Reply by author to Theresa Baroni's Letter to the Editor to 'The Electronic Health Record: Will Nursing Be on Board When the Ship Leaves?' by Linda Q. Thede (August 18, 2008).
Dear Ms. Baroni,
Your letter raises some interesting questions. With Electronic Health Records (EHRs) one is always concerned with data privacy, just as one is always concerned with the data privacy with paper health records. If an agency is lax in security, it is always possible for the wrong person to acquire confidential information from the record.
Once our country reaches the point when EHRs are shared with other healthcare entities, it is expected that the patient will determine what information will be available to whom. In any case, security is the job of the agency that 'owns' the data. Most healthcare agencies now permit access to electronic records only to those with a 'need to know' the information in the record. Additionally, each agency should have audit trails that provide a record of who accessed what record and when. Then if a nurse, or other individual, suspects that healthcare data has been inappropriately used, under law, they can request that this information be available for the prior six years. With paper records, the data in healthcare records must also be protected, both on nursing units and in the Medical Records offices. With paper records, the lack of an electronic trail may hamper discovering who accessed a record.
The American Recovery and Reinvestment Act (ARRA) of 2009 has expanded the data security rules promulgated under the 1996 Health Information Portability Accountability Act (HIPAA). Under the original law, business associates, such as vendors, were obligated to comply with privacy rules only as specified in their contract with the healthcare agency generating the data. Under the ARRA, HIPAA privacy rules now apply to anyone, who in the course of business, has access to healthcare data.
Please keep in mind that the most dangerous source of privacy leaks is talk, one person talking to another! Conversations you may have with colleagues about another's healthcare data, when there is not a need for the other person to know about this data, is both a breach of ethics and also a breach of HIPAA security rules. Additionally, verbally sharing your own health history can be dangerous. Data privacy is the business of all of us. Avoiding the sharing of a password and logging off when one leaves the computer are designed to prevent data theft or misuse.
Because data security is of concern to many people, the next OJIN Informatics Column will address this issue in more detail. Thank-you for taking the time to express your concerns and raise these questions.
Linda Q. Thede, PhD, RN-BC
Editor, Informatics Column
Center for Democracy and Technology. (2009, March 27). "Improvements and Challenges in Health Privacy Law." Retrieved November 6, 2009, from www.cdt.org/policy/improvements-and-challenges-health-privacy-law.