Are Your EMRs Secure?
Answer these five questions to see if you're taking the necessary steps to protect patient information from prying eyes.
Lisa Gallagher
Publish Date: June 10, 2008 | Tags: Healthcare IT

Recent news of data breaches involving the health information of celebrities like Farrah Fawcett, Britney Spears and Maria Shriver has cast a spotlight on the Health Insurance Portability and Accountability Act and the difficulties of keeping patient data secure in the digital age. While you may be tempted to shrug off those high-profile cases — thinking, "That couldn't happen at my facility" — the reality is that tens of thousands of patient records have been compromised so far this year, according to the Privacy Rights Clearinghouse (www.privacyrights.org), in breaches occurring at both large hospital systems and smaller medical centers across the country.

The "2008 HIMSS Analytics Report: Security of Patient Data," commissioned by risk consulting firm Kroll Fraud Solutions, found a "significant blind spot" at U.S. hospitals regarding the frequency, cause and severity of patient data breaches. As your facility makes the leap from paper to electronic medical records, are you taking the necessary steps to protect your patients' health information? Take this quiz to test your knowledge of the risks, regulations and best practices of EMR security management. The answers may surprise you.

1. True or false: The Health Insurance Portability and Accountability Act is not being enforced.

a. True
b. False

Correct answer: b. The widespread impression that the HIPAA Privacy Rule is not enforced has led many "covered entities" to whom this law applies to shrug off the importance of compliance. However, the Centers for Medicare & Medicaid Services has hired PricewaterhouseCoopers to conduct random audits at locations with a reported violation of the law and report the results to the government. CMS is expected to publish its own report highlighting the areas where HIPAA compliance is failing (without revealing the names of the audited organizations) by Sept. 30, the end of the agency's fiscal year.

In addition to federal regulations, 39 states have passed laws requiring healthcare organizations to notify patients when their health information has been breached. Trends indicate the remaining states may soon follow suit.

2. What's the greatest hurdle you'll face in trying to meet HIPAA requirements as you convert to EMRs?

a. Lack of commitment from senior management
b. Lack of resources, both financial and staff
c. Staff's failure to recognize the value and importance of data security
d. All of the above

Correct answer: d. Ensuring the privacy and security of patient data isn't new — it's part of the culture of health care, beginning with the Hippocratic Oath. What's changed is the digital accessibility of patient information. Staff can now access multiple electronic patient files virtually instantly — and breaches can happen on a much larger scale. Before going digital, follow these steps to strengthen your organization's commitment to data security.

  • Lead by example. If you want your clinicians and staff to comply with the law and with your own facility's policies, data security must be woven into your organization's strategic goals from the start. You can't achieve the kind of successful EMR implementation recognized by the HIMSS-sponsored Davies Awards of Excellence (www.himss.org/davies) if your organization's senior leadership isn't fully committed to the goal of data security.
  • Allocate resources. One way to show your facility's commitment to HIPAA compliance is to assign enough money and personnel to get the job done. But EMR security management is a relatively new line item in most healthcare facility budgets, and all too often, managers and administrators fail to see the benefit of investing in data security until after a breach has occurred (see the sidebar "Patient Data: Protect or Pay"). Avoid potential breaches and their consequences by implementing a data security program at the start of your digital transition. Even with the right allocation of resources for staff, training and technology, it may take you up to two years to put all the necessary components in place. The investment in time and money will have been well worth it.
  • Change the culture. Openness and information sharing have always been part of the care-giving culture, because medical care demands collaboration. The culture shift you must now embrace is the idea that protecting the security of patient information is part of providing care. Share this philosophy with your entire team and reinforce it regularly so they understand the ramifications of data breaches for both patients and your facility.

Patient Data: Protect or Pay

One of the most common challenges compliance officers face in trying to convince their organizations to invest more in data security is quantifying the financial impact of a potential breach.

