It can seem like too much of an inconvenience: you buy new software, then switch all existing patient files over to the new system and change everything about the way patient health information is tracked.
I get it, that’s a lot. But failure to adopt an EHR system will only result in patient privacy violations down the line. In this article, we’ll review patient privacy and go through some of the essential features in EHR systems that serve to protect you and your patients. Here’s what we’ll cover:
Patient Privacy Matters
Patient privacy is a big deal. We know it matters to patients because we asked them back in 2015. Eighty-six percent of respondents expressed some level of concern about a health information security breach. Almost a quarter of patients surveyed (21 percent) said they have withheld personal health information from their doctors due to fear of a security breach that may result in identity theft. And finally, over half of patients said they would find a new doctor if their current physician’s office suffered a security breach.
We also know that security is a concern for medical practices thanks to a 2017 Gartner survey on Top Technology Trends. This was clear when small and midsize health care practices were asked to rank a list of potential roadblocks towards achieving business goals in the coming years:
Knowing how patients feel about the risk of a data breach and how physicians feel about adopting new technologies, you might be wondering: Why bother with an EHR at all? Well, the short answer is because you have to in order to stay eligible for Medicare and Medicaid reimbursement. The longer answer is that physicians who hesitate to adopt EHRs are endangering their practices by risking HIPAA violations—violations that can be easily prevented through the use of certified EHRs that follow protocol automatically and protect users from many common mistakes.
EHR security measures come standard with most systems in the form of features. Here’s where we’ll discuss a few of the most essential security features of EHR systems.
Many EHR Security Measures Come Standard
The main benefit of adopting an EHR is the software’s intrinsic ability to protect you and your patients from data breaches thanks to a few features that come standard with most products. Those features are:
ONC-ATCB Certification
It’s true that software products in any market will vary in the list of features offered, but physicians are fortunate enough to have the government mandate a few features that IT vendors must provide to all users. Thanks to these requirements, the first question you need to ask yourself about the system you’re selecting is a simple one: Is the product ONC-ATCB Certified? This is a straightforward yes or no question for vendors—either their software has been tested and approved by an Authorized Testing and Certification Body recognized by the Office of the National Coordinator, or it hasn’t.
For reference, all of the products considered for our EMR FrontRunners Quadrant must be ONC-ATCB Certified. We’ve previously covered the different Authorized Testing and Certification Bodies and what they look for when evaluating EHR systems. To quickly recap, there are three main “checkpoints” products are required to pass in order to become certified. They are:
There are almost 400 different criteria being looked at within those three checkpoints, so you can bet any product with this certification has been thoroughly vetted.
WHAT’S AT STAKE: Practices that adopt EHR systems without proper certification will have their bottom line affected by not meeting government requirements for certain reimbursement programs. You could also end up paying for a system that doesn’t meet security standards and is therefore more vulnerable to a breach.
Audit Trails
Audit trails provide documentation to keep track of every single action taken with patients’ information by automatically registering and recording who accesses the system, where they are, when they’re accessing and what they do once they’re in.
[Image: Audit trail feature within Practice Fusion]
By logging all of this information, EHR systems enable users to conduct regular reviews and flag suspicious activity that could lead to HIPAA violations. Reviews can also prevent mistakes caused by human error, which we cover in more detail in the follow-up to this report.
Many EHR systems with auditing capabilities and patient portals can be set up to send notification emails to patients every time their information is accessed. This transparency allows patients to quickly report possible breaches if a notification email is received when they did not log into their account. As with most things, the sooner you become aware of a problem, the sooner you can fix it—and audit trails will make the fixing a great deal easier.
WHAT’S AT STAKE: Practices adopting EHRs with minimal or nonexistent auditing features are automatically making things more difficult. Without this feature, you’ll have to manually record every action taken that deals with patient information or face heavy consequences when—not if—a security breach occurs.
Password Protection
This one might seem like a no-brainer, but it goes beyond simply requiring users to create a password to access their information.
Because of the sensitive nature of patient data, EHRs should offer additional access controls such as:
[Image: Password settings within drchrono’s EHR system]
Of course, passwords are another area where human error can cause a lot of problems. And, while you can only do so much to make sure your patients take their passwords seriously, physicians have to accept responsibility for this potential privacy weakness as well. A study in 2017 found that 73 percent of medical professionals have violated password security protocol by using a co-worker’s password to access their EHR.
Knowing this, you’re naturally going to want to enact a few strict best practices when it comes to using passwords in your own office. For example, you might want to set up password requirements so that when they’re created they are complex and difficult to guess.
WHAT’S AT STAKE: If passwords are simple, shared among users or never changed, the odds of accidentally allowing outside access to patient information increase exponentially.
Data Encryption
Encrypting your data can go a little way towards helping cover over any lackluster passwords or sticky notes stuck to computer monitors (though I have to seriously recommend not writing down your password and leaving it where anyone walking by can see). By coding the information in a way that can only be deciphered by authorized programs or users in possession of the access code, EHRs can make transferring patient data (such as test results or diagnoses to patients via patient portals or medical histories to referrals) safer. Additionally, encryption can minimize damage in the event your data is stolen. It can also allow for securing information within your office when paired with role-based access control, so only staff members with clearance can see the decrypted information.
Data encryption is not a required feature for HIPAA certification, but it’s absolutely something you want to look into when evaluating EHR products.
If a software vendor you’re interested in does not offer this security option, make sure you know why—Is it due to cost? Do they use a third party to encrypt data?—and that you’re happy with their reason for not doing so.
WHAT’S AT STAKE: Practices using EHRs without data encryption are most vulnerable when transferring data, which is required for things like treatment plans, referrals and prescriptions. Without encrypted data, hackers or unauthorized users can view and steal patient information.
Next Step: Assess Your Risk
Now that you’re fully aware of the many built-in EHR security measures, you’ll want to begin researching products to find the best system for your practice. First, though, you should conduct a security risk assessment. HIPAA requires all “covered entities” to conduct one of these security risk assessments at least once a year, or any time changes are made to security protocols. There are several tools to make these assessments easier, or practices can hire third-party or consultant firms to make the assessment for them. No matter what route you take, your security risk assessment should reveal a few important things:
Once you determine where your potential problems lie, you can work on establishing a stronger plan to prevent them—whether that means adopting a new EHR system, creating stronger best practices for your team or both.
What type of safeguards are needed to secure an electronic health record system?
A few of the safety measures built in to electronic health record (EHR) systems to protect your medical record may include: “Access control” tools like passwords and PIN numbers, to limit access to patient information to authorized individuals, like the patient's doctors or nurses. "Encrypting" stored information.
What is an appropriate security protocol that should be implemented with electronic health records?
Some of those EHR security features are: HIPAA and HITECH Compliance, Audit Trails, Data Encryption, Password Protection, ONC-ATCB Certification.
What are the top three electronic health record platforms?
Looking for the best Electronic Medical Record (EMR/EHR) for your practice? Epic, Praxis EMR, Cerner, GE Centricity, Nextech, eClinicalWorks, Athenahealth, Allscripts, Nextgen, Meditech.
Which 2 of the following are barriers to electronic health records?
EHR system costs, lack of buy-in, along with usability and training often come up as barriers to implementation.
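
The regular audit-trail review described under Audit Trails, pointed at the password-sharing problem from Password Protection, as an added example that is not from the original article or any EHR vendor. The CSV column names, account names, workstation names and the five-minute window are assumptions; the records are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed audit-trail export; column names are hypothetical, not any vendor's.
SAMPLE_AUDIT_CSV = """\
timestamp,user,workstation,action,patient_id
2024-03-04T09:02:11,dr.lee,EXAM-1,VIEW_CHART,P-1001
2024-03-04T09:05:40,dr.lee,EXAM-1,EDIT_NOTE,P-1001
2024-03-04T09:07:02,dr.lee,FRONT-DESK,VIEW_CHART,P-2040
2024-03-04T09:30:00,nurse.kim,EXAM-2,VIEW_CHART,P-1001
2024-03-04T13:15:00,nurse.kim,EXAM-3,VIEW_CHART,P-3300
2024-03-04T14:00:00,dr.lee,EXAM-1,VIEW_CHART,P-1002
"""

def load_events(text):
    """Parse the export into dicts sorted by time (who, where, when, what)."""
    events = list(csv.DictReader(io.StringIO(text)))
    for ev in events:
        ev["timestamp"] = datetime.fromisoformat(ev["timestamp"])
    return sorted(events, key=lambda ev: ev["timestamp"])

def flag_shared_logins(events, window=timedelta(minutes=5)):
    """Flag an account that appears on a different workstation within `window`
    of its previous action: a review lead for a shared or borrowed password."""
    findings, last_seen = [], {}
    for ev in events:
        prev = last_seen.get(ev["user"])
        if (prev and prev["workstation"] != ev["workstation"]
                and ev["timestamp"] - prev["timestamp"] <= window):
            findings.append({
                "user": ev["user"],
                "workstations": (prev["workstation"], ev["workstation"]),
                "gap_seconds": int((ev["timestamp"] - prev["timestamp"]).total_seconds()),
                "patient_id": ev["patient_id"],
            })
        last_seen[ev["user"]] = ev
    return findings

def access_report(events, patient_id):
    """List every recorded touch of one patient's chart, e.g. for a review
    after the patient reports an access notification they did not expect."""
    return [(ev["timestamp"].isoformat(), ev["user"], ev["action"])
            for ev in events if ev["patient_id"] == patient_id]

if __name__ == "__main__":
    events = load_events(SAMPLE_AUDIT_CSV)
    print(flag_shared_logins(events))
    print(access_report(events, "P-1001"))
```

A hit is a lead for a human reviewer, not proof of a violation: a clinician can legitimately move between rooms, so the window should reflect how the office actually works.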