A recent Medscape report on electronic health records found that only 17 percent of EHR users have no patient privacy concerns. However, the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 were created to protect individually identifiable health information. HIPAA is enforced today with regard to the use of EHRs for the collection and exchange of administrative and clinical data. HIPAA enforcement is one way the federal government provides security for EHRs; however, there are many other reasons why EHR programs are more useful and secure than traditional paper records.
Mansur Hasib, D.Sc., CISSP, PMP, CPHIMS, former chief information officer and current professor at the University of Maryland Baltimore County and Carnegie Mellon University, wrote an article for InformationWeek that details why paper health records are less secure than EHRs. He stated that with EHR software, data is collected regarding who sees health information, when they see it, how long they viewed it and whether they were authorized to see it. With paper records, anyone can pick up, read and photocopy a patient's folder and there will be little to no evidence of this action.
Paper records can also be written illegibly, and that can cause issues with a patient's care. Hasib stated that patients' lives were saved due to accurate health information made available electronically to multiple specialists around the U.S. because each physician could give input on treatment and medications. With paper records, acts like that would be impossible. EHRs allow for a complete collection of a patient's data in multiple digital locations, while paper records are susceptible to theft, water damage and fires.
The National Library of Medicine stated that the HIPAA Privacy Rule gives patients rights over their health information, such as the right to examine and collect a copy of their health records, as well as opportunities to request corrections. Patients have the ability to determine the extent of use of their EHRs. The individuals in charge of health information must protect it from being improperly used or disclosed. If they fail to do so, they will face severe penalties, either civil or criminal, according to Health IT.
Consequences of breaking HIPAA rules
The Department of Justice recently filed an indictment to set an example of the consequences of violating HIPAA. A former employee of an East Texas hospital was charged with wrongful disclosure of individually identifiable health information, which could result in a conviction of up to 10 years in prison. The U.S. Department of Health and Human Services takes violations seriously, an effort that suggests EHRs are more secure than paper records.
The individual allegedly had access to the hospital's health records, but EHR software allows for better security against those who do not have authorized access to a certain patient's EHR. Hasib stated that paper records have no encryption, while electronic databases allow for information scrambling and obfuscation by means of storing data in shredded file formats. If someone were to try to access the data without authorization and managed to succeed, the culprit would only be able to read a small portion of a patient's whole EHR.
More physicians need to become aware that EHRs have policies that ensure their protection in more ways than paper records do.