Healthcare is evolving, and the tools to facilitate better patient care are in use as much by multi-specialty hospitals as by single practices. During your visit to the doctor, you may have seen them taking notes on their computer, tablet or smartphone. As you may have guessed, they aren’t just typing up new documents, they’re utilizing electronic health record software (EHR). There are many advantages to using EHRs, among which are improved care for patients and increased efficiency for physicians. While EHRs make maintaining medical records more efficient for practices, electronic health record security and privacy concerns are also on the rise.
Data loss and weak cybersecurity have disastrous consequences. Questions like who can access my information and how my data is protected from theft weigh on patients' minds. These questions matter because, in healthcare, mishandled patient data can be the difference between life and death.
Most of you have heard of the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA privacy and security rules hold individuals, agencies and organizations accountable for the security and privacy of patients’ electronic health data, and they are enforced by the HHS Office for Civil Rights (OCR). Many patients recognize jargon such as HIPAA, but don’t know how these rules relate to their rights.
HIPAA gives patients rights to their health information, regardless of whether it’s paper-based or in electronic form. Patients have the right to:
- See a copy of their medical data
- Get any mistake corrected
- Be informed about how their health data is shared and used
- Update their contact details
- File a complaint if any of their rights have been violated
As for physicians, many of them consider EHR software counterproductive. Switching EHR software every few years, redefining system requirements, buying new software, switching over existing patient data to the new software and changing how dashboards present patient medical information is tedious and inconvenient. Of course, that is a lot to handle, but not adopting an EHR system is a bigger risk; it can not only result in privacy violations but also drain revenue, increase clinical turnover and slow down the practice as a whole.
Most vendors take electronic health records security seriously, and their products already come equipped with features to protect against hacking and data breaches. Practices that resist adopting an EHR platform end up putting patients’ privacy at risk and will inevitably end up violating HIPAA guidelines.
In this article, we’ll look at some of the top electronic health records security features EHRs have to protect your practice and your patients’ health data.
Does Patient Privacy Matter?
Patient data privacy is no small issue. After the massive data breach of Anthem Inc. in 2015, in which nearly 80 million records were leaked, there was widespread concern amongst patients and their families about the security of their health information. Many patients refrain from sharing all of their health information because of the fear of it being misused or landing in the wrong hands.
A 2017 report by Gartner on top technology trends highlights how digital ethics and privacy is a growing concern as much for individuals as for organizations and governments. Small and mid-size medical practices see complying with government rules and regulations as a roadblock to achieving their business goals.
Now that you know about how physicians feel about new technology and patients feel about data breaches, you must be thinking, why adopt an EHR solution at all? The short answer is that you have to in order to be eligible for Medicaid and Medicare reimbursements.
The long answer is that practices that don’t adopt certified EHRs are putting their practice in danger and risking HIPAA violations. These violations can easily be prevented by using EHRs, which safeguard against common mistakes.
Now we’ll discuss a few electronic health records security features.
Standard Security Measures in EHRs
The biggest benefit of adopting an EHR for your practice is that EHRs today are built with robust security measures. Some of those security features are:
- HIPAA and HITECH Compliance
- Audit Trails
- Data Encryption
- Password Protection
- ONC-ATCB Certification
HIPAA and HITECH Compliance
HIPAA and HITECH provide regulatory guidelines for the security of protected information. While they are a good baseline, you’ll certainly need additional electronic health record security protocols tailored to your practice’s specific needs. Since EHR security concerns are not the same for everyone, vendors go beyond what the certifications require of them.
For example, EMRs today provide bank-level (SSL) transport encryption for secure data exchange, ensuring that data is encrypted while it travels over the internet.
Audit Trails
Audit trails automatically register and record where, when and by whom the system was accessed. They also record what users do once they are in the system. This tracks every change to patients’ information and documents it.
Since all the data is logged in the EHR system, it enables users to review the data at regular intervals and flag activities that seem suspicious. Regular reviews can also help correct mistakes caused by human error that could be flagged as a HIPAA violation. An audit trail answers the following:
- Which patients’ data was accessed?
- What time was it accessed?
- Who retrieved the data?
- Where was the data accessed from?
EHR software can also be set to send notifications to patients when their information is accessed. This way patients can report breaches as soon as they happen.
The Stakes: Without audit trails, practices will have to manually record and review every entry in every patient’s record. This is not only arduous but also time-consuming. If this isn’t done thoroughly, it could make the practice vulnerable to EHR security breaches.
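The review described above, as an added example that is not part of the original article or any EHR vendor’s product: it parses a constructed audit log, answers the four questions for each entry (which patient, when, who, from where) and flags three patterns a reviewer would want to see first. The log format, the clinic hours, the on-site network range and the bulk-access threshold are assumptions chosen for this illustration; real EHR audit logs differ per product.

```python
"""Review a constructed EHR audit trail for activity worth a second look.

Added example (not SelectHub's or any EHR vendor's code). The log format,
field names, clinic hours and network range below are assumptions chosen
for this illustration; real EHR audit logs differ per product.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample audit entries: who accessed which patient, when, from where.
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:02:11Z user=dr.patel patient=P1001 action=VIEW src=10.20.1.15
2024-03-04T09:05:40Z user=dr.patel patient=P1001 action=UPDATE src=10.20.1.15
2024-03-04T09:30:02Z user=nurse.kim patient=P1042 action=VIEW src=10.20.1.33
2024-03-04T02:13:44Z user=billing.lee patient=P1001 action=VIEW src=10.20.1.40
2024-03-04T12:00:01Z user=temp.ross patient=P1001 action=VIEW src=10.20.1.50
2024-03-04T12:00:09Z user=temp.ross patient=P1002 action=VIEW src=10.20.1.50
2024-03-04T12:00:17Z user=temp.ross patient=P1003 action=VIEW src=10.20.1.50
2024-03-04T12:00:25Z user=temp.ross patient=P1004 action=VIEW src=10.20.1.50
2024-03-04T12:00:33Z user=temp.ross patient=P1005 action=VIEW src=10.20.1.50
2024-03-04T12:00:41Z user=temp.ross patient=P1006 action=VIEW src=10.20.1.50
2024-03-04T14:10:00Z user=dr.patel patient=P1042 action=VIEW src=203.0.113.9
"""

CLINIC_NETWORK = ip_network("10.20.0.0/16")  # assumed on-site address range
CLINIC_HOURS = range(7, 20)                   # assumed 07:00-19:59 (timestamps are UTC)
BULK_THRESHOLD = 5                            # assumed: distinct patients per user per window
BULK_WINDOW_SECONDS = 60                      # assumed window length


def parse_entry(line):
    """Answer the four audit questions for one line: who, which patient, when, from where."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "who": kv["user"],
        "patient": kv["patient"],
        "action": kv["action"],
        "where": ip_address(kv["src"]),
    }


def review(log_text):
    """Return (rule, user, detail) findings for a human reviewer to follow up."""
    entries = [parse_entry(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for e in entries:
        # Access outside clinic hours is unusual for most roles.
        if e["when"].hour not in CLINIC_HOURS:
            findings.append(("after-hours", e["who"], e["patient"]))
        # Access from outside the practice's own network deserves a look.
        if e["where"] not in CLINIC_NETWORK:
            findings.append(("off-site-source", e["who"], str(e["where"])))
    # Bulk access: one user opening many distinct patient records in a short window,
    # which is how record snooping or data exfiltration shows up in an audit trail.
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["who"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["when"])
        for i, start in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x["when"] - start["when"]).total_seconds() <= BULK_WINDOW_SECONDS]
            patients = {x["patient"] for x in window}
            if len(patients) >= BULK_THRESHOLD:
                findings.append(("bulk-access", user,
                                 f"{len(patients)} patients in {BULK_WINDOW_SECONDS}s"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_AUDIT_LOG):
        print(f"{rule:16} {user:12} {detail}")
```

On the constructed log this reports the 02:13 access by billing.lee, the off-site access by dr.patel, and temp.ross opening six records in forty seconds. Each finding is a starting point for a human review, not a verdict: the trail shows what happened, and it is the practice’s job to decide whether it was legitimate.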
Data Encryption
With cybersecurity concerns rising, encryption can go a long way to protect your data. First, it allows only authorized users to read sensitive data, and second, it protects against data breaches, whether the data is in transit or at rest.
EHR solutions can encrypt the information so that it can only be read by authorized users and programs. This makes transferring sensitive patient data, such as test results or medical histories sent to referrals, much more secure than archaic paper records.
Encryption also reduces the potential damage if data gets stolen. Combined with role-based access control, it means that only employees with the right authorization can view the decrypted data.
A few things to consider:
- If an EHR vendor you are considering does not offer encryption, ask why. Is it because of the cost? Does a third-party vendor encrypt their data? Also, stop to think if unencrypted data is something you’re willing to risk.
- HIPAA certification does not require EHR products to encrypt data, but encryption is not just a “good-to-have”; it is a “must-have” feature of any EHR solution.
The Stakes: Medical practices are most at risk when transferring data. Treatment plans, prescriptions and referrals require encryption, without which unauthorized users and hackers can see, steal and tamper with patient data.
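Transport encryption only protects data in transit when the client also verifies who it is talking to. The following is an added example, not part of the original article or any EHR product’s code: it audits a Python `ssl.SSLContext` (the object an HTTPS client library uses) for the three settings that make “SSL encryption” meaningful, and shows a weak configuration beside the corrected one. The audit rules are the author-of-this-example’s assumptions about a reasonable baseline; no network connection is made.

```python
"""Check that an EHR client's transport encryption is actually enforced.

Added example, not any EHR product's code. It audits a Python ssl.SSLContext
for certificate verification, hostname checking and a TLS 1.2 floor. The
three rules are assumptions about a sensible baseline, not a regulatory list.
"""
import ssl


def audit_tls_context(ctx):
    """Return the weaknesses found in a client context (empty list means acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def weak_client_context():
    """The setting a hurried integration ends up with: encryption on, server identity unchecked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate accepted: the data is encrypted,
    return ctx                       # but to whomever sits in the path, not necessarily the EHR


def hardened_client_context():
    """The corrected setting: verify the server against trusted CAs and pin the TLS floor."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or "ok")
```

The same three checks apply when reading a vendor’s documentation: ask not only whether data is encrypted in transit, but whether their client verifies the server certificate and which TLS versions it will negotiate.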
Password Protection
This one may seem obvious, but it goes way beyond asking users to create secure alphanumeric passwords. Because patient records contain sensitive information, any successful EHR should offer the following:
- Lockout capabilities: if a wrong password is entered more than five times, the account should be locked.
- Passwords that mix letters, numbers, capital letters and special characters. This makes passwords difficult to guess.
- Mandatory password resets at regular intervals.
- Five security questions or one-time passwords to validate users after they have entered the password.
- Two-factor authentication as a secondary layer of security.
A 2017 study observed that 73% of physicians and other staff have used a co-worker’s password to access an EHR, violating password security protocols.
Passwords leave a lot of scope for human error. Even though they don’t like to admit to it, patients don’t always securely record and remember their passwords. With this in mind, EHR solutions should be able to take responsibility for maintaining data privacy. Now that you are aware of this, you will obviously want to adopt a few best practices. One such practice is requiring complex passwords. There’s a guide for setting up good password practices here if you need some guidance.
If the system does not require complex passwords and does not force users to change them, it becomes easier for outsiders to access patient information.
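The password controls listed above, worked through as an added example that is not part of the original article or any EHR vendor’s code. The lockout after more than five wrong passwords follows the text; the 12-character minimum, the 90-day mandatory reset, the one-time-code lifetime and the PBKDF2 iteration count are assumptions chosen for this illustration. The one-time code stands in for the “one-time passwords to validate users after they have entered the password” item; a real system would deliver it to the user’s device rather than return it.

```python
"""Password controls for an EHR login, as an added example (not any vendor's code).

The lockout after more than five wrong passwords follows the article; the
12-character minimum, 90-day rotation, 5-minute one-time-code lifetime and
PBKDF2 iteration count are assumptions chosen for this example.
"""
import hashlib
import hmac
import os
import re
import secrets
from datetime import datetime, timedelta, timezone

MAX_FAILED_ATTEMPTS = 5                  # lock after more than five wrong passwords
MIN_LENGTH = 12                          # assumed
MAX_PASSWORD_AGE = timedelta(days=90)    # assumed mandatory reset interval
OTP_LIFETIME = timedelta(minutes=5)      # assumed one-time code validity
PBKDF2_ITERATIONS = 100_000              # assumed; raise in production
DEMO_NOW = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)  # constructed clock for the demo


def complexity_problems(password):
    """Return the names of the complexity rules a candidate password fails."""
    rules = [
        ("length", len(password) >= MIN_LENGTH),
        ("lowercase", re.search(r"[a-z]", password) is not None),
        ("uppercase", re.search(r"[A-Z]", password) is not None),
        ("digit", re.search(r"[0-9]", password) is not None),
        ("special", re.search(r"[^A-Za-z0-9]", password) is not None),
    ]
    return [name for name, passed in rules if not passed]


def hash_password(password, salt):
    """Salted, slow hash so a stolen credential table is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, username, password, now):
        problems = complexity_problems(password)
        if problems:
            raise ValueError(f"password rejected, fails: {problems}")
        self.username = username
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.password_set_at = now
        self.failed_attempts = 0
        self.locked = False
        self.pending_otp = None  # (code, expires_at) after a correct password

    def unlock(self):
        """Administrative unlock; the lockout never clears on its own here."""
        self.failed_attempts = 0
        self.locked = False

    def login(self, password, now):
        """First factor. Returns 'locked', 'denied', 'expired' or 'second-factor'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(hash_password(password, self.salt), self.digest):
            self.failed_attempts += 1
            if self.failed_attempts > MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if now - self.password_set_at >= MAX_PASSWORD_AGE:
            return "expired"  # mandatory reset interval reached
        return "second-factor"

    def issue_one_time_code(self, now):
        """Generate the code the EHR would deliver to the user's device."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp = (code, now + OTP_LIFETIME)
        return code

    def verify_one_time_code(self, code, now):
        """Second factor: the code must match, be unexpired, and is consumed on use."""
        if self.pending_otp is None:
            return False
        expected, expires_at = self.pending_otp
        self.pending_otp = None
        return now <= expires_at and hmac.compare_digest(code, expected)


def demo():
    """Walk the policy through a constructed scenario and return what each step decided."""
    now = DEMO_NOW
    acct = Account("dr.patel", "Correct-Horse-42!", now)
    results = {"weak_password": complexity_problems("password")}
    results["attempts"] = [acct.login("wrong-guess", now) for _ in range(6)]
    results["right_password_while_locked"] = acct.login("Correct-Horse-42!", now)
    acct.unlock()
    results["first_factor"] = acct.login("Correct-Horse-42!", now)
    code = acct.issue_one_time_code(now)
    results["wrong_code"] = acct.verify_one_time_code("111111" if code != "111111" else "222222", now)
    code = acct.issue_one_time_code(now)
    results["stale_code"] = acct.verify_one_time_code(code, now + timedelta(minutes=6))
    code = acct.issue_one_time_code(now)
    results["good_code"] = acct.verify_one_time_code(code, now)
    results["after_90_days"] = acct.login("Correct-Horse-42!", now + timedelta(days=90))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:28} {outcome}")
```

Two details are easy to get wrong in practice: the account stays locked even when the correct password is later supplied, so a lockout cannot be silently undone by the person who triggered it, and a one-time code is consumed on its first use whether or not it matched, so it cannot be retried.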
ONC-ATCB Certification
While EHR products available in the market vary in the features they offer, the government mandates a few features. The first question to ask yourself is: Is the system ONC-ATCB certified?
The Office of the National Coordinator – Authorized Testing and Certification Body is the certifying authority for EHR vendors in the US. It helps all U.S. medical agencies to adopt EHR technologies.
It’s a straightforward question, the answer to which is either a yes or a no.
- If the answer is yes, then look at its other features.
- If the answer is no, then reject this vendor and look at others.
To be properly certified, platforms are evaluated on the following features:
- Interoperability: The platform should be able to share information with other systems like billing and practice management software.
- Functionality: It should be able to create and manage patient records.
- Security: It should be able to protect patient information against being shared incorrectly and from being misused.
Within the above three checkpoints, there are approximately 400 criteria that are looked at. This way, if a product is certified, you can be sure that it has been thoroughly scrutinized.
If you adopt an EHR system that isn’t certified, you will not be eligible for governmental reimbursement programs. It is possible to pay for and adopt an EHR that isn’t certified, put your patients’ data at risk and lose out on the financial benefits that the government offers.
Assess Your Risk
We hope by now you are aware of how important electronic health records security features are. The next step is to assess your security risk. HIPAA mandates that all “covered entities” conduct at least one security risk assessment once a year, or whenever security protocols are changed to meet the guidelines of Meaningful Use and Merit-based Incentive Payment System (MIPS) incentive programs.
There are many tools in the market to assess your electronic health records security risk, or alternatively, you can hire external consultants or consulting firms to do the same for you. Your security risk assessment, however you choose to do it, should show the following:
- A list of all the locations, digital and physical, where you store your practice’s protected health information (PHI).
- A brief synopsis of all the PHI your medical practice creates, receives or transfers.
- An assessment of EHR security measures in place at present.
- A synopsis of potential vulnerabilities and threats to your current system.
- The impact on the practice and patients if a threat were to materialize.
We at SelectHub have also listed out five ways to maintain better healthcare information security here. After you determine where your potential threats lie, work on securing your systems. This can mean choosing a new EHR, or even establishing best practices for physicians and other administrative staff.
What is your biggest challenge when maintaining electronic health records security? Let us know in the comments below!