One of my partners asked if our practice could use free GMail instead of replacing our old and failing mail server (not free) and having to purchase the licensing for the Microsoft software (definitely not free). When I looked into it, it turned out to be a bit more complicated than just deciding between a free mail service or one that has recurring expenses.
You see, with the advent of recent privacy regulations, increasing responsibilities are being placed on the shoulders of medical practitioners to ensure the protection of patient medical information. Before we get down to the details, let’s discuss some terminology:
Privacy vs. confidentiality. According to Gary Kurtz, in an article in the Journal of Healthcare Information Management, privacy is the right of an individual to control disclosure of his or her medical information. Confidentiality is the understanding that the information will only be disclosed to authorized personnel. This is what is known as a “need to know” basis.
Information Security. Since patient information will increasingly exist only in digital format, loss of electronic medical records could have an adverse impact on patient care. So it is up to the guardian of that information, typically the physician, to ensure that there are proper procedures for protecting both the safety and the integrity of that data.
Data safety relates to such issues as access to the information with minimal downtime, proper backup of the data with redundancy, and a disaster recovery plan which is regularly tested.
Integrity refers to processes which ensure a true, uncorrupted and legal record. Most EMR systems maintain what is known as an audit trail, which tracks every change made to a record, when it was made and by whom. Without an audit trail, it would be nearly impossible to tell if a patient’s record had been altered. Imagine a physical chart written on a dry-erase whiteboard – changes could be made at any time without discovery.
That said, the two main issues of information security come down to who controls the information and who has access to the information.
Who controls the information. Previously we discussed the two main types of EMR systems available: server-based and web-based. In server-based systems, the patient data is typically located on a computer or server in the doctor’s office. The upside: the doctor has ultimate control over the information. The downside: the practice is responsible for maintaining the security of the patient records, something which most medical practices have little experience with.
In a web-based system, the doctor accesses the EMR system via the internet, and the data is located off-site, usually on the server of the EMR vendor or a third party. The upside: these entities usually have a lot of experience with information technology security processes as well as the resources to implement them. The downside: the information may be stored on the same server as information from other medical practices; there is the potential for the information to be accessed by someone other than an authorized party. In addition, loss of the internet connection means loss of access to your patient files.
Who has access to the information. As stated above, access to patient information should be on a “need to know” basis. There may also need to be additional provisions for restricted types of visits, such as patients with HIV, mental health issues, or those undergoing drug treatment.
HIPAA (the Health Insurance Portability and Accountability Act) determines how patient health information may be shared electronically. So a medical practice would need, according to HIPAA language, to ensure the confidentiality of patient information not only within its own domain, but would also need to take any steps necessary to make sure that third parties who have access to the same information (outside vendors, laboratories, consultants, etc.) maintain confidentiality as well. In the extreme, this could even extend to anyone who potentially has access to patient records, such as cleaning service companies or maintenance contractors. A practice would be well advised to sign Business/Vendor Associate Agreements for HIPAA compliance with these companies. You can find many examples of these online that you can use.
Other potential gaps in information access include:
- computer monitors within sight of other patients (these should be locked if an employee leaves her station)
- printers or faxes located in ‘public’ locations
- lost or misplaced laptops or thumbdrives with critical information and without password protection
- passwords taped on monitors (you should have a strict password policy including passwords which expire periodically)
- doctor or staff smart-phones or PDAs which are not password-protected
- a wireless network in the office with inadequate security encryption
- unattended EMR workstations (these should automatically lock after a short period of inactivity)
- unauthorized software downloads which could allow breach of the network
So, going back to our story about GMail… for a medical practice to use GMail for its email service, it would need to enter into a Vendor Associate agreement with Google Inc. and require Google to adhere to the practice’s procedures and policies for privacy of patient information (and every medical practice that used GMail would have to do the same). Needless to say, Google is highly unlikely to agree to sign these types of agreements with possibly thousands of doctors and be potentially exposed to significant liability.