One of the pervasive considerations with electronic medical records (EMR) is protecting the privacy of the individual. People seem to get very nervous about security issues with electronic records, and when you hear about data breaches in the news, some of that fear is not totally unrealistic. However, electronic medical records offer the opportunity for security, auditing, and tracking disclosures that is often not possible with paper records.
With current technology, we have the capability to send electronic medical records to collaborating medical partners, health plan administrators, ancillary care providers, and a variety of other organizations that use patient data. How do we protect this data? How do we address security of our electronic systems? These questions were some of the initial concerns with the creation of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
HIPAA was enacted to help establish national standards for EMRs, especially in relation to funding of healthcare services and protection of the information held by covered entities. In an effort to better understand HIPAA and the relation to the camp setting, two components need to be defined:
- Covered entity: any person, business, or agency that furnishes, bills, or receives payment for healthcare in the normal course of business and transmits any covered transactions electronically.
- Covered transaction: transactions for which standards (45 C.F.R. Part 162) have been adopted. These transactions involve:
a. health care claims
b. eligibility for a health plan
c. referral certification and authorization
d. health care claim status inquiry/response
e. enrollment or disenrollment in a health plan
f. health care payment and remittance advice
g. health plan premium payment transaction
h. coordination of benefits transaction
These covered transactions deal most specifically with the financing of healthcare services and the sharing of medical information that will help to determine funding requirements. Camps will need to consider their role in the funding of healthcare services and the impact of HIPAA on the security of medical records. If an individual camp facility does not charge for their healthcare services, much of HIPAA is not applicable. However, if a camp bills insurance or other sources for payment or funding, they would then be considered a “covered entity” and would be required to adhere to the requirements as set forth in HIPAA. Before attempting to develop an entire response plan for HIPAA in your organization, ask other healthcare organizations in your area if they would be willing to share their established plans. Most organizations are willing to help by sharing their expertise in areas related to protected health information (PHI) and protection of patients.
Many camps may identify that they do not meet the requirements of a “covered entity,” and therefore, are not required to adhere to the many HIPAA requirements. It would be wise, however, to consider the safeguards discussed in the act as important efforts for securing any PHI. HIPAA has two security rules: the privacy rule and the security rule. The privacy rule addresses both electronic and paper copy records and encourages us to disclose the minimally necessary health information to achieve our purpose.
Several questions emerge when considering the privacy rule because camps may need to send campers for offsite health services and will need to share medical information regarding the camper. Who will have access to a camper’s medical information? How will you share the information? What will you need to share? Will you have the ability to electronically transmit that information to the offsite health center, and if so, how are those transactions protected? Each camp should evaluate individual processes and consider establishing systems that attempt to maintain the privacy of PHI to the best of our ability.
The security rule deals specifically with electronic records and addresses administrative, physical, and technical safeguards. Some of these safeguards are valid and useful considerations for a camp. Questions to consider include:
- How will you determine who will have access to the medical records? Will there be required training regarding privacy considerations?
- Do you have a contingency plan for emergencies in order to safeguard electronic records and/or retrieve electronic records? What disaster recovery procedures are in place to protect electronic records?
- Are there controls for introducing or removing hardware, software, or data from the network?
- When equipment is retired, how is it disposed of (or repurposed) properly to ensure that PHI is not compromised?
- Have you considered a policy related to proper workstation use?
- Are computer screens away from high traffic areas and not in direct view of the public?
- Are you using some form of encryption when transmitting information so PHI is protected from intrusion?
- Are there systems in place not allowing critical data and information to be changed (i.e., documentation by healthcare provider)?
- Have you carefully considered the risks associated with EMRs? Should you establish a written risk management plan or integrate EMRs into your existing risk management plan?
Electronic medical records are the way of the future. EMRs have the ability to provide access to the right information by the right people and keep an audit trail of those activities. With electronic information, we will be able to analyze data regarding illnesses, injuries, and accidents. Electronically trending data will allow us to establish systems that can improve the safety of the camp experience for campers and staff and hopefully provide a timely response to health events when they do occur. Access to PHI that is accurate, up to date, and timely is essential to providing a quality camp experience and will be a driving force for the future
Check out new training opportunities available through the e-Institute in ACA’s Professional Development Center — www.ACAcamps.org/einstitute . CECs are available for all online courses and webinars. An April webinar will address technology in camp health care.
Visit the “Healthy Camp Toolbox” to learn more about ACA resources related to camp health care — www.ACAcamps.org/research/enhance/reduce-injury-illness .
The Healthy Camp Study is generously sponsored by Markel Insurance Company.
Tracey Gaslin RN, PhD, CRNI, CPNP is a professor and a certified pediatric nurse practitioner specializing in camp nursing, pediatrics, and children with bleeding disorders. She is currently the medical director at The Center for Courageous Kids and serves as the education chair for the Association of Camp Nurses.
Stuart T. Weinberg, MD, FAAP, is an assistant professor in the Departments of Biomedical Informatics and Pediatrics at the Vanderbilt University School of Medicine. Dr. Weinberg has over forty-five years of experience with the camp community as a camper, staff, board member, volunteer, and consultant, and seventeen years of clinical experience as a pediatric resident, hospitalist, and outpatient clinician.
Dr. Gaslin and Dr. Weinberg are also members of the Healthy Camp Education and Monitoring Project Committee.
Center for Medicare & Medicaid Services. (2011). Covered entity charts. Retrieved from http://www.cms.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf 
US Department of Health and Human Services. (2011). The privacy rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html 
US Department of Health and Human Services. (2011). The security rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html 
US Department of Health and Human Services. (2011). Understanding health information privacy. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html