Electronic health records (EHR) hold great promise for improving healthcare quality while reducing costs. EHRs make it easier for patients to access their personal health information, and they allow healthcare providers the ability to access patient information—quickly and easily— and, as a result, be better informed and provide better individual care. The challenge, however, for both providers and their IT teams, is on the nuances of how to maintain a secure EHR system.
Benefits of EHR Systems
As mentioned above, the benefits of EHR systems are many. Healthcare providers can get quicker, more accurate access to information and provide better, more expeditious care; individuals can more effectively monitor their own care and be better informed; and payers (insurance providers) stand to benefit from a more comprehensive view of a patient’s health status and treatment, enabling them, for example, to recommend less costly medications in certain instances.
Progress is being made to standardize EHR technology, which will not only allow interoperability between systems but also simplify it so that patients can more easily understand their data.
EHRs and Security: A Thorny Matter
While without question EHRs provide many benefits, security, however, remains a lingering issue. The value of private health data to thieves has been described by Forbes as “exponentially larger than a stolen credit card.” And the past year saw several high-profile healthcare data breaches. Security concerns have left consumers wary of EHRs, and healthcare firms scrambling to maintain the trust of patients while concurrently striving to remain compliant with all relevant regulations. Speaking of regulations, let’s explore more fully.
Who is Subject to HIPAA Regulations?
Per the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), the HIPAA Privacy and Security Rules regarding protection of all electronic protected health information (ePHI)—which includes data stored within EHRs among other technologies—apply to “health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form.” These groups are defined as Covered Entities under HIPAA.
Beyond providers of EHR software and the technology providers that leverage EHRs as a function of their business, any business that either creates, transmits, or stores ePHI is a Business Associate by law and must comply with HIPAA.
What’s Required by HIPAA and HITECH
Compliance with these regulations generally, and maintaining a secure EHR system specifically, is a complex and detailed process. It’s also important to note that maintaining a HIPAA-compliant EHR system is not the same thing as total HIPAA compliance.
The HIPAA Security Rule requires that both covered entities and business associates protect electronic protected health information (ePHI) by referencing a list of some 75 specific security controls and safeguards, and regularly assessing the security of their systems, applications, and databases that contain patient information against that list.
Compliance should be an ongoing process, especially when adopting new technologies or preparing for cybersecurity threats. As such, regular assessments of security programs and the procedures in place to protect ePHI are critical.
In order to protect ePHI, OCR requires anyone that comes into contact with sensitive healthcare data to implement administrative, physical, and technical safeguards that are deemed either “addressable” or “required” for entities to perform. These may include access controls, methods for encryption, and certain audit controls (just to name a few) all intended to do the following:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance within their workforce.
In addition to the policies, procedures, and documentation that is required to uphold compliance, these requirements are enough to make any provider or IT team occasionally lose sleep at night, but there are things to do that make it manageable. Let’s take a look.
What EHR Providers and Businesses Leveraging EHRs Need to Do
Again, any organization that handles personal healthcare data needs to comply with HIPAA requirements. More broadly, though, not just for regulatory compliance but to build consumer trust and fully realize the benefits of EHRs and other electronic health information, healthcare firms must implement processes and technology to protect sensitive patient data from any unauthorized access. This includes changes to policies, procedures, and technology such as greater—but careful—adoption of cloud computing. As mentioned earlier, it’s important to view EHR security as but one component of a broader HIPAA-compliant program. Especially for companies that leverage EHRs as a function of their business model. As noted by Healthcare IT News, “just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant. Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records.
Here are some things you can do to provide greater protection overall for sensitive healthcare data and to ensure your compliance, but by no means is this a comprehensive list:
- Start by designating a HIPAA compliance officer or member of your team whose job it is specifically to manage this process, stay on top of changes, and/or interface with your managed services provider on all things related to compliance.
- Encrypt all sensitive data, in every situation, whether it’s in transit or at rest.
- Restrict access to your ePHI data to only those for whom access is necessary, and protect that access with secure passwords and PINs that are required to be changed on a regular basis.
- Conduct security risk assessments on a regular basis. HIPAA compliance requires that this be done annually, but if you’re working with a trusted provider, who can remotely monitor your network and devices, they might recommend doing this more often to ensure ongoing security.
The Role Cloud Plays in EHR and HIPAA Compliance
Moving data and applications to the cloud can play a key role when it comes to EHR security and HIPAA compliance. Shawn Wiora, CIO of a Texas-based hospice and elder care provider, pointed out in an interview that although security is one of the primary reasons healthcare providers are wary of embracing cloud computing, “The vast majority of health care breaches, he noted, have happened at companies with on-premises systems.”
In an interview with eWeek, Wiora stated he was “putting every CIO and board of directors on notice that if they are not going to the cloud, they are doing a disservice to patients because no one can say they have better IT security infrastructure than the cloud providers. Their ability to attract and retain top security personnel is second to none.”
Forbes echoed this point, noting “Cloud services are increasingly popular with healthcare organizations—and they do offer distinct security advantages compared to on‒premise solutions.”
Healthcare firms are best served by adopting a thoughtful hybrid cloud strategy, enabling them to scale their IT infrastructure and capitalize on the cost advantages of cloud computing, without putting patient data at risk. The standard industry definition of hybrid is a blend of private cloud, public cloud, on-premise, virtualization, etc. Another approach to hybrid cloud is how we do it at OnRamp: The blending of private cloud with colocation and other cloud delivered services. In many instances, this more personalized approach with a trusted vendor partner is the way healthcare entities are trending.
Health IT Security reports on the hybrid cloud trend predicting “nearly half of large (healthcare) enterprises will have hybrid cloud deployments by the end of 2017” and with the small to midsize healthcare entities right there as well.
Lastly, what about public cloud? It’s obvious that healthcare data breaches can be disastrous, and there’s been no shortage of those occurrences in the past several years. Reliance on public cloud, and potentially exposing millions of patient records seems like a risk.
How to Choose the Right Partner
When planning your hybrid cloud strategy, do your homework and select knowledgeable partners to help. Choose a datacenter partner that:
- Understands and offers options for secure hybrid cloud hosting and colocation.
- Utilizes stringent security and audit controls, and maintains appropriate data center certifications.
- Is fully HIPAA-compliant, has documented processes, and will sign a Business Associates Agreement (BAA).
- Employs experts in data security who are fully invested in you and your business.
For EHRs to reach their full potential in improving healthcare, empowering patients, and lowering costs, patient trust is essential. Securing EHRs as part of a broader effort aimed at patient information security and HIPAA compliance is vital to establishing and maintaining that trust. Technology, and specifically hybrid cloud computing, has a critical role to play in achieving compliance and data security. More broadly, technology combined with policies, procedures, and the right partners are the keys to compliance and peace of mind for your organization.
Additional Resources on this Topic: