In the past few years, hospitals and health care providers have mobilized vast resources in order to computerize the documents that constitute each patient’s medical record. Health care organizations spend millions of dollars each year on systems designed to access, display, and report on the information they collect and store in the Electronic Medical Record (EMR). In fact, one of the components of the Affordable Health Care Act stipulates, through EHR Incentive Programs, the continued development and implementation of the EMR in a widespread initiative to make patient information available to health care providers no matter where they are.
It is entirely possible, even probable, that the health care organization you have chosen for your personal health care needs is currently using an EMR or is in the process of implementation. As essential as it is for providers to be able to access your medical information quickly, you may still feel uneasy as stories of hacking and cyber terrorism proliferate in the media.
For many people, the introduction of the EMR as a repository for Protected Health Information (PHI) has raised legitimate concerns regarding the security of the medical data the EMR contains. In 1991, concerns over the security of electronic PHI prompted the introduction of the Health Information Portability and Accountability Act (HIPAA). According to rules codified in 45 CFR Part 164 Subpart C, HIPAA requires health care organizations that utilize an EMR to provide satisfactory answers to critical security questions, including:
- What privacy procedures should be followed by an organization that implements an EMR?
- What technology should be utilized to create backup systems and disaster recovery procedures?
- What continuing education programs are required for health care staff who routinely handle PHI?
- What mechanisms for authorization, modification, restriction, and termination of access to PHI should be implemented?
- What policies are required for responding to breaches of security in the EMR?
- What procedures should be followed when a request for access to PHI is received from employers, law enforcement agencies, patients and patient families?
- How can access to PHI be restricted to only those employees who need it to complete their job responsibilities?
- How can access to hardware containing PHI be limited?
The question on most people’s minds is simple: “Who can access my medical information?” According to 45 CFR Part 164.502, a provider or organization covered by HIPAA may disclose PHI, without patient consent, for the purpose of providing treatment or to expedite insurance payments. All other disclosures of PHI by health care organizations or providers must be authorized by the patient in writing or, as codified in 45 CFR Part 160 Subpart C, must be done in response to an information request by the court. In all cases, only the minimum information necessary to fulfill the request may be released.
Despite the safeguards afforded by HIPAA, you may be wondering whether hackers could possibly gain illicit access to the system containing your PHI and wreak havoc with your personal data. You may also be wondering if the value of storing your PHI in a centralized database is worth the risk to your privacy. If you were to ask health care providers, the answer to the second question would be a resounding “yes”: According to a July 2011 article in HealthTechnica, the benefits of having a patient’s comprehensive medical record instantly available at the point of care far outweigh—in the mind of the provider—the minimal risk to the security of a patient’s PHI.
In an era of increasing incidents of cyber terrorism and hacking, the public has legitimate concerns as to the efficacy of the safety systems that protect the security of their PHI. If you share these concerns, you should be comforted by the fact that stringent laws, most notably HIPAA, have been enacted to require elaborate system and data security in each EMR implementation. When you visit a provider who utilizes an electronic medical record, you will no doubt agree that the minimal risk to the security of your PHI is far outweighed by the tremendous increase in continuity and quality of care that you receive.
Floyd Bevins blogs about current issues in healthcare and health information systems. Several schools offer degrees in health informatics, including the University of Illinois at Chicago and Boston University.