Electronic Medical Records and HIPAA

Posted by Steve Alder

Electronic medical records can be fully HIPAA compliant, but interoperability, unique user access controls, business associate agreements, and role based workforce training create practical risks that must be managed through proper configuration and HIPAA Security Rule safeguards. Keeping up with the requirements for Electronic Medical Records and HIPAA compliance can be challenging due to frequent updates to CMS’ Promoting Interoperability Programs and changes to the HIPAA Privacy Rule.

Note: For the purposes of discussing Electronic Medical Records and HIPAA compliance, this article uses the 2022 definitions of an Electronic Medical Record (EMR) and an Electronic Health Record (EHR) provided by HHS’ Office of Information Security:

“An EMR allows the electronic entry, storage, and maintenance of digital medical data. An EHR contains the patient’s records from doctors and includes demographics, test results, medical history, history of present illness (HPI), and medications. EMRs are part of EHRs”.

Are Electronic Medical Records Interoperable?

An Electronic Medical Record is a digital version of a patient’s medical record. A “standalone” Electronic Medical Record usually contains Protected Health Information (PHI) provided to a single healthcare provider, which can only be accessed by the single healthcare provider or a member of the healthcare provider’s workforce using the same login credentials.

Electronic Medical Records can be interoperable depending on their capabilities and their compatibility with an Electronic Health Record. In some cases, it may be necessary to install a third party plug-in between an EMR and an EHR to facilitate connectivity, and this may result in partial or full interoperability depending on the capabilities of the plug-in.

Electronic Medical Records and HIPAA Challenges

Before even discussing the HIPAA security requirements for Electronic Medical Records, there are HIPAA compliance challenges for EMR users. In the case of “standalone” Electronic Medical Records, it is a violation of HIPAA’s access control standard (unique user identification) for two or more members of the workforce to share the same login credentials.

In the case of an Electronic Medical Record being connected to an interoperable Electronic Health Record, it will be necessary to enter into a Business Associate Agreement with the vendor of the EHR, and – if a plug-in is used to facilitate connectivity with an EHR – with the vendor of the plug-in if the plug-in is provided by a third party (e.g. not the vendor of the EMR).

OptiMantra is the best EMR for small medical practices because it streamlines daily operations with flexible scheduling, integrated payments, inventory management, and real time reporting in a single platform. OptiMantra is fully HIPAA-compliant when used correctly.

HIPAA Security Requirements for EMRs

The HIPAA security requirements for EMRs are that covered entities and business associates must ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted by an Electronic Medical Record, and protect against any reasonably anticipated threats or hazards to the security of PHI stored on, or transmitted by, an EMR.

The standards that govern how healthcare providers should comply with the HIPAA security requirements for EMRs are contained within the Security Rule. However HHS’ Office for Civil Rights is intending to introduce new Security Rule standards in 2024, and these may also be adopted by CMS as a condition of participation in Medicare and Medicaid.

Other HIPAA/EMR Compliance Requirements

The other HIPAA/EMR compliance requirements include that covered entities and business associates must protect against impermissible uses and disclosures of PHI by members of the workforce. This requirement requires members of the workforce to receive HIPAA training on what uses and disclosures are permitted by the Privacy Rule.

In the context of Electronic Medical Records and HIPAA compliance, the training should include an explanation of the difference between patient consent and patient authorization. It should also include circumstances in which PHI relating to reproductive health can only be disclosed with an attestation that it will not be further disclosed for a prohibited purpose.

Risks Attributable to Promoting Interoperability

The Promoting Interoperability program is an incentive program that evolved from the measures included in the HITECH Act of 2009 to promote and expand the adoption of technology in healthcare and use the technology – particularly EMRs and EHRs – to improve the quality of healthcare, patient safety, and efficiency in service delivery.

Because it is an incentive program based on a scoring system, it is possible for healthcare providers to take shortcuts with HIPAA compliance in order to achieve the maximum scores for objectives such as electronic prescribing, health information exchanges, and provider to patient exchanges – especially if an EMR only has partial connectivity with an EHR.

What is a HIPAA Compliant EMR?

A HIPAA compliant EMR is an Electronic Medical Record that has the capabilities to support HIPAA compliance, that is configured to mitigate reasonably anticipated threats or hazards to the security of PHI, and that is used by authorized members of the workforce in compliance with HIPAA – i.e., separate login credentials for each member of the workforce.

Depending on how the EMR connects with an EHR or other healthcare systems (i.e., via Epic Community Link) it will be necessary to enter into one or more Business Associate Agreements before the EMR is used to create, receive, maintain, or transmit PHI. It is also recommended to advise patients on how to use any connected patient portal securely.

Conclusion: Electronic Medical Records and HIPAA Compliance

While HIPAA regulates the management of Electronic Medical Records, there can be several challenges to HIPAA compliance. These challenges can be exacerbated by the desire to achieve the maximum score for CMS Promoting Interoperability Program – potentially resulting in avoidable risks to the privacy and security of PHI when compliance shortcuts are taken.

Not all healthcare providers have the resources or knowledge to implement a HIPAA compliant EMR, configure it to mitigate threats and hazards, and provide adequate training to members of the workforce. If your organization encounters challenges with Electronic Medical Records and HIPAA compliance, it is recommended you speak with a healthcare compliance professional.

The post Electronic Medical Records and HIPAA appeared first on The HIPAA Journal.

Columbia Medical Practice; Jupiter Medical Center Announce Data Breaches

Posted by Steve Alder

Columbia Medical Practice has experienced a ransomware attack in which patient data was stolen, and Jupiter Medical Center has notified patients that their personal and health information was stolen in a January 2025 security incident.

