Securing patient records

July 1, 2005

The penetration will only continue to deepen as unintentional electronic errors breach patient confidentiality.

National report - It began in 2001 as a way to provide new confidentiality for patient medical information, yet the Health Insurance Portability and Accountability Act's (HIPAA) impact regarding privacy and security is reaching far into physician offices across the country. The penetration will only continue to deepen as unintentional electronic errors breach patient confidentiality.

Implication real?

Whether it's the remnants of medical records left on computer hard drives or paper medical records found in the trash, the potential for serious implications is very real.

Or is it? Although HIPAA's privacy and security deadlines have come and gone, with the most recent being this past April, many experts are concerned about the lack of compliance that physician offices are showing - especially as it relates to securing patient identifiable information.

Safe instead of sorry

Most dermatologists prefer to take the "head in the sand approach" when it comes to HIPAA because there is no inspector knocking on their doors, according to Robert A. Greenberg, M.D.

"We've encouraged everyone to comply with the law through completing gap analyses and seriously looking at those areas where a security lapse could occur – information that is offered through numerous updates through the Academy's Web site," says Dr. Greenberg, chair of the American Academy of Dermatology (AAD)'s ethics committee. "It's those day-to-day minor lapses that will impact practices."

While most technology consultants may say that a practice cannot fully comply with HIPAA's rigorous computerized standards without outside help, the truth is that a lot can be done in-house and inexpensively. The practice does need to fully realize, though, that complying is much more than passing out a notice regarding patient privacy rights at the front desk. Today's HIPAA is about protecting a patient's records, now and in the future.

One of the first and easiest steps from an electronic standpoint is to set computer screensavers to "time-out" after a maximum of three minutes, according to Lee Barrett, CEO, Claredi, a healthcare electronic data interchange provider, based in Salt Lake City.

"Setting their screen saver is a very easy control on their display set-up - not only does it blank out the screen it may also shut down some applications causing the user to re-log on and re-enter their password," Mr. Barrett says.

Forcing the issue of how office staff access patient records also clarifies who has access. Practices wanting to limit access to records can set up "role-based access control," a software access model approved for security by the National Institute of Standards and Technology (NIST).
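The two controls just described, an idle time-out that forces staff to log back in and a role-based policy that limits which parts of a record each role may see, can be combined in a small access layer. The following is an added example written for this article; it is not code from the article, from Claredi, or from NIST. The roles and permissions, the 180-second idle limit (the article's three-minute time-out), the sample record and the user names are all assumptions constructed for illustration.

```python
"""Idle-session lock plus role-based access control over a patient record.

Added example, not from the article or any vendor it names. Every role,
permission, limit and record value below is a constructed assumption.
"""
from dataclasses import dataclass

# Assumed role -> permission matrix. Front-desk staff see demographics only,
# clinicians read (and physicians update) clinical notes, billing sees insurance.
ROLE_PERMISSIONS = {
    "physician": {"demographics:read", "clinical:read", "clinical:write"},
    "nurse": {"demographics:read", "clinical:read"},
    "front_desk": {"demographics:read", "demographics:write"},
    "billing": {"demographics:read", "insurance:read"},
}

IDLE_LIMIT_SECONDS = 180  # the article's "maximum of three minutes"

# Constructed sample record; a real practice would hold this in a database.
SAMPLE_RECORD = {
    "demographics": {"name": "Sample Patient", "dob": "1970-01-01"},
    "clinical": {"notes": "constructed example note"},
    "insurance": {"policy": "EXAMPLE-0000"},
}

# "Internal monitoring": every allow/deny decision is appended here.
AUDIT_LOG = []


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # seconds; supplied by the caller so tests are deterministic
    locked: bool = False

    def touch(self, now: float) -> None:
        """Lock the session if it has been idle longer than the limit."""
        if now - self.last_activity > IDLE_LIMIT_SECONDS:
            self.locked = True  # same effect as the screensaver forcing re-logon
        self.last_activity = now

    def reauthenticate(self, now: float) -> None:
        """Called after the user re-enters their password."""
        self.locked = False
        self.last_activity = now


def access_record(session: Session, section: str, action: str, now: float) -> dict:
    """Return the requested record section or raise PermissionError; always audit."""
    session.touch(now)
    perm = f"{section}:{action}"
    if session.locked:
        AUDIT_LOG.append(f"DENY locked user={session.user} perm={perm}")
        raise PermissionError("session locked after idle time-out; log in again")
    if perm not in ROLE_PERMISSIONS.get(session.role, set()):
        AUDIT_LOG.append(f"DENY role={session.role} user={session.user} perm={perm}")
        raise PermissionError(f"role {session.role} may not {perm}")
    AUDIT_LOG.append(f"ALLOW role={session.role} user={session.user} perm={perm}")
    return SAMPLE_RECORD[section]


def is_denied(session: Session, section: str, action: str, now: float) -> bool:
    """True when the access attempt is refused (for checks and demos)."""
    try:
        access_record(session, section, action, now)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed walk-through: a front-desk user reads demographics, is refused
    # clinical notes, goes idle past the limit, and must log back in.
    s = Session(user="front_desk_user", role="front_desk", last_activity=0.0)
    access_record(s, "demographics", "read", now=10.0)
    is_denied(s, "clinical", "read", now=20.0)
    is_denied(s, "demographics", "read", now=20.0 + IDLE_LIMIT_SECONDS + 1)
    s.reauthenticate(now=300.0)
    access_record(s, "demographics", "read", now=301.0)
    print("\n".join(AUDIT_LOG))
```

The audit log is the piece most often left out of small-office systems: without it, a practice cannot show who looked at a record, which is exactly the "day-to-day minor lapse" Dr. Greenberg describes. Access decisions are made against a fixed role matrix rather than per-user exceptions, so adding or removing a staff member never requires editing the policy itself.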

"Internal monitoring is a key component to minimize risk, but the same level of attention should follow medical records when they leave the office," Mr. Barrett tells Dermatology Times. "If you're sending patient identifiable information out, make certain that you encrypt the data – this can easily be done through an encryption software program that is downloaded onto your system. Physicians don't realize that if information lands in the wrong hands, it can and will be used for all types of marketing purposes."

Encryption may sound complicated, but companies like PGP Corporation offer software that can be applied and used easily by all sizes of practices to secure data and protect confidential information. The PGP algorithm for encryption is simple and affordable, according to Mr. Barrett.
