Preparing for Security and Privacy Risks Engendered by HIEs and EHRs

Whitepaper

Challenge: Financial Sustainability

Content provided by AHA Endorsement partner: ID Experts

As organizations race to meet compliance with the HIPAA Final Omnibus Rule, the growing number of users and records in health information exchanges (HIEs) and electronic health records (EHRs) systems will bring new security and privacy risks.

We know that electronic health records (EHR) and health information exchanges (HIE) offer new ways to collaborate and share information. However, we do not fully know all the risks to information security and patient privacy that electronic health records and health information exchanges create. For example:

  • If a breach at another institution exposes patient information you provided to an HIE, what is your liability for the exposure?
  • Where should the lines be drawn between security and privacy—if a medical professional has authorized access to an electronic patient record, should he or she be able to access all the information in it?
  • Will the security and privacy policies and systems developed to protect information from unauthorized users make it impractical for patients to review their own medical records?

These are just a few of the new issues that health information exchanges and electronic health record systems are raising. The more that information is shared, the harder it becomes to maintain its security. The fact that EHR and HIE systems are covered by HIPAA, the HITECH Act and other regulations does not make them secure; EHRs and HIEs are also governed by the Law of Unintentional Consequences, which has proven to be more powerful and pervasive than formal information security regulations over the years.

To date, electronic health records and health information exchanges have not been a leading source of data breaches and there have been relatively few reported incidents. However, this may say more about their utilization than it does about their security. Risk is relative to scale. Look to the Internet for an analogy.

After several years of limited use, in 1982 the Internet was poised for explosive growth because of new standards and technology enablers. Internet fraud was practically non-existent at the time. Today, 30 years later, we know much more about Internet security, but online fraud is a multibillion dollar global problem that is growing worse, not better.

While EHRs and HIEs are at different stages of maturity, adoption of each has so far been fairly limited, and both will expand significantly in scale and adoption over the next few years. As the number of users and the number of records in HIE and EHR systems grow, so will the security and privacy risk.

Health care organizations can help keep their information secure and maintain patient privacy by preparing for the new, specific risks that EHR and HIE systems introduce. Maintaining privacy and security as the use of these systems grows will require a comprehensive approach that includes changes to policies, processes and systems throughout the enterprise. This whitepaper will help you prepare by identifying potential threats and vulnerabilities created by using electronic health records and participating in health information exchanges, presenting recommended responses, and sharing current research, knowledge and best practices related to maintaining data security and patient privacy in EHR and HIE environments.

Download the full whitepaper to learn more about the current health care privacy and security landscape.