Privacy, Security, and Electronic Health Records

Health care is changing and so are the tools used to coordinate better care for patients like you and me. During your most recent visit to the doctor, you may have noticed your physician entering notes on a computer or laptop into an electronic health record (EHR). With EHRs comes the opportunity for patients to receive improved coordinated care from providers and easier access to their health information. It’s a way to make it easier for everyone to be better informed and more involved in the patient’s health care. However, for many of us, EHRs also come with questions and concerns about the privacy and security of our health information. Who can access the information on my EHR? How can I see the information in my record and make sure it’s correct? How is it protected from loss, theft and hacking? What should I do if I think my information has been compromised?

Many of you have heard of HIPAA – the Health Insurance Portability and Accountability Act. The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules, which help keep entities covered under HIPAA accountable for the privacy and security of patients’ health information. As a former health care lawyer, I know that many health care providers understand and abide by their obligations under the Privacy and Security Rules. Although EHRs allow providers to use information more effectively to improve the quality and efficiency of your care, they do not change the obligations providers have to keep your protected health information private and secure.

Following my recent appointment as OCR’s Director, I had a number of conversations that made it apparent to me that many patients recognize some of the health privacy jargon such as “HIPAA” or “the Notice of Privacy Practices,” but often do not know their rights under the HIPAA Privacy and Security Rules – especially in terms of how these rules relate to EHRs.

The HIPAA Privacy Rule gives you rights over your own health information, regardless of its form. Whether your record is in paper or electronic form, under the Privacy Rule you have the right:

  • To see or get a copy of your medical record;
  • To request to have any mistakes corrected;
  • To get a notice about how your health information is used and shared;
  • To say how and where you want to be contacted by your health care provider; and
  • To file a complaint if you think any of these rights have been violated. One way to do this is through OCR’s website: www.hhs.gov/ocr.

These rights are spelled out in the Notice of Privacy Practices that is given to you at your doctor’s office or hospital. Your health plan may also send this notice to you in the mail.

Specific to protecting the information stored in EHRs, the HIPAA Security Rule requires that health care providers set up physical, administrative, and technical safeguards to protect your electronic health information. Some safety measures that may be built in to EHR systems include:

  • “Access controls” like passwords and PIN numbers, to help limit access to your information;
  • “Encrypting” your stored information. This means your health information cannot be read or understood except by someone who can “decrypt” it, using a special “key” made available only to authorized individuals;
  • An “audit trail,” which records who accessed your information, what changes were made and when.

In certain circumstances, if your data is seen by someone who should not see it, federal law requires doctors, hospitals, and other health care providers to notify you of a “breach” of your health information. This requirement helps patients know if something has gone wrong with the protection of their information and helps keep providers accountable.

OCR works to help make sure your health information is kept private and secure by your health professionals. We are here to help you understand these rights, how you can take action if your rights are violated and how your health information is required to be safeguarded under the law. The first step is to know your rights. OCR’s website has a wealth of information about your health information privacy rights and I encourage you to visit and explore our website: www.hhs.gov/ocr/privacy.

32 Comments

  1. John Wilcox says:

    I also did notice the shift to laptops at my Dr’s office during the last few visits. They were having a heck of a time getting used to the system. I am curious as to what kind of breaches will be seen in the near future however, due to observing situations where the computer was left unattended and open to an active screen while I was in the room.

    • Shane Sparks says:

      If a nurse or doctor leaves a laptop unattended without the screen locked this does leave open a security breach. Most Medical Practices and Hospitals train their staff to ensure the screen is locked when they walk away, although old habits are tough to break, especially in the medical field where some nurses and doctors do not understand the reason for change, and fight against it, with the excuse “it makes my job harder”. In IT Departments it is common practice to play pranks on anyone that leaves their screen unlocked. Try browsing to one of those obscene websites, or change the resolution to something unbearable. Lastly, report it to the security officer of the Medical Practice or Hospital.

    • mike says:

      When I see a nurse or a doc come in to see me with a laptop or tablet, I say ty and leave. I prefer paper records. They cannot be hacked or read by others.

  2. My doctor also uses laptops or tablets but they are never left in the room. I think that with increased technology also comes some additional responsibility. If you’re not comfortable and expecting breaches in a provider’s system I think it may be time to switch healthcare professionals. These systems are put in place to ensure better patient care, not the opposite.

  3. Re the above comments on laptop use by doctors. There has to be a balance of using technology to make the job more productive versus the risk of private information being accessible by people not authorized. What you don’t want is doctors taking the laptop home in the car or train and then it is left or stolen.

