Who is Paying Attention to Security and Privacy While Implementing Electronic Health Records?
InfoManagement Direct, May 23, 2008
Why implement an electronic health record (EHR)? If designed properly, an EHR system can produce many benefits for health care organizations. As more and more health care organizations push forward to aggressively implement EHR systems, the security and privacy of patient information are not always given the attention they deserve. Although most organizations have carefully addressed privacy concerns for paper records, they struggle to maintain the same vigilance when it comes to electronic records. Government regulations like the Health Insurance Portability and Accountability Act (HIPAA) and other state laws require providers and payers to follow strict guidelines concerning the security of their health systems, yet security breaches continue to occur with minimal repercussions. Why is this happening, how can it be prevented, and why should organizations prioritize security as a fundamental building block of their EHR implementation strategies?
Health care organizations were required to be compliant with the HIPAA Security Rule as of April 2005. Both civil and criminal penalties were promised for organizations found in violation of HIPAA. Little has been done in the way of enforcement, and the fallout has been minimal to date. With little threat of enforcement, many organizations have not been diligent in complying with the security rules required by state and federal laws, and this has led to a number of security breaches in the health care industry. A quick search on the Internet will produce several sources that list security breaches across all areas of health care, including physicians' practices. The majority of these breaches were the result of lost or stolen media and laptop computers containing patient information. Encrypting data at rest on laptops and portable media is the control that most directly addresses this class of incident: a lost device whose contents are properly encrypted does not expose the patient information stored on it. The widespread movement toward EHR implementations and the automation of electronic protected health information (ePHI) are pushing the need for a security framework that deals not only with the rules imposed by government regulations, but also with ensuring patient privacy and security.
It is important to prioritize security for many reasons, but one area often not considered is cost. Cost-effective EHR system implementations are imperative, but implementing an EHR system without proper consideration of security controls can be more costly. In one recent example of a security breach, a doctor's office was broken into and a hard drive containing personal information of hundreds of patients was stolen. After further investigation by law enforcement, it was determined that the hard drive was the only item taken by the thieves. It was clear that the perpetrators were targeting the hard drive as a means to steal the identities of the patients for fraudulent purposes. Identity theft is one of the fastest-growing crimes in the country, and health care providers are being targeted because medical records contain key patient information such as Social Security numbers and dates of birth. There will be monetary costs associated with responding to an event such as this, but in the end, loss of reputation and patient confidence will be the greatest expense.
So, how can you prevent security and privacy breaches at your practice and at the same time meet state and federal regulatory compliance requirements? Regardless of the industry or associated regulations, a good security program begins by addressing the fundamentals of information security: maintaining the confidentiality, integrity and availability of all systems. Creating a best-practices security environment will go most of the way toward a HIPAA-compliant environment, with the caveat that HIPAA also expects the safeguards you choose to be documented and traceable to a risk analysis. The HIPAA Security Rule states that covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of health information and to protect against any reasonably anticipated threats or hazards to the security or integrity of that information. What does this mean? It means that there are administrative, technical and physical safeguards which need to be considered and put into place. Administrative safeguards address the security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate contracts and other arrangements. Technical safeguards address access controls, audit controls, integrity, person or entity authentication and transmission security. Physical safeguards address facility access controls, workstation use, workstation security, and device and media controls.
The security program should be initiated, supported and directed by senior management. By taking a top-down approach, you provide a solid foundation for security and emphasize how strategic security is to your organization. Organizations should perform a risk analysis of their environment. This will identify where vulnerabilities exist and the potential risk associated with them, and it gives your organization a good idea of what is required to reduce threats and vulnerabilities to a reasonable level. It will also enable your organization to decide which administrative, technical and physical controls should be implemented to reduce the impact and probability of the identified threats, and to weigh the cost and benefit of each control. It is important to note that if your organization will be using third-party vendors as part of your program, you should perform due diligence by auditing their security controls to ensure that they meet your requirements; under HIPAA these are the business associates whose contracts the administrative safeguards call for, and their handling of your ePHI belongs in the same risk analysis.