As EMRs gain greater adoption, multiple types of fraud resulting from exposure of health data have skyrocketed, according to a report by market research company Javelin Strategy & Research.
Fraud increased 112 percent in one year, from 3 percent in 2008 to 7 percent in 2009. Those numbers are sobering and a reminder that privacy and security need to stay a top priority as HHS works to put out the final rulemaking and the industry awaits guidance from the federal government.
The work being developed by the HIT Standards Committee's Privacy and Security Workgroup should be a big help in terms of laying out the blueprint for the industry to follow. When those standards are finalized, implementation plans will be easier to create and follow through.
Small physician practices and safety-net providers have limited or no resources for the IT privacy and security work that EMR and EHR implementation requires. With that in mind, ONC devised the regional extension center concept to help those with limited resources have successful EMR and EHR implementations. It is absolutely critical that the RECs across the country help these entities early on with best practices, particularly regarding organizational policies and procedures.
It should be a given that the EHR/EMR vendor community has a secure infrastructure. I've heard from many an IT expert that we have the technology to secure and keep private patient information, so in theory we shouldn't have any significant gaps on the technology side. And the vendor community should be continuously working through any privacy and security compromises once they occur.
Interoperability and health information exchange applications and tools bring another complex layer to the privacy and security issue. But again, the technology should not be the weak link. Entities that participate in HIEs and regional health information organizations should look to RECs for guidance - if they don't already have privacy and security policies in place that are operational and successful.
I'm not saying that these suggestions will eliminate inappropriate access to patient data. There will always be special circumstances, such as the recent case of inappropriate access to patient data at Griffin Hospital in Derby, Conn. Essentially, a radiologist formerly, but no longer, affiliated with the hospital gained access to patient records from the hospital's PACS system and then contacted the patients to offer professional services at another hospital. Griffin Hospital only discovered the breach when patients who had been contacted by the radiologist then contacted the hospital. The PACS is on a secured network and can only be accessed by password. The radiologist had used the password of an authorized clinician to gain access.
What to do in this case? There was a system in place for authorized users only, and the infrastructure was secured. Can deterrence make a difference? This is an instance where severe consequences must be spelled out early on to let staff know what happens when they mishandle data. Did this radiologist really think he or she could get away with this without being detected? That's another topic, but it goes to show that you have to be prepared for any kind of potential breach.
There will always be multiple entry points and weak links to electronic patient data. But if we make the infrastructure and technology, and the policies and procedures, as iron-clad as we can, and continuously monitor and update them, we ought to be able to slow the rise in fraud even as EMR and EHR adoption spikes, and gain the community's trust for the effort.