The Security Scrutinizer with Howard Anderson

Clinics: A Long Way to Go on Security

HITECH as a Catalyst for Risk Assessments

The Centers for Disease Control and Prevention says that roughly 10 percent to 27 percent of office-based physicians are using a fully functional EHR system. That's according to the agency's preliminary 2010 estimates based on a National Center for Health Statistics survey.

The HITECH Act electronic health record incentive program is designed, in part, to entice more physicians to jump on the EHR bandwagon.

Another new federally commissioned survey found that 41 percent of office-based physicians plan to take advantage of the HITECH EHR incentive program, with about 81 percent of hospitals planning to participate. That survey was commissioned by the Department of Health and Human Services' Office of the National Coordinator for Health IT, which administers the incentive program.

Risk Assessment

To earn incentives for implementing EHRs, hospitals and physicians must conduct a risk assessment and take action to mitigate the risks they identify.

Although the HIPAA security rule, which became effective in 2005, already required healthcare providers to conduct a risk analysis, many smaller clinics have yet to comply with that requirement. For many, the security rule "has slipped under the radar," says Robert Tennant, senior policy adviser at the Medical Group Management Association (see HITECH: Security Reminder for Clinics). So HITECH is serving as a valuable reminder to clinic administrators of the importance of addressing security issues, he notes.

Conducting a risk analysis "is very foreign for most practice administrators," Tennant acknowledges. "Most are not experts in the fields of encryption and user authentication and those types of tactical details."

So the HITECH EHR incentive program has the potential to energize security efforts at clinics as well as serve as a catalyst for automating records. And that's good, because moving from paper to electronic records without taking security precautions is a recipe for disaster.

The standards for certifying EHR software for the incentive program require the applications to have numerous security functions. But so far, the incentive program doesn't spell out that any of these functions must be used.

As more clinics make the leap to EHRs, let's hope they take full advantage of the software's security capabilities to mitigate the risks they've identified. Otherwise, the federal list of major health information breaches could grow rapidly as more patient information is digitally stored.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
