Electronic health records (EHRs) typically contain personal information such as health insurance details, prescription histories, financial details and Social Security numbers, which makes this data very valuable and a common target for identity theft. Physicians are being encouraged to do more to protect their patients’ data.
Thieves can use personal information to access medical care, obtain prescription drugs, and even file false income tax returns. According to the Identity Theft Resource Center, more than 7 million patient records were compromised as of September 2014.
The Department of Health and Human Services (HHS) states that federal measures have been put in place to address this problem. In its most recent report, HHS referenced the HITECH Act, which requires entities covered under HIPAA to notify affected individuals, HHS and, in some cases, the media of any healthcare data breach. The act also requires business associates to report breaches to the covered entities they serve. These requirements are designed to hold both covered entities and their business associates accountable.
HIPAA-covered entities are also required to conduct security risk assessments of their EHR systems. Failing to perform such an assessment can be costly. As an incentive, the potential fines when a breach does occur are significantly lower for an organization that can show it assessed its risks and did everything in its power to prevent the breach.
Small practices may find the task of securing this data daunting, since many lack dedicated staff and specialized IT security knowledge. However, there are steps that small and large practices alike can take to tighten the security of their EHRs.
HHS provides an online risk assessment tool that any office staff member can use. To reduce liability, practices are advised to change their passwords regularly, ensure adequate firewall protection is in place, encrypt patient data, and install anti-virus software. As a further preventive measure, practices should restrict EHR access to the few staff members who actually need it. Emailing unencrypted patient data also puts information at risk. Rules prohibiting the transmission of unencrypted sensitive patient health information have not yet been widely implemented, so it is up to the provider to make sure patients understand the risks of communicating that way.
By following these guidelines, practices can reduce their liability, save money, and protect vital patient information.
Author: Lauren Daniels