Posted by: Dr. David Scher, DLS Healthcare Consulting
1. Privilege management
This refers to managing which users may access which features and data of the EHR system. Some EHRs predefine the roles and their access; others leave this for the practice to determine. It is a fluid process that will be dictated by changes in personnel roles over time. The assignment of user roles should be left to the practice or IT managers. This management is protective from both a technical and a HIPAA standpoint. It should also apply to Internet access in general, as many EHRs are ‘cloud-based’, and it will reduce the introduction of viruses and other common problems.
2. EHR security and malpractice issues
All EHR entries are date- and time-stamped, both the original record and every modification of it. The entire staff should be made aware of the many medico-legal implications of this. Everyone from schedulers to technicians to all clinical personnel (including physicians, sometimes the worst violation culprits of all) should be taught the usual important points about the medical record: stating just facts; keeping it short, pertinent, and complete; and closed-loop follow-up of conversations and treatment changes. The entry log may be audited by the practice or IT manager, as well as by attorneys during discovery. So it is important to know that once an entry is made, it cannot be erased.
3. Breaches of hospital EHR security are not by hackers, but by lost or stolen information or noncompliance with regulations
Seven hospitals were audited by the Inspector General as part of its oversight of the Office for Civil Rights, which oversees HIPAA compliance. "Although each of the seven hospitals had implemented some controls, policies and procedures to protect ePHI [electronic protected health information] from improper alteration or destruction, none had sufficiently implemented the administrative, technical and physical safeguard provisions of the Security Rule," the report states. The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. This emphasizes that strict security measures need to be in place and enforced.
With regard to technical security, regularly changing login passwords, removing access for personnel who are suspended or who leave the practice or hospital, and mandating log-off after use all make it easy to identify users and their activity. Interoperating only with systems or products that have adequate security provisions is also paramount, and ONC certification of an EHR will not necessarily address this issue.
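As an added illustration of points 1 and 2 above and the access-revocation advice in point 3 (example code written for this page, not from the post or any EHR product): a toy EHR model with role-based privileges, an append-only time-stamped audit log, and amendments that never overwrite the original entry. The role names and permissions are constructed; a real practice defines its own.

```python
from datetime import datetime, timezone
# Constructed example roles and the features each may use; a real practice
# defines its own (some EHRs predefine them, some leave it to the practice).
ROLE_PERMISSIONS = {
    "scheduler": {"read_demographics", "edit_schedule"},
    "technician": {"read_demographics", "read_chart", "add_entry"},
    "physician": {"read_demographics", "read_chart", "add_entry", "amend_entry"},
    "it_manager": {"manage_users", "read_audit_log"},
}

class EHR:
    def __init__(self, first_admin):
        self.users = {first_admin: "it_manager"}  # username -> role; revoked users keep the name with role None
        self.entries = []    # append-only: an amendment is a new entry, never an overwrite
        self.audit_log = []  # append-only: every attempt, allowed or denied, is time-stamped

    def _log(self, user, action, detail, allowed=True):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                               "action": action, "detail": detail, "allowed": allowed})

    def _require(self, user, perm):
        role = self.users.get(user)  # None for unknown or revoked users
        if role is None or perm not in ROLE_PERMISSIONS[role]:
            self._log(user, perm, "denied", allowed=False)
            raise PermissionError(f"{user!r} may not {perm}")

    def set_role(self, admin, username, role):
        # role=None revokes access; the name is kept so old log lines stay attributable
        self._require(admin, "manage_users")
        self.users[username] = role
        self._log(admin, "manage_users", f"{username} -> {role or 'revoked'}")

    def add_entry(self, user, patient_id, text, supersedes=None):
        perm = "amend_entry" if supersedes is not None else "add_entry"
        self._require(user, perm)
        entry_id = len(self.entries)
        self.entries.append({"id": entry_id, "patient": patient_id, "author": user,
                             "ts": datetime.now(timezone.utc).isoformat(),
                             "text": text, "supersedes": supersedes})
        self._log(user, perm, f"entry {entry_id} for patient {patient_id}")
        return entry_id

    def chart(self, user, patient_id):  # full history; superseded entries are never erased
        self._require(user, "read_chart")
        return [e for e in self.entries if e["patient"] == patient_id]

    def audit(self, user):
        self._require(user, "read_audit_log")
        return list(self.audit_log)
```

Denied attempts are logged too, so the audit trail shows a revoked account still trying to write, which is exactly what a practice or IT manager reviewing the log wants to see.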
4. An EHR will NOT provide all necessary security
In a 2010 national survey of 200 representative physician practices conducted by CDW Healthcare, 30% reported that they did not use basic antivirus software and 34% did not use network firewalls. This is a recipe for disaster. Some EHR companies offer little in the way of implementation help. It is imperative for practice managers to work with hospital CIOs to make sure the office systems are secure, in addition to the EHR meeting all security standards, including the security portion of Meaningful Use.
5. Data must be securely stored
How data is displayed and transferred from one employee to another is one important aspect of secure storage. Leaving a computer screen unlocked, or leaving a tablet where any other employee or patient can see it, violates privacy. Proper training of workers is necessary in this regard. All computers and tablets should be tagged and regularly inventoried so that a theft does not go unnoticed. Servers need to be secured. Regular security testing of the system needs to be performed.
Thus, EHR security involves many layers, from personnel to technical assurances, both automatic and supervised. It is up to all who deal with the record to do their part to maximize security. The physician, as usual, holds much of the liability for the record. These tips should help.
Dr. David Scher was a practicing cardiac electrophysiologist for 20 years with extensive experience as a clinical investigator, reimbursement committee member, and institutional review board chair. He is currently director at DLS HEALTHCARE CONSULTING, LLC with a focus on medical device and mobile health companies. You can reach Dr. Scher at dlschermd@gmail.com or on Twitter at dlschermd.
On May 31, 2011, the Department of Health and Human Services’ (HHS) Office for Civil Rights proposed a new rule recommending that patients have the right to ask for a report on who has accessed their medical records. The recommendation has been out for public comment since that time.
Posted by: gaylordsecurity.com | 07/04/2012 at 10:24 PM