EHR Adopters Need 'Culture of Privacy'A HITECH Strategy for Physician Groups
"Nobody would ever ask a patient to disrobe in the waiting room, but yet we disrobe patient information frequently in the waiting room," she says.
Many group practices are installing EHRs in hopes of earning incentive payments from Medicare or Medicaid under the HITECH Act. In an interview (transcript below), Amatayakul:
- Stresses the need for a thorough, well-documented risk assessment, which is required under HIPAA as well as the HITECH EHR incentive program;
- Emphasizes the importance of encryption, especially to protect data on mobile devices and media;
- Urges EHR shoppers to ask software vendors about access control capabilities, audit logging, data integrity controls, authentication options and encryption.
Amatayakul is president of MargretA Consulting, which specializes in EHRs and compliance issues. Before forming the company, she helped found and served as the first CEO of the Computer-based Patient Record Institute, now folded into the Healthcare Information and Management Systems Society. She also was associate executive director of the American Health Information Management Association, associate professor at University of Illinois, and director of medical record services at the Illinois Eye and Ear Infirmary. She is a member of the adjunct faculty in the health informatics program at the College of St. Scholastica.
HOWARD ANDERSON: Physician practices across the country are preparing to implement electronic health records in hopes of receiving federal financial incentives under the HITECH Act to help pay for some of the costs. As practices implement their first records systems, what are some of the most important initial steps that they should take to ensure the records are secure and patient privacy is protected?
MARGRET AMATAYAKUL: Any practice that has been exchanging electronic transactions, even if only through a clearinghouse for their claims, is required to comply with the HIPAA privacy and security rules. And so, adding the electronic health record is really over and above what should have been going on all along. And ... we could really go back to the Hippocratic Oath for privacy compliance.
I think that when you do introduce an electronic health record, you are really introducing a mission-critical system, and you are certainly making your electronic components much more visible to your patients. And so, there certainly is a greater risk. ... So the first thing that people ought to do is to evaluate the security that they do have today, what the EHR vendor is offering ... and consider the best practices, and then say, "Is this enough for us?" And then they should add the necessary components.
Risk AssessmentANDERSON: What tips do you have for smaller practices, in particular, which have limited resources and are attempting to do a risk assessment, as you described it, as required under the incentive program?
AMATAYAKUL: Again, the risk analysis was required under HIPAA, so hopefully this will be an evaluation and a review and updating, and not the first time they've done this. But, in any event, we know that some practices may not have done it as formally as they probably should. And it is always a good thing to try to document your risk analysis ... just in the event that there could be any sort of breach and any sort of investigation audit.
There are tools, however, at the healthit.gov website has and also NIST, the National Institute for Standards in Technology. In particular, healthit.gov has a document called "Reassessing Your Security Practices in the Health IT Environment, a Guide for Small Healthcare Practices." It is only 11 pages, and very, very readable, and gives you a really good set of things to look at, and important considerations. And one of the things that I really like about the document is that it addresses not just privacy and security from a confidentiality perspective, but it reminds us of what I call the "CIA" of security -- confidentiality as well as integrity and availability.
As we move toward a mission-critical EHR system, obviously we want to keep it secure, and we want to ensure patient privacy, but we need to also make sure that the data doesn't get messed up in any way as part of any sort of transmission or even just during retention and storage. And we want to make sure that it is available to the providers and anybody else who has authorized access when it is needed. Because you can't have a lot of downtime in a mission-critical environment. You have to have stronger disaster recovery and emergency mode access procedures. So you really need to pay attention not just to keeping everything safe, which is vitally important, but making sure you have contingency plans and data integrity controls as well.
Role of EncryptionANDERSON: Health records software certified for the new HITECH incentive program must include a long list of security capabilities, but there is no clear mandate that clinics must actually use any of those capabilities. Which security capabilities would you advise clinics to use in their early days of implementing EHRs? For example, how should they apply encryption?
AMATAYAKUL: Well, let me address encryption first. With the federal breach notification requirement ... HHS has issued guidance that unsecured protected health information that is lost, stolen, etc., and that somebody may have access to, and could end up producing harm, is a breach. And the only way, really, to protect that information is to encrypt it.
And so, laptops should be encrypted, media should be encrypted -- if you're going to give patients CDs ... the best practice, certainly, is to encrypt those CDs. If you are going to take a laptop home, it is best, of course, to not download data onto that laptop, but use it only to remotely access your information, so that it never resides on that laptop. But, just in the event that you can't have that capability, you really need to encrypt your laptop. If you are transmitting data via tapes or discs to another location for backup, even if you are only taking them home, those should be encrypted.
