Privacy, Security, and Electronic Health Records
Health care is changing and so are the tools used to coordinate better care for patients like you and me. During your most recent visit to the doctor, you may have noticed your physician entering notes on a computer or laptop into an electronic health record (EHR). With EHRs comes the opportunity for patients to receive improved coordinated care from providers and easier access to their health information. It’s a way to make it easier for everyone to be better informed and more involved in the patient’s health care. However for many of us, EHRs also come with questions and concerns about the privacy and security of our health information. Who can access the information on my EHR? How can I see the information in my record and make sure it’s correct? How is it protected from loss, theft and hacking? What should I do if I think my information has been compromised?
Many of you have heard of HIPAA– the Health Insurance Portability and Accountability Act. The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules, which help keep entities covered under HIPAA accountable for the privacy and security of patients’ health information. As a former health care lawyer, I know that many health care providers understand and abide by their obligations under the Privacy and Security Rules. Although EHRs allow providers to use information more effectively to improve the quality and efficiency of your care, they do not change the obligations providers have to keep your protected health information private and secure.
Following my recent appointment as OCR’s Director, I had a number of conversations that made it apparent to me that many patients recognize some of the health privacy jargon such as “HIPAA” or “the Notice of Privacy Practices,” but often do not know their rights under the HIPAA Privacy and Security Rules – especially in terms of how these rules relate to EHRs.
The HIPAA Privacy Rule gives you rights over your own health information, regardless of its form. Whether your record is in paper or electronic form, under the Privacy Rule you have the right:
- To see or get a copy of your medical record;
- To request to have any mistakes corrected;
- To get a notice about how your health information is used and shared;
- To say how and where you want to be contacted by your health care provider; and
- To file a complaint if you think any of these rights have been violated. One way to do this is through OCR’s website: www.hhs.gov/ocr.
These rights are spelled out in the Notice of Privacy Practices that is given to you at your doctor’s office or hospital. Your health plan may also send this notice to you in the mail.
Specific to protecting the information stored in EHRs, the HIPAA Security Rule requires that health care providers set up physical, administrative, and technical safeguards to protect your electronic health information. Some safety measures that may be built in to EHR systems include:
- “Access controls” like passwords and PIN numbers, to help limit access to your information;
- “Encrypting” your stored information. This means your health information cannot be read or understood except by someone who can “decrypt” it, using a special “key” made available only to authorized individuals;
- An “audit trail,” which records who accessed your information, what changes were made and when.
In certain circumstances, if your data is seen by someone who should not see it, federal law requires doctors, hospitals, and other health care providers to notify you of a “breach” of your health information. This requirement helps patients know if something has gone wrong with the protection of their information and helps keep providers accountable.
OCR works to help make sure your health information is kept private and secure by your health professionals. We are here to help you understand these rights, how you can take action if your rights are violated and how your health information is required to be safeguarded under the law. The first step is to know your rights. OCR’s website has a wealth of information about your health information privacy rights and I encourage you to visit and explore our website: www.hhs.gov/ocr/privacy.
I also did notice the shift to laptops at my Dr’s office during the last few visits. They were having a heck of a time getting used to the system. I am curious as to what kind of breaches will be seen in the near future however, due to observing situations where the computer was left unattended and open to an active screen while I was in the room.
If a nurse or doctor leaves a laptop unattended without the screen locked this does leave open a security breach. Most Medical Practices and Hospitals train their staff to ensure the screen is locked when they walk away, although old habits are tough to break, especially in the medical field where some nurses and doctors do not understand the reason for change, and fight against it, with the excuse “it makes my job harder”. In IT Departments it is common practice to play pranks on anyone that leaves their screen unlocked. Try browsing to one of those obscene websites, or change the resolution to something unbearable. Lastly, report it to the security officer of the Medical Practice or Hospital.
My doctor also uses laptops or tablets but they are never left in the room. I think that with increased technology also comes some additional responsibility. If you’re not comfortable and expecting breaches in a providers system I think it may be time to switch healthcare professionals. These systems are put in place to ensure better patient care not the opposite.
Re the above comments on laptop use by doctors. There has to be a balance of using technology to make the job more productive versus the risk of private information being accessible by people not authorized. What you don’t want is doctors taking the laptop home in the car or train and then it is left or stolen.
In general electronic health records are safer than paper, if they aren’t accessible online. Stealing paper records isn’t too difficult in small scale. And if EHRs are appropriately encrypted, then even if data is accessed improperly the information is unreadable. Unlike with paper records that can be read by anyone.
Yuriy,
I have to disagree. Paper records take time and effort to find – hence they are less productive for doctors and hospitals but it is this reason why they are more difficult to find and remove an individuals data. Also paper is cumbersome, imagine someone carrying 1000 patient records on paper, know image the same individual carrying 1000 or even 100,000 electronic records – on a single USB!
The scary thing is the sheer number of records someone could take with very little effort.
I don’t want my medical information anyplace, except in a manila file at my
doctors office. This is just more government intrusion in to our lives. And I
don’t trust the government, state or federal. Look at the mess they’ve
created in this country.
My PCP’s office has gone to e-prescriptions, where everything goes right to the pharmacy -no paper to carry around expect in special cases. As a result, I’m inundated by CVS Pharmacy (the Pharmacy I must use according to my BCBS insurance for 3-month or longer prescriptions) for prescriptions.
I get calls “We see you’re running low on some prescriptions that don’t have refills: do you want us to contact your doctor for more?” I say “yes” and then find out I’ve got a month and a half left on some of them.
