An electronic health record system handles the acquisition, storage and retrieval of health care information in digital form. It has the potential to improve the safety, efficiency and quality of data used in the health care industry (Wilder, 2010). Electronic health records would also become an easy and ready source of information for research and for administrative purposes such as the development of public policies (Wilder, 2010). However, concerns about the protection of the data are threatening to derail the implementation of electronic health records. This article proposes strategies to address these issues.
Concerns about the privacy and security of electronic health records fall into two broad categories. The first is the inappropriate release of such information from individual organizations; the second is the systemic flow of information throughout the healthcare system.
Inappropriate release from organizations can result from authorized users who intentionally or unintentionally access and disseminate the electronic information in ways that violate the established rules and policy. Outsiders can also break into the database holding that information and steal it. The second category, systemic concerns, refers to situations in which the health information of individuals is disclosed to people or organizations that do not require it and that may even use it in ways that contravene the interest of the patient, or in ways that clearly violate the patient's privacy.
Electronic health records stored in local databases within organizations are susceptible to both external and internal agents that may violate the confidentiality and security policies of the organization.
A threat can arise from an insider who makes a mistake in accessing electronic information that then leads to accidental disclosure of the information. This can take the form of conversations among colleagues or even electronic messages from one worker to another. In the case of this kind of breach, the parties involved should be cautioned, and if they are found to have committed the error knowingly, they should be punished to serve as a deterrent to others. Another threat can arise from workers who clearly abuse the authorized access granted to them in accessing electronic health information. Such workers should be punished for violating the privacy policy, and they can even be prosecuted if possible to serve as a deterrent to others.
Another scenario can arise if an individual deliberately accesses the information solely for commercial reasons so that they can profit from it. Such a breach is unconnected with the care of patients or with honest mistakes. This is clearly a criminal act that needs to be prosecuted by the appropriate authorities. Electronic health records could also be accessed solely for vindictive purposes, to damage and disrupt the database that holds the information. This also is a misdemeanor that must be punished because it is clearly an intentional breach of the established rules. Such individuals, if caught, should also be punished.
Another way of dealing with threats within an organization is to provide barriers and obstacles that prevent unauthorized access to the information. This might take the form of authenticating each individual who seeks health information, with a view to denying requests from individuals who are clearly not in need of that information because they are neither involved in the care of the patient nor involved in any administrative duties that would require them to access it. However, this form of mitigation is more expensive to implement because it might require the procurement of additional equipment. It can also lead to bottlenecks in the use of the system, whereby users who readily need the information are made to go through bureaucratic protocols before they are allowed to access it, which might even affect the efficiency and effectiveness of the care that patients receive.
In tackling the problem of systemic abuse, it is important to note that a wide range of people potentially access electronic health records: the primary care physician, health insurance company, clinical laboratory, pharmacy, consulting physician, hospital administration and accrediting organization, to mention a few. It is clear that a lot of work would need to be done to ensure the safety of electronic health records in this regard. These different individuals only need certain aspects of the electronic record to work with. There is therefore a need to classify the content of such records so that each individual is only granted access to the section of the record that they require to function.
Data Protection and Electronic Health Records
In implementing electronic health records, it is important to ensure data safety and integrity even when different individuals access electronic information for various uses. The issue that arises is the effective classification of health care information such that providers do not have access to more information than they need to perform their functions. The question then arises: how do we develop a comprehensive taxonomic system to effectively classify electronic health records so that individuals only have access to the information that they need to perform their functions?
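The following is an added example, not part of the original article, sketching the classification described above together with the earlier point about denying requests from people not involved in a patient's care. The section names, the role-to-section mapping, the care-team lookup and all identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical taxonomy: the record sections each role needs to perform its function.
POLICY = {
    "primary_care_physician": {"demographics", "diagnoses", "medications", "lab_results", "notes"},
    "consulting_physician": {"demographics", "diagnoses", "lab_results"},
    "pharmacy": {"demographics", "medications"},
    "clinical_laboratory": {"demographics", "lab_results"},
    "health_insurance_company": {"demographics", "billing"},
    "hospital_administration": {"demographics", "billing"},
}
# Roles that must also be involved in the care of the specific patient (assumption).
CARE_ROLES = {"primary_care_physician", "consulting_physician", "pharmacy", "clinical_laboratory"}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str

def authorize(user, patient_id, section, care_team, audit):
    """Deny by default; every decision is written to the audit trail with its reason."""
    if section not in POLICY.get(user.role, set()):
        reason = "role_not_entitled"
    elif user.role in CARE_ROLES and user.user_id not in care_team.get(patient_id, set()):
        reason = "not_on_care_team"
    else:
        reason = "allowed"
    audit.append((user.user_id, patient_id, section, reason))
    return reason == "allowed"

def view_record(user, patient_id, record, care_team, audit):
    """Return only the sections of the record that this user may see."""
    return {name: value for name, value in record.items()
            if authorize(user, patient_id, name, care_team, audit)}

def users_to_review(audit, min_patients=2):
    """Users who requested records of several patients outside their care."""
    outside = {}
    for user_id, patient_id, _, reason in audit:
        if reason == "not_on_care_team":
            outside.setdefault(user_id, set()).add(patient_id)
    return sorted(u for u, patients in outside.items() if len(patients) >= min_patients)

# Constructed sample data.
RECORD = dict.fromkeys(["demographics", "diagnoses", "medications", "lab_results", "notes", "billing"], "<constructed>")
CARE_TEAM = {"patient-1": {"dr-a", "pharm-b"}, "patient-2": {"dr-a"}}

if __name__ == "__main__":
    log = []
    print(view_record(User("pharm-b", "pharmacy"), "patient-1", RECORD, CARE_TEAM, log))
```

A role missing from the policy table, such as the accrediting organization here, receives nothing, and the audit trail supports the review of repeated out-of-care requests without blocking legitimate users at the point of care.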
Healthcare Informatics and Electronic Health Records
Under EMTALA, the duty of the health informatics professional is to maintain the health record of individuals transferred to and from a hospital (GAO, 2001).
The Federation of American Hospitals is a trade union comprising representatives of investor-owned and managed hospitals and health systems in the United States. They are employers of labor, which includes health informatics professionals.
References
Federation of American Hospitals (2012). Who we are. http://www.fah.org/fahCMS/WhoWeAre.aspx
GAO (2001). Emergency Care: EMTALA Implementation and Enforcement Issues. United States General Accounting Office. Report to Congressional Committees. GAO-01-747.
Wainer, J. et al. (2008). Security Requirements for a Lifelong Electronic Health Record System: An Opinion. Open Med Inform J. 2008; 2: 160–165. Published online 2008 December 24. doi: 10.2174/1874431100802010160.
Adams, Trina (2004). Lessons from the central Hampshire electronic health record pilot project: issues of data protection and consent. BMJ 2004; 328. doi: 10.1136/bmj.328.7444.871. http://www.bmj.com/content/328/7444/871.full
Wilder, Bruce (2010). Electronic Health Records: Emerging and Future Legal Issues. Wilder & Mahood PC. www.wildermahood.com/ACBA-EHR-Paper_2010-5-14.pdf