We're finding that encryption utilities are a lot easier to use these days; they come embedded in more of our newer operating systems that very likely will be the platform for your electronic health records. So it is just vital that you consider encryption, definitely for any data that is going to move around anywhere, and potentially for data at rest, as well.
Now, with respect to the first part of your question, the software certification process refers to the HIPAA requirements. There are 18 standards. HITECH has reiterated that those standards are essential ... And they're not just healthcare standards. They're standards you would expect to have your bank apply to your financial accounts; credit cards, certainly, apply those same standards. ... You really need to look upon HIPAA more so from the protection standpoint, and say, "I need to protect this data. I need to ensure confidentiality, integrity and availability. What are the things that I should do? What are the standards of practice across all industries that will make this work the best for me?"
AuthenticationANDERSON: In some cases, should that include two-factor authentication at clinics, do you think?
AMATAYAKUL: Yes, and I'm seeing more and more of that. ... First of all, a lot of times, hospitals are interested in allowing physicians to access through a portal their patient's records. And hospitals want to make sure that not just anybody and everybody in the physicians' office has access, but only those people who the physicians designate should have access. And so biometrics or a token that you carry with you, over and above just the user ID and password, really makes it more secure. And I'm seeing a lot of hospitals give out hard tokens to their provider community to enhance the protection of remote access.
The other thing, of course, is that we are going to be required in our EHRs to do e-prescribing, and the Drug Enforcement Administration has issued an interim final rule enabling e-prescribing of controlled substances, so long as two-factor authentication with a hard token is included in that process. There still needs to be, as I understand, some guidance delivered as to how the process actually will work, and I don't believe that we are yet able to be up and running on that. But, that will be coming very soon, and so, that that will round out the capability of doing e-prescribing for all of the prescriptions, so we won't have to be printing some to paper and transmitting others through the e-prescribing health information exchange infrastructure.
So I think that we will find that we will want ... to use a hard token to ensure better security all around.
Privacy, Security QuestionsANDERSON: As physician groups shop for an EHR system, what specific questions should they ask software vendors about privacy and security issues, and should those questions be different, depending upon whether the practice plans to host its own system or access it remotely via cloud computing?
AMATAYAKUL: Take a look at the access controls; does this system that you are buying have the capability of determining, "You have access to this, and somebody else in the office has access to that," depending upon their job responsibilities? If everybody has access to anything they want, it really should not continue, and the capabilities should exist in products to be better in controlling access. HIPAA requires that you have the capability for emergency access, which we often call "break the glass," which should be such that if anybody does need access in an (emergency) situation where somebody absolutely has to get at that record, it is very simple just to do one more click, to say, "I am doing this because it is an emergency" or whatever reason. ...
Audit logging is vital. I prefer to see stronger access controls, so we keep people out that don't have a need to know. But if you do find that you've got somebody accessing information that they shouldn't have, the only way you can prove that is by using audit logging. A lot of the products that have been circulating in the past for small physician offices did not to have that capability, but it is a requirement of HIPAA, and will be a requirement as we move forward. So make sure you have audit logging capabilities that can be turned on. And it is easy enough to use.
Obviously, there are data integrity controls that will be built into this software, and you should ask about them. Ask about encryption, obviously, and make sure that you have the authentication processes that you need -- certainly, user ID and password, and definitely, then, the second layer of authentication, the hard token, if you plan to use that for your e-prescribing. And ask about utilities, like antivirus or anti-malware. And then you can go above and beyond to look at different kinds of firewalls and intrusion detection, data loss prevention - there are obviously lots of utilities you could add. ... If you are going to be looking cloud computing, the other thing that you really need to look at is redundancy in network capability, because again, remember the CIA of security is not just keeping the information secure but also available. And a lot of times, the physician has only one means to get out, and get to their data -- to the application service provider -- and if that goes down, then there's no availability. And so, I always encourage physician offices to have a backup, even if it is only an extra DSL line. So look for something that is an affordable backup for your network capability.
And then, obviously, you need to look at the service level agreement in terms of all sorts of things ... such as data ownership and ... the ability to get at source code, and so forth, if the company should go bankrupt.
A Culture of PrivacyANDERSON: Finally, is there any other advice you would give to your practices regarding steps they can take to ensure the information in their newly installed EHR system is secure and remains private?
AMATAYAKUL: Something that comes to mind is making sure that people know about privacy and security -- to really create a culture that values privacy and security. Nobody would ever ask a patient to disrobe in the waiting room. But yet, we disrobe patient information all the time in a waiting room and in different parts of the office. Likening information privacy and security to personal privacy and safety, I think, goes a long way to contributing to that culture of privacy.