EHR security: Confluence of law, patient protection, benefit to physicians

October 10, 2011

Electronic health records are changing the paradigm of medical practice by making increasing volumes of information more central to patient care.

Maintaining this information securely is more difficult than in the paper world due to the volume and mutable nature of electronic patient information: it can be revised, altered, or lost easily. The Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and laws of certain states mandate certain protections for EHRs and related information precisely because of the ease with which these data can be accessed or disclosed to unauthorized users, compromising the confidentiality at the heart of the doctor-patient relationship.

Properly addressing EHR security, however, can reassure your patients about taking advantage of the technology, can help you trust the integrity of the information in an EHR, and can enable you to access HITECH incentive payments to assist in the transition to digital medical records. And if you become enmeshed in a lawsuit, an updated and robust security protocol will allow you to have your electronic evidence comport with the rules of evidence and thereby have it presented to a jury or judge.

Patient confidentiality in an increasingly digitized information environment was the raison d'être for the HIPAA Privacy Rule. The prime motivating factor in the statute itself, however, was portability: the need for workers to keep health insurance when they changed jobs. HIPAA also mandated standardization of claims and condition codes. The concern then arose that, with all this patient-identifiable information traveling around the country electronically, a potential for abuse existed should it end up in unauthorized hands.

The U.S. Department of Health and Human Services (HHS) asked for comments and received thousands of them, many detailing horror stories of banks and employers obtaining medical information without consent. Accordingly, HHS drafted and implemented the HIPAA Privacy Rule and, later, the HIPAA Security Rule.

Information technology has advanced by great leaps since compliance with the Security Rule became mandatory in 2005, but the drafters were prescient. Even though the HITECH Act was needed to update the rules to comport with technologic advances, the Security Rule remains the governing standard for you and your colleagues as to your obligations for patient information security.

It is deceptively easy to leave patient information vulnerable, or to inadvertently disclose or access information improperly, but by the same token, it does not require a great deal of effort to put in place protocols that significantly reduce this risk. In fact, the Security Rule requires physicians and hospitals to have policies and procedures for protecting electronic patient information in storage and in transmission, to train staff on those procedures, and to update those protocols as technology changes (for example, to cover tablets such as the iPad and text messaging from smartphones, which were not in clinical use when the Security Rule was written).

In the early days of HIPAA, caregivers were taught that it was a violation to look at the records of a patient for whom the caregiver had no clinical responsibility. In an EHR, doing so is much easier than in the paper days, when, for instance, a hospital chart had to be requested from the medical records office, and a large number of caregivers have been unable to resist the temptation to peek.

The HHS Office for Civil Rights recently reached a monetary settlement with the University of California, Los Angeles, Health System over a pattern of unauthorized access by physicians and staff to the EHRs of several celebrities. This sort of incident has been repeated at hospitals on the East Coast and elsewhere in the past 4 years, and medical practices are not immune. HHS has stepped up enforcement of HIPAA perhaps, in part, because of the ease with which EHR confidentiality may be compromised. The rule of thumb is simple: if the patient is not under your care, don't look at his or her records.

Another area of governmental scrutiny, and rightly so, is the Security Rule's treatment of encryption of data in storage and in transmission. Strictly speaking, encryption is an "addressable" implementation specification: you must either implement it or document why it is not reasonable and appropriate for your practice and put an equivalent safeguard in place. In practice, the HITECH breach notification rule makes that choice for you, because patient information that has been properly encrypted is not considered "unsecured" protected health information, so the loss or theft of an encrypted laptop or thumb drive does not trigger the notification and reporting obligations that an unencrypted one does. "In storage" means on the hard drives of desktop computers, laptops, and portable devices, and on servers. This may not be a significant problem for the EHRs of large hospitals, but medical offices and physicians' home computers are vulnerable to a confidentiality breach if the computer media are not encrypted.

Similarly, the rule expects email containing patient information to be encrypted so that it cannot be read if it is intercepted in transit or misdirected to the wrong recipient. Encryption programs have declined in price considerably, and HHS generally will not accept the excuse that the physician didn't think to get one.