The US Department of Health and Human Services Health Improvement Technology and Quality Improvement Division lists a variety of risks to both electronic and paper patient records. These risks include:
- The risk of inappropriate access
- The risk of record tampering
- The risk of record loss due to natural catastrophes
Inappropriate access
One of the biggest risks with patient records is that of inappropriate access by those without permission, this could be family members, caregivers or even complete strangers.
With paper records, this often happens when records are left about, on desk, counters or other service areas, sent to the wrong fax machine etc. Prevention of access is time consuming and cumbersome, requiring locked areas or storage cabinets, sign in and out sheets and other methods of record tracking, which in a busy clinical environment can often be overlooked.
With Electronic Health Records, inappropriate access is a slightly more complex issue. Either someone has accessed records with a different person's username and password, has not logged out or has used records in breach of their permissions levels. The highest risk situation of course is a data breach by someone outside of the organization due to hacking or lack of security.
Record Tampering
Alteration of patient data is not only a breach of patient privacy, but also incredibly dangerous to patients, as it can result in treatment injury by misdiagnosis, of fraud in the case of insurance records. Changes could include erasures of data, changes in dates fraudulent entries or any other addition of modification to patient data.
With paper the risks are obvious. Anyone in the chain of responsibility for the records has the opportunity to tamper with them. It is then virtually impossible to find out who did the tampering or when it has happened.
Electronic records are more secure, as any changes to a record are usually logged to a user account. Assuming that users use proper security measures with regards to their login details, it is hard for a third party to modify information with their login details. Other risks include access by an external third party or hacker (which should be hard if the organization has proper IT security in place) or a member of the IT staff with admin rights accessing the system inappropriately.
Damage or Loss Due to Natural Disaster
Acts of god such as fires, floods, hurricanes and tsunamis are much harder to prevent. These are generally of more risk to paper records, as these can be destroyed, whereas any good system of electronic record keeping should have both on-site and offsite backup in case of disaster.
What are the risks of old style, hard copy records to patient privacy?
Mislabeling, Misfiling and Losing Records
Human error can happen anywhere, especially in stressful environments where people are often overworked, as is often the case in a busy hospital or surgery. It is easy for single copies of paper records to get left behind, misplaced or filed in the wrong room, box or file.
As electronic records are stored in a central database and backed up, and should have consistent rules with regards to metadata conventions (i.e. naming, tagging and categorizing files) it is much harder to misfile, mislabel or lose records.
What are the risks of EHR to Patient Privacy?
Record Degradation & Data Loss
All records deteriorate over time, with paper records this could mean fading (especially with thermal fax paper), but proper humidity controlled storage should ensure that paper lasts for a long time. With electronic records however, degradation isn’t slowly over time, instead its often instant and catastrophic - such as with a hard drive failure, scratched backup disks or worse. Luckily, new technology such as cloud storage, and high speed internet with offsite backups reduces the risk of degradation and data loss significantly with new EHR solutions.
Technological Obsolescence
While paper records might seem out of date, they do not necessarily become obsolete. Older legacy computerized record systems have become obsolete over the years. As computers have become faster and programs have been able to offer more options, many early providers have stopped operating or supporting older products. Any system that you use should be able to stand the test of time, and data should be able to be used if you move to another system.
How Does FAMCare Help to Ensure Patient Privacy?
GVT’s software complies with the Standards for Privacy for Individually Identifiable Health Information under the Health Information Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). HIPAA data qualities include:
- Integrity
- Availability
- Confidentiality
How FAMCare Ensures Data Integrity
- Our hosting facilities are SSAE-16 Type II Audited Organizations
- Enterprise level hosting provided to our clients and systems
- Our hosting is camera monitored, requires escorted access with biometric scanning
How FAMCare Ensures Data Availability
- Backup that can be restored seamlessly in the case of disaster or national emergency
- We use secondary data locations and offsite backups as well as cloud storage to ensure that data is protected.
- Antivirus, firewalls, VPNS and login audits are also used to bulletproof your data storage.
- Test recoveries are run every six months, backups are run every day, in the case of disaster involving a single server, a replacement can be up and running within three hours. Encrypted archives are shipped off site once a month. Even if everything was destroyed in our data center, we could be up and running within a month at absolute maximum.
- Restoration of data after a disaster is available on a 24 hour a day, 7 days a week basis.
How FAMCare Ensures Data Confidentiality
- Encryption up to database level including patient identifiers such as first name, initials, last name, date of birth, gender and ZIP code.
- Username and password based multi-level security model (Remember that patient data confidentiality is also the responsibility of the health care provider and special care must be taken to ensure the security of all staff logins)
- User types to limit access based on job role
- Auto sign off after a period of inactivity to ensure users are not left logged in by accident.
Looking for more information?
Contact us to access our latest Whitepaper discussing GVT FAMCare’s approach to HIPAA, PHI and Patient Privacy