The Legal Risks That Accompany an EMR

There’s an old football expression that cautions ball carriers not to run downfield ahead of their blockers. It’s a wise piece of advice. Without the protection and security of a dedicated blocking scheme, the ball carrier isn’t likely to get far before he’s pancaked.

As more physician practices look to take advantage of government incentives from the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 by rushing to adopt electronic health records, they could find themselves in the same predicament as those unprotected ball carriers.

Rather than getting caught up in the excitement of the transition to EMRs, it’s important to make sure that data security is a top priority for everyone in the practice. That’s because security, just like blockers paving the way for the ball carrier, will only be as strong as the practice’s weakest link.

Need to know

Scott Byers, chief executive officer of Diversified Information Technologies, says that the first thing everyone in a medical practice needs to understand is that in making the transition to an EMR they’re handling sensitive data and information.

“Sometimes that gets lost on people,” Byers says. “They suddenly have all this information, but they forget the sensitive nature of it.”

He explains that the starting point for any practice making the transition is to determine the employees who need to have access to the information in order to carry out their day-to-day duties.

“An x-ray technician is carrying out a specific assignment,” Byers explains. “He or she doesn’t need to have access to the entire patient file, so don’t expose the file to someone who doesn’t need to see it.”

Byers says that the same thought process that goes into securing the information contained in a physical or paper file needs to be considered with an electronic file. Exposure to the data is the critical point, and he suggests performing thorough background checks to ensure that employees are properly vetted before they have access to any type of patient information.

“Think things through so that you don’t create fail points,” Byers says. “There are always going to be some, but you work to minimize them and do things to support those fail points.”

Education is key

Medical practices need to focus on the human element when discussing information security. Aggregating information in a central location, as is the case with an electronic medical record, creates a target-rich environment. Proper training and governance are critical when designing and implementing information security solutions.

“Awareness training is a key component,” Byers says. “You can do it upfront to get people to start to think about it, but it’s not a once and done kind of thing. It’s something that we do, and I would encourage others to do on a regular basis.

By starting that set-up process, the entire culture of the practice will be changed, as well as the workflow and information.

Byers says that in additional to legal risks, there are also care risks inherent in switching to an EMR, but he doesn’t believe they’re any different than those that apply to using physical or paper files. If the practitioner doesn’t make a note of something, no matter what form the file takes, the information will be lost forever.

“I don’t see the care risk changing,” he says. “And the legal risk can be minimized by the controls that can be put in place if you workflow it and think things through. If you don’t, you’re not going to get the benefit of these tools.”

Double exposure

Byers explains that often when a medical practice moves from a physical-based record system to an electronic system, it operates in dual mode for a period of time. That’s an important aspect that is often overlooked.

Once the practice has converted to the electronic system, you still need to figure out how to convert the physical files and then destroy them properly once they've been incorporated into the new system.

“And for the foreseeable future there’s always going to be some form of paper in this system, and how you fit that in and convert that is an important component to the workflow,” Byers says. “You have to factor those exceptions into your workflow.”