Privacy, Security, and Electronic Health Records
Health care is changing and so are the tools used to coordinate better care for patients like you and me. During your most recent visit to the doctor, you may have noticed your physician entering notes on a computer or laptop into an electronic health record (EHR). With EHRs comes the opportunity for patients to receive improved coordinated care from providers and easier access to their health information. It’s a way to make it easier for everyone to be better informed and more involved in the patient’s health care. However for many of us, EHRs also come with questions and concerns about the privacy and security of our health information. Who can access the information on my EHR? How can I see the information in my record and make sure it’s correct? How is it protected from loss, theft and hacking? What should I do if I think my information has been compromised?
Many of you have heard of HIPAA– the Health Insurance Portability and Accountability Act. The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules, which help keep entities covered under HIPAA accountable for the privacy and security of patients’ health information. As a former health care lawyer, I know that many health care providers understand and abide by their obligations under the Privacy and Security Rules. Although EHRs allow providers to use information more effectively to improve the quality and efficiency of your care, they do not change the obligations providers have to keep your protected health information private and secure.
Following my recent appointment as OCR’s Director, I had a number of conversations that made it apparent to me that many patients recognize some of the health privacy jargon such as “HIPAA” or “the Notice of Privacy Practices,” but often do not know their rights under the HIPAA Privacy and Security Rules – especially in terms of how these rules relate to EHRs.
The HIPAA Privacy Rule gives you rights over your own health information, regardless of its form. Whether your record is in paper or electronic form, under the Privacy Rule you have the right:
- To see or get a copy of your medical record;
- To request to have any mistakes corrected;
- To get a notice about how your health information is used and shared;
- To say how and where you want to be contacted by your health care provider; and
- To file a complaint if you think any of these rights have been violated. One way to do this is through OCR’s website: www.hhs.gov/ocr.
These rights are spelled out in the Notice of Privacy Practices that is given to you at your doctor’s office or hospital. Your health plan may also send this notice to you in the mail.
Specific to protecting the information stored in EHRs, the HIPAA Security Rule requires that health care providers set up physical, administrative, and technical safeguards to protect your electronic health information. Some safety measures that may be built in to EHR systems include:
- “Access controls” like passwords and PIN numbers, to help limit access to your information;
- “Encrypting” your stored information. This means your health information cannot be read or understood except by someone who can “decrypt” it, using a special “key” made available only to authorized individuals;
- An “audit trail,” which records who accessed your information, what changes were made and when.
In certain circumstances, if your data is seen by someone who should not see it, federal law requires doctors, hospitals, and other health care providers to notify you of a “breach” of your health information. This requirement helps patients know if something has gone wrong with the protection of their information and helps keep providers accountable.
OCR works to help make sure your health information is kept private and secure by your health professionals. We are here to help you understand these rights, how you can take action if your rights are violated and how your health information is required to be safeguarded under the law. The first step is to know your rights. OCR’s website has a wealth of information about your health information privacy rights and I encourage you to visit and explore our website: www.hhs.gov/ocr/privacy.
I also did notice the shift to laptops at my Dr’s office during the last few visits. They were having a heck of a time getting used to the system. I am curious as to what kind of breaches will be seen in the near future however, due to observing situations where the computer was left unattended and open to an active screen while I was in the room.
If a nurse or doctor leaves a laptop unattended without the screen locked this does leave open a security breach. Most Medical Practices and Hospitals train their staff to ensure the screen is locked when they walk away, although old habits are tough to break, especially in the medical field where some nurses and doctors do not understand the reason for change, and fight against it, with the excuse “it makes my job harder”. In IT Departments it is common practice to play pranks on anyone that leaves their screen unlocked. Try browsing to one of those obscene websites, or change the resolution to something unbearable. Lastly, report it to the security officer of the Medical Practice or Hospital.
My doctor also uses laptops or tablets but they are never left in the room. I think that with increased technology also comes some additional responsibility. If you’re not comfortable and expecting breaches in a providers system I think it may be time to switch healthcare professionals. These systems are put in place to ensure better patient care not the opposite.
Re the above comments on laptop use by doctors. There has to be a balance of using technology to make the job more productive versus the risk of private information being accessible by people not authorized. What you don’t want is doctors taking the laptop home in the car or train and then it is left or stolen.
In general electronic health records are safer than paper, if they aren’t accessible online. Stealing paper records isn’t too difficult in small scale. And if EHRs are appropriately encrypted, then even if data is accessed improperly the information is unreadable. Unlike with paper records that can be read by anyone.
Yuriy,
I have to disagree. Paper records take time and effort to find – hence they are less productive for doctors and hospitals but it is this reason why they are more difficult to find and remove an individuals data. Also paper is cumbersome, imagine someone carrying 1000 patient records on paper, know image the same individual carrying 1000 or even 100,000 electronic records – on a single USB!
The scary thing is the sheer number of records someone could take with very little effort.
I don’t want my medical information anyplace, except in a manila file at my
doctors office. This is just more government intrusion in to our lives. And I
don’t trust the government, state or federal. Look at the mess they’ve
created in this country.
My PCP’s office has gone to e-prescriptions, where everything goes right to the pharmacy -no paper to carry around expect in special cases. As a result, I’m inundated by CVS Pharmacy (the Pharmacy I must use according to my BCBS insurance for 3-month or longer prescriptions) for prescriptions.
I get calls “We see you’re running low on some prescriptions that don’t have refills: do you want us to contact your doctor for more?” I say “yes” and then find out I’ve got a month and a half left on some of them.
I also get, “We see you’re not taking statins for cholesterol: do you want us to contact your doctor – otherwise please take this “notice” to him.” I reply, “My total cholesterol has always been between 127-157 in my every-three month blood tests for the past decade. My HDH is typically in the mid 50′s and my LDL is in the 70′s or 80′s. That’s among the lowest 5% of the population.” But they come back with “Diabetics are recommended to be under 70 for LDL.” Yeah, based on studies done by statin manufacturers to get the old under 100 number (listed on the American Diabetes Assn. webpage) lowered.
My doctor agrees that adding another med for such a thing is nearly ridiculous.
EHR seems to make a lot of sense but as always with sensitive data, we have to make sure that they are kept completely safe and confidential.