    • PVThach says:

      With EHR, the data (hard drive/USB) should all be encrypted so that if it falls into the wrong hands, it is not accessible. Providers that do not encrypt their data should be penalized for not taking such a basic step.

  4. Yuriy says:

    In general electronic health records are safer than paper, if they aren’t accessible online. Stealing paper records isn’t too difficult in small scale. And if EHRs are appropriately encrypted, then even if data is accessed improperly the information is unreadable. Unlike with paper records that can be read by anyone.

  5. Yuriy,

    I have to disagree. Paper records take time and effort to find – hence they are less productive for doctors and hospitals but it is this reason why they are more difficult to find and remove an individual’s data. Also paper is cumbersome, imagine someone carrying 1000 patient records on paper, now imagine the same individual carrying 1000 or even 100,000 electronic records – on a single USB!

    The scary thing is the sheer number of records someone could take with very little effort.

  6. frank mack says:

    I don’t want my medical information anyplace, except in a manila file at my
    doctor’s office. This is just more government intrusion into our lives. And I
    don’t trust the government, state or federal. Look at the mess they’ve
    created in this country.

    • Mattblack says:

      The manila envelope is fine, but it means that your allergies, drug sensitivities, and existing conditions will not be available to the ER you get taken to after an accident, to the pharmacist filling your order from a partly legible handwritten note, or to the locum when your doctor goes on vacation, gets sick, or retires.

      There is no backup for the manila envelope, so if there is a fire, flood, or other event, your records are gone and cannot practically be recovered.

      It also means that it is harder to spot correlations if your records aren’t kept electronically, so your doctor may never know that you have an illness shared by many others in your occupation, for example. That may have serious health implications for you because an illness that might be easy and cheap to address early on, may easily go undetected until some time after it is in full force. At which time it may be far more difficult and more expensive to treat, or may even be too late to treat.

      Seems like a high price to pay for that manila envelope!

  7. The_Mick says:

    My PCP’s office has gone to e-prescriptions, where everything goes right to the pharmacy - no paper to carry around except in special cases. As a result, I’m inundated by CVS Pharmacy (the Pharmacy I must use according to my BCBS insurance for 3-month or longer prescriptions) for prescriptions.

    I get calls “We see you’re running low on some prescriptions that don’t have refills: do you want us to contact your doctor for more?” I say “yes” and then find out I’ve got a month and a half left on some of them.

    I also get, “We see you’re not taking statins for cholesterol: do you want us to contact your doctor – otherwise please take this “notice” to him.” I reply, “My total cholesterol has always been between 127-157 in my every-three-month blood tests for the past decade. My HDL is typically in the mid 50’s and my LDL is in the 70’s or 80’s. That’s among the lowest 5% of the population.” But they come back with “Diabetics are recommended to be under 70 for LDL.” Yeah, based on studies done by statin manufacturers to get the old under 100 number (listed on the American Diabetes Assn. webpage) lowered.

    My doctor agrees that adding another med for such a thing is nearly ridiculous.

  8. Tom Boulders says:

    EHR seems to make a lot of sense but as always with sensitive data, we have to make sure that they are kept completely safe and confidential.

  9. Jet Hays says:

    I like the assumption that a password and encryption will secure your information. I am an active duty soldier and we have been on the electronic record system for a decade. My information has been stolen at least three times, once by hacking and twice by lost laptops. Although I was notified each time, the notification came at least a month after the fact. Fighting the ID theft and medical visit charges made in my name has been fun. And there was absolutely zero help from the army or the army’s health insurance carrier, Tri-care West and South. They would not even call back when I reported the fraudulent claims. This never happened with paper. Also, the author says we have a right to request corrections of errors in your record. He does not say you have a right to get the error corrected. My record says I have hypertension and take medication for it. I do not, and never have. They will not remove it no matter how many times I request it. I have even been told, “Just leave it and file for disability when you retire”. Also, have fun getting a copy of your record. It took several forms and phone calls with no result. I finally just had a friend violate HIPAA and print it for me. With the old paper folders you just signed for them and went to a copy machine. I hope America enjoys the federal health care system that we in the military have now. It sure is a time waster.

  10. Bear says:

    The REAL privacy threat is from your Employer. Whenever they collect yearly health information from existing employees or from new hires. If you think everyone in your HR department is properly trained in HIPAA practices then you need to think again. Many an employee has been discriminated against, mistreated, and even fired (for another reason of course) because an employer or their staff finds out about health information that should have remained private.

