Data conversion and data migration are household words among clinics that are changing Practice Management/Billing Systems. Many choose to convert patient information and other relevant data from their Legacy system into their new system. Some do not. And that is an acceptable choice primarily because the data left behind are available from patients when they next visit the clinic. The relevant financial data will usually become obsolete in about 90 days.

However, Clinical data (Electronic Medical Records including image files) are not so easily dismissed. Leaving EMR data in the Legacy system may be a short term option but maintaining two EMR systems will soon become a financial burden, will decrease efficiency and increase opportunity for error. Not keeping electronic Chart records is, in most cases, not a viable option.

Contrary to some opinions, Clinical data and images can be converted into a new EMR System. The issues to effect an accurate conversion are not trivial. Different from a Billing System conversion, accurate EMR conversions cannot be completed without significant involvement of skilled users from the clinic, people who know the data from having used it over a period of time.

More about EMR conversions at another time. The point of this article is to discuss the security requirements for HIPAA controlled PHI data.

There are fiduciary and identity theft laws which govern patient demographic and financial information but they do not adequately cover PHI data.

The EMR conversion will require the exchange of PHI data.

HIPAA requires secure transmission of patient data. It is essential that your data conversion provider implement a policy to use an encryption method which meets or exceeds HIPAA requirements. One option is to use the 256 bit encryption provided by WinZip (there are others, WinZip is used here as an example and for a reference point). It does meet the HIPAA requirements for secure transmission. After data files are zipped they are encrypted with a 256 bit encryption key and then password protected. It is recommended that passwords of 10-20 characters be randomly created each time a file is transferred. Passwords should include upper and lower case letters, numbers and special characters.

Regardless of the size of the file to be transferred, when PHI data are included HIPAA security is required. Failing that puts all parties involved in the transaction at risk for non-compliance.
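
An added example, not part of the original article: one way to generate and check the per-transfer archive passwords recommended above (10-20 random characters containing upper and lower case letters, numbers and special characters), drawing from the operating system's cryptographic random source. The special-character set and all function names are assumptions chosen for illustration.

```python
import secrets
import string

# Character classes named in the article's password guidance.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!#$%&*+-=?@^_",  # assumed set; use one your archive tool accepts
}
ALPHABET = "".join(CLASSES.values())
MIN_LEN, MAX_LEN = 10, 20  # range recommended in the article


def meets_policy(password):
    """True if length is 10-20 and every character class is present."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    if any(ch not in ALPHABET for ch in password):
        return False
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def new_transfer_password(length=MAX_LEN):
    """Draw from the OS CSPRNG and redraw until all classes appear.

    Rejection sampling keeps every compliant password equally likely,
    unlike forcing one character of each class into fixed positions.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between 10 and 20")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def passwords_for_batch(filenames, length=MAX_LEN):
    """One fresh password per file, never reused within the batch."""
    issued = {}
    for name in filenames:
        pw = new_transfer_password(length)
        while pw in issued.values():
            pw = new_transfer_password(length)
        issued[name] = pw
    return issued
```

Generate the password at the moment each archive is created, and give it to the recipient over a different channel than the one carrying the file.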