
Nosy Healthcare Employees Snoop Electronic Medical Records!
Electronic Medical Records (EMR) and Electronic Health Records (EHR) are great tools that allow for data exchange between providers and faster access to a person’s medical history. Along with this ease of access comes the potential for abuse.


Healthcare workers use these systems to manage patient information, but access to a patient’s records should be limited to only those with responsibility for a patient's care.

Unauthorized access to a person’s electronic medical records has become easier, and abuse is estimated to be widespread. The advantage of EMR and EHR systems is that audit trails are built in, so detecting unauthorized access is relatively trivial: an organization only needs to compare the list of caregivers who SHOULD have access to a person’s record against the list of users who actually accessed it. Even so, in the age of digital medical records, these unauthorized views are far too common.

EXAMPLE EMR DATA BREACHES:

Kanye West and Kim Kardashian had their baby in the Cedars-Sinai Hospital in Los Angeles, CA, on June 24, 2013. Between June 18 and June 24, 2013, Kim Kardashian’s medical records were inappropriately accessed. The hospital fired 5 individuals who accessed Kim’s medical records outside of their scope of employment. In addition to the 5 fired for accessing Kardashian’s records, a sixth person was fired for accessing the records of 14 patients in that same time period.

In October of 2013, the Allina Health System in Minnesota notified approximately 3,800 patients that one of its medical assistants had improperly accessed their Protected Health Information (PHI) over approximately three years, between February 2010 and September 2013. The record system, which covers all of the Allina Health System, allowed the employee to access not only records at the clinic where they worked, but also records from other locations within the organization. In this case the employee accessed patients’ names, dates of birth, clinical health data, health insurance coverage information and partial Social Security numbers.

"We deeply regret that this occurred and want you to know we are committed to protecting the privacy of our patients’ personal information," the Allina website said. "To help prevent similar incidents from happening in the future, we are evaluating our policies related to protecting patient information, examining our computer security programs and continuing to educate employees on their obligation to maintain the privacy of patient information."

FEDERAL EMR MANDATES:

The Health Insurance Portability and Accountability Act (HIPAA) prohibits doctors, their staff and medical professionals from disclosing patient information without their permission. Violating HIPAA is a serious offense which can result in fines and criminal charges.

The Office of the National Coordinator's (ONC) Health Information Technology Certification (HITC) programs mandate that EHR technology meet minimum audit log requirements: every change to and action on a patient record must be captured, together with the date and time of the action, the identity of the user, and the ID of the patient record being accessed.

In addition to ONC requirements, the HIPAA Security Rule along with the Health Information Technology for Economic and Clinical Health (HITECH) Act have specific requirements pertaining to audit logs and patient privacy.
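The detection the article describes, comparing the care-team roster against the audit trail, is simple to put into code once the log carries the fields the ONC certification criteria require (timestamp, user ID, patient record ID, action). The following is an added example, not code from the article or from any EMR vendor; the CSV-style log layout, the roster dictionary, and every user and patient ID in it are constructed assumptions. It flags each access by a user who is not on the patient's care team and also counts how many distinct patient records each user touched, the pattern behind the "one employee, many patients" cases above.

```python
"""Detect EMR audit-log accesses outside a patient's care team.

Added example (not from the article): the audit-log field names, the
roster format and all sample records below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines with the fields required by the ONC
# certification criteria: timestamp, user ID, patient record ID, action.
AUDIT_LOG = """\
2013-06-19T08:12:03,u1001,p5001,VIEW
2013-06-19T09:40:11,u1002,p5001,UPDATE
2013-06-20T22:15:47,u1090,p5001,VIEW
2013-06-21T10:05:00,u1003,p5001,VIEW
2013-06-21T11:30:22,u1090,p5002,VIEW
2013-06-22T13:02:09,u1090,p5003,VIEW
"""

# Constructed care-team roster: which users are responsible for which patient.
CARE_TEAM = {
    "p5001": {"u1001", "u1002", "u1003"},
    "p5002": {"u1004"},
    "p5003": {"u1005"},
}


def parse_audit_log(text):
    """Parse CSV-style audit lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return records


def find_unauthorized_access(records, care_team):
    """Return the records whose user is not on the patient's care team.

    A patient with no roster entry is treated as having no authorized
    users, so every access to that record is flagged for review rather
    than silently allowed.
    """
    return [r for r in records
            if r["user"] not in care_team.get(r["patient"], set())]


def patients_per_user(records):
    """Count the distinct patient records each user touched."""
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["patient"])
    return {user: len(patients) for user, patients in seen.items()}


if __name__ == "__main__":
    recs = parse_audit_log(AUDIT_LOG)
    for r in find_unauthorized_access(recs, CARE_TEAM):
        print(f"{r['time'].isoformat()} {r['user']} {r['action']} "
              f"{r['patient']} NOT ON CARE TEAM")
    print(patients_per_user(recs))
```

Run against the constructed data, the script flags the three accesses by u1090, who is on no care team, and reports that u1090 viewed three different patient records while every rostered user touched only one. In practice the roster would come from the scheduling or admission system and the comparison would run on every new audit entry, not once over a file.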


Experts on this topic: Scott Greene, Digital Evidence