Example Of Essay On Security For Ehr And HIPAA

Introduction

Computers and internet connectivity have revolutionized the way organizations operate. This trend has not been lost on the healthcare industry. Care institutions are embracing the use of Information and Communication Technology (ICT) through the implementation of electronic health records (EHRs). EHR refers to “longitudinal electronic records” of the pertinent health information of patients such as diagnoses, demographics and past health history (NIH National Center for Research Resources, 2006, p. 1). Such information arises from the daily activities in clinical settings. This paper provides a historical overview of the EHRs and evaluates their purpose, benefits and risks. Moreover, it also highlights the legal and security implications of EHR adoption in healthcare settings. This analysis concludes by recommending a viable process that medical centers can use to monitor HIPAA violations.

Historical overview of EHRs

The development of EHRs stem from the groundbreaking research conducted by Academic Medical Centers (AMCs) in the 1900s. However, the novelty of the EHR concept lies with the works of Hippocrates, who developed the earliest known medical record (NIH National Center for Research Resources, 2006, p. 2). He conceived a medical record that could store information regarding the prognosis and probable causes of illnesses. Examples of earlier projects include COSTAR, TMR, and TDS. These projects allowed data entry by clinicians. However, they had limited functionality, causing frequent technical breakdowns. The advancement in computing and programming technologies in the late 1900s expanded the scope of EHRs. Modern EHRs have a wide range of applications such as computerized physician order entry (CPOE), clinical decision support systems (CDS), and Health Information Exchange (HIE) (Menachemi & Collum, 2011). CDS assists practitioners in making clinical decisions through the provision of updated health information. CPOE enables clinicians to place orders for certain medical services and tests. The HIE facilitates real-time sharing of patient data between care institutions for accurate decision-making.

Purpose, benefits and risks of EHRs

The purpose of EHR is to capture and integrate patient data obtained from clinical processes and ancillary medical services in a manner that benefits both patients and caregivers. EHRs have several clinical, organizational and societal benefits. In the healthcare environment, EHRs improve both the quality of care and safety. CDS systems provide relevant information for making accurate and quick diagnoses. Modern EHRs have reminders that increase adherence to clinical guidelines. Reminders on issues such as vaccinations are critical in reducing the mortality and morbidity. Patient safety has greatly improved due to the mitigation of medical errors resulting from poor penmanship. Organizational benefits of EHRs include increased revenues, averted costs, and fewer malpractice claims. EHRs reduce billing errors, thus mitigating revenue loss through fraud. Furthermore, it eliminates costs such as paper files and redundant tests. The healthcare institutions that adopt EHR are forced to adhere to these guidelines, thus, improving regulatory and legal compliance. Compliance reduces costly malpractice claims that impose high legal attorney fees and reputation loss. The society also benefits through the increased quality of evidence-based research. EHRs provide health data that public health researchers can use to investigate the causes and prevalence of diseases. The research outcomes facilitate the monitoring disease epidemics and disease demographics. Despite its apparent benefits, EHRs suffer several drawbacks such as high implementation and maintenance costs, additional costs associated with personnel training, disruption of normal workflow and breaches in patient privacy and security guidelines.

Emerging legal issues

Crucial legal issues have arisen concerning the automation of medical records. These issues revolve around medical liability, documentation guidelines, and data ownership. EHRs have compounded the definition and scope of those actions that amount to medical malpractice. They accumulate voluminous data that practitioners sift through when making clinical decisions. The information overload increases the chances of overlooking key health findings (Sittig & Singh, 2011). This omission constitutes negligence even though part of the blame stems from the absence of comprehensive data search tools. In some cases, the evidence-based data used by CDS systems may be outdated or unfit for treating emerging clinical conditions. Legal issues arise where practitioners make contrary decisions to the ones provided by CDS systems. Patients may file malpractice lawsuits for such decision even when the alternative treatment intervention poses negligible risks (Sittig & Singh, 2011). Secondly, the format for electronic documents differ from one EHR system to another. This disparity causes confusion on what constitutes the billing process. Insurance companies also encounter difficulties in determining the inclusion criteria for some services in reimbursement claims. Thirdly, EHRs have raised questions regarding third party disclosure of patient data. The HIPAA Act permits disclosure of de-identified patient data to public health researchers without obtaining consent from individuals. This rule has caused anxiety in patients because modern technologies enable re-identification of data sets. Some individuals are advocating the right to dictate their preference for or against electronic storage of their medical records. Hence, the government faces the challenge of defining data ownership protocols to quell the mounting fears.
The Health Information Technology for Economic and Clinical Health Act (HITECH) places the responsibility for implementing health information systems on the Department of Health and Human Services (HHS). The department fulfills this mandate through agencies such as the Centers for Medicare and Medicaid Services (CMS), the Office of the National Coordination for Health Information Technology (ONC), and the Executive Office of Health and Human Services (EOHHS) (Massachusetts eHealth Institute [MeHI], n.d.). The CMS coordinates the adoption of EHR among the healthcare entities covered by it through incentives. ONC oversees the nationwide implementation of health information systems through the activities of its regional extension centers (RECs). The EOHHS oversees the statewide adoption of health information systems.

