EHR Privacy and Security-An Overview

August 10, 2012

Privacy and security of electronic health records is an issue that should be at the forefront of every hospital and physician practice’s technology efforts, but oftentimes it is overshadowed by the many other demands surrounding EHR implementation.  However, with medical records now living online, it is extremely important to take measures to secure protected health information, not only out of concern for the patient but also to maintain compliance with HIPAA and Meaningful Use criteria.  A recent study published by HIMSS Analytics and Kroll Advisory Solutions showed that in 2012, 27% of all survey respondents said their organization had experienced a security breach in the past 12 months, up from 19% in 2010 and 13% in 2008.  In addition, of those respondents who reported a security breach, a staggering 69% experienced more than one.  With statistics like these, it is no wonder the movement to take privacy and security measures more seriously is gaining momentum within the industry.

The ONC recently put out a 10 Step Guide to Health Information Privacy and Security that offers providers useful information on how to address various federal privacy and security requirements.  Among the 10 steps are:

1. Confirm you are a “Covered Entity”– Most healthcare providers are covered entities and have HIPAA responsibilities for individually identifiable health information.  The Department of Health and Human Services offers a tool to confirm whether your organization is a covered entity.

2. Provide Leadership– It is essential for a facility to have a leadership team on staff that champions the importance of protecting patient health information.  HIPAA requires covered providers to have a privacy officer and a security officer on staff.

3. Document your processes, findings, and actions– Document your security measures including why and where you have them in place, how you created them, and how you monitor them.  Keep paper and electronic records of these measures.  Maintaining these records is necessary when attesting for Meaningful Use or verifying HIPAA compliance.

4. Conduct Security Risk Analysis– Routinely conduct a security risk analysis and reassessments to compare what you currently have in place with what is legally required to protect health information.  These analyses will identify threats and vulnerabilities that should be addressed.

5. Develop action plan for addressing threats and vulnerabilities– Develop an action plan to address all identified risks that covers administrative safeguards, physical safeguards, technical safeguards, policies and procedures, and organizational standards.

6. Manage and Mitigate Risks– Implement your action plan and develop written policies and procedures regarding how your facility protects electronic health information. Keep records of outdated policies.

7. Prevent with workforce training and education– Train your workforce on how to implement your policies, procedures and security audits.  Provide formal training on breach notification.

8. Communicate with patients– Address patient concerns regarding privacy and confidentiality of EHR information and emphasize the benefits EHRs offer.  It is a best practice to utilize patient education materials.

9. Update your business associate agreements– All business associate agreements should require compliance with HIPAA and HITECH Breach Notification requirements.

10. Attest for the security risk analysis MU objective– Only attest for an EHR incentive program after you have conducted a security risk analysis or reassessment and corrected any issues identified during this process.  Be sure to document these changes and understand that when you attest for meaningful use, it is a legal statement that you have met specific standards including that you protect electronic personal health information.

All of the guidelines outlined above can help to safeguard against security breaches or privacy problems.  Health information professionals should note that while the steps are in line with HIPAA and Meaningful Use objectives, they do not act as a statement of meeting the requirements for either initiative.  It is also emphasized that HIT professionals should not be satisfied with simply meeting Meaningful Use standards for privacy and security of EHRs and nothing more, as that will not provide the comprehensive protection patients deserve.  Looking beyond the bare minimum guidelines to ensure the privacy and security of EHRs builds trust within the patient population, encourages individuals to disclose complete health information, and supports the transition to electronic records.

While the responsibility of addressing privacy and security concerns ultimately falls on the facility or physician practice, many would argue that any legitimate EHR vendor, service provider, or consultant will possess the up-to-date knowledge necessary to maintain compliance and contribute to the advancement of health information protection. Many resources are currently available to assist with HIT privacy and security concerns, including Regional Extension Centers (RECs) and numerous documents, tools, and education & training pieces published by various government agencies.  One extremely useful document is the ONC’s “Guide to Privacy and Security,” which details concepts such as providing patients with electronic copies of their health information and the steps involved in a security analysis.

Because Meaningful Use offers monetary incentives, it can dominate the EHR industry, so HIT professionals are encouraged to remember that the health industry is still people-focused and patient-driven.  While implementing privacy and security measures for EHRs may not always end in direct financial gain, it will make healthcare safer and more accessible, and it can potentially save lives by encouraging full disclosure of relevant personal health information.

EHR Jobs and EHR Services
Excite Health Partners is pleased to provide services that are in line with EHR privacy and security measures to clients nationwide.  Contact us today at 877-803-5804 or visit us online for more information.  In addition, Excite is proud to offer EHR jobs to H.I.T. professionals across the country.  Contact us today at 877-803-5804 or visit us online for more information about available opportunities.