The feeling of innovation that comes from using an EHR can also be matched by the fear that a HIPAA violation is more likely to occur.
I sometimes feel completely overwhelmed by the technology that I have at my disposal practicing as a physician assistant. We use both inpatient and outpatient EHRs. This EHR allows us to be much more efficient in our delivery of patient care and much more efficient in sharing information with other healthcare professionals with whom we do business.
I have never really cared for the handwritten record. I have lousy handwriting and creating a long detailed note is time-consuming and tiring, and it is easy to leave out information in trying to complete the task. Although I’m in my sixth decade of life, I have worked very hard to stay abreast of technology and I am thankful that I type much faster than I can write. When widespread implementation of EHRs became a reality, I was very happy and an early adopter of this technology.
As I have written about in previous blogs, there are significant hazards with computerized physician order entry (CPOE) and the EHR, not the least of which is a new category of mistakes related to “cloning” information (and the inadvertent cloning of bad/erroneous information), among other things. A new problem related to EHRs is emerging.
HIPAA violations caused by EHRs are becoming increasingly prevalent. Many practices are adopting “cloud-based” EHRs, and this increases the potential for breaches of patient confidentiality. In January, HHS issued new rules, which tighten the regulations regarding HIPAA violations. Reporting requirements for breaches and potential breaches are much stricter now. The rules also extend scrutiny to “business associates” of physicians’ and facilities’ practices.
For example, if the company that you pay to archive your old, out-of-date records causes a breach of patient confidential information, your practice could also be liable for that breach. Another example would be the vendor that you may use for shredding your paper records. If some worker at the shredding company decides to chuck your files into the dumpster as opposed to actually shredding them, you could be held liable for that breach of patient information. It is all pretty sobering.
It has caused me to think very carefully about all of the electronic data that I create, look at, and transmit every day. When there was a physical, paper record in the inpatient and outpatient environments, it was easy to secure that document in a physical way. This is no longer the case. That data can be reached on the Internet, on the remote and local servers, or by leaving it accessible on a computer terminal in the clinic and inpatient environment. Technology sometimes makes things easier and more complicated at the same time!
We are all reminded continuously in the inpatient environment about patient record confidentiality, and my inpatient facility’s diligence in protecting patient confidentiality has motivated me to look at my own practice outside of the inpatient environment. Reading about the new rules has made me analyze patient health data use and storage in our private practice also. The potential for dramatically increased penalties should encourage all clinicians to analyze their patient record security as well as their relationships with “business associates.”
In researching my own private practice EHR “cloud” provider, I’m happy to report that our software is completely HIPAA-compliant and everything is secure regarding the transmission of patient data and pictures across the Internet. I was further assured that the data connection across the Internet uses 256-bit encryption, which is more than double the security that banks offer. I’m now motivated to look at every aspect of our data collection, storage, and dissemination systems to make sure patient confidentiality is protected.
Like it or not, the electronic age of the practice of medicine is in full swing, and spreading rapidly to all parts of the healthcare system. We have little choice in the modern practice of medicine other than to accept the new reality and do our best to become fluent in the new electronic language.
This blog was provided in partnership with the American Academy of Physician Assistants.