Are Electronic Health Records ‘Safer’ Than Paper Records?

May 11, 2011

Are electronic records really more risky than paper records? They certainly can be, if proper data and network security procedures aren’t designed and implemented.

The risks associated with electronic health records are frequently mentioned as a reason not to adopt EHRs. The argument goes that the risk is too great with electronic records, because they can’t be protected, particularly from outside hackers. Recent highly publicized data breaches have added fuel to the fire.

But are electronic records really more risky than paper records? They certainly can be, if proper data and network security procedures aren’t designed and implemented. That is just one of the reasons that it is critical that all proper HIPAA Security Rule specifications are followed carefully. The HIPAA Security Rule is much too complicated to address in detail here, but in a nutshell it is intended to protect Electronic Protected Health Information (EPHI) from unauthorized or accidental theft, loss, destruction or access, from individuals either inside or outside the practice.

There is no question that if a breach occurs, it might be possible to compromise many more electronic records. After all, it would take a dolly to cart away even a few hundred paper records, whereas with today’s large-capacity/small-form-factor portable hard drives, a person could store millions of electronic patient records literally inside a small backpack or purse.

However, electronic patient records actually have several important advantages over paper records, even in the area of security. Three of those advantages are discussed below:

First, there is generally no audit trail on paper records. Not only can you not track who may have compromised a paper patient file, it is generally not possible to even tell who accessed a file in the first place, whether for legitimate purposes or otherwise. So in that case, electronic patient records have a big advantage over paper. If a breach or unauthorized access were to occur, it is usually possible to find out who was responsible. This is almost never possible with paper records.

Second, if electronic records are properly secured, they would be encrypted such that even if someone were to breach a medical practice’s network and get to the data, they would not be able to actually decode the data without the encryption key. Just gaining access to the data, and making or taking a copy of it offsite, does not necessarily compromise the data or make it readable. Of course if users within the practice fail to follow the encryption guidelines, all bets are off.

Lastly, data-backup procedures - if properly followed - will allow a practice to recover their patient records in the event of accidental or intentional loss or destruction, such as from fire, flood, or theft. Here is where portability of electronic records and the fact that millions of pages of patient data can be stored electronically can actually pay off. The recent episodes of flooding in the Midwest and tornadoes in the South highlighted the risks of a practice having a massive room full of paper records. It’s not feasible to have even a second copy of all the paper patient records stored offsite.

Paper patient records are not subject to being breached by hackers over the internet, but electronic patient records - if properly secured and implemented according to HIPAA Security Rule best practices - can actually provide key advantages in both the prevention of and recovery from security incidents.

Learn more about Marion Jenkins and our other contributing bloggers here.