3 Privacy Concerns for Electronic Forms and Records
Patients want to know that their private medical information is safe.
EMR and EHR systems do provide a level of increased security over traditional paper records. Records require authorization, like passcodes, to access; there is an audit trail of those who have accessed records; and there’s less likelihood of files going missing.
But that’s not to say that electronic records are 100% secure. According to one report, in 2016 over 377 data breach incidents were reported for the healthcare industry.
The report also found that:
- Healthcare exposed the most SSNs compared to all other industries (business, education, financial, and government)
- The most records exposed by employee error or negligence were in the healthcare sector
- The healthcare industry was hit hardest by hacking, skimming and phishing attacks
Even though electronic records are far safer than paper records, they’re not immune to attack.
But medical practices need to make sure patients understand what’s at risk and what’s not, so they can reassure patients that their data is as safe as it can be. Here’s what to know:
Privacy Concern #1: Inappropriate Release and Sharing of Private Data
Primary concerns over the privacy and security of electronic healthcare information generally fall into two categories:
- The inappropriate release of information from individual organizations
- The systemic flow of information throughout the healthcare industry
In the first instance, this means that people are concerned that unauthorized users will be able to access private information on an EMR/EHR system either intentionally (maliciously) or unintentionally.
If patient information is stolen from or shared by an authorized user, even accidentally, it can cause serious privacy concerns for the patients involved.
In the second instance, patients might have concerns that patient information is being disclosed to third-party sources that might use the information to invade the patient’s privacy.
Inappropriate releases from organizations can happen when authorized users intentionally or unintentionally access or disseminate information in violation of organizational policy or when outsiders break into an organization’s computer system.
For instance, sharing data between providers without the patient’s knowledge would be considered a privacy concern, even in instances where it is technically legal.
While HIPAA requires that practitioners not share information without a patient’s knowledge, some parties are exempt from those rules. Life insurers, employers and some school districts are exempt, for example.
This means that potentially embarrassing health information could be shared, like:
- Psychiatric care episodes
- Substance abuse
- Physical abuse
- Abortions
- HIV status
- Sexually transmitted diseases
In one specific case, concern over the health of fellow employees or family members led one group of healthcare workers to access health records of other employees to determine the possibility of sexually transmitted diseases.
It’s important for practices to make sure that only authorized users have access to patient data and that data audits are performed regularly to ensure no information has been transferred without permission.
Privacy Concern #2: Threat of Data Breaches or “Hackers”
While the above concerns are typically caused by insiders – someone within the clinic who has authorized or unauthorized access to sensitive patient data – other causes for concern include unauthorized outside access.
In the first half of 2017, hacking accounted for 75 of 233 data breaches, with 1,684,904 patient records being impacted.
Malware and ransomware were specifically mentioned in 29 of those incidents, meaning that security measures currently in place to protect against outside data hacking fell short.
Unlike in instances of insider access, patients and providers have very little control over whether patient data is safe. The burden of security in these cases falls on EMR/EHR service providers and their firewalls and anti-malware software.
As Protenus (a healthcare artificial intelligence company) co-founder and president Robert Lord says, “The healthcare sector will only stop being so vulnerable when the advances in data collection, sharing and analytics are matched with similar advances in our understanding of how to protect patient data.”
Choosing the right EMR/EHR provider is essential to limiting data breaches, but even the most robust EMR/EHR provider is still vulnerable. Until anti-malware technology can keep pace with hackers, vulnerabilities will still exist.
Onsite (physical) protection of the practice itself is also essential, and, in many cases, more within the control of the practice (though patients still have little control).
There is a potential level of threat from unauthorized physical intruders who might steal or attempt to access patient information. This can include vengeful employees, vindictive patients or other malicious intruders who want to damage systems or steal sensitive information.
In these instances, practices and practitioners can attempt to take extra security measures, like ensuring that only certain employees have keys to the building, or installing security systems. But again, not every incident is preventable.
While most providers use trusted EMR/EHR providers, and most have taken steps to ensure the physical safety of their buildings, these outsider incidents can still be cause for concern – especially for patients who have little control over either.
Privacy Concern #3: User Error and “Innocent” Mistakes
A third type of threat is considered non-malicious but is still equally dangerous: insiders who make “innocent” mistakes and cause accidental disclosures can also harm patients or practices.
Accidental disclosure of personal information can happen in myriad ways, including overheard conversations between care providers in the corridor or elevator, information left on the screen on a nursing station computer, a misaddressed email, or misfiled or misclassified data.
These mistakes may seem innocuous, but can cause the accidental release of patient information to unauthorized or even malicious parties. Even information spoken at the front desk during an initial intake may be overheard by the wrong person.
Practices can train staff on how to properly handle in-office patient data, like referring to patients by their first name only, refraining from gossiping, and using online intake forms. This can help reduce the instances where patient data is shared unintentionally.
But patients also play a role in keeping their own data safe. Helping patients understand exactly how they can prevent data loss or breaches from occurring is as important as training staff on how to handle private data.
Many patients store their own copies of their medical information online using a Personal Health Record (PHR), accessed via a Patient Portal. While Patient Portals are great for the patient experience, they can also cause unintentional breaches if patients aren’t careful.
Patients have full control over the health information stored in their PHR, for example, and it can be accessed anywhere, any time over the Internet using a unique password.
If patients give out that password to unauthorized individuals or it is stolen by a third party, that information can be accessed by outsiders, even without the patient knowing.
It’s also important to note that HIPAA security standards and requirements do not necessarily apply to PHRs, so be sure to review the security policies and precautions that a PHR uses before entering your medical information.
Practitioners and office staff need to educate each other, as well as patients, in security best practices when it comes to keeping private medical data safe.
Here are a few ways to ensure your patients’ data is safe.
Final Thoughts
Keeping patient data safe isn’t easy, but it’s important for practices to understand where potential threats might come from so they can stay vigilant in protecting that data.
Practices should train employees on how to properly use EMR/EHR systems so that no data is accidentally released. It’s also important to make sure patients understand how to protect their own data, even as they access Patient Portals online.
It’s equally important to vet your potential EMR/EHR provider to make sure that their systems and software can handle potential outsider threats, and that they have a response process in place should a data breach occur.
By following these steps, practices can reduce the fear that patients may have about their data privacy.