Scott R. Roberts
Mercer University
Prior to the Information Age, medical records were all stored in folders in secure filing cabinets at doctors’ offices, hospitals, or health departments. The information within the folders was confidential and shared solely between the patient and physician. Today these files are fragmented across multiple treatment sites due to the branching out of specialty centers such as urgent care centers, magnetic resonance imaging centers, outpatient surgical centers, and other diagnostic centers. Today’s ability to store medical records electronically has made it possible to easily send these files from one location to another. However, the same technology that can unify the fragmented pieces of a patient’s medical record can also create a path for privacy and security breaches. This paper will examine how electronic medical records are used, how they are secured, how security is enforced, and what the consequences of security breaches are.
For clarity, it is important to distinguish between electronic medical records (EMR) and electronic health records (EHR). Electronic medical records are an electronic composition of an individual’s medical history, including such components as procedures, past diseases, diagnoses, medications, doctors’ names, and allergies. An electronic health record is an electronic means of documenting a patient’s procedures, diagnoses, billing information, etc. at each care facility (Badzek & Gross, 1999).
A movement that was first initiated under the Bush administration, accepted by the Clinton administration, and now embraced by President Obama is the creation of the individual electronic medical record. In 2009 President Obama included $36 billion in the stimulus package to create electronic record systems, with the idea that technology will cut costs, eliminate paperwork, and help doctors deliver high-quality, coordinated care to patients (Moore, 2009).
Although there is a significant difference between an EMR and an EHR, both are subject to the same types of security breach, and therefore both are referred to as EMRs in this paper. Security breaches of EMRs vary from someone viewing the patient’s information without consent to a hacker using the information to steal one’s identity. According to the Privacy Rights Clearinghouse, more than 260 million data breaches have occurred in the United States, including those of health-related records. Approximately 12 percent of data breaches involve medical organizations (Gellman, 2012). According to Redspin, a provider of Health Insurance Portability and Accountability Act risk analysis and IT security assessment services, more than 6 million individuals’ health records were compromised between August 2009 and December 2010 (Author Unknown, 2010). A provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires all breaches affecting 500 or more people to be reported to the Department of Health and Human Services. This reporting is to be accomplished within 60 days of discovery. The Redspin report covering the period above involved 225 breaches of protected health information.
The number of people with access to an individual’s health record creates concern about confidentiality. According to the Los Angeles Times, roughly 150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient’s records during a hospitalization, and over 600,000 payers, providers, and other entities that handle providers’ billing data have some access (Foreman, 2006).
In an effort to mandate the security of health-related information, HIPAA was signed into law in 1996. The original purpose of HIPAA was to allow “Portability” of insurance.
The portability component of the law establishes the right for an individual to obtain health insurance despite having pre-existing illnesses. Since Congress did not enact privacy legislation under the original law, the Department of Health and Human Services developed the Privacy Rule, which was published on December 28, 2000 (HIPAA, 2003). “A major goal of the Privacy Rule is to assure that individual’s health information is properly protected while allowing flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being” (Health Insurance Portability and Accountability Act, p. 1, 1996).
The Privacy Rule applies to health insurance plans, health care clearinghouses, and any health care provider who transmits health information electronically. Health care clearinghouses are entities that process nonstandard information. Examples of such entities are billing services, repricing companies, community health management information systems, and value-added networks and switches, if these entities perform clearinghouse functions (Health Insurance Portability and Accountability Act, 1996).
In general, entities can use health information for three reasons: treatment, payment, and operations. Treatment is the provision that allows a patient’s information to be shared amongst health care providers. The payment provision is used to obtain premiums, determine coverage, and obtain reimbursement for health care delivered. The operations portion can be considered quite vague. Operations include the activities of quality assessment, performance evaluation, audits, and risk rating. Often when breaches occur in the form of non-consented viewing of a person’s health information, the operations clause is the reason stated for the viewing.
Breaches in the form of non-consented viewing, such as by a hospital staff member who has nothing to do with a patient’s care, may be high in number but usually have a small impact on the patient. This type of breach could damage a patient’s reputation, be used as blackmail, or cause embarrassment for the patient. When the viewing goes beyond these examples and is done by someone with malicious intentions, the impact could be far more severe.
Medical identity theft is becoming a large problem in the United States and can have dire consequences not only for someone’s bank account but for their health as well. Thieves stealing medical records usually have access to all of the patient’s personal information, such as social security number, address, date of birth, Medicaid/Medicare number, and phone number. Once they have this information and the medical records, the thieves, or someone they sell the information to, have what they need to schedule a doctor’s appointment, have tests done, give birth, or have surgery, all under the victim’s name.