    Remember that little 3 month probation period for new hires? This isn’t so much a testing period to determine if the new hire is a good fit for the job, it’s also a way to weed out those who have pre-existing conditions that the employer doesn’t want to deal with. For YEARS it has been the employers who determined who should have and who should not have health care in this country.

    10 years from now everyone will agree that the Affordable Care Act is one of the best plans to be implemented since the US Constitution.

  11. Chester says:

    I have noticed one problem with electronic health records, but the fault is the doctor’s. I went to a doctor and they had just switched to EHRs. But the doctor was so busy typing on the computer he hardly looked at me. One time he told me to pull up my left pants leg so he could look at it. I pulled up the right one and he never even looked. I left and never went back. When they called about the bill I told the girl what happened and that I would not pay it. I never heard from them again.

  12. Tim says:

    This all will get more complex than the common folk can manage in a very short time or even now.
    But then again complexity bills cost and that is exactly what this program is headed for unless we standardize and streamline patient, medical records, and healthcare portal access.

    Every object in the medical data path is a managed identity chain, including the phone the doctor uses to the zero client portal the patient accesses. The systems being presented by big data are silo operations with dollars associated to in and out access to data.

    The only standard is the name service logging the chains of identities during any transaction and giving the end user…a record management portal that can be as simple as a form or an entire medical record.

    I wish for the day that I can go to MyPatientID.com or MyMedicaliD.com, or MyHealthcareID.com and be authenticated even by MyPhoneID.com or MyComputerID.com on my way there.

    I want a QR code displayed on an LED screen next to my bed if I am a patient so my family, nurse, doctor, or clergy can scan and get access quickly. Simple standard request to a complex problem.

    I want to be able to change my healthcare provider and not change my GUI healthcare portal.

    I want MyEmergencyID.com to link to MyBiometricID.com to chain MyMedicalID.com data to whatever police scans me on the side of the road and link my data within seconds. That may save my life. That is what matters to me but if I am an immigrant, would I ever do this…well, maybe if I registered at MyImmigrantID.com and gave some minimal information and only gave access to registered MyHealthcareID.com persons. Even if I created a MyAutonomousID.com.

    A gloated overpriced network of networks of medical complexity to be managed and controlled by governments is not in the best interest of the end user… whether autonomous or validated.

    So, what I’m saying, software comes and goes and is a select-able object, but a name service is a door that is always there.

    I hope we can get this under control before it is too out of hand which I think it is. Just because government has the power to create and manage exchanges does not give it the right to manage my personal data. Google, Facebook, and other social networks are in this battle as well, but we seem to not think of governments as playing this role but they are and have been.

    At the end of the day, I feel I have the right my forefathers fought for. Freedom

    Freedom to protect and manage my digital data.
    Freedom to choose the providers of service to me and my family without oversight and eavesdropping by government or employers.
    Freedom to be autonomous if I so choose.
    Freedom to manage the chains of responsibility of my data which is me.
    Freedom to interact in a global world environment without government eavesdropping.
    Freedom to own products and services without exploitation or tracking.
    Freedom to research and comment autonomously.
    Freedom to protect my children’s digital footprints.

    Even this post required an email address to post. “Trackable of course”, “will not be published but required.” Ironic when you see the heading of this article… “Privacy”

  13. Kaunda says:

    Great that digital medical data is finally reaching our door posts. Now my medical records can be accessed by the appropriate person from anywhere, anytime. This will make diagnosis better since doctors will have full medical history.

    • KR says:

