work with medical organizations that handle PHI, there may be advanced requirements concerning the physical devices that need to connect securely and pass data into a mobile application. The data that the medical application holds on the device needs to be protected while it sits in a cache or a data store, not only while it is in transit. The transfer itself can also be a PHI risk while data moves from a Bluetooth-connected device to the server, so in some cases the patient may need to bring the device to the doctor’s office for the data to be transferred securely.

However the information is transferred, the medical app developer needs to make sure that it is secured at each step of the process and that a mechanism is in place for logging who accesses the data after it has been pushed to the different locations. Every access must be authenticated and authorization firmly enforced, and the log should record denied attempts as well as successful ones so that probing can be detected.

Keep medical devices safe and secure

Medical Facility Mobile Device Security

Once the medical facility has PHI data in its system, the data is often pushed and pulled within the organization. It may be shared between doctors’ offices or accessed by locations across the region that belong to the same medical group. That data needs to be secure whenever different users view it. There may be tablets or other client terminals throughout the facility and across the entire caregiving process. Any information held by HIPAA mobile apps on these client devices (tablet, mobile phone, laptop, PC terminal) must be kept secure at all times.

It's very important to have the right authentication in place so that transferred data is accessible only after a user has been authenticated and is authorized for that patient. Every HIPAA-covered entity must be careful whenever data is stored anywhere, even for a very short time. Planning must cover where the data will “live” at each location and what the risk is in each of those locations.
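The authenticated, authorized and audited access that this section and the "Securing HIPAA Apps" section above both call for, as an added example (not Clarity's code). It assumes a hypothetical in-memory record store with two roles, "patient" and "clinician", where a patient may read only their own records and a clinician only records of patients on their care team; the record ids, user ids and lab value are constructed sample data. Every attempt, allowed or denied, including unauthenticated ones, is written to the audit log.

```python
"""Access to PHI records: authenticate, authorize per patient, audit every attempt."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # assumption: "clinician" or "patient"


@dataclass
class AuditEvent:
    at: float
    actor: str
    record_id: str
    action: str
    outcome: str  # "allowed" or "denied"
    reason: str = ""


class RecordStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._records: dict[str, dict] = {}        # record_id -> {"patient_id", "body"}
        self._care_team: dict[str, set[str]] = {}  # patient_id -> clinician ids
        self.audit_log: list[AuditEvent] = []      # append-only in a real deployment

    def add_record(self, record_id: str, patient_id: str, body: str) -> None:
        self._records[record_id] = {"patient_id": patient_id, "body": body}

    def assign_clinician(self, patient_id: str, clinician_id: str) -> None:
        self._care_team.setdefault(patient_id, set()).add(clinician_id)

    def _log(self, actor, record_id, action, outcome, reason=""):
        self.audit_log.append(
            AuditEvent(self._clock(), actor, record_id, action, outcome, reason)
        )

    def _authorize(self, session: Session, record: dict):
        """Return (allowed, reason). Authorization is per patient, not per role."""
        if session.role == "patient":
            return session.user_id == record["patient_id"], "not the patient's own record"
        if session.role == "clinician":
            team = self._care_team.get(record["patient_id"], set())
            return session.user_id in team, "not on the care team"
        return False, "unknown role"

    def read(self, session, record_id: str) -> str:
        """Return the record body, or raise PermissionError. Always logs."""
        if session is None:
            self._log("anonymous", record_id, "read", "denied", "unauthenticated")
            raise PermissionError("authentication required")
        actor = session.user_id
        record = self._records.get(record_id)
        if record is None:
            # Same exception as an authorization failure, so callers cannot
            # enumerate record ids by distinguishing "missing" from "forbidden".
            self._log(actor, record_id, "read", "denied", "no such record")
            raise PermissionError("access denied")
        allowed, reason = self._authorize(session, record)
        if not allowed:
            self._log(actor, record_id, "read", "denied", reason)
            raise PermissionError("access denied")
        self._log(actor, record_id, "read", "allowed")
        return record["body"]
```

The check is made against the specific patient on every read rather than once at login, which is what stops a clinician's valid session from being used to browse records of patients they are not treating. The in-memory log is for illustration; a deployment would write the same events to append-only storage that the application account cannot rewrite.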


Protect PHI Data

Clarity knows how important it is for covered entities to adhere to HIPAA best practices. We’ll show you the solutions we’ve created for medical facilities across the country and across the globe.

Schedule a Demo
Clarity has extensive experience as healthcare app developers

Work With Experienced Medical App Developers

Dealing with physical devices that are interacting in a medical organization and with different users who may be using these devices can be a difficult prospect for medical facilities, which is why it’s so important to work with medical app developers that can provide the best PHI data protection possible. Clarity is ready to show you the steps it takes to make patient EMR/EHR safe. Contact us today.