An electronic health record (EHR) is one of the most important systems in use by healthcare organizations today, but implementing EHR into a medical practice can often be a guessing game. As recently as 2015, only 75 percent of hospitals were utilizing an EHR, according to Health Affairs. That has grown to 99 percent, as reported by Healthcare Informatics. This dramatic rise was a response to the Centers for Medicare & Medicaid Services (CMS), which began implementing monetary penalties for hospitals that don't have EHR implementation.
A good electronic health record drives many aspects of a healthcare practice — from ordering medications and recording health conditions to providing a place where patients may access their own medical histories. While it's not uncommon for organizations to switch EHRs after learning that the product chosen is not meeting their needs, the security of a new system — along with its compatibility with existing technology — should be taken into consideration.
Who is Responsible for EHR Data?
If a healthcare practice stores its own data, the practice is responsible for security and patient data. Therefore, the practice should restrict access while also storing, backing up and retaining the patient data per federal and state regulations.
However, if a practice enters a business agreement with a third party that specializes in cloud storage, then the latter becomes responsible for the security, storage, backup and retention of the data. But the practice would still be considered responsible for restricting access to this information.
EHR Implementation & Security in 4 Steps
When it comes to restricting data, Physicians Practice recommends four areas of EHR vulnerability that need careful consideration:
- Secure Devices: Any smartphone or laptop that is used to access a system that interacts with the EHR should be locked (password protected) and encrypted. Encryption ensures that any data stored on the device cannot be accessed if it's lost or stolen. Similarly, desktop computers should be locked when not in use. Devices that can access a practice's systems should not be used on public Wi-Fi — thieves can employ these networks to hack into devices and use their permissions to steal data.
- Secure Networks: Federal regulations require that data be encrypted while it's transmitted. Encryption ensures that data transfers cannot be intercepted and stolen. Only devices and employees who need to use the networks for business purposes should have access to them.
- Secure Data: Data should always be kept secure — whether that's on the business's server or by a third-party vendor. Data security is centered around keeping the wrong users out, and letting the right ones in. While data security can be time-consuming and require a substantial financial investment, data storage is often viewed as an economy of scale because smaller businesses will invest more per record stored. When kept behind a firewall, the data will also be guarded against unauthorized access. Physicians should also be mindful of whether their medical equipment can interact with the data server securely. Newer ultrasound systems offer features such as automatic encryption so that data are always transmitted securely. They also use whitelisting, which lets the machine know the users or systems it may interact with.
- Safeguard Computing Practices: Safe computing practices are taught, and employees should be trained on a regular basis to recognize both old and new threats to a practice's security. These dangers can range from email phishing (emails that contain links that look legitimate but lead to malicious content such as viruses), web browser pop-ups and even viruses that are introduced through portable devices like thumb drives. Password creation and record access on a "need-to-know basis" should be part of any organization's standard operating procedures.
Choosing a New EHR Requires Forethought
If a practice has an existing system that isn't working, implementing EHR upgrades or an entirely new one may be the next move. Vendors should provide specifications and be knowledgeable about which systems can be integrated with their products. Private practices may also have to think about sharing records with hospitals. For example, if a gynecologist from a private practice often sends or receives records from a hospital system where they're performing surgery, they may want to consider the kind of system the hospital is using. Chances are that an EHR will come with more options than a practice may use, but management should to be prepared with a list of "must-haves" to ensure their needs will be met.
In addition to driving a practice, EHRs can attract new customers. Patients often expect technological perks such as online test results and alternative ways to communicate with their physicians through secure messaging or telehealth. Those who look for this sort of accessibility when choosing a gynecologist may be interested in learning more about the types of security a practice has in place.
Consumers may hear about data breaches and HIPAA violations on a regular basis, but they're also more open to new avenues of communication and care, which should have their privacy in mind. An EHR can play a central role in that effort.
