What Every Individual Should Know
We live in a tech-savvy culture. Handwriting has transitioned to typewriters; typewriters became computers; computers turned into tablets; and the tech-advancements train isn’t slowing down anytime soon. This reality is reflected in the healthcare industry, as written doctors’ notes and screeching fax machines have given way to electronic health records that are created, stored and tracked by all kinds of electronic means. With this age of technology come challenges as well, such as protecting your clients’ security.
But what does this mean for healthcare providers who must protect the safety and confidentiality of the personal health information of each patient? One example is guarding your clients from potential security breaches.
Scanning the Value of Electronic Health Records
In an article on the US National Library of Medicine website, Donna P. Manca, MD MClSc FCFP, identifies the value of utilizing electronic health records, saying, “Electronic medical records improve quality of care, patient outcomes, and safety through improved management, reduction in medication errors, reduction in unnecessary investigations, and improved communication and interactions among primary care providers, patients, and other providers involved in care.”
Dr. Manca continued, “Electronic medical records improve the work lives of family physicians despite some subjective concerns about implementation costs and time. Electronic medical records have been demonstrated to improve efficiencies in work flow through reducing the time required to pull charts, improving access to comprehensive patient data, helping to manage prescriptions, improving scheduling of patient appointments, and providing remote access to patients’ charts.”
Further Proof of Value to Security
The Office of the National Coordinator for Health Information Technology also identifies the many monumental benefits of healthcare providers’ use of electronic medical records, saying:
“Electronic medical records (EHRs) and the ability to exchange health information electronically can help you provide higher quality and safer care for patients while creating tangible enhancements for your organization. EHRs help providers better manage care for patients and provide better health care by:
- Providing accurate, up-to-date, and complete records about patients at the point of care
- Enabling quick access to patient records for more efficient care
- Securely sharing electronic information with patients and other doctors
- Helping providers more effectively diagnose patients, reduce medical errors, and provide safer care
- Improving patient and provider interaction and communication, as well as health care convenience
- Enabling safer, more reliable prescribing
- Helping promote legible, complete filing and accurate, streamlined coding and billing
- Enhancing privacy and security of patient data
- Helping providers improve productivity and work-life balance
- Enabling providers to improve efficiency and meet their business goals
- Reducing costs through less paperwork, raised safety, reduced duplication of testing, and improved health.”
Appreciate the Good, Guard Against the Bad
Along with all the benefits of electronic medical records, however, their use also ups the ante on ensuring the safety and security of the private health information they contain. For this reason, the U.S. Department of Health and Human Services (HHS) implemented the HIPAA Security Rule as a way to help healthcare providers to guard against – and to be better prepared to react against – potential security breaches or incidents.
This could include events such as:
- The compromised integrity of data
- Theft or misuse of information
- Lost or stolen computers or other forms of media storage
- Natural or physical disasters
- Identity theft or hackers.
The Necessity of an ePHI Risk Analysis
The HIPAA Security Rule requires that a risk analysis of electronic personal health information (ePHI) be completed to establish security measures that could reduce the occurrence and impact of risks that can be anticipated.
According to HHS, an ePHI risk analysis basically requires:
- The review of the presence of all electronic medical records that your organization creates, receives, maintains or sends. This can include hard drives, laptop computers, backups, smart cards, and all other forms of electronic media.
- The documentation of all data collection, including how ePHI (as shown in HIPAA regulations) is stored, received, sent and accessed; who has access to it; and how they go about accessing it.
- The assessment of current security measures. Based on the relevant data collected, all possible threats (human, natural, environmental, etc.) and any potential weaknesses (lack of strong security controls, inconsistent or non-existent policies, etc.) must be recorded.
- These risks and weaknesses must then be categorized into high, medium and low risk levels to determine the most likely threats to guard against and the impact that each of those threats could have.
- At that point a list of corrective actions – policies in place, training on new processes, physical safeguards, etc. – should be implemented, reviewed and regularly updated.
The Consequences of Failing
The risk analysis process is extensive and very time consuming, which initially caused some resistance to using the process. However, one key way that HHS enforces the importance of abiding by this rule is by requiring it before providers receive Medicare and Medicaid EHR incentive payments. These “Meaningful Use” payments are only provided after a risk analysis has been completed, identified security holes have been corrected and you have attested to their conclusion.
Furthermore, for adopting and demonstrating meaningful use of electronic health records, eligible physicians and other health care professionals could receive up to $63,750. However, the failure to demonstrate meaningful use can result in penalties – starting at 1% of Medicare Part B reimbursements and increasing each year to a maximum of 5%. In 2017, more than 170,000 U.S. healthcare providers faced these types of penalties.
You are Not Alone – SecureMed has Your Back!
Although the implementation of a risk analysis for ePHI can seem overwhelming to even small or medium-sized healthcare facilities, there is help available! Especially with the increased document and data security measures implemented in Alabama in 2018, now – more than ever before – consider contacting SecureMed to discover how you can minimize your risks of ePHI getting into the wrong hands. Learn how to reduce the impact of data breaches and increase your reasonable efforts to protect your patients’ electronic health records!