How to Address EHR Security and Privacy Issues


Electronic Health Records (EHR) software is increasingly widely used to consolidate and store patients’ records within the healthcare arena. Some clinics that have yet to invest in EHR software cite concerns over security and privacy breaches of patients’ confidential records as the reason. However, records are more likely to be compromised at practices with no EHR.

Why Does Patient Privacy Matter?

Before we look at the top EHR security and privacy issues, it’s essential to understand why patient privacy matters. A 2015 survey showed that 86% of respondents expressed some level of concern about being subject to a health information security breach, of which 45% were “moderately” or “very” concerned.

The survey also showed that 21% of patients had withheld personal health information from their doctor due to a fear of security breaches leading to identity theft. In addition, more than half of patients would look for a new doctor if their current practice suffered a security or privacy breach.

With the challenges associated with investing in EHR software and the risk of compromised privacy at the forefront of so many patients’ minds, do the drawbacks of EHR software outweigh the benefits?

The answer is a definite no. EHRs are becoming a requirement for receiving Medicare and Medicaid reimbursements. Any practices that hesitate to adopt EHRs risk HIPAA violations that endanger their practices. These violations can be prevented by using certified EHRs that build in protocols automatically and protect individuals from common mistakes.

The majority of EHR systems today come with standard security measures, built into a range of features, that are designed to build patient confidence.

ONC-ATCB Certification

The key issues a practice will face by purchasing an EHR system that does not meet ONC-ATCB security standards are that it will not meet the government requirements for reimbursement eligibility, and it will open itself up to a potential security breach that jeopardizes the trust of its patients.

The government mandates that EHR security and privacy meet specific standards; software demonstrates that it meets this minimum standard before going to market by gaining ONC-ATCB certification.

ONC-ATCB stands for Office of the National Coordinator (ONC) recognized Authorized Testing and Certification Body (ATCB), and its certification is the easiest way to identify whether EHR software is suitable for use.


There are three tests that EHRs must pass to become ONC-ATCB certified. They are:

Functionality – The ability to create and manage patients’ records

Interoperability – The ability to communicate and transfer patient information between systems

Security – The ability to protect patient information from third-party misuse

These three tests evaluate more than 400 different criteria, so any ONC-ATCB certified product has undergone stringent testing to ensure robust levels of security.


If the software does not have ONC-ATCB certification, do not buy it. Move your search on to a provider that does.

Audit Trails

EHR security can be enhanced using audit trails. Audit trails provide documentary evidence of every transaction undertaken with a patient’s information. In addition to logging what action has been taken on a record, the trail records who made the update and when.

By recording this information, EHR systems allow administrators and users to conduct regular activity reviews and flag anything suspicious. As well as ensuring patient confidentiality is maintained and that no malicious activity has taken place, EHR audit trails help ensure there are no HIPAA breaches that could cost a practice thousands of dollars in fines.

A further benefit of using an EHR with excellent auditing provisions is that patient portals can email patients when a change is made to their records. This level of transparency allows patients to flag any potential privacy or security breach and builds layers of trust between the patient and the practice.

A practice that invests in an EHR system without robust built-in auditing features is much more likely to suffer a security breach, and it must rely on considerably more manual record-keeping by staff each time a record is amended. This is not cost-effective.
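The following is an added example, not code from the original article or from any EHR product. It shows the two properties the section describes: each entry records who did what to which record and when, and the trail can be reviewed to flag suspicious activity. It goes one step beyond the text by hash-chaining the entries so that an altered or deleted entry is detectable. The account names, patient identifiers, working hours and "too many records in ten minutes" threshold are all constructed for the example.

```python
"""Tamper-evident EHR audit trail with a simple activity review (added example)."""
from __future__ import annotations

import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuditEntry:
    user: str
    action: str          # e.g. "view" or "update"
    patient_id: str
    timestamp: datetime
    prev_hash: str       # hash of the previous entry; links the chain
    entry_hash: str = ""


class AuditTrail:
    """Append-only log; every entry commits to the hash of the one before it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    @staticmethod
    def _digest(user, action, patient_id, timestamp, prev_hash) -> str:
        payload = json.dumps([user, action, patient_id, timestamp.isoformat(), prev_hash])
        return hashlib.sha256(payload.encode()).hexdigest()

    def record(self, user: str, action: str, patient_id: str, timestamp: datetime) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = AuditEntry(user, action, patient_id, timestamp, prev)
        entry.entry_hash = self._digest(user, action, patient_id, timestamp, prev)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if no entry has been altered, reordered or removed."""
        prev = self.GENESIS
        for e in self.entries:
            expected = self._digest(e.user, e.action, e.patient_id, e.timestamp, e.prev_hash)
            if e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True


def review(trail: AuditTrail, work_start: int = 8, work_end: int = 18,
           window: timedelta = timedelta(minutes=10), max_records: int = 5) -> list[str]:
    """Flag out-of-hours access and bursts of distinct-record access (assumed thresholds)."""
    flags: list[str] = []
    per_user = defaultdict(list)
    for e in trail.entries:
        if not (work_start <= e.timestamp.hour < work_end):
            flags.append(f"{e.user} accessed {e.patient_id} out of hours at {e.timestamp:%Y-%m-%d %H:%M}")
        per_user[e.user].append(e)
    for user, entries in per_user.items():
        entries.sort(key=lambda x: x.timestamp)
        for i, start in enumerate(entries):
            in_window = [x for x in entries[i:] if x.timestamp - start.timestamp <= window]
            distinct = {x.patient_id for x in in_window}
            if len(distinct) > max_records:
                flags.append(f"{user} touched {len(distinct)} distinct records within {window}")
                break
    return flags


def build_sample_trail() -> AuditTrail:
    """Constructed sample activity; none of this is real data."""
    trail = AuditTrail()
    base = datetime(2024, 3, 4, 9, 0)
    # Ordinary clinic activity: one nurse viewing and updating two patients.
    trail.record("nurse.j", "view", "P-1001", base)
    trail.record("nurse.j", "update", "P-1001", base + timedelta(minutes=3))
    trail.record("nurse.j", "view", "P-1002", base + timedelta(minutes=20))
    # Worth a look: one account viewing six different records within three minutes, at 2 a.m.
    late = datetime(2024, 3, 5, 2, 0)
    for i in range(6):
        trail.record("temp.x", "view", f"P-20{i:02d}", late + timedelta(seconds=30 * i))
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("chain intact:", t.verify())
    for f in review(t):
        print("FLAG:", f)
```

The review heuristics are deliberately simple; in practice the thresholds would be tuned to the practice's staffing and hours, and a flagged entry is a prompt for a human to check whether the access had a legitimate clinical reason, not a verdict.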

Password Protection

Asking users to create complex passwords is one layer of EHR security that practices can insist on. However, no matter how secure a user thinks their password is, a single secured gateway leaves patients’ information vulnerable to malicious attacks.

Because of the sensitive nature of patient information, an EHR should offer at least one additional access control, and ideally a combination of them.

The EHR can lock users out of the system after they have entered an incorrect password too many times. A system administrator can then reinstate their access once their identity has been verified; one of the safest ways to do this is to ask the user additional security questions for validation.

In addition, the system can be set up to ensure passwords are changed regularly, limiting the window in which a discovered password can be used to cause a data breach. Two-factor authentication, where a single-use code is sent to a separate device after the password has been entered, provides a further level of security and assurance that patients’ records are secure.
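To make the controls in this section concrete, here is an added example, not code from the original article or from any EHR vendor, of a login flow that combines them: salted password hashing, lockout after repeated failures, administrator reinstatement once identity has been verified, a maximum password age, and a single-use second-factor code. The thresholds (three failed attempts, 90-day password age, five-minute code lifetime) and the account details are assumptions chosen for the example; the list that stands in for the SMS or authenticator-app channel is a test stub.

```python
"""Password lockout, admin reinstatement, password expiry and one-time code (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                  # assumed policy values for the example
PASSWORD_MAX_AGE = timedelta(days=90)
CODE_LIFETIME = timedelta(minutes=5)
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class UserAccount:
    username: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False
    pending_code: str | None = None
    code_expires_at: datetime | None = None


class Authenticator:
    def __init__(self) -> None:
        self.users: dict[str, UserAccount] = {}
        self.sent_codes: list[tuple[str, str]] = []   # stub for the separate-device channel

    def register(self, username: str, password: str, now: datetime) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = UserAccount(username, salt, hash_password(password, salt), now)

    def check_password(self, username: str, password: str, now: datetime) -> str:
        """First factor. Returns 'locked', 'denied', 'expired' or 'code_sent'."""
        user = self.users[username]
        if user.locked:
            return "locked"
        if not hmac.compare_digest(user.password_hash, hash_password(password, user.salt)):
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked = True            # only an administrator can reinstate
                return "locked"
            return "denied"
        user.failed_attempts = 0
        if now - user.password_set_at > PASSWORD_MAX_AGE:
            return "expired"                  # force a password change before proceeding
        # Second factor: a fresh single-use code sent to a separate device.
        user.pending_code = f"{secrets.randbelow(1_000_000):06d}"
        user.code_expires_at = now + CODE_LIFETIME
        self.sent_codes.append((username, user.pending_code))
        return "code_sent"

    def check_code(self, username: str, code: str, now: datetime) -> bool:
        user = self.users[username]
        if user.pending_code is None or now > user.code_expires_at:
            return False
        ok = hmac.compare_digest(user.pending_code, code)
        user.pending_code = None              # consumed whether or not it matched
        user.code_expires_at = None
        return ok

    def admin_unlock(self, username: str, identity_verified: bool) -> bool:
        """Administrator reinstates access after verifying the user's identity."""
        if not identity_verified:
            return False
        user = self.users[username]
        user.locked = False
        user.failed_attempts = 0
        return True

    def change_password(self, username: str, new_password: str, now: datetime) -> None:
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.password_set_at = now


def demo() -> dict:
    """Walk the flow with constructed inputs and return each observed outcome."""
    auth = Authenticator()
    t0 = datetime(2024, 3, 4, 9, 0)
    pw = "correct horse battery staple"     # constructed credential
    auth.register("dr.smith", pw, t0)
    r = {}
    r["wrong1"] = auth.check_password("dr.smith", "guess1", t0)
    r["wrong2"] = auth.check_password("dr.smith", "guess2", t0)
    r["wrong3"] = auth.check_password("dr.smith", "guess3", t0)            # third failure locks
    r["right_while_locked"] = auth.check_password("dr.smith", pw, t0)       # still locked
    r["unlock"] = auth.admin_unlock("dr.smith", identity_verified=True)
    r["first_factor"] = auth.check_password("dr.smith", pw, t0)
    _, code = auth.sent_codes[-1]
    r["second_factor"] = auth.check_code("dr.smith", code, t0 + timedelta(minutes=1))
    r["replay"] = auth.check_code("dr.smith", code, t0 + timedelta(minutes=2))
    r["expired"] = auth.check_password("dr.smith", pw, t0 + timedelta(days=120))
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>20}: {outcome}")
```

Two design points worth noting: the one-time code is cleared on any check, right or wrong, so it cannot be guessed by repeated submission, and the lockout state is separate from the failure counter so that reinstatement is an explicit administrative action rather than a timeout.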

Data Encryption

Allowing EHRs to interact securely with other systems within the healthcare arena is one of the most significant benefits of using an online portal to hold patient records. EHR software that employs data encryption allows patients’ information to be transferred between different systems without being readable in plain text if it is intercepted.

If data is stolen, the encryption will limit the damage, making it unreadable and unusable by rogue elements. In addition, encryption allows sensitive information to be accessed only by people with a specified level of access.

Although data encryption is not required for EHR software to achieve certification, investing extra in a system that does offer data encryption provides significantly increased levels of security and peace of mind for practice staff and patients.

Practices using EHRs without data encryption will be vulnerable to hackers and unauthorized users when transferring patient information to other healthcare providers or patients. This can jeopardize patient treatment plans and referrals.

Assess Your Risk

Before investing in EHR security, conduct a thorough security risk assessment to understand your practice’s needs. This will help when researching EHR vendors and procuring a solution that meets the security and privacy needs of your practice and your patients.
