Compliance to protect patients from unauthorized access to their personal information has not kept up with technology or economic developments in healthcare management.
The need to protect patient records and personal information has been a fact of life since the enactment of HIPAA regulations in 1996. Physicians and healthcare organizations nationwide have taken steps to comply and protect patients from unauthorized access to their personal information. Compliance, however, has not kept up with technology or economic developments in healthcare management. Now, a recent wave of new laws and regulations has clearly raised the stakes for providers to implement adequate protection from security breaches.
Fewer than 20 percent of the nation’s doctors have adopted Electronic Health Records (EHR) or Electronic Medical Records (EMR), according to a recent study published in the New England Journal of Medicine. That number is cut in half for practices with three or fewer physicians, which make up the majority of the practices in this country. Most providers are still utilizing traditional paper records and/or maintaining billing and patient information on laptops or hard drives within the office environment, a system that leaves those physicians and healthcare organizations open to easy infiltration and theft of patient health information.
In the past, a major barrier to implementing state-of-the-art EHR and other electronic systems has been hardware and software costs which could add up quickly to $50,000 to $100,000. However, security today does not require the large financial investment that it did a decade ago. A comprehensive, robust, Internet-based Practice Management System (PMS) and EHR, which also provide superior security, can each be implemented for approximately $200 a month.
That’s particularly good news for providers, because the information security game is changing. Along with HIPAA regulations, there is a growing movement to hold physicians and providers financially accountable for any security breach. There is no longer simply the burden of notifying patients in the event of a breach, but these incidents now threaten real financial liability.
Recently, two new laws took effect in California requiring providers to maintain the confidentiality of patient health information. If they fail to protect confidential patient information, providers will face substantial consequences under the new statutes, with penalties for security breaches ranging from $25,000 to $250,000 per reported event. Even more alarming, the new laws do not require patients to prove actual harm or loss to recover damages: the mere fact of a breach will result in penalties.
I believe physicians and healthcare organizations across the country must address this new challenge, as other states are certain to follow the California example. Providers should immediately review their security procedures and begin decisive action to protect patient information.
Fortunately, there are incentives for providers included in President Obama’s American Recovery and Reinvestment Act of 2009 to accelerate the move to EHRs. This stimulus package, coupled with the dramatically lower cost alternatives of Web-based solutions, gives providers manageable options to implement electronic systems.
There are a multitude of such systems available today, offering a range of services and applications from which to choose. Not all provide the same security and protection from liability, which, given our litigious culture, should be one key consideration in the selection of electronic medical systems moving forward. Higher-priced systems do not necessarily mean greater security protection.
As someone who began their career as a family physician, I understand how inundated practices, particularly small practices, feel with the multitude of healthcare information technology solutions on the market. Most providers do not have an employee with a technical background to sort through the information with an eye on security measures. So what should providers look for in terms of security? What strategies will best protect providers from future liability?
First and foremost, practices should and must begin to make the switch to digital systems and the EHR. Not only do they reduce operating costs and increase revenue, they are far safer than paper systems. Files cannot be left open on desks, misplaced, misfiled, dropped in hallways and copied for malicious purposes. Additionally, electronic systems enable providers to control file access, monitor who is accessing files and immediately stop unauthorized access.
Second, providers should recognize that the requirements to keep electronic patient information secure are not best achieved by storing the data locally on laptops, desktops, or hard drives. In fact, systems that store information on off-site computer servers with properly layered security can be far more secure than systems that store information on drives in the office or healthcare facility. Consider that wherever digital patient information is stored, that data requires layers of security, ranging from network firewalls, strong password-protection, encryption algorithm technologies, and redundant backup in case of fire or natural disaster to physical security and access control. Each of these technologies requires expert network design and implementation as well as constant monitoring and updates to remain effective. The best large-scale off-site systems have already made the investment in such sophisticated data security, disaster recovery, and quality assurance technologies.
You may also recall the theft, among many over the past several years, of a U.S. Department of Veterans Affairs laptop computer containing the personal information of millions of American veterans. This incident alone led to a $20 million settlement between the VA and the veterans and their families. In busy offices and facilities, theft of laptops, hard drives, and data is far too easy and leaves providers wide open to financial liability.
Third, look for systems that are continuously tested both internally and externally. Thieves and hackers continually refine their malicious use of technology. Office staff can fall into bad habits regarding data protection. Routine testing of security technologies and practices is the only way to stay a step ahead of potential security breaches and protect against the latest attacks.
Lastly, know that independent evaluations by third-party organizations, such as the Electronic Healthcare Network Accreditation Commission (EHNAC), provide valuable insight into the security infrastructure of electronic system developers and validate their technology and service claims.
Electronic billing and practice management and EHRs can be of phenomenal benefit to both the provider and the patient until patient information falls into the wrong hands. Transitioning to such digital systems no longer requires that providers invest tens of thousands of dollars, and the cost of enhanced security should no longer be viewed as “a risk worth taking” against potential penalties.
As increased financial liability for patient information security becomes a reality nationwide, and the federal government begins to provide incentives for the move to the EHR, providers should keep the requirements, costs, and potential liabilities of security a central element of the system they select.
Sol Lizerbram, DO, is Chairman and CEO of HealthFusion, a national clearinghouse and Practice Management System company for healthcare transactions. Dr. Lizerbram helped found the company in 1998, when as a practicing family physician himself, he recognized the need for a fundamentally better way to manage the exchange of patient information and data between healthcare providers and insurance companies.