Patient data security

Data security is vital in care settings. EHRs contain sensitive patient information whose unauthorized access may have disastrous effects on the wellbeing of patients. Unauthorized access makes patients susceptible to identity theft and fraud. Furthermore, high-profile patients such as celebrities and political figures require anonymity when they visit care establishments. Their diagnostic information and procedures such as sexually transmitted diseases, substance abuse, and cosmetic surgeries should be safeguarded (AHIMA e-HIM Work Group on Security of Personal Health Information, 2008). This precaution stems from the constant media harassment faced by these people. As such, organizations can implement both physical and access protocols. Physical controls include security personnel in areas where workstations and storage media are located. Security guards assess a users’ access authority before permitting them into the workstations. Logical access protocols include the use of passwords, signature stamps, aliases to protect VIP patients or sensitive information, and date and time stamps. Role-based access is also necessary for data security because it designates the type medical data viewed by personnel, based on the sensitivity of the information and the position held by the employees.
The HIPAA Security Rule enumerates a set of national security standards that guarantee the privacy of specified health information retained or transmitted electronically by healthcare providers (U.S. Department of Health and Human Services [HHS], n.d.). This rule ensures that only the authorized personnel views sensitive patient information. The law has increased the technicality and cost of EHR systems since vendors have to add safety measures to these systems. This functionality involves additional programming, computer coding, and frequent technical upgrades to block software loopholes that cyber hackers may exploit. Hence, the initial cost of a comprehensive EHR is usually high and may deter its implementation by providers. The security rule has also increased patients’ awareness on their data security rights. Patients have the right to establish the disclosure requirements regarding their health records. Care organizations have also been affected by the security rule. The law obligates them to implement technical, administrative and physical controls to ensure data security. These safeguards have had significant cost implications for institutions.

Admissibility of evidence

Generally, the hearsay rule refutes the use as evidence any verbal or written information obtained from outside the court. However, “the Federal Rules of Evidence (803(6))” exempts EHR documents under certain conditions through a lengthy, complicated legal process (AHIMA e-HIM Work Group on Defining the Legal Health Record, 2005). First, the EHR custodian must determine the validity of the request for a health record. Validation entails confirming the identity of the patient to which the record belongs. The custodian must also verify that the format of the request meets the legal requirements. These formats include subpoenas, court orders, and patient consent forms. Upon certification, the custodian may release the relevant information. After that, the admissibility of such documents must be established through an authentication process. Authentication traces the authorship of health records by ascertaining items such as signatures, rubber stamps, watermarks, timestamps and date stamps. The law dictates that electronic documents are admissible only when generated by a system deemed accurate and trustworthy by passing reliability and integrity tests (AHIMA e-HIM Work Group on Maintaining the Legal EHR, 2005). Finally, the custodian must testify in court about the admissibility of the records generated from EHRs. The testimony attests that the submitted copies are the genuine replicas of the original documents. In some cases, the court demands the official signature of a witness or a notary public to corroborate the custodian’s testimony.