One common remedy offered to patients whose data has been compromised is one year of free credit monitoring. However, the cost of credit monitoring for one year can total thousands or even millions of dollars, as evidenced by recent security breaches at hospitals where records were either lost (on a laptop computer) or mistakenly posted on the Internet.

Research from the Ponemon Institute's 2007 Cost of Data Breach Study found that the average cost of a breach could be as high as $197 per record or $6.3 million per incident. And that's not even taking into account the loss of patient trust that can have larger consequences for your facility. Incorporating security management into the overall hospital budget is therefore a much smaller expense than many owners and managers may realize.

— Lisa Gallagher, BSEE, CISM

3. Who are the most common causes of data security breaches at healthcare organizations?

a. Hackers
b. Employees of the organization
c. Outside contractors and vendors
d. Identity thieves

Correct answer: b. According to the HIMSS Analytics survey of senior healthcare executives, more than 80 percent of respondents whose organizations had experienced a security breach said the data was compromised by an employee of the organization, whether deliberately or inadvertently. In addition, only 56 percent of respondents to the HIMSS Analytics survey whose organizations experienced a security breach notified the patients involved, indicating that many healthcare facilities don't recognize the need to report breaches or notify patients with exposed records. Although HIPAA doesn't mandate internal reporting and patient notification of data breaches, those steps are an essential part of overall risk management and are required by law in many states. You can greatly improve your ability to detect and report breaches by allocating more financial and staffing resources to monitoring how your employees handle EMRs.

4. What's the best way to get your employees to follow the established security protocols for EMRs?

a. Train employees so they understand why security protocols have been established.
b. Monitor employees on the job to uncover inappropriate behavior before there is a security breach.
c. Distribute a checklist to employees so they can easily follow security protocols.
d. All of the above.

Correct answer: a. The best strategy for ensuring data security is prevention. Before a breach happens at your facility, institute mandatory training for any employee who accesses patient records, including physicians, nurses, anesthesia providers and other clinicians, as well as administrative and clinical staff who must either view or enter information into the EMR.

While this solution sounds almost too basic, it's a step you must build into your staff schedules. Develop a thorough, step-by-step training program on HIPAA and your facility's data security protocols to give clinicians and staff the tools they need to keep patient records secure and recognize and report breaches. What may be obvious to a compliance officer is not obvious to everyone; give employees the chance to ask questions as they learn.

On the Web

To view the HIMSS Analytics Report on patient data security, go to www.krollfraudsolutions.com/about-kroll/HIMSS-Patient-Data-Security-Study.aspx.

For more information on HIPAA compliance and enforcement, go to www.hhs.gov/ocr/privacy/enforcement.

5. What steps should your security compliance officer take to uncover inappropriate behavior before there is a security breach?

a. Conduct unannounced and random audits of different departments by observing on-the-job employee behavior.
b. Dismiss any employee who breaches the security of patient records; train the remaining employees.
c. Talk to employees about how they do their jobs and how they access patient records.
d. Assume employees understand the importance of security; monitor only after a security breach occurs.

Correct answers: a and c. Dismissing the employee who violated the security policy appears to be the obvious and best solution, but that only removes the offender. The key is to stop security breaches before they occur.

EMR management strategies will differ depending on the size of your facility. It is much easier to monitor EMRs in small- to mid-size healthcare organizations (under 100 beds) than it is in large hospital systems (100+ beds), which must rely mainly on technical security controls to protect patient data from prying eyes. According to the HIMSS Analytics survey, identity theft is three times more likely to happen at a larger facility than it is at a smaller facility.

While technical solutions like passwords and encryption are valuable tools for any surgery facility, don't assume technology is going to do all the work for you. Appoint a compliance officer to conduct unannounced and random audits and, on a more basic level, to talk to employees regularly about how they do their jobs and access patient records. Personal interviews, particularly in small- to mid-size facilities, allow compliance officers to gather more data about how security breaches might occur — information you can then use to improve your facility's data security program.