The Path to Paperless

Keeping Your ENR Secure

By Peter J. Polack, MD, FACS

Gaps in security lead to unauthorized access.

We recently had to replace our aging mail server — the computer that handles all of our e-mail and communications — and some of the partners were dismayed to learn the cost of replacement. So they asked if we could just use a free e-mail service such as Google's Gmail. After doing some research, however, it became clear that there were more issues involved than the cost of the solution, mostly regarding security and privacy.

Ensuring Data Security

Most EMR systems maintain what is known as an audit trail, which tracks every change made to a record, when and by whom. Without an audit trail, it would be nearly impossible to tell if a patient's record had been altered.

It is the responsibility of the practice to deal with such issues as access to records with minimal downtime, proper backup of the data with redundancy and a disaster recovery plan that is regularly tested. To do so, it is critical to determine who controls the patient information and who has access to that information.

The two main types of EMR systems available are server-based and Web-based. In server-based systems; the patient data is typically located on a computer or server in the doctor's office. The practice, therefore, is responsible for maintaining the security of the patient records. In a Web-based system — also known as ASP (application service provider), the doctor accesses the EMR system via the Internet and the data is located off-site, usually on the server of the EMR vendor or a third party. Sometimes the information is stored on the same server as information from other medical practices. There is the potential for the information to be accessed by someone other than an authorized party.

Who “Needs to Know?”

Access to patient information should be on a “need to know” basis. There may also need to be additional provisions for restricted types of visits such as patients with HIV, mental health issues or those undergoing drug treatment.

HIPAA rules determine how patient health information may be shared electronically. A medical practice needs to ensure the confidentiality of the patient information not only within its domain, but also with third parties who have access to the same information (outside vendors, laboratories, consultants, etc.).

This could even apply to anyone who potentially has access to patient records, such as your cleaning service or maintenance contractors. Check with an attorney or look online for examples of Business/Vendor Associate Agreements for HIPAA compliance that you can use.

Other potential gaps in information access include:

► unattended computer monitors
► printers or faxes located in ‘public’ locations
► lost or misplaced laptops with critical information
► smart phones or PDAs that are not password-protected
► a wireless network with inadequate security encryption
► employees downloading unauthorized software.

So why couldn't we use Gmail? A medical practice would need to enter into a Vendor Associate agreement with Google, Inc. and require Google to adhere to the practice's procedures and policies for privacy of patient information. It is improbable that Google would agree to sign these types of agreements and expose itself to liability. OM

Peter J. Polack, MD, FACS, is co-managing partner for Ocala Eye, a multisubspecialty ophthalmology practice located in Ocala, Fla. He is also founder of Emedikon, an online practice management resource for physicians and administrators.