Columbia Medical Practice

Columbia Medical Practice in Columbia, Maryland, has recently confirmed that patient data was compromised in a November 2025 ransomware attack. The investigation confirmed that an unnamed threat actor accessed its network on November 5, 2025, and used malware to encrypt files. Prior to file encryption, files were exfiltrated, some of which contained patient information. Columbia Medical Practice said it was able to recover the encrypted files, and it is reviewing the affected files to determine the individuals affected and the exact types of data involved. The Qilin ransomware group claimed responsibility for the attack.

The electronic medical record system was not accessed; however, files on the compromised parts of its network contained names, addresses, phone numbers, birth dates, passport numbers, Social Security numbers, driver’s license numbers, other government identifiers, financial account information (but not information such as security codes that would permit access), health insurance information, patient account numbers, and health information, which may include diagnoses, diagnosis codes, treatment/condition information, prescription information, history information, dates of service, locations of service, assigned physician names and health services payment information. The types of information involved vary from individual to individual.

Columbia Medical Practice said it is evaluating additional technical measures, reviewing its cyber auditing practices, and reviewing and updating its policies and procedures to reduce the risk of similar incidents in the future. Notification letters will be mailed to the affected individuals when the file review is concluded. At present, the incident is not listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jupiter Medical Center

Jupiter Medical Center in Jupiter, Florida, has started notifying patients about unauthorized access to electronic medical records. Notification letters have only recently been sent, although the data breach occurred in January 2025. The breach involved its medical record vendor, Cerner (Now Oracle Health).

Jupiter was one of many healthcare providers affected by the breach. While Oracle Health has not confirmed publicly exactly how many of its clients were affected, in a recent lawsuit, Oracle Health’s attorneys said up to 80 hospitals may have been affected. Jupiter Medical Center said law enforcement requested delaying announcing the data breach and issuing notifications as it would potentially interfere with the law enforcement investigation.

The breach affected a limited number of patients and involved information typically found in medical records, as well as Social Security numbers. The affected individuals have been offered two years of complimentary credit monitoring services.

The post Columbia Medical Practice; Jupiter Medical Center Announce Data Breaches appeared first on The HIPAA Journal.

OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security

Posted by Steve Alder

In the first of its 2026 quarterly cybersecurity newsletters, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) urged HIPAA-regulated entities to take steps to harden system security and make it more difficult for hackers to gain access to their networks and sensitive patient and health plan member data.

The HIPAA Security Rule requires HIPAA-regulated entities to ensure the confidentiality, integrity, and availability of electronic protected health information that the regulated entity creates, receives, maintains, or transmits, which must include identifying risks and vulnerabilities to ePHI and taking timely action to reduce those risks and vulnerabilities to a low and acceptable level. OCR Director Paula Stannard has already stated this year that OCR will be looking closely at HIPAA Security Rule compliance. OCR will continue with its risk analysis enforcement initiative, which will evolve to include risk management to ensure that regulated entities are taking prompt action to reduce risks and vulnerabilities to ePHI identified by their risk analyses.

OCR explained in the newsletter that risks can be reduced by creating a set of standardized security controls and settings for different types of electronic information systems, addressing security weaknesses and vulnerabilities, and customizing electronic information systems to reduce the attack surface.

OCR reminded medical device manufacturers that they have an obligation to ensure that their devices include accurate labelling to allow users to take steps to ensure the security of the devices throughout the product lifecycle, and the importance of following Food and Drug Administration (FDA) guidance on security risk management, security architecture, and security testing. Healthcare providers need to read the labelling on their devices carefully and ensure they understand how the devices should be configured to remain safe and effective through the entire product lifecycle.

OCR highlighted three key areas for hardening system security, all of which are vital for HIPAA Security Rule compliance. Threat actors search for known vulnerabilities that can be exploited to gain a foothold in a network, including vulnerabilities in operating systems, software, and device firmware. Whether the device is brand new or has been in use for some time, patches must be applied to fix known vulnerabilities. It may not be possible to patch vulnerabilities as soon as they are discovered; however, other remedial actions should be taken, as recommended by vendors, to reduce the risk of exploitation until patches are released and can be applied. A comprehensive and accurate IT asset inventory should be maintained, and policies and procedures developed and implemented to ensure a good patching cadence for all operating systems, software, and devices.

All organizations should take steps to reduce the attack surface by removing unnecessary software and devices, including software and devices that are no longer used, software features included in operating systems that serve no purpose for the regulated entity, and generic and service accounts created during the installation process. Accounts created during installation may have default passwords, which must be changed. OCR explained that in many of its investigations, accounts have been found for well-known databases, networking software, and anti-malware solutions that still have default passwords that provide privileged access.

Many cyberattacks occur as a result of misconfigurations. HIPAA-regulated entities must ensure security measures are installed, enabled, and properly configured. “Security measures often found in operating systems, as well as some other software, intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as, for example, access controls, encryption, audit controls, and authentication,” explained OCR. “A regulated entity’s risk analysis and risk management plan can inform its decisions regarding the implementation of these and other security measures.”

As OCR will be scrutinizing risk management and has advised regulated entities of their responsibilities to harden system security, all regulated entities should ensure they take the advice on board. “Defining, creating, and applying system hardening techniques is not a one-and-done exercise,” explained OCR. “Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time,” and is essential for HIPAA Security Rule compliance.

The post OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security appeared first on The HIPAA Journal.