Recommendation

The process for tracking HIPAA violations in a medical center is very essential. The process should involve five vital steps. Firstly, the administration of the medical center should conduct a security risk analysis. This analysis requires the identification of the organizational areas or transactions prone to violations and medical malpractices. After identifying the risk sources and their outcomes, the center can solicit an EHR system that best mitigates these problems. Secondly, the center should update its documentation and data handling procedures in accordance with the HIPAA guidelines. This stage involves customizing and displaying its Notice of Privacy Practices (NPP, which reflect the center’s procedures regarding the use, safety, transmission, and disclosure of protected health information. The absence of the NPP or non-compliance with its provisions serve as signals for HIPAA violations. The center should also introduce “end-of-day clinical evaluation” routines (Sterling, 2015). At the end of each day or shift, designated personnel should review the medical dealings by checking whether the recorded payments and charge entries correspond to the posted transactions and patient visits respectively. This evaluation eliminates the loopholes for committing insurance fraud or embezzling company funds.
Thirdly, the center should employ data privacy and security officers. The duty of the officers is to develop and enforce data safety protocols throughout the organization. They also document HIPAA breaches committed by employees by maintain incident logs for further administrative action. Audit trails also fall within their mandate. Such trails enable them to track all transactions involving the retrieval of patient health records by recording their time, date, personnel accessing the data, and the nature of the activity performed. Attempts by unauthorized employees to obtain medical records generate alerts notifying the officers of the breach. Fourthly, the center should conduct regular employee training on HIPAA regulations and the consequences of their breach to the organization. The majority of the lower-level employees undertaking administrative duties are unaware of HIPAA regulations. Hence, they exhibit a laxity in handling patient information that may pose result in medical liability. Therefore, training will increase their awareness of and compliance with HIPAA rules. Lastly, the center should conduct annual EHR audits. These reviews should be conducted by both internal and external auditors to ascertain the efficiency of the system in generating accurate records. Furthermore, auditing enables the discovery of fraudulent money trails within the system. Audit results assist the management team to determine areas that need further improvement.

Conclusion

In conclusion, EHRs have significantly improved the quality of care provided by increasing the efficiency of resource use, speed of data access, and accuracy of medical records. Furthermore, their use has averted costs associated with redundant tests and procedures. The epitome of its advantages lies with the admissibility of EHR documentation as evidence in certain court proceedings. However, the application of EHR to health transactions has raised legal issues regarding medical liability, data ownership and documentation that need to be addressed through the specificity of legislations. Moreover, healthcare institutions must comply with the HIPAA privacy and security rules in order to counter the cybercrime pandemic. Other drawbacks of EHR include high implementation and maintenance costs, equipment breakdowns, and disruption of workflow. Despite the challenges, the benefits of EHRs supersede these adverse effects.

References

AHIMA e-HIM Work Group on Defining the Legal Health Record. (2005). The Legal Process and Electronic Health Records. Journal of AHIMA, 76(9), 96A-D. Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_028134.hcsp?dDocName=bok1_028134
AHIMA e-HIM Work Group on Maintaining the Legal EHR. (2005). Update: Maintaining a Legally Sound Health Record?Paper and Electronic. Journal of AHIMA, 76(10), 64A-L. Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_ 028509.hcsp?dDocName=bok1_028509
AHIMA e-HIM Work Group on Security of Personal Health Information. (2008). Ensuring Security of High-Risk Information in EHRs. Journal of AHIMA, 79(9), 67-71. Retrieved from http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_039956.Hcsp ?dDocName=bok1_039956
Massachusetts ehealth Institute (MeHI). (n.d.). Government Agencies. Retrieved April 7, 2015, from http://mehi.masstech.org/ehealth/government-agencies
Menachemi, N., & Collum, T. H. (2011). Benefits and drawbacks of electronic health record systems. Risk Management and Healthcare Policy, 4, 47-55. Retrieved from http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3270933/
National Institutes of Health National Center for Research Resources (NCRR). (2006). Electronic Health Records Overview. Retrieved from http://www.himss.org/files/HIMSSorg/content/files/Code%20180%20MITRE%20Key%20Components%20of%20an%20EHR.pdf
Sittig, D. F., & Singh, H. (2011). Legal, ethical, and financial dilemmas in electronic health record adoption and use. Pediatrics, 127(4), e1042-e1047. Retrieved from doi:10.1542/peds.2010-2184.
Sterling, R. (2015, February 25). Defend your practice against HIPAA violations. Retrieved April 7, 2015, from http://medicaleconomics.modernmedicine.com/medical-economics/news/defend-your-practice-against-hipaa-violations?page=full
U.S. Department of Health and Human Services. (n.d.). Summary of the HIPAA Security Rule. Retrieved April 7, 2015, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html