      Electronic medical records do not mean your record is accessible anytime, anywhere. All it means is it is accessible within the confines of the individual provider/group in which it was created. In order for the records to be universally available a lot more needs to be accomplished. All of this comes at a cost. Currently, the cost includes attention paid to patients. It takes extra time to use electronic medical records, providers are under the gun already with increasingly more complex rules and regulations, increasing operating costs, decreasing reimbursements. The rules related to HIPAA, security etc. are very confusing and at times conflicting. No help is readily available to sort through the maze. The providers are responsible to research, learn, implement all the rules that would confuse any attorney. Their livelihood, professional reputation & license are continually threatened if naive mistakes are made. Healthcare has become a business. Providers went into medicine but have become business professionals whose commodity is people. They have not requested this major alteration to the professional description.
      Patients have yet to realize the ‘good ole days’ are ending. Back when your provider did all the paperwork your insurance carrier required, submitted and accepted whatever payment was sent. Often waiving the copay. All this as a courtesy. Now, people feel the providers are ripping them off. Or, ignoring them when they are struggling to meet the regulation overload. Yes, something has to give. Government not insurers ask the everyday provider what might work better and improve patient outcomes. Instead of blaming the end of the line person that has little if any influence patients need to be more proactive. Voice concerns to the elected officials. Government being involved in healthcare has resulted in changes.
      We are only just beginning to see those changes, many people do not recognize the outcomes of these changes. One of which is the increasing numbers of talented, caring (yes, caring) providers who are dropping insurance based practices and switching to cash models in order to provide the care to their patients that is in the patient’s best interest, not the insurance companies’ version of best care. Without jumping through the hoops and obstacles imposed by the insurance companies, staffing needs decrease and productivity related to direct patient care increases. Most of the time the overall cost of care is significantly lower. Another trend is retirement or career changes. A sad consequence that is not in any patient’s best interest. At this rate those that survive may be more business than health minded major groups run by corporate administrators. Yes, offices will look nice, state of the art equipment, secure electronic stations in every treatment area. Doctors will probably have assistants not to help with patients but to act as buffers and transcriptionists to maximize use of the EMR. Either in the room with you or in the hall connected by a microphone to hear the doctor and your replies. Now there is a lot of privacy. There is no perfect solution but the direction we are heading is not going to reap the outcomes most people imagine. Sad but realistic.

  14. ppgbio says:

    In general electronic health records are safer than paper, if they aren’t accessible online. Stealing paper records isn’t too difficult in small scale. And if EHRs are appropriately encrypted, then even if data is accessed improperly the information is unreadable. Unlike with paper records that can be read by anyone.

  15. JMudder says:

    My PCP is totally baffled by having to carry her laptop, plugging it in and then waiting for it to boot, logging in and then attempting to navigate to the right screen. That consumes at least 5-10 minutes of time, each appointment.
    We went over the information in those records, the wrong kidney was listed as being removed, a major neurological disease was not recorded, drug allergies weren’t included, and better yet “I didn’t know you were an addict? I’ve been treating you for 20 years”. It took 5 minutes to figure out that my “addiction” was nicotine, because I once smoked.
    Now imagine being brought to an ER, not being given pain relief because you are an “addict”, being given penicillin because it doesn’t list you as allergic, or the treating physician not knowing that you only have one kidney, and are allergic to the dyes used for certain X-rays. Yes, the errors were cleared up, but somehow they keep re-appearing, possibly because an old record is overwriting the current record. Few patients or doctors re-review the medical records with each yearly physical.

  16. EMR software has been on the market for many years but now more and more medical practices are implementing EMR software and I believe that its use will continue to accelerate in the coming years because government wants medical records to be managed more efficiently and for that reason they are offering incentives to the practices that are using EMR software and how can one forget about the penalties that are about to come in 2015.

  17. My doctor also uses laptops or tablets but they are never left in the room. I think that with increased technology also comes some additional responsibility. If you’re not comfortable and expecting breaches in a provider’s system I think it may be time to switch healthcare professionals. These systems are put in place to ensure better patient care, not the opposite.

  18. Linh Vu says:

    But information technology also helps people have better health care. Such as, people can find information about their disease and prevent that disease.

  19. Elliot Barry says:

    Your article is really awesome! Electronic Health Records are helpful for physicians to maintain privacy & security of their records. With EHRs comes the opportunity for patients to receive improved coordinated care from providers and easier access to their health information.

  20. Kat says:

    Can a doctor take the tablet/laptop (used to access electronic health records) home to complete SOAP notes? Is there any breach of HIPAA regulations?

  21. Michael says:

    We have to bill Medicare by the patient’s name on the Medicare card, or we don’t get paid. The problem is that the patient name on their Medicare card is very often different from their legal name, driver license, or insurance card. Until all providers, including CMS, insist on legal names on the Medicare card/insurance cards, we will have continued confusion and fraud.

  22. Marye Minor says:

    What about genetic information? Who will have access to it and how will it be used?

  23. Thomas Xavier says:

    I think with encryption and safe data practises, in theory, our data is safe, but as has been demonstrated in the past – the point of failure is rarely technical but largely human error (remember that cabinet minister who forgot a briefcase on the subway in London?). There should be clear guidelines and regulations (with consequences should there be a lapse in security) for the people who handle our data on a day to day basis.

    EHR makes medical histories more accessible (and far easier) which in turn allows for faster diagnosis of potential problems – this technology is too valuable to forgo and thus we should make sure HIPAA is aggressively enforced, especially in this day and age where trust is so easily lost with regards to the cloud etc.
