Not all Americans are convinced when it comes to the adoption of electronic health records (EHRs). The Richmond Times-Dispatch reports that there are lingering concerns about the security of EHRs. According to a 2009 study mentioned in the article, although the majority of respondents thought it was important for providers to have electronic medical records, 59 percent did not think the records’ confidentiality could be assured, and three quarters of respondents thought it likely that an unauthorized person would get access to patient records. Considering that experts are predicting an increase in medical information theft, it’s not an unfounded fear. There were more than 275,000 cases of medical data theft in the U.S. last year.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which took effect in September 2009, addressed security concerns by imposing stricter privacy requirements and penalties on healthcare organizations and their business associates. Among other provisions, the act broadened the scope of information that is covered under privacy requirements, and required practitioners to report all security breaches to the Secretary of the Department of Health and Human Services. Parties such as the Healthcare Information and Management Systems Society (HIMSS) are watching the HITECH Act with interest. Last November, the organization published a report titled “Evaluating HITECH’S Impact on Healthcare Privacy and Security.” Nearly one-third of hospitals reported experiencing a data breach in the past year, even though the overwhelming majority had taken security precautions such as risk assessment and data encryption. Large hospitals experienced a significantly higher number of breaches.
The disparity stems from a variety of factors, says Lisa Gallagher, Senior Director of Privacy and Security at (HIMSS). “Organizations understand what they need to do to protect the data,” says Gallagher. However, healthcare organizations today exist in a changing threat environment where attacks against healthcare data are on the rise. Organizations may still be in the process of implementing their electronic systems. In addition, with all the operating costs inherent in running a healthcare organization, security may be underfunded. Gallagher believes that healthcare organizations need to practice risk management on a comprehensive basis—not just checking off rules and regulations, but managing their electronic systems based on a continuous, ongoing risk analysis.
With U.S. healthcare providers required to implement digital records by 2015, security is a top concern of both the public and industry insiders. A provision of the HITECH Act that requires healthcare organizations to notify patients of data breaches is a positive step, says Gallagher. However, she adds that providers shouldn’t wait until something bad happens to address security concerns with their patients. Healthcare organizations should communicate their policies and procedures, along with their commitment to privacy and security, to the patient ahead of time.
The Times-Dispatch reports that cost is also a concern. Proponents of EHR systems argue that electronic records save money, but cost-effectiveness data has been mixed. Harvard Medical School found that EHRs improved quality but did not save on administrative or overall costs. A 2006 analysis in Health Affairs suggested that automated billing systems may find documentation justifying a higher bill than a human might find. Finally, a 2006 study by HIMSS found that some clinics easily paid off and profited from their electronic systems, while other clinics incurred a significant financial risk. In addition to the initial investment, switching to a digital system means more hours spent in training to bring staffers up to speed.
If a system is implemented effectively, it can be worth the investment. Sameer Bhat, Founder and VP of Sales at EMR provider eClinicalWorks, says that electronic systems can help healthcare organizations improve efficiency in three key areas: automation of front office functions such as appointment reminders and insurance verification, physician point of care, and real-time clinical decision support. Sometimes an electronic system has unintended benefits. Bhat recalls a medical practice that celebrated the opening of a new exam room—a room that had previously been used to store paper records. The new exam room allowed the clinic to accommodate more patients and therefore increased productivity.
Charlie Jarvis, VP of Healthcare Services and Government Relations at EHR provider NextGen, says that healthcare organizations need to perform an effective workflow analysis before they actually implement an electronic system. Switching to an electronic system fundamentally changes the way a medical practice operates. For example, with paper charts, the process is more sequential: Only one person can handle the patient’s record at a time. An electronic record, however, can be viewed simultaneously by the doctor, the front desk, and the checkout staff. Jarvis says that simply automating a paper process doesn’t work, and organizations have to make necessary changes in the way they do business in order to take full advantage of the technology.
In your opinion, how can healthcare organizations make electronic health records worth the investment? Will healthcare providers be able to calm public worries over data security?