EHR security: It's everyone's battle
EHR security: that's an IT thing, right? Sure it is.
But is it just an IT thing? Far from it, says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Ariz. HIM professionals will naturally have their hands on their facility's EHR, and there's never enough information, training, and policies on security.
"From mid-sized to small hospitals, the first thing people do when they talk about EHRs is they immediately equate it being electronic, so IT owns it," Ruelas says. "Of course, that's not the case. IT is certainly very integral in providing the infrastructure. … Sometimes we forget maybe it's not just IT, and really it's all of us, especially those folks who touch the medical records. It is an organization-wide effort trying to get an EHR to work."
It's also a struggle to keep it secure. Luckily, HIM professionals can, and should, be involved in the security effort since, as Ruelas says, they will be constantly touching the electronic record. "You are going to be putting some of the most sensitive data in a single location," he says, "which can be compromised or really there can be losses."
What the government says about security
How do you avoid those losses?
The Office of the National Coordinator for Health IT (ONC) published its Guide to Privacy and Security of Health Information in May. The guide says a risk analysis, such as the one required in order to obtain meaningful use incentives, is best practice.
"Risk analysis is an ongoing process that should provide your medical practice with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI," says ONC.
In addition, the HIPAA Security Rule, §164.308(a)(1)(ii)(A), requires a risk analysis:
HIPAA requires that covered entities "implement policies and procedures to prevent, detect, contain, and correct security violations" by conducting "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the [organization]."
Here's what you should identify in your analysis:
- Security vulnerabilities (e.g., improperly configured user access controls that allow staff to inappropriately view patient health information)
- Threats to PHI (e.g., theft of portable devices that store or can access patient information)
Your risk analysis can lead to a security update, which "could be updated software, changes in workflow processes or storage methods, new or updated policies and procedures, staff training, or any other necessary corrective action that needs to take place to eliminate security deficiency or deficiencies identified in the risk analysis," ONC writes in its report.
A security risk analysis is like examining and testing a patient to assess clinical risk and diagnose a condition, states the report. "Just as you use a diagnosis and other clinical data to plan treatment, you will use the risk analysis to create an action plan to make your practice better at protecting patient information."
Engaging staff on EHR use
HIM professionals, in doing their part to contribute to EHR security efforts, must reach out to all users of the EHR. But before you do that, advises Ruelas, take inventory on who uses the EHR system and how heavily they use it. Once you have that information, you'll be able to give more weight to the input from the largest group of stakeholders.
"One of the biggest problems is not getting input from users," Ruelas says. "Do I know exactly what the RNs need? When's the last time I treated a patient? Get your feedback but scale your feedback through your users. If the RNs are the largest component using the EHR, then weigh that input much more heavily than you would, say, a chief medical officer or the chief RN. For whatever reason, their feedback gets amplified much more. But let's get those users who use it every day and not just leadership."
One thing on which you should engage leadership, though, is EHR encryption. Under the HIPAA Security Rule §164.312, technical safeguards, encryption is addressable. That means it's up to you.
"If data is lost or stolen, you can't do anything about that, but you can do things to protect the data," Ruelas says. "A lot of these data breaches out there could have been protected with encryption. Who wouldn't want to trade that and go back and revisit encryption?"
In addition, some government folks think encryption should be mandatory. The HIT Policy Committee, a privacy/security workgroup for ONC, said in May 2010 that encryption should be required for one-on-one exchanges between providers regarding treatments. The work group suggested that encryption should ideally be required (mandated through meaningful use/certification criteria or a modification to the HIPAA Security Rule) when the potential exists for transmitted data to be exposed. Moreover, exchanges should include the following encryption features:
- No ability for facilitator to access content
- Limits on identifiable (or potentially identifiable) information in the message
- Identification and authentication
No further formal actions have been taken as a result of the recommendations. The breach notification interim final rule creates a safe harbor for unsecured PHI that is encrypted by certain standards; in other words, covered entities and business associates don't need to notify individuals of breaches involving such encrypted PHI.
Tips for HIM professionals
HIM professionals have a "large amount of experience" when it comes to handling EHRs, Ruelas says. Directors who have risen through the ranks know what it's like to work with coders, release of information staff, and medical record technicians, among others. As such, HIM professionals are "your most valuable knowledge base when it comes to reviewing, managing, and audit trails," Ruelas says. "They know how the EHR system is supposed to be accessed. They would be the best person to know if the process is violated."
If you're not already involved in the design of the EHR system, you need to work through the process to track audit trails, Ruelas says. "Make sure as an HIM director you understand what it is that the system can provide and then wave a red flag to get people's attention if there is something that needs extra attention," Ruelas says. For example, if Nurse Smith accessed a record, but the access log shows that she did so while she wasn't on the clock, then you've got a red flag in your audit trail.
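The off-the-clock check Ruelas describes, written out as an added example (this is not code from the article or from HIPAA College, and no real EHR exports exactly this format). It assumes a hypothetical pipe-delimited audit-log line of `timestamp | user | patient MRN | action` and a constructed shift schedule keyed by user; any access that falls outside the user's scheduled hours (beyond a grace period for hand-off) or that belongs to a user with no schedule at all is flagged for the HIM director to review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit-log lines (hypothetical format: ISO timestamp | user | MRN | action).
AUDIT_LOG = """\
2013-06-03T08:15:00 | nsmith | MRN-1001 | VIEW
2013-06-03T14:40:00 | nsmith | MRN-1002 | UPDATE
2013-06-03T22:05:00 | nsmith | MRN-1003 | VIEW
2013-06-04T03:30:00 | jdoe   | MRN-1001 | VIEW
2013-06-04T10:00:00 | jdoe   | MRN-1004 | VIEW
2013-06-04T11:00:00 | tmp01  | MRN-1005 | VIEW
"""

# Constructed shift schedule: user -> list of (shift start, shift end).
# tmp01 has no scheduled shift, so every access by that account is flagged.
SHIFTS = {
    "nsmith": [(datetime(2013, 6, 3, 7, 0), datetime(2013, 6, 3, 19, 0))],
    "jdoe": [(datetime(2013, 6, 4, 7, 0), datetime(2013, 6, 4, 19, 0))],
}

# Grace period so that charting just before or after a shift is not flagged.
GRACE = timedelta(minutes=30)


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    mrn: str
    action: str


def parse_audit_log(text):
    """Parse the hypothetical pipe-delimited log into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"malformed audit line: {line!r}")
        ts, user, mrn, action = parts
        events.append(AccessEvent(datetime.fromisoformat(ts), user, mrn, action))
    return events


def on_shift(user, ts, shifts, grace=GRACE):
    """True if ts falls inside any scheduled shift for user, allowing the grace window."""
    for start, end in shifts.get(user, []):
        if start - grace <= ts <= end + grace:
            return True
    return False


def find_off_shift_access(events, shifts, grace=GRACE):
    """Return the events that should raise a red flag in the audit-trail review."""
    return [e for e in events if not on_shift(e.user, e.ts, shifts, grace)]


if __name__ == "__main__":
    for e in find_off_shift_access(parse_audit_log(AUDIT_LOG), SHIFTS):
        print(f"RED FLAG: {e.user} {e.action} {e.mrn} at {e.ts.isoformat()} (not on shift)")
```

Run against the constructed data, three accesses are flagged: Nurse Smith's 22:05 view well after her shift ended, jdoe's 03:30 view hours before the scheduled start, and every access by the unscheduled `tmp01` account. Accesses within the 30-minute grace window are left alone, which keeps the review list focused on entries worth a closer look.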
Further, ensure your patients know their privacy rights and empower them to make responsible decisions regarding their medical records. "People need to understand that when you look at patient privacy, we think who's responsible: nurses, doctors and medical records folks, etc.," Ruelas says. "You know who also gets left off? Patients. They are just as responsible. Just because a patient may be uncomfortable, they are still in the strongest position to say no" and protect their confidentiality.