Monday, October 31, 2011

Quick Guide To Electronic Health Records



A hospital’s 4-year financial incentive for implementing Electronic Health Records (EHR) is $11 million (AHC Media LLC, 2011). This was established by the Health Information Technology for Economic and Clinical Health Act (HITECH), signed by President Obama in 2009[i] (Klein, January 2011). With incentives like that, why isn’t every hospital and physician on the bandwagon? There are several ethical risks associated with the benefits of EHR. The risks all fall under the umbrella of data security.
Patient privacy is at the top of the list for data security. If the information is breached, patients’ sensitive information is subject to compromise. This information could be social security numbers, family history, contact information and even diagnoses of diseases. These are all examples of information that should not be obtained by unauthorized persons (Kopala & Mitchell, July-September 2011). According to JONA’s Healthcare Law, “When data is stored, “secure” files are vulnerable to being compromised, despite firewalls, encryption, and password protection” (Kopala & Mitchell, July-September 2011, p. 85, par. 9). This is the most important ethical issue because sensitive information, like a patient being diagnosed with an STD, could be compromised and published for all to see. The likelihood of this happening is what all participating hospitals are betting against (Kopala & Mitchell, July-September 2011).
To be eligible for the incentives of EHR, your network’s “risk assessment must be based upon National Institute of Standards and Technology (NIST) guidelines” (AHC Media LLC, 2011, p. 1, par. 6). McGuinness notes that these guidelines are explained in Special Publication 800-30, released by NIST, which states, “Risk assessment is the process of identifying the risk of a system and determining the probability of occurrence, the resulting impact and additional safeguards that would mitigate this impact” (McGuinness, 2007, slides 1-2). The results of the assessment could be low, medium or high. In the event that a hospital produces a high-risk outcome, it is advised to make changes to better secure the data on its systems (McGuinness, 2007).
Another doctrine comes into play when discussing EHR: the Health Insurance Portability and Accountability Act (HIPAA). According to Walsh, the standards are too flexible. The standards must apply to large hospitals as well as small doctors’ offices. He goes on to say that the HIPAA risk assessment does not strictly define “reasonable” and allows organizations to poorly protect patient records (Walsh, 2011). Every patient would like the results of their hospital’s risk assessment to be low. According to Healthcare Risk Management, “70% of hospitals say that protecting patient data is not a top priority and 67% have less than two staff members dedicated to protection management” (AHC Media LLC, 2011, p. 1, par. 1)[ii]. These study results and trends are shocking at best and do not help the debate for EHR.
When a patient is set up with an EHR, the patient owns the record. Only physicians with a need to know may access the files. The patient can choose to allow or deny third parties to view the personal record through a waiver. As you can tell, there are policies in place to protect the patient through security. If the patient chooses, their files can be viewed by anyone in the healthcare field, regardless of their role and need to know. Another security precaution explained by Kopala & Mitchell is the monitoring of record utilization by chief privacy officers. So in the worst case, if your information is compromised, you will likely have an idea of who viewed your record. Also, patients must be notified if there is a breach of information no later than 60 days, either by first-class mail or e-mail. The notification also identifies steps for victims to take to protect themselves. If the breach involves over 500 individuals, the media must be notified as well as the Secretary of Health and Human Services (Kopala & Mitchell, July-September 2011).
Although the security risk may seem daunting, there are benefits to EHR implementation. Decreasing medical errors, cost savings, improved patient care, and the ability to track quality indicators are some of the benefits (Kopala & Mitchell, July-September 2011). With all avenues of Information Technology, data security is paramount. The question is: are we willing to take the ethical risk to profit from the advent of Electronic Health Records?



[i] HITECH was signed on February 17th as part of the American Recovery and Reinvestment Act.
[ii] Data according to a landmark study from the Ponemon Institute.


Works Cited


AHC Media LLC. (2011, Feb). HIPAA Regulatory Alert: Importance of security risk assessments rise with advent of electronic health records. Healthcare Risk Management, 1-3. Retrieved from http://proquest.umi.com.ezproxy.umuc.edu/pqweb?did=22720413.
Klein, C. A. (January 2011). Electronic health records 101. The Nurse Practitioner, Vol. 36, No. 1, 15-18. DOI-10.1097/01.NPR.0000391179.47878.3a.
Kopala, B., & Mitchell, M. E. (July-September 2011). Use of Digital Health Records Raises Ethics Concerns. JONA'S Healthcare Law, Ethics, and Regulation, Vol. 13, No. 3, 84-89. DOI-10.1097/NHL.06013e37822aefcd.
McGuinness, T. (2007, 01). Risk-assessment Process NIST 800-30. Retrieved 10 2011, from SlideShare: http://www.slideshare.net/timmcguinness/risk-assessment-process-nist-80030.
Walsh, T. (2011, 01). Security Risk Analysis and Management: An Overview (Updated). Retrieved 09 2011, from AHIMA Body of Knowledge: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_048622.hcsp?dDocName=bok1_048622.



