Pain Point: Need Data Security
by Leigh-Ann Renz, 2.22.16
Let’s face it: the health and viability of your entire practice depends on maintaining data security. Considering that a single HIPAA violation could shut down your entire agency, and that HIPAA audits are expected to increase in 2016, protecting your clients’ Protected / Personal Health Information (PHI) is more crucial than ever.
“Half of all data breaches now occur in healthcare. Attacks by hackers on healthcare providers have increased more than 100 percent since 2010. The FBI warns that health data is highly valued by criminals, but healthcare lags badly behind other sectors. Health data sells for 10-20 times more than credit card data.” - 4medapproved
Safer Than Paper?
In addition to enhanced efficiency, reduced data redundancy, and improved client care, one reason practices transition from paper to an electronic system is to enhance data security. The general consensus is that it’s much more difficult for someone trying to steal PHI to hack into an EHR than it is to break into a filing cabinet or steal a chart.
However, this is debatable, considering the amount of healthcare data that’s currently in electronic format and the reach a malicious party has over a network that they don't have over a filing cabinet. In any case, regardless of whether data is inherently safer on paper or electronically, the determining safety factor for electronic data is how exposed it is to malicious intent: where that data is stored, and how it's transmitted when shared.
I.e., it doesn’t really make any difference from a HIPAA standpoint that data is in an electronic format. What makes it HIPAA-compliant (or not) is how that electronic data is hosted / housed, how it's transported among the parties involved (practice, hosting site, other providers, users of the EHR, etc.), and the strength of the hosting entity’s HIPAA protocols.
I know, I know - I’m guilty of it, too: many systems that follow HIPAA protocols tout that “our EHR is HIPAA-Compliant”. But in all reality, there is no such thing as a HIPAA-compliant system. Because HIPAA compliance relies upon the handling of information, a system itself can’t be compliant; only the way in which data is handled (whether on paper, through an EHR, etc.) can be.
It's akin to saying "this paper chart is HIPAA compliant": the chart itself can't be compliant. How you store and share the information on that paper chart is what may or may not be HIPAA compliant. The same goes for ePHI (the electronic version of PHI) and the EHR that holds it.
"Cloud-Based" Doesn't Necessarily Mean More Secure Either
The same goes for Cloud-based systems: while practice management software is often advertised as being more secure if it’s “in the Cloud”, what matters is not really whether it’s locally installed or Cloud-based.
You can have a locally hosted system that’s incredibly secure; a Cloud-based EMR that’s not at all safe; a vulnerable local installation; an iron-clad Cloud application; and any variation in between!
How Do You Know if An Electronic System is Safe?
So, how do you know if a practice management system is following HIPAA protocols? Many systems freely share their HIPAA compliance methods on their website; for others, you have to request the information. Many, like PIMSY, are happy to share details with you in a phone call specific to HIPAA. Regardless of how you obtain a program’s HIPAA safeguards, you may need to research the methods described.
Sometimes, it’s straightforward: for example, PIMSY is hosted on the Microsoft Azure Cloud, which lists on its website not only the measures taken to ensure HIPAA compliance, but also the high-profile partners that trust its security procedures.
As you research security & compliance measures, be sure to ask specifically how the EHR you might entrust your data to handles each of the following: email encryption, data remnants (copies of PHI left behind after deletion or migration), data transfer vulnerability, and PHI hosting risks.
Vet the Vendor as Well as the Product
You’ll also want to verify that the company that produces the EMR is following HIPAA procedure, and that they’re open to signing your Business Associate Agreement (BAA), to help mitigate your risk & liability. Any EHR you’re considering should be more than happy to share with you how its product, hosting, and company policies protect your practice and your clients’ PHI!
We're happy to show you how PIMSY can save time, reduce costs, and increase practice profitability.