At present, EHR systems are not directly regulated by the government, although some people are calling for legislation to change this. However, EHR systems are not exempt from complying with certain laws.
Responsibility for Data Protection
Since EHR systems handle sensitive data, they must comply with the Health Insurance Portability and Accountability Act (HIPAA), legislation designed to protect personal information. The Health Information Technology for Economic and Clinical Health Act (HITECH) also impacts EHR functionality. HIPAA and HITECH regulations deal with how data are managed, rather than how EHR systems are built, configured or used. If a healthcare provider is found to be in breach of HIPAA or HITECH regulations, the provider could face hefty fines. Additionally, it may leave itself open to lawsuits issued by people whose data has been compromised.
Any healthcare provider moving to EHR for the first time needs to give serious consideration to HIPAA and HITECH regulations. Before any hardware or software is introduced to the service, a detailed plan should be in place as to how data security will be implemented. It may be helpful to use a security consultant to advise on best policy.
It is important to note that HIPAA and HITECH regulations are not specifically related to automated record management systems. Practices that are still using paper-based records must also be compliant with regulations. Every practice has a duty of care to protect patient information.
Automating patient record storage and retrieval brings many benefits. It speeds up claims processing, ensures more accurate billing, makes patient records easily available to interested parties in varying locations and greatly improves the patient experience.
Risks of Data Being Inadequately Protected
The flexibility provided by EHR systems comes with its own responsibility to control data access. In 2011, the University of California, Los Angeles made a settlement of almost $1 million after two unnamed celebrities claimed their medical records had been accessed without proper authorization.1
There was no suggestion that any details were released to the public, or the data accessed was used in any way to the patients’ detriment. Nevertheless, the case highlighted the risks for healthcare providers who fail to rigorously control who can access what data.
Security Is an Ongoing Concern for EHR Systems
Security threats and vulnerabilities are in a state of constant flux. What this means for healthcare providers is that implemented security measures have to be constantly reviewed. Whenever necessary, new measures need to be deployed and old procedures amended.
Healthcare providers today face problems that simply did not exist a decade ago. Smartphones and tablet devices have seen an exponential growth in popularity, and healthcare providers now find they are under pressure to secure employee devices as well as their own hardware.2 This creates totally new challenges for providers.
Among the challenges facing providers is controlling how data is used when accessed from a device over which the provider does not have full control. For example, if an employee uses their personal smartphone to access patient records, how is the data managed on the smartphone?
Most devices use caching to speed up access, and that often means storing data on the device even after the user has stopped looking at the data. This is the type of issue that is likely to give healthcare providers headaches in the future in their efforts to stay compliant with legislation.