Chapter 1 Privacy and Security of the Electronic Health Record
Vocabulary
Breach: A prohibited disclosure or use of protected health information (PHI), which compromises the security or privacy of the information.
Confidentiality: A legally protected right of patients. An ethical duty of designated healthcare professionals to keep patient information private.
Electronic health records (EHRs): A computerized software system that maintains patient health information, which can be created, managed, and consulted by authorized healthcare professionals and providers from more than one healthcare organization.
Healthcare providers: Also called providers; includes doctors, nurse practitioners, midwives, and physician assistants.
Liable: Legally responsible.
Malware: Malicious computer software that affects the functioning of a computer. It can gather and send a person’s private information to unauthorized parties over the Internet.
Policies: Written plan of activities or behaviors that provides goals for the facility and the healthcare employees.
Privacy: The condition of being private or secret.
Procedures: Detailed steps that describe how to perform specific tasks.
Protected health information (PHI): Includes a patient’s identifiable demographic information, physical and/or mental health information and conditions, and related payment information. Under HIPAA, the security, privacy, and confidentiality of PHI must be safeguarded.
Risk management: Techniques used to lower the risk of accidental loss to a business.
Electronic Medical and Health Records
When patients’ paper medical records were moved to digital versions, they were called electronic medical records (EMRs). The EMR contained the patient’s medical and treatment information for that specific healthcare facility. Digitizing the medical records allowed healthcare providers to have quicker access to the patient’s information and track data over time. Providers in the same facility could review the chart at the same time, which was not possible when the records were in paper form.
A disadvantage of EMRs was the difficulty to share the information with other healthcare providers outside of the facility. For instance, if a patient was initially seen by their provider and then referred to a specialist outside of the facility, the patient’s electronic medical record needed to be printed out and mailed or faxed to the specialist.
As technology advanced, electronic health records (EHRs) were created. EHRs contained the patient’s total health information. The record was shared with healthcare providers and professionals outside of the facility, and information from those visits was added to the EHR. Thus, the EHR was accessed and managed by more than one healthcare facility. For instance, a patient recently discharged from the hospital is being seen by their provider. The doctor can access the X-ray report and medical laboratory reports from the hospital’s EHR. This allows for better patient care.
Information in an EHR
A patient’s EHR contains demographic information, such as name, address, phone numbers, email addresses, date of birth, and Social Security number. It also contains administrative and billing information, including insurance account numbers and claims. The EHR can contain correspondence from other providers, along with forms signed by the patient.
The largest collection of information in an EHR relates to the patient’s health information, which includes the following:
- Personal history: Includes past and current diseases, health concerns, medications taken, surgeries, and hospitalizations
- Family history: Includes diseases/conditions with which the patient’s family members were diagnosed
- Progress notes: Written by healthcare providers; include the patient’s signs, symptoms, and concerns, the findings from the physical exam and tests, the diagnosis, and the treatment plan
- Vital signs: Includes the patient’s heart rate, respiration rate, blood pressure, temperature, weight, and height
- Allergies: Includes medications, environmental, and food allergies
- Immunization dates: Includes the vaccine type and the date it was administered
- Medical laboratory tests: Includes blood tests, urine tests, etc.
- Radiology images: Includes X-rays, ultrasounds, computerized tomography (CT) scans, magnetic resonance imaging (MRI), etc.
- Other test results
Patient Portal
Many EHRs include patient portal software. The patient portal is a secure website that allows the patient to interact with their EHR and their healthcare team. Many patient portals allow patients to view test results, read visit and medication summaries, add and revise personal and family health information, and view immunization status. Some patient portals allow patients to message their healthcare team, request prescription refills, make payments, update personal information, schedule appointments, read educational health information, and complete forms.
Privacy and Confidentiality of Health Information
In healthcare, a patient’s records are private and confidential. Privacy and confidentiality of their records give patients the freedom to share their health concerns with their provider (e.g., doctor, nurse practitioner, or physician assistant). Healthcare professionals can only read a patient’s chart if they are working with the patient and/or need information for their job.
Federal and state laws address privacy and confidentiality of patients’ health records. Two important federal laws that address these topics are as follows:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
Health Insurance Portability and Accountability Act
In the 1980s and early 1990s, billing and payment processes in healthcare moved slowly. It was typical for payments for services provided to be delayed four to six months. During this time, healthcare technology advanced, and many software companies were creating electronic health records (EHRs).
Due to the changing times, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is a set of national standards that healthcare organizations, providers, and professionals must follow. This law is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). One of the important goals of HIPAA was to safeguard the security, privacy, and confidentiality of protected health information (PHI). Protected health information (PHI) includes identifiable demographic information. It also includes physical and/or mental health information and conditions and related payment information.
Two important standards to be aware of as a healthcare professional are as follows:
- Standard 2 – Privacy Rule: This standard requires healthcare facilities (e.g., clinics, hospitals, pharmacies, nursing homes, etc.) to protect patient health information.
- Standard 3 – Security Rule: This standard requires healthcare facilities to protect patient information when it is electronically transmitted and stored.
The following sections provide a brief summary of these two standards. For more information see the U.S. Department of Health and Human Services Health Information Privacy web page.
Standard 2: Privacy Rule
The formal name for the “Privacy Rule” is the Standards for Privacy of Individually Identifiable Health Information. The Privacy Rule protects all individually identifiable health information, which includes the following for each patient:
- Demographic data (name, address, phone numbers, email addresses, date of birth, and Social Security number)
- Past and present health information (e.g., physical and mental health information, surgeries and procedures, medications)
- Payment for past and present health services
The Privacy Rule protects patient information that is transmitted to other healthcare facilities and services, whether in writing (paper), electronically, or orally. This information is called protected health information (PHI). The Privacy Rule specifies situations when the PHI can be used or disclosed with and without the patient’s written authorization.
A patient’s written authorization is required when the patient requests PHI to be disclosed to a third party, such as another person or healthcare facility. For instance, Tom gives written authorization for the doctor to talk to Jane, his daughter, about Tom’s diagnosis. Another example is when Susie is moving and wants to see a new doctor. She needs to provide a written authorization to have her records transferred to the new healthcare facility.
No written authorization is required for the following activities:
- To the individual: Patients can see their health information, without completing a written authorization (record release form).
- Treatment, payment, and healthcare operations (TPO): Treatment relates to the actions taken to care for the patient. Payment refers to the reimbursement for the services provided. Healthcare operations relates to the healthcare facility’s activities required to run their business. This may involve such activities as legal services and quality improvement.
- Uses and disclosures with an opportunity to agree or object: When asked, the patient can give informal permission for another to hear their information. For instance, a patient is accompanied by their significant other. The patient gives permission for the significant other to remain in the room during the examination.
- Incidental use and disclosure: Healthcare professionals must always take reasonable precautions so that patients’ information is not overheard. If an incidental disclosure occurs, no written authorization is required from the patient.
- Public interest and benefit activities: Local and state laws may require the release of PHI in certain situations that involve law enforcement and public health activities. PHI can also be given to coroners, medical examiners, and funeral directors.
De-identifying Protected Health Information
Direct patient identifiers, as defined under HIPAA, can be used to link protected health information back to a specific person. Direct patient identifiers include the following:
- Names
- Addresses
- Dates (e.g., treatment, admission, and discharge dates; birth and death dates)
- Social Security number
- Telephone and fax numbers
- Medical record numbers
- Biometric identifiers (e.g., finger, retinal, and voice prints)
- Health insurance beneficiary numbers
- Account information
- Full-face photographs and any comparable images
- License plate number and drivers’ license numbers
- Device identifiers, attributes, and serial numbers
- Web universal resource locators (URLs), Internet Protocol (IP) addresses, and email addresses
Many times, the direct patient identifiers are removed from the PHI for research, healthcare operations, and public health purposes. Once the PHI has been de-identified (i.e., the direct patient identifiers have been removed), HIPAA does not restrict the disclosure of the information. For instance, the county health department requests that all hospitals in the area provide information on patient deaths within the last month. The hospitals would remove all of the patients’ identifying information and provide the county with only a list of causes of death. There would be a low risk of the information being linked back to the patients involved.
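The following is an added example, not part of the chapter, showing how the de-identification described above can be done and, more importantly, checked. It strips the direct identifier fields from a record, then scans whatever free text remains (a discharge note, for instance) for identifier-like patterns, because a field-by-field removal says nothing about what a clinician typed into a note. The field names, the regular expressions, and the sample records are all constructed for this example and are not a standard schema or a vetted scrubbing tool.

```python
import re
from copy import deepcopy

# Direct identifier fields, following the chapter's list of HIPAA direct
# patient identifiers. The field names are constructed for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "birth_date", "death_date", "admission_date",
    "discharge_date", "ssn", "phone", "fax", "medical_record_number",
    "biometric_id", "insurance_beneficiary_number", "account_number",
    "photo", "license_plate", "drivers_license", "device_serial",
    "url", "ip_address", "email",
}

# Patterns that often indicate an identifier hiding in free text (e.g. a
# progress note). Illustrative only; real scrubbing needs a reviewed tool.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def deidentify(record):
    """Return a copy of the record with every direct identifier field removed."""
    return {k: deepcopy(v) for k, v in record.items()
            if k not in DIRECT_IDENTIFIER_FIELDS}


def residual_identifiers(record):
    """Scan the string values left after de-identification for identifier-like
    text. Returns a list of (field, pattern_name) pairs; empty means clean."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for name, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, name))
    return hits


def death_report(records):
    """Build the kind of list the chapter describes: strip all direct
    identifiers and report only the cause of death. Raises if any
    identifier-like text survives, so a leaky note cannot go out by accident."""
    report = []
    for rec in records:
        clean = deidentify(rec)
        leaks = residual_identifiers(clean)
        if leaks:
            raise ValueError(f"residual identifiers in record: {leaks}")
        report.append({"cause_of_death": clean["cause_of_death"]})
    return report


# Constructed sample records (fictional patients).
SAMPLE_RECORDS = [
    {
        "name": "Pat Example", "ssn": "123-45-6789", "death_date": "03/02/2024",
        "medical_record_number": "MRN-0001",
        "cause_of_death": "myocardial infarction",
        "discharge_summary": "Patient expired on unit; family notified.",
    },
    {
        "name": "Sam Sample", "email": "sam@example.com", "death_date": "03/09/2024",
        "cause_of_death": "sepsis",
        # A free-text field that still leaks a direct identifier.
        "discharge_summary": "Call son at 555-867-5309 regarding belongings.",
    },
]

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORDS[0]))
    print(residual_identifiers(deidentify(SAMPLE_RECORDS[1])))
    try:
        death_report(SAMPLE_RECORDS)
    except ValueError as e:
        print("blocked:", e)
    print(death_report(SAMPLE_RECORDS[:1]))
```

The second sample record is the point of the exercise: every identifier field is gone, yet the discharge note still carries a phone number, and `death_report` refuses to release the batch until it is cleaned.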
Quick Summary
Healthcare professionals and providers:
- Can only view patient health records if they are working with the patient. They can only view information required for their job.
- Cannot view their own health record or that of their friends and family members.
- Must not discuss what they see and hear in the healthcare setting related to patients.
- Can lose their job and be fined for violations.
Standard 3: Security Rule
The Security Rule focuses on the protection of the electronic protected health information (ePHI). The Security Rule contains administrative, physical, and technical safeguards important to ensuring the security of the ePHI.
Administrative Safeguards
One of the focuses of the administrative safeguards is to identify and prevent potential risks to the ePHI. Today, cyberattacks are the greatest threat to ePHI.
The administrative safeguards category includes administrative policies, procedures, and actions to protect ePHI. Typically, a security officer or an appointed person is responsible for ensuring the Security Rule requirements are implemented and followed in the facility. Administrative safeguards used in healthcare facilities include the following:
- Written policies and procedures for identifying and reducing the risk to ePHI
- Security risk analysis that identifies potential threats with corrective action plans
- Risk management program to prevent unauthorized disclosure of ePHI
- Employee training on privacy and security practices
Reporting Breaches
Healthcare professionals and providers must follow the facility’s electronic security policies and procedures. Violating these may cause a breach of ePHI.
When a breach of ePHI occurs and impacts 500 or more individuals, healthcare organizations must notify the Secretary of the U.S. Department of Health and Human Services (HHS) by completing a breach report form within 60 days. If the breach impacts fewer than 500 individuals, the healthcare organization must complete the breach report form no later than 60 days after the end of the calendar year in which the breach was discovered.
To view breach cases currently under investigation, go to the Cases Currently Under Investigation web page.
Physical Safeguards
The physical safeguards focus on the protection of the computer network and the computer equipment. Healthcare facilities use surveillance cameras and alarms. Computer equipment should be labeled with identification numbers and secured with security cables to prevent theft. These are some additional physical safeguards:
- Inventory all workstation equipment, portable devices, and medical devices that use, collect, or store ePHI. It’s important to know what equipment is being used, the location of the equipment, and who is using it.
- Staff members must only have access to the part of the software they need to complete their job. Therefore, a provider would have greater access to a patient’s EHR than the receptionist, for example.
- Workstations must have security features to prevent unauthorized individuals from accessing or viewing the EHR. These security measures include the following:
  - Unique, strong network passwords for each staff member
  - Monitor filters, privacy screens, or privacy filters, which allow only those directly in front of the screen to see the information
  - Network log-out procedures
Computer Equipment
Healthcare professionals and providers must keep computer equipment and electronic devices used for ePHI safe and secure. Any loss, theft, or unauthorized use of the devices must be reported immediately to the facility’s security officer.
Technical Safeguards
Technical safeguards focus on protecting the ePHI through the use of technology, policies, and procedures. Technical safeguards include the following:
- Using audit trails, which record a user’s activity in the software.
- Using authentication, which is the process of confirming the identity of the person logging in to the computer. This may include behavioral biometrics such as voice, signature, or keystroke recognition. It may also include physiological biometrics such as facial, fingerprint, iris, or hand geometry recognition.
- Monitoring the log-in process and identifying if multiple login attempts are being made. This can indicate an unauthorized person is attempting to get into the network or EHR.
- Having the computer automatically log off the network or EHR after a period of inactivity.
- Backing up the network at least once a day. The data backup process means the network files are copied, and the copy of the files is stored offsite. If a disaster, cyberattack, or other type of situation occurs that impacts the integrity of the network files, the copied files can be used to restore the network.
- Using encryption software, which changes the ePHI to non-readable or encrypted data (ciphertext). To read the information, the user needs to enter a password for the decryption to occur.
- Using a firewall, which is hardware or software that acts as a filter between the Internet and the network. A firewall controls what data from the Internet can enter the network.
- Installing and using antivirus, anti-malware, or virus protection software to identify and remove malware from the network.
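The following is an added example, not code from the chapter, that puts four of the safeguards above into one small model: an audit trail that records every action, a login monitor that raises an alert when repeated failed attempts land inside a short window, automatic log-off after a period of inactivity, and the role-based "only the part of the software they need" access described under physical safeguards (a receptionist can open billing but not progress notes). The roles, section names, thresholds, usernames, and credentials are all constructed; a real system would store salted password hashes, not the plaintext used here for brevity. Time is passed in explicitly so the behaviour is deterministic.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Minimum-necessary access: which EHR sections each role may open.
# Roles and section names are constructed for this example.
ROLE_SECTIONS = {
    "provider": {"demographics", "progress_notes", "labs", "medications", "billing"},
    "nurse": {"demographics", "progress_notes", "labs", "medications"},
    "receptionist": {"demographics", "billing"},
}

FAILED_LOGIN_LIMIT = 5      # failed attempts before an alert is raised
FAILED_LOGIN_WINDOW = 300   # seconds over which the attempts are counted
INACTIVITY_TIMEOUT = 900    # seconds of inactivity before automatic log-off


@dataclass
class Session:
    user: str
    role: str
    last_activity: float


@dataclass
class EhrAccessControl:
    # Constructed credential store: username -> (password, role).
    credentials: dict
    audit_trail: list = field(default_factory=list)
    failed_logins: dict = field(default_factory=lambda: defaultdict(deque))
    sessions: dict = field(default_factory=dict)

    def _log(self, now, user, action, outcome, detail=""):
        # Every attempt, allowed or denied, is recorded: that is the audit trail.
        self.audit_trail.append({"time": now, "user": user, "action": action,
                                 "outcome": outcome, "detail": detail})

    def login(self, now, user, password):
        """Authenticate; returns True on success. Flags repeated failures."""
        entry = self.credentials.get(user)
        if entry is None or entry[0] != password:
            attempts = self.failed_logins[user]
            attempts.append(now)
            while attempts and now - attempts[0] > FAILED_LOGIN_WINDOW:
                attempts.popleft()          # forget attempts outside the window
            if len(attempts) >= FAILED_LOGIN_LIMIT:
                self._log(now, user, "login", "alert",
                          f"{len(attempts)} failed logins within {FAILED_LOGIN_WINDOW}s")
            else:
                self._log(now, user, "login", "denied")
            return False
        self.failed_logins.pop(user, None)
        self.sessions[user] = Session(user, entry[1], now)
        self._log(now, user, "login", "allowed")
        return True

    def open_section(self, now, user, patient_id, section):
        """Open one section of a patient's chart, enforcing inactivity log-off
        and role-based minimum-necessary access."""
        session = self.sessions.get(user)
        if session is None:
            self._log(now, user, f"open {section}", "denied", "no session")
            return False
        if now - session.last_activity > INACTIVITY_TIMEOUT:
            del self.sessions[user]         # automatic log-off
            self._log(now, user, "auto-logoff", "allowed",
                      f"inactive {now - session.last_activity:.0f}s")
            self._log(now, user, f"open {section}", "denied", "session expired")
            return False
        session.last_activity = now
        if section not in ROLE_SECTIONS[session.role]:
            self._log(now, user, f"open {section}", "denied",
                      f"role {session.role} not permitted; patient {patient_id}")
            return False
        self._log(now, user, f"open {section}", "allowed", f"patient {patient_id}")
        return True

    def alerts(self):
        return [e for e in self.audit_trail if e["outcome"] == "alert"]


def demo():
    """Constructed walk-through; returns the access-control object so the
    audit trail can be inspected."""
    ac = EhrAccessControl({"drlee": ("sample-pass-1", "provider"),
                           "frontdesk": ("sample-pass-2", "receptionist")})
    for t in range(5):                                   # five bad guesses in 5 s
        ac.login(t, "drlee", "wrong")
    ac.login(10, "frontdesk", "sample-pass-2")
    ac.open_section(20, "frontdesk", "P-001", "billing")         # allowed
    ac.open_section(25, "frontdesk", "P-001", "progress_notes")  # denied: role
    ac.open_section(25 + INACTIVITY_TIMEOUT + 1, "frontdesk", "P-001", "billing")  # auto-logoff
    return ac


if __name__ == "__main__":
    for event in demo().audit_trail:
        print(event)
```

The audit trail is what an investigator reads after a breach, so the model logs the denied attempts and the automatic log-off as faithfully as the successful ones; a trail that only records successes hides exactly the activity the login monitor is meant to catch.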
Health Information Technology for Economic and Clinical Health Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 as part of the American Recovery and Reinvestment Act. This law is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The HITECH Act helped to enforce HIPAA in these ways:
- Increasing the penalties for privacy and security violations. The penalty increases based on the gravity of the violation. Penalties range from $100 to $1.5 million per calendar year. Healthcare facilities or businesses and individuals can be penalized and fined.
- Making healthcare facilities or businesses personally liable for compliance with HIPAA.
- Prohibiting the sale of a patient’s PHI without their written authorization.
Learning Activities
Application Exercise 1
Using the Internet, research a patient portal software. Write a paragraph describing what you learned through your research. Include the name of the software and the website(s) you used.
Application Exercise 2
Review the latest breach cases on the Cases Currently Under Investigation web page.
What are the most common types of breaches? What are the most common locations of the breached information?