I also get, “We see you’re not taking statins for cholesterol: do you want us to contact your doctor – otherwise please take this “notice” to him.” I reply, “My total cholesterol has always been between 127-157 in my every-three month blood tests for the past decade. My HDH is typically in the mid 50′s and my LDL is in the 70′s or 80′s. That’s among the lowest 5% of the population.” But they come back with “Diabetics are recommended to be under 70 for LDL.” Yeah, based on studies done by statin manufacturers to get the old under 100 number (listed on the American Diabetes Assn. webpage) lowered.
My doctor agrees that adding another med for such a thing is nearly ridiculous.
EHR seems to make a lot of sense but as always with sensitive data, we have to make sure that they are kept completely safe and confidential.
I like the assumption that a password and encryption will secure your information. I am an active duty soldier and we have been on the electronic record system for a decade. My information has been stolen at least three times, once by hacking and twice by lost laptops. Although I was notified each time, the notification came at least a month after the fact. Fighting the ID theft and medical visit charges made in my name has been fun. And there was absolutely zero help from the army or the army’s health insurance carrier, Tri-care West and South. They would not even call back when I reported the fraudulent claims. This never happened with paper. Also, the author says we have a right to request corrections of errors in your record. He does not say you have a right to get the error corrected. My record says I have hypertension and take medication for it. I do not, and never have. They will not remove it no matter how many times I request it. I have even been told, “Just leave it and file for disability when you retire”. Also, have fun getting a copy of your record. It took several forms and phone calls with no result. I finally just had a friend violate HIPPA and print it for me. With the old paper folders you just signed for them and went to a copy machine. I hope America enjoys the federal health care system that we in the military have now. It sure is a time waster.
Jet, they are required to respond to your request to amend your record. If they do not agree to your request to amend the incorrect information, you can submit a statement that they are required to include in your medical record. See this page from the Dept of Health & Human Services for more information. http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/medicalrecords.html
The REAL privacy threat is from your Employer. Whenever they collect yearly health information from existing employees or from new hires. If you think everyone in your HR department is properly trained in HIPPA practices then you need to think again. Many an employee has been discrminated against, mistreated, and even fired (for another reason of course) because an employer or their staff finds out about health information that should have remained private.
Remember that little 3 month probation period for new hires? This isn’t so much a testing period to determine if the new hire is a good fit for the job, it’s also a way to weed out those who have pre-exisitng conditions that the employer dosn’t want to deal with. For YEARS it has been the employers who determined who should have and who should not have health care in this country.
10 years from now everyone will agree that the Affordable Care Care is one of the best plans to be implemented since the US Constitution.
I have noticed one problem with Electronic health records But the fault is the doctors. I went to a doctor and they had just switched to EHR’s. But the doctor was so busy typing on the computer he hardly looked at me. One time he told me to pull up my left pants leg so he could look at it. I pulled up the right one and he never even looked. I left and never went back. when they called about the bill I told the girl what happened and that I would not pay it. I never heard from them again.
This all will get more complex than the common folk can manage in a very short time or even now.
But then again complexity bills cost and that is exactly what this program is headed for unless we standardize and streamline patient, medical records, and healthcare portal access.
Every object in the medical data path is a managed identity chain, including the phone the doctor uses to the zero client portal the patient accesses. The systems being presented by big data are silo operations with dollars associated to in and out access to data.
The only standard is the name service logging the chains of identities during any transaction and giving the end user…a record management portal that can be as simple as a form or an entire medical record.
I wish for the day that I can go to MyPatientID.com or MyMedicaliD.com, or MyHealthcareID.com and be authenticated even by MyPhoneID.com or MyComputerID.com on my way there.
I want a QR code displayed on an LED screen next to my bed if I am a patient so my family, nurse, doctor, or clergy can scan and get access quickly. Simple standard request to a complex problem.
I want to be able to change my healthcare provider and not change my GUI healthcare portal.
I want MyEmergencyID.com to link to MyBiometricID.com to chain MyMedicalID.com data to whatever police scans me on the side of the road and link my data withing seconds. That may save my life. That is what matters to me but if I am an immigrant, would I ever do this…well, maybe if I registered at MyImmigrantID.com and gave some minimal information and only gave access to registered MyHealthcareID,com persons. Even if I created an MyAutonomousID.com
A gloated overpriced network of networks of medical complexity to be managed and controlled by governments is not in the best interest of the end user… whether autonomous or validated.
So, what I’m saying, software comes and goes and is a select-able object, but a name service is a door that is always there.
I hope we can get this under control before it is too out of hand which I think it is. Just because government has the power to create and manage exchanges does not give it the right to manage my personal data. Google, Facebook, and other social networks are in this battle as well, but we seem to not think of governments as playing this role but they are and have been.
At the end of the day, I feel I have the right my forefathers fought for. Freedom
Freedom to protect and manage my digital data.
Freedom to choose the providers of service to me and my family without oversight and eavesdropping by government or employers.
Freedom to be autonomous if I so choose.
Freedom to manage the chains of responsibility of my data which is me.
Freedom to interact in a global world environment without government eavesdropping.
Freedom to own products and services without exploitation or tracking.
Freedom to research and comment autonomously.
Freedom to protect my children’s digital footprints.
Even this post required an email address to post. “Trackable of course” “will not be published but required. Ironic when you see the heading of this article…”Privacy”
Great that digital medical data is finally reaching our door posts. now my medical records can be accessed by the appropriate person from anywhere anytime. this will make diagnosis better since doctors will have full medical history