The U.S. health care system is gradually migrating from paper to electronic health records — a move that is meant to improve the quality of care and reduce health insurance and other costs. But is the move endangering the safety of your patient information?
Electronic health records allow patients to play a more active role in their care and “help doctors by facilitating access to the information they need when and where they need it,” says Erin Mackay, a health information technology specialist with the nonprofit National Partnership for Women & Families in Washington, D.C.
Hackers recently broke into the computer system of multistate hospital chain Community Health Systems and stole 4.5 million patients’ names, addresses and Social Security numbers, though not health records. They also breached the Obamacare website HealthCare.gov but didn’t access consumers’ personal information. Still, federal officials say electronic health data can be vulnerable to security and privacy risks. Should you be worried?
Wide access to electronic health records
Just about anyone involved in delivering a patient’s care can access an electronic health record, says Don Donahue, an adjunct associate professor of health care administration in the graduate school at the University of Maryland University College.
That includes nurses, billing and claims officers, doctor’s office staff members, and database and network administrators, adds Julie Chua, an information security specialist with the U.S. Department of Health and Human Services, or HHS.
“People who have different responsibilities would have differing levels of access” to the records, Chua says. “It is based on the functions necessary to perform their assigned duties.”
The risks, say HHS officials, include the potential for inappropriate access and record tampering. But paper records might carry the same risks.
Those with access might include you
It’s important to note that patients may also be able to access their digital records, says Mackay.
“Many providers are already establishing online patient portals where patients can remotely and securely log in and view their clinical health information,” she says.
And patients value having that information available, according to a survey commissioned by Mackay’s group. Nearly three-quarters (73 percent) of consumers whose doctors use electronic health records said the system has a very or somewhat positive impact on the overall quality of care.
Can your records be hacked?
Whatever safety measures health care providers have in place, no computer system is completely secure, Chua says. It’s possible that your information could land in the wrong hands.
More than 200 health information security breaches were reported to the government in 2012, according to the most recent HHS report. More than half — 53 percent — involved the theft of computers or paper records, while 9 percent were a result of hacking.
Health care providers need to put safeguards in place to protect patient information from these sorts of threats, says Rachel Seeger, a spokeswoman with the HHS Office for Civil Rights.
A further problem is that the health care industry responds slowly to security incidents, according to a study from security ratings firm BitSight Technologies. It shows that the average data breach goes unfixed for more than five days, the longest among all the industries BitSight evaluated.
What a hacker could do
A hacker could damage a patient’s reputation, says Mackay.
“The risk is that people’s very personal and private health information could be exposed,” she says. “Particularly sensitive information like HIV test results or substance abuse history could potentially be used to hurt that person.”
In many ways, health records are akin to financial records, Donahue says. They contain personal information, including your Social Security number and home address, and “can subject an individual to identity theft,” he says.
How can you keep your records safe?
It’s important to understand the rights you have involving your health information, Mackay says. For example, consumers can and should ask doctors for specific information on how their records are shared, and with whom.
The health privacy law known as HIPAA, or the Health Insurance Portability and Accountability Act, says your rights must be detailed in a document called a “Notice of Privacy Practices,” says Seeger.
She adds that the burden of protecting your sensitive personal information is on health care providers. If you’re concerned that your doctor’s standards may be too lax, the best advice may be to change doctors.
Meanwhile, more and more patients have the ability to download their own health information to a mobile or other device. Once the data is in your hands, you’re responsible for protecting it, says Peter Ashkenaz, a spokesman for the Office of the National Coordinator for Health Information Technology.
“It’s no different than when a doctor gives them a paper record and they leave it on the subway,” he says. “You just want to make sure that you treat it like you do all of your other personal information.”