Pritts: Press EHR Vendors for Answers
Demand Information on Privacy, Security
Hospitals and physician groups implementing electronic health records need to take the initiative to make sure that their EHR vendors are adequately addressing privacy and security issues, says Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT.
ONC, a unit of the Department of Health and Human Services, is taking a leadership role in the HITECH Act electronic health record incentive program.
"It is difficult sometimes to move privacy and security into the forefront of vendors' thoughts because there are so many other fun things to do with an EHR," Pritts told the audience at the Oct. 1 opening session of the American Health Information Management Association conference in Chicago.
"Some of the stories we hear in the field are really frightening," Pritts said. She noted that some vendors, unfortunately, have advised their customers to turn off the encryption and audit log functions of an EHR if they want to avoid slowing down system performance.
"Vendors should create easy-to-use privacy and security features in their products and communicate the importance of those features to their customers," she stressed.
Questions for EHR Vendors
Pritts urged audience members, many of whom manage patient records, to ask their EHR vendors to:
- Demonstrate the EHR's auditing function, which tracks who accesses records;
- Provide information on how the EHR can be used to securely provide patients with a copy of their records;
- Pinpoint how they will offer extensive privacy and security training. "Vendors vary greatly in the amount of training they offer to users," Pritts said.
Change the Culture
Pritts sounded a clear theme in her keynote presentation: "We're all responsible for creating a culture where privacy and security are respected and valued."
She told AHIMA members that leadership at provider organizations "must set the tone," adding, "They have to send the message that protecting privacy and securing health information is good for our patients and it's also good for business."
Key steps provider organizations should take to build a culture that values privacy, Pritts said, include:
- Use technology that has built-in privacy and security features and take full advantage of those features;
- Consider privacy and security as integral components of patient care;
- Hold daily "huddles" to discuss privacy and security issues as they arise; and
- Make sure to offer frequent privacy and security training and consider it "an essential part of the overall strategic plan."
Pritts also provided insights on ongoing ONC projects. For example:
- The Privacy and Security Tiger Team, an ONC advisory body, in October will begin studying the issue of which patient authentication techniques should be used for emerging state health insurance exchanges and for other records access purposes.
- ONC soon will release educational materials on mobile device security issues. It's also preparing a report on consumer attitudes on mobile health.
- It's conducting a pilot of data segmentation within EHRs, enabling patients to, for example, designate which specific portions of their records should not be exchanged.
- Later this month, it will launch a trial of using tablets to help educate patients about health information exchange and obtain their consent (see: Using Tablets to Obtain Patient Consent).
- ONC soon will reveal the results of a study on how providing patients with better access to their records affects the doctor/patient relationship and the outcomes of care.