HIPAA Compliance & EHRs: Excellent Solutions to Thorny Problems


I’ll let you in on a secret: Electronic Health Records (EHRs) can be a big help with HIPAA compliance. In fact, using stand-alone tools in your practice may make achieving HIPAA compliance difficult, if not impossible.

Here’s why:

By now, most mental health professionals are using at least one digital tool in their practice. Many have a video product for occasional or full-time telehealth sessions. To complement that, we have added digital tools for common tasks like accepting credit cards or sending digital statements. Some have acquired more advanced tools like apps for creating custom forms and collecting e-signatures. Others, aware of the importance of using encrypted email, texting and file storage, found stand-alone tools for each of those. In short, instead of an up-front investment in an integrated product, many of us amassed our tools one at a time as we saw the need. At this point, we might have a set of tools that includes some or all of these:

Stand-Alone Apps (image): this scenario is NOT HIPAA compliant

Keep in mind that EACH of the above tools holds data that is part of the patients’ medical record, because they all store ePHI (electronic protected health information). In other words, the medical record is not JUST the notes we keep on our patients. It’s also every email or text we exchange with or about them, billing statements and insurance claims, files we exchange and forms we ask them to sign. All of that is part of their medical record.

An integrated app like an EHR differs from the scenario above because it allows one secure application to store the patient’s complete medical record. That one app might offer all the same tools listed above, but it combines them into a single program, like this:

An Integrated Tool (image)

How an integrated app helps with HIPAA Compliance

Previous posts have discussed some of the obvious advantages of the integrated approach (e.g., Integrated Products for Mental Health: Save Time, Money, Errors). However, an especially thorny, though not often discussed, issue with Stand-Alone apps is HIPAA compliance.

For example, consider these HIPAA standards which are all part of the Security Rule:

HIPAA Security Rule: Audit Controls (45 CFR § 164.312(b))

The Audit Controls technical safeguard standard is required, i.e., we all have to do it. There is no wiggle room. The standard requires mechanisms that record and examine activity in any information system that contains or uses ePHI. For those of us in private practice, that means every app we use that comes in contact with PHI. We need to be able to show who accessed each of those programs, what they did there and when they did it. Logging like this needs to be automated within the program itself so that each event carries a time/date stamp generated by the software, not typed in by a person after the fact.

If you are using stand-alone tools, such as any of the eight sample tools shown in the top image, you would have to find a way to produce a log of this kind for each tool. Many – perhaps most – of those tools will not have a logging feature that meets the HIPAA standard, and if your tools do NOT provide audit tracking, you will not be in compliance. You might be able to find a product that logs activity on your device itself, but such a log would only show that you opened a given program. It would not tell you what was done while you were inside the app.

How integrated tools help: Most EHRs have some kind of activity log report or feature that provides you with an Audit Control for the EHR. The screenshot below was taken from the Activity Log of the PSYBooks EHR and is for a fake client named Gobbledy Gook:

An activity log required for HIPAA compliance (image)

PSYBooks created this log automatically, behind the scenes, capturing all significant events this user performed during this time frame. This makes meeting the standard quite easy. Any time you need to show what was done in the app and by whom, you just pull the log that PSYBooks has maintained for you. Every event carries a system-generated time/date stamp, so the log is a record you can produce for an auditor or, if it ever came to that, in a legal proceeding. Most EHRs, but very few stand-alone tools, provide what you need to be in compliance with HIPAA’s Audit Controls standard.

HIPAA Security Rule: Integrity Controls (45 CFR § 164.312(c))

Integrity Controls is another technical safeguard standard within HIPAA’s Security Rule. The objective of Integrity Controls is to protect ePHI from unauthorized modification, deletion, or corruption. Data in a medical record must be complete, unaltered, and accurate throughout its lifecycle. (“Lifecycle” refers to the amount of time we are required to keep a medical record. HIPAA itself requires six years of retention for its own compliance documentation; how long the medical record must be kept is set by state law and licensing boards, and in most cases it is seven or more years.) This means that any healthcare app you’re using would need to provide a way for you to demonstrate that the integrity of the PHI stored by that tool is intact. Many stand-alone tools do NOT provide a way to prove the integrity of the data, which, again, puts you in violation of HIPAA.

How integrated tools help: Most EHR systems offer a means to preserve all data within the record. You can archive, hide, or even “delete” items you no longer require. However, assuming the EHR is of high quality, it will always retain and make deleted data accessible for viewing. The screenshot below shows another portion of Gobbledy Gook’s PSYBooks Activity Log – this time, with an entry for a deleted note:

Clicking the link “Deleted note: Medical Record: 07/23/2023” opens a copy of the deleted note. The entire content of the original note is still intact. EHRs with this feature, including PSYBooks, take care of this HIPAA requirement behind the scenes with no extra work on your part.

Without an EHR, it would be up to you to make sure that each of the stand-alone apps you’re using meets this requirement. Again, most probably will not.

HIPAA Security Rule: Access Control (45 CFR § 164.312(a)(1))

HIPAA defines our “workforce” as anyone under our direct employ or supervision, even if we do not pay them. The Access Control technical safeguard standard can be handled most effectively with role-based controls. The aim is to tailor each individual’s access to only the portion of data they need to perform their job/role.

For example, a billing person usually has no need to see assessment results. A scheduler is unlikely to need access to the billing person’s data. Even in cases where there’s only one employee for all roles, there should still be permissions. For example, an admin typically does not need access to the therapist’s notes.

This standard overlaps a bit with the Audit Controls standard in that assigning role-based permissions also lets you see who accessed your system and when. Unique user identification is a required implementation specification of the Access Control standard, so it is never acceptable to let a workforce member use your username and password to access your apps. You need to be able to identify each individual person who accesses your ePHI.

How integrated tools help: Most EHRs have a way to assign role-based access to your workforce members. Additionally, within role types, you can specify the permissions you want each individual to have. Stand-alone tools often do not offer a way to assign roles or permissions, so they may make satisfying this requirement challenging.
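The three standards above (Audit Controls, Integrity Controls and Access Control) are easier to see together than separately, because one piece of machinery serves all three: every action is taken under an individual login, checked against that person’s role, and written to a system-stamped log, and “delete” hides a note without destroying it. The following is an added example written for this post, not PSYBooks code or a description of how PSYBooks is built. The roles, permission names, user names and the sample client are invented for the illustration, and the hash-chained log goes one step beyond what the post describes: it lets you detect later tampering with the log itself.

```python
"""Added example (not PSYBooks code): a toy in-memory EHR that demonstrates
role-based access control, a system-generated audit log and soft delete.
Roles, permission names, user names and the client name are assumptions."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Access Control: each role sees only what its job needs (names are invented).
PERMISSIONS = {
    "therapist": {"note:read", "note:write", "note:delete", "billing:read"},
    "billing": {"billing:read", "billing:write"},
    "scheduler": {"schedule:read", "schedule:write"},
}


class AccessDenied(PermissionError):
    """Raised, and logged, when a user's role lacks the needed permission."""


@dataclass
class Note:
    note_id: int
    client: str
    body: str
    deleted: bool = False  # soft delete: the body is never erased


class EHR:
    def __init__(self) -> None:
        self.notes: dict[int, Note] = {}
        self.audit: list[dict] = []  # append-only; each entry chains to the previous
        self._next_id = 1

    # Audit Controls: who, what and when, stamped by the system itself.
    def _log(self, user: str, action: str, target: str) -> dict:
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),  # system-generated stamp
            "user": user,
            "action": action,
            "target": target,
            "prev": prev,
        }
        # Hash chaining: editing or removing an earlier entry breaks every later hash.
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)
        return entry

    def verify_audit(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or re-ordered."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    # Every call names the individual user; there is no shared login to hide behind.
    def _require(self, user: str, role: str, perm: str, target: str) -> None:
        if perm not in PERMISSIONS.get(role, set()):
            self._log(user, f"denied:{perm}", target)  # failed attempts are logged too
            raise AccessDenied(f"{user} ({role}) lacks {perm}")

    def write_note(self, user: str, role: str, client: str, body: str) -> int:
        self._require(user, role, "note:write", client)
        note = Note(self._next_id, client, body)
        self._next_id += 1
        self.notes[note.note_id] = note
        self._log(user, "note:write", f"note {note.note_id} ({client})")
        return note.note_id

    def read_note(self, user: str, role: str, note_id: int, include_deleted: bool = False) -> Note:
        self._require(user, role, "note:read", f"note {note_id}")
        note = self.notes[note_id]
        if note.deleted and not include_deleted:
            raise LookupError(f"note {note_id} is deleted; pass include_deleted=True to view it")
        self._log(user, "note:read", f"note {note_id}")
        return note

    # Integrity Controls: delete hides the note, it does not destroy it.
    def delete_note(self, user: str, role: str, note_id: int) -> None:
        self._require(user, role, "note:delete", f"note {note_id}")
        note = self.notes[note_id]
        note.deleted = True
        # Record a digest of the retained body so a later reader can show it is unaltered.
        digest = hashlib.sha256(note.body.encode()).hexdigest()[:16]
        self._log(user, "note:delete", f"note {note_id} (body sha256 {digest}...)")


if __name__ == "__main__":
    ehr = EHR()
    nid = ehr.write_note("t_smith", "therapist", "Gobbledy Gook", "Session 1: intake.")
    try:
        ehr.read_note("b_jones", "billing", nid)  # billing role: denied and logged
    except AccessDenied as exc:
        print("denied:", exc)
    ehr.delete_note("t_smith", "therapist", nid)
    print(ehr.read_note("t_smith", "therapist", nid, include_deleted=True).body)
    print("audit chain intact:", ehr.verify_audit())
```

The two points a practitioner should take from this are that a denied attempt is an audit event just like a successful one, and that “delete” only flips a flag, so the deleted note can still be opened from the log exactly as the post describes. A real EHR would persist the log outside the application’s own database and restrict who can read it, since a log the same user can edit proves little.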


The examples above are only a few of the HIPAA standards that are difficult or impossible to meet without an integrated product. The PSYBooks EHR & Portal is solidly based on HIPAA and has been since its inception. If you’re considering upgrading to integrated, we’d love to show you around with a free demo. If you’d rather snoop around on your own, sign up for a free trial. Use Promo Code HIPAA to expand your free trial to 60 days and also receive additional free, encrypted storage.

We’d love to have you!

Published August 24th, 2023 | Categories: Current, Features, HIPAA/HITECH

About the Author:

Susan C. Litton, Ph.D. holds degrees in both psychology and IT. In addition to being the developer of the PSYBooks EHR & Portal, she's been a practicing clinical psychologist in Decatur, GA, since 1985.