Clinics: A Long Way to Go on Security
HITECH as a Catalyst for Risk Assessments
Most physicians' offices are novices when it comes to using electronic health records. And many also are novices on the subject of health information security.
The Centers for Disease Control and Prevention says that roughly 10 percent to 27 percent of office-based physicians are using a fully functional EHR system. That's according to the agency's preliminary 2010 estimates based on a National Center for Health Statistics survey.
The HITECH Act electronic health record incentive program is designed, in part, to entice more physicians to jump on the EHR bandwagon.
Another new federally commissioned survey found that 41 percent of office-based physicians plan to take advantage of the HITECH EHR incentive program, with about 81 percent of hospitals planning to participate. That survey was commissioned by the Department of Health and Human Services' Office of the National Coordinator for Health IT, which administers the incentive program.
Risk Assessment
To earn incentives for implementing EHRs, hospitals and physicians must conduct a risk assessment and take action to mitigate the risks they identify.
Although the HIPAA security rule, which became effective in 2005, already required healthcare providers to conduct a risk analysis, many smaller clinics have yet to comply with that requirement. For many, the security rule "has slipped under the radar," says Robert Tennant, senior policy adviser at the Medical Group Management Association. (See HITECH: Security Reminder for Clinics.) So HITECH is serving as a valuable reminder to clinic administrators of the importance of addressing security issues, he notes.
Conducting a risk analysis "is very foreign for most practice administrators," Tennant acknowledges. "Most are not experts in the fields of encryption and user authentication and those types of tactical details."
So the HITECH EHR incentive program has the potential to energize security efforts at clinics as well as serve as a catalyst for automating records. And that's good, because moving from paper to electronic records without taking security precautions is a recipe for disaster.
The standards for certifying EHR software for the incentive program require the applications to have numerous security functions. But so far, the incentive program doesn't spell out that any of these functions must be used.
As more clinics make the leap to EHRs, let's hope they take full advantage of the software's security capabilities to mitigate the risks they've identified. Otherwise, the federal list of major health information breaches could grow rapidly as more patient information is digitally stored.