After the person using the stolen identity begins receiving treatment under the victim’s name, another dire consequence develops. The imposter now begins adding medical history to the victim’s medical record. This could lead to the victim receiving the wrong treatment in the future or not receiving the proper treatment. For example, if the victim is being seen at a medical facility, the attending physician will pull his or her record to see what type of history the victim has and what medications he or she is on. If the imposter has been treated for a condition that the victim does not have, such as cancer, then the victim could be exposed to harmful treatments. Another example would be the victim needing a type of medication for a medical condition when the imposter has had the record altered so that the condition is no longer in the history (Dixon, 2006).
All this may seem implausible; however, in the emergency setting in a hospital, when the patient is unconscious or has altered mental status, medical treatment is often initiated based on the patient’s medical record. To ensure that the information in a medical record is accurate, it is recommended that individuals occasionally review their records.
A current event involving the breach of medical records occurred on April 18, 2012 at Emory University Hospital in Atlanta. President and CEO John Fox announced that backup disks holding the information of 315,000 patients had gone missing. On these disks were approximately 228,000 social security numbers. Most of the missing information includes patient names, procedures, surgeon names, dates of surgery, and diagnoses. Mr. Fox said the missing information belongs to people who had surgery at Emory University Hospital, Emory University Hospital Midtown, and Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007 (Byfield, 2012). It is too early to know exactly what will be done with the missing information. However, given that stolen information is being used to conduct fraudulent purchases and steal medical identities, one would speculate that the chances of this occurring to some extent are high. Fox, in a press conference, urged the affected patients to regularly review their credit information and health records. Frequently reviewing credit information and health records is a way to watch for fraudulent activity against one’s credit or medical records. However, this does nothing to prevent these acts from occurring.
In order to keep medical records secure, entities have provisions in place, some of which are mandated by HIPAA and the HITECH Act. HIPAA mandates that entities providing health care or handling health care plans develop and implement policies and procedures that are consistent with the Privacy Rule.
The covered entity must also designate a privacy official who is responsible for the implementation of the policy. All entities are required to provide training to workforce members on the Privacy Rule and HIPAA. Entities covered by HIPAA must also “maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule” (Health Insurance Portability and Accountability Act, p. 14, 1996).
In the event an entity covered by HIPAA is found not to be compliant with any portion of the Privacy Rule, the Department of Health and Human Services may impose civil penalties of $100 per failure. This penalty cannot exceed $25,000 per year for multiple violations. A person who knowingly obtains or discloses health information in violation of HIPAA faces a fine of $50,000 and up to one year in prison. The criminal penalties increase to $100,000 and five years in prison if the conduct involves false pretenses, and to $250,000 and up to ten years in prison if the conduct involves intent to sell, transfer, or use individuals’ health information for commercial advantage, personal gain, or malicious harm (Health Insurance Portability and Accountability Act, 1996).
Electronic medical records require less storage space and provide for faster consulting between physicians, easier billing and faster reimbursement by insurance companies, more efficient treatment of patients, and an easier way for persons to view and track their medical records. However, just like any information stored and transmitted electronically, they also create a means for privacy to be breached. No matter how sophisticated security systems become, people will always manage to defeat them. Therefore, the ultimate responsibility for ensuring confidentiality falls upon the individual person. Frequent review of medical records is just as important as, if not more important than, the review of credit reports.
References
Author Unknown. Breach Report 2010, Redspin Inc. Dec. 2010. Retrieved from http://www.redspin.com/resources/whitepapers-datasheets/index.php on April 19, 2012.
Badzek, L., Gross, G. Confidentiality and Privacy: At the Forefront for Nurses. The American Journal of Nursing, Vol. 99, No. 6 (June, 1999), pp. 52-54. Lippincott Williams & Wilkins. Retrieved April 18, 2012 from http://www.jstor.org/stable/3472150.
Byfield, E. 315,000 Patients’ Information Disappears From Emory Healthcare. WSBTV. Retrieved April 18, 2012 from file:///F:/Ethics%20information%20age/315,000%20patients%27%20information%20disappears%20from%20Emory%20Healthcare%20_%20www.wsbtv.com.htm
Dixon, P. Medical Identity Theft: The Information Crime that Can Kill You, March 3, 2006. World Privacy Forum. Retrieved from http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf on April 24, 2012.
Foreman, Judy (26 June 2006). “At Risk of Exposure”. Los Angeles Times. Retrieved April 23, 2012.
Gellman, R. Fact Sheet 8a: HIPAA Basics: Medical Privacy in the Electronic Age. Privacy Clearing House. March, 2012. Retrieved April 19, 2012 from http://www.privacyrights.org/fs/fs8a-hipaa.htm.
Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-9 (2010).
Moore, J. Electronic Medical Records Stimulus Package. Dec. 2009, Retrieved from http://www.electronicmedicalrecords.com/emr-stimulus-hitech-act.php on April 19, 2012.