Privacy, Security, and Electronic Health Records
Health care is changing and so are the tools used to coordinate better care for patients like you and me. During your most recent visit to the doctor, you may have noticed your physician entering notes on a computer or laptop into an electronic health record (EHR). With EHRs comes the opportunity for patients to receive improved coordinated care from providers and easier access to their health information. It’s a way to make it easier for everyone to be better informed and more involved in the patient’s health care. However for many of us, EHRs also come with questions and concerns about the privacy and security of our health information. Who can access the information on my EHR? How can I see the information in my record and make sure it’s correct? How is it protected from loss, theft and hacking? What should I do if I think my information has been compromised?
Many of you have heard of HIPAA– the Health Insurance Portability and Accountability Act. The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules, which help keep entities covered under HIPAA accountable for the privacy and security of patients’ health information. As a former health care lawyer, I know that many health care providers understand and abide by their obligations under the Privacy and Security Rules. Although EHRs allow providers to use information more effectively to improve the quality and efficiency of your care, they do not change the obligations providers have to keep your protected health information private and secure.
Following my recent appointment as OCR’s Director, I had a number of conversations that made it apparent to me that many patients recognize some of the health privacy jargon such as “HIPAA” or “the Notice of Privacy Practices,” but often do not know their rights under the HIPAA Privacy and Security Rules – especially in terms of how these rules relate to EHRs.
The HIPAA Privacy Rule gives you rights over your own health information, regardless of its form. Whether your record is in paper or electronic form, under the Privacy Rule you have the right:
- To see or get a copy of your medical record;
- To request to have any mistakes corrected;
- To get a notice about how your health information is used and shared;
- To say how and where you want to be contacted by your health care provider; and
- To file a complaint if you think any of these rights have been violated. One way to do this is through OCR’s website: www.hhs.gov/ocr.
These rights are spelled out in the Notice of Privacy Practices that is given to you at your doctor’s office or hospital. Your health plan may also send this notice to you in the mail.
Specific to protecting the information stored in EHRs, the HIPAA Security Rule requires that health care providers set up physical, administrative, and technical safeguards to protect your electronic health information. Some safety measures that may be built in to EHR systems include:
- “Access controls” like passwords and PIN numbers, to help limit access to your information;
- “Encrypting” your stored information. This means your health information cannot be read or understood except by someone who can “decrypt” it, using a special “key” made available only to authorized individuals;
- An “audit trail,” which records who accessed your information, what changes were made and when.
In certain circumstances, if your data is seen by someone who should not see it, federal law requires doctors, hospitals, and other health care providers to notify you of a “breach” of your health information. This requirement helps patients know if something has gone wrong with the protection of their information and helps keep providers accountable.
OCR works to help make sure your health information is kept private and secure by your health professionals. We are here to help you understand these rights, how you can take action if your rights are violated and how your health information is required to be safeguarded under the law. The first step is to know your rights. OCR’s website has a wealth of information about your health information privacy rights and I encourage you to visit and explore our website: www.hhs.gov/ocr/privacy.