Breach highlights the importance of regular audits

While electronic medical record systems are great tools that could change the way healthcare is delivered in the U.S., they can also cause problems if they are not monitored stringently. All practices should do everything in their power to keep their patients' records safe. One of the best ways to do this is to ensure that only a select number of individuals within a practice can access these files, by changing the system's passwords regularly and giving them only to authorized personnel.

Recently, Health Data Management reported that Riverside Medical Group, a large group practice in Virginia, experienced a security breach but is working hard to make it up to its patients. For example, they are offering their patients up to $1 million in identity theft insurance with no deductible, and one year of free credit monitoring services. This is in response to a breach that was discovered during a routine audit in November 2013. 

Protecting personal information
According to the news source, between September 2009 and October 2013, a nurse within the practice accessed the files of patients who were no longer part of the practice. The offending employee was fired, but no criminal charges were pressed because she did not commit identity or credit theft, despite the fact that patients' Social Security numbers, names, addresses, dates of birth, problem lists, medications, medical history summaries and other personal information were compromised.

This story highlights the importance of conducting regular audits to make sure that patient information is safe. It is important for patients to feel as though their personal information is protected, or else they may be reluctant to access information through patient portals – something that providers need their patients to do if they want to successfully complete stage 2 of the meaningful use incentives program. 

HealthIT.gov explained that it is the responsibility of a practice to make sure that its patients' personal health information is secure. One of the first steps practices can take is to create a security plan. This plan should clearly identify a privacy and security office, and a strategy that can be put in place in the event of a security breach. HealthIT.gov explained that one of the keys to keeping patient information safe is proper training. A practice's staff needs to know how to implement procedures, policies and audits so they can spot when a breach may have occurred.

Once practices have a plan in place, they will be able to talk to patients and put their minds at ease. Patients may have concerns about the security of their health information, but they may not bring them up to their doctors. Rather than waiting to see if a patient is feeling concerned, doctors can take control of the situation and mention everything patients should know about their EHRs.

Furthermore, once practices have a security plan, they can attest to the security risk analysis meaningful use objective. However, before practices can do this, they must make sure that they have all the proper documentation, or they may find themselves facing legal trouble.

"Do not register and attest for an EHR Incentive program until you have conducted your security risk analysis (or reassessment) and corrected any deficiencies identified during the risk analysis. Document these changes/corrections. Providers participating in the EHR Incentive Program can be audited. When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect [electronic personal health information]," explained HealthIT.gov.