Digital health records: Progress made, but how private are they?
PITTSFIELD -- The recording and accessing of health-care records has come a long way.
Written records of patient data have been replaced by digital logs that physicians and nurses can access through closed-circuit electronic systems. And it won't be long before patients can access their health information online through a patient portal, according to Bill Young, the chief information officer for Berkshire Health Systems.
BHS has embraced digital record-keeping to promote efficiency and expediency, but the strategy comes with risks. Digital records also create potential security problems.
"There's an incredible amount of enthusiasm to move into electronic health records, but the emphasis is that the [electronically available] information is very private and very secure," Young said.
Digital health records can include a patient's Social Security number, financial information and personal health information that individuals might not even share with family members.
Patients have to trust that health-care agencies will safeguard that data. But security hasn't always provided the necessary protection.
According to the U.S. Department of Health and Human Services, 19 security breaches of patient medical records have occurred in Massachusetts since 2009. A total of 902,997 individuals across the state have been affected in those breaches, according to the federal Office of Civil Rights. Each breach affected at least 500 people.
In a congressional report on breaches of unsecured protected health information from 2009 to 2010, the most common causes were identified as theft, intentional unauthorized access of protected health information, human error, loss of electronic media or paper records, and improper disposal.
The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) guide health-care privacy. Since 2009, privacy rules have been changed so that violators can be assessed fines that increase depending on the category of culpability. The maximum fine that can be assessed to a health-care agency is $1.5 million.
HIPAA also has been amended to allow health care agencies to be fined even if they are unaware of a violation.
Richard Kam is the president of ID Experts, an Oregon-based health-care security firm. He said that as patient information becomes increasingly available on devices such as laptops or tablet computers, protection of records should be given extra weight -- although it often isn't.
A study of 80 companies nationwide by ID experts found those firms were under-invested in privacy record-training and that security was inadequate.
The biggest risk that health-care agencies face is from lost or stolen computing devices or employees carelessly or unintentionally leaving data available for others to see, Kam said.
At Berkshire Health Systems, Young said there is a Privacy and Security Committee and there are full-time employees monitoring security. BHS has embraced best-practice methods, such as encryption, the process of encoding information in a way that only authorized personnel can read it.
Young said employees can get fired for visiting areas they aren't authorized to visit.
He acknowledges that security measures aren't the same as they are at financial centers, but he said patients will benefit from being able to access their records from home.
"That is under way," he said. "But it's not going to happen until it's secure."
To reach John Sakata:
On Twitter: @JSakata
Health information act ...
What it is: The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009.
What it does: The law promotes the adoption and meaningful use of health information technology.
Additional provisions: A section of the law addresses privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of other federal laws.
Penalties: Four categories of violations that reflect increasing levels of culpability; four tiers of penalty amounts; contains maximum fine of $1.5 million.
Source: U.S. Department of Health and Human Services
TALK TO US
If you'd like to leave a comment (or a tip or a question) about this story with the editors, please email us. We also welcome letters to the editor for publication; you can do that by filling out our letters form and submitting it to the newsroom.