The Challenge of Electronic Medical Records

A few years ago, our medical histories were known only to our physicians and a small circle of family and friends. Today, with the emergence of computerized medical records, our histories are available to hundreds of individuals. While these new technologies can enhance the quality of patient care, they can also present new risks that threaten patients' privacy rights. In this first of three articles dealing with computers and patient confidentiality, we'll briefly cover the steps health care organizations should take in order to protect patient care information.

Every health care organization -- regardless of size, scope or complexity -- should assess its current Information Security Policies, procedures and protocols in order to identify and understand its risks and exposures. Here are some general questions to ask:

• Does your organization have a confidentiality policy?
• Do you require employees to read this policy and sign a confidentiality agreement?
• Does your organization comply with federal and state statutes, as well as with accreditation standards?
• Do you have written policies regarding the transmission of medical information via e-mail and facsimile?
• Do users have their own user-ids and passwords or are accounts shared?
• Do you have a plan to handle a breach of confidentiality, especially one that could result in adverse publicity and litigation?

If you answered "no" to any of these questions, your organization may be at risk. Once you've assessed these risks, the next step is to develop a comprehensive Information Security Policy. This policy should cover patient care, personnel and business information. The document should clearly show your organization's commitment to maintaining the confidentiality, security and integrity of all of its informational resources.

A health care organization's Information Security Policy should comply with all federal and state statutes, as well as with Joint Commission standards. It should be easily understood by all staff from the retired volunteer who works at the information desk to the thoracic surgeon. And, the policy should be enforceable.

Specific policy protocols should clearly define who is authorized to have access to what information, and under what conditions information can be released without patient consent. The policy should also spell out how very sensitive information such as drug and alcohol abuse records, mental health records and information regarding HIV/AIDS and genetics will be protected. And, it should cover specific protocols for protecting the health care records of employees, public figures, battered women, and abused children.

Once the policy is adopted by an organization, the next step is to conduct educational awareness programs. New staff orientations, in-service programs and mandatory educational awareness programs provide ideal forums in which to share and communicate an organization's security policies and protocols.

During these programs, staff should learn what their organization is doing to safeguard its informational resources. They should learn what they are expected to do in order to protect patient confidentiality at all times during the handling, storing, transferring and disposing of patients' medical records.

Next Issue: We'll examine developing a comprehensive Information Security Policy in greater detail.