Julie Kirst, Editor

Implementation of the electronic medical record (EMR) continues to grow, and as it does, more clinical engineering departments find themselves involved in the process. Touted as a way to make health care safer, electronic patient data available to many people through multiple devices also carries a serious privacy risk that everyone involved with it needs to be aware of. Has your organization taken steps to encrypt patient information?

In January of this year, Connecticut Attorney General Richard Blumenthal filed a lawsuit against Health Net of Connecticut, claiming the company did not secure patient medical records and financial information prior to a security breach that affected 446,000 Connecticut enrollees. In the release, Blumenthal said, “Health Net enrollees in Connecticut were exposed for at least 6 months—most likely by thieves—before Health Net notified appropriate authorities and consumers.” As a result, he asked for a court order blocking Health Net from continued HIPAA violations by requiring the encryption of any protected health information contained on a portable electronic device.

The HIPAA Privacy Rule protects the privacy of individually identifiable health information. In addition, the HIPAA Security Rule sets national standards for the security of electronic protected health information, and the Patient Safety Rule protects identifiable information being used to analyze patient safety events and improve patient safety—all of which are enforced by the Office for Civil Rights through the US Department of Health & Human Services.

In response to the lawsuit, Absolute Software—a company that provides products and best practices for health care organizations to protect patient data—sent a release stating that the data breach represents a “a widening trend in the health care industry as more and more companies and facilities switch to digital medical records.” It stated that while hospitals and clinics are conscious of their methods for securing data, many related organizations that have access to the data might not use the same level of security to safeguard this information.

Want more information? Visit these Web sites:

The American Health Information Management Association: www.ahima.org

The Office for Civil Rights: www.hhs.gov/ocr/privacy

Absolute Software: www.absolute.com

This presents a very disturbing scenario since the type of information contained in our records is our most private. As the push continues toward the EMR, do we have a safety net?

In April, the American Health Information Management Association (AHIMA) stated medical identity theft is on the rise—with 1.5 million new victims each year—and the Federal Trade Commission’s (FTC) Red Flags Rule that requires health care workers and other professional groups to develop, implement, and monitor identity theft prevention programs remains stalled due to the FTC’s continuing battle for enforcement that involves lawsuits, lobbying, and legislation. AHIMA said resistance to the rule, which has a June 1, 2010, enforcement deadline, involves two charges—that the rule lacked clarity and the FTC overreached its charge and applied it to too many types of businesses.

In the meantime, where does that leave us? Stephen Midgley, VP of global marketing at Absolute Software, said, “It is vital for each company that accesses patient information to take a multilayered approach to ensure patient data security.” The question remains: Is our patient data safe? What safeguards does your hospital use? Share your best practices with colleagues and blog about it with us. Also look for our EMR overview article in the June issue.

Julie Kirst