The more things change, the more they stay the same. The increasing use of Electronic Health Records (EHRs), “cloud-based” applications, Application Service Providers (ASPs), and offsite electronic storage has led to an increase in laws and court rulings governing them—and these could affect your practice.
Expect more oversight from federal and state governments. Two reports recently issued by the inspector general of the Department of Health and Human Services found that the drive to connect hospitals and doctors via EHR is being “layered on systems that already have glaring privacy problems.” Audits of health systems in seven large hospitals in different states found 151 security vulnerabilities, most of which were classified as “serious.”
Among the serious problems were inadequate passwords, computers that did not automatically log off inactive users, and unencrypted patient data on laptops. Most hospitals had problems with wireless access (an inability to detect unauthorized intrusion), the lack of a firewall, and a failure to update computer software to defeat known bugs.
As security issues and oversight move through the electronic systems, one area of interest is sure to be external vendors providing ASP services, which have made EHRs possible. Web-based programs for medical records, charts, and financial information are discoverable, making doctors responsible for information to which they have reasonable access.
To protect your practice and your patients, strongly consider the following:
- Make sure that, whatever model is used, it provides data security and adequate encryption.
- Build in a backup service. How many times have you had trouble checking your e-mail in the last year? Imagine how your office might be crippled if the service goes down.
- Review your contract with storage providers to limit data recovery costs in the event of a failure.
- Review your contract with EHR providers to clarify what should happen in the event of a subpoena of records.
To address the growing risk posed by the implementation and storage of EHRs, The Doctors Company leadership participated in the development of Medical eRisk Considerations. These considerations are intended to help medical professionals with all aspects of liability concerning EHRs, including personal health records, social media, and electronic prescriptions.
- David Troxel is Chief Medical Officer of The Doctors Company.