EHR Disclosures: Tackling the Challenge

Federal Official Discusses Rule-making Efforts
Accounting for disclosures of patient information from electronic health records will prove to be "a very daunting challenge," a representative of the agency working on writing the requirement acknowledges.

As it prepares a rule spelling out requirements for providing patients with an accounting of disclosures of information from EHRs to those outside the organization that created the records, the U.S. Department of Health and Human Services' Office for Civil Rights "hopes to put the onus on electronic health records vendors," says Adam Greene, senior health information technology and privacy specialist at the office. The rule, he says, likely will include specific requirements for how EHR software must accommodate these disclosures.

In that way, some of the difficulties involved in reporting disclosures will be eased for healthcare organizations, he contends.

Greene's comments came Aug. 16 at the 2010 Legal EHR Summit in Chicago, sponsored by the American Health Information Management Association.

The Office for Civil Rights left the disclosure accounting requirement out of its recently released final rules for the Medicare and Medicaid EHR incentive payment program created under the HITECH Act, saying it needed more time to work on the details. In July, Susan McAndrew, deputy director for privacy at the Office for Civil Rights, said the office would issue a disclosure accounting rule later this year. She acknowledged this rule-making task is proving difficult. "There is a wide range of opinion on all aspects of this new requirement, including the primary factors we should take into account when balancing benefits to individuals against the burden on covered entities."

Accessing Records

In his presentation at the conference, Greene also addressed the challenge of providing patients with copies of their electronic records.

One of the final rules for the EHR incentive program, which spells out how hospitals and physicians must "meaningfully use" EHRs to earn incentives for stage one of the program, requires providers to give patients access to copies of their electronic records. Greene says this can be accomplished in several ways, including:

  • Via a patient portal;
  • By exchanging information from the EHR with a personal health record application;
  • By downloading records to a CD or USB drive.

He noted that electronic records provided to patients can be unencrypted, "as long as you inform the patient about the risks."

Other Security Steps

Greene also offered insights on other security steps hospitals and clinics should take as they implement electronic records, including:

  • Conduct a risk assessment or update an existing one. "An EHR creates a whole new ballgame for risk analysis," he says.
  • Properly train the workforce so they recognize new security challenges. Security policies developed as a result of a comprehensive risk analysis will prove worthless unless staff is aware of them and knows how to comply, Greene stresses.
  • Create a contingency plan for steps to take when an EHR system is unavailable.
  • Appropriately monitor access to EHRs and maintain physical safeguards to prevent loss or theft and to address environmental hazards. To make his point, Greene quipped about avoiding having "a secure server next to an open window in front of a radiator."
  • Be sure to activate and use all the security features included with an EHR. "It doesn't do anyone any good to have encryption features that are not turned on," he stresses. "And make sure that your hardware supports all of the EHR's security features."

Because so many of the major breaches reported to the Office for Civil Rights so far have involved the theft or loss of unencrypted portable computers and media, Greene reminds hospitals and clinics to make widespread use of encryption.

In addition to the roughly 130 major breaches reported so far, the Office for Civil Rights had received more than 7,500 reports of breaches affecting fewer than 500 individuals as of mid-July, Greene notes. Many of those smaller cases, he says, have involved paper records and fax machines. He urges hospitals and clinics to take steps to make sure that faxed records wind up at the appropriate destination.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
