Electronic Health Records, Security and You

John McConnell is a Web Developer at Fletcher Allen.

Last summer Fletcher Allen implemented its Electronic Health Record (EHR) system, known as PRISM (Patient Record & Information Systems Management), which provides an “electronic patient chart” to our clinical care providers and staff.  It has been a very exciting time for us who work here, both in the clinical and technical spaces, and PRISM is already showing results where they matter most – by helping Fletcher Allen to provide the best care for our patients. 

This isn’t to say that there haven’t been challenges, and that there won’t continue to be.  But I think it is safe to say that PRISM is an idea whose time has come, and it is fundamentally changing the way we work at Fletcher Allen from top to bottom. 

There has been much discussion of the growing use of EHRs nation-wide in the media recently, much of it prompted by the passage of the new federal health care reform bill, but the increasing deployment and use of EHRs predates this law.  In fact, Fletcher Allen’s own planning for PRISM began well before President Obama took office, and we feel good that this foresight has positioned us well in light of these recent developments.

One of the concerns we often hear about electronic health record systems centers on patient privacy and security.  There are numerous reports in the press of data breaches, not just in health care, but in many industries (and governments) which result in risks to consumers.  The electronic, ultra-connected world we live in today provides both significant convenience and significant risk.  I’d like to show you how seriously we take the privacy and security of patient information at Fletcher Allen, what we are doing to ensure that patient information is safe, and to talk about some of the steps we are planning in the near future.

First, let me provide a little background. The Health Insurance Portability and Accountability Act (HIPAA), instituted in 1996, provides a security framework for Protected Health Information (PHI), and more recent legal changes – including the HITECH Breach Notification for Unsecured Protected Health Information rule implemented by the Department of Health & Human Services in August 2009 – have increased the responsibility of health care organizations like Fletcher Allen to ensure they are doing everything possible to protect the confidentiality of their patients’ information. The HITECH Act covers a wide range of scenarios, but I want to focus here on data breaches, which are most commonly the result of a lost or stolen portable device, such as a laptop computer, that has PHI on it.

Under the HITECH Act, when an unsecured data breach affecting any patient occurs, the health care organization must notify the affected individual(s) within 60 days and report the breach to the Secretary of HHS.  If a breach affecting 500 or more patients occurs, the health care organization must notify the affected individuals and also report the breach to prominent media outlets serving the affected region, as well as to the Secretary of HHS, within 60 days of the breach.  Failure to comply subjects the organization to legal recourse.

This recently occurred in Connecticut.  On July 7th, insurer Health Net settled with the Connecticut Attorney General regarding a data breach that Health Net reported in November 2009.  Because Health Net failed to notify affected members in a timely manner, the Connecticut AG filed suit.

These kinds of data breaches are bad for everyone, so we take the security of patients’ medical information very seriously at Fletcher Allen.   Here are some of the ways we are protecting your medical information:

  • All “high-risk” devices use a form of full disk encryption, which renders the disk unreadable to an unauthorized user. We are currently in the process of extending this encryption to all remaining devices.
  • Any and all transmission of PHI (protected health information) over either the Internet or any “open” network is encrypted while it is in transit.
  • Additionally, we do not typically store PHI on the hard drives of devices (like PCs and laptops). Our PRISM system, for example, is delivered in such a way that no PHI is ever stored – even temporarily – on a local device.

But securing PHI is just one part of the larger PRISM picture:  After all, the “p” in HIPAA stands for portability, which is the ability of clinical staff involved in your care to access your electronic record quickly and accurately.  This is why Fletcher Allen works closely with the State of Vermont, with organizations such as VITL (Vermont Information Technology Leaders), and with the federal government to ensure that our EHR will communicate with other organizations throughout the region.  The goal is to provide the highest level of confidentiality and appropriate access to our patients’ health records.

And last – but certainly not least – how can you access your “electronic chart” at Fletcher Allen?  After all, isn’t it your information?  It certainly is, and that is why we are now in the process of building an on-line patient “portal” which will give you access to your medical information, as well as the ability to interact with clinical staff.  All this will be done using state-of-the-art technology to ensure a secure and easy-to-use solution for our patients.  This portal, called MyChart, will be made available soon.  We look forward to its use, as it is an important stepping stone to our goal of providing leading edge health care to our patients in the region.  Stay tuned!

6 Responses to Electronic Health Records, Security and You

  1. Paul, you can contact our Health Information Management folks at 802-847-2846, M-F 8am-4pm for assistance.

  2. Pingback: Improving Your Care with Electronic Health Records: A Physician Perspective | Fletcher Allen – Health Care Blog

  3. nabeel says:

    This has been a concern for a lot of physicians over the last 2-3 years. I can agree with them but as a physician implementing EHR or EMR one must do research with their IT rep to ensure patient safety.

    Nortec EHR is a company I believe will have both parties’ interests at hand.
    “Using Nortec EHR, providers are able to monitor and better manage care for patients, promote patient safety, while reducing cost and improve overall patient health because of better continuity and coordination in patient care.”

    Visit http://www.Nortecehr.com for more current information on how nortec can help keep your office safe.

  4. Richard Fink says:

    PRISM doesn’t seem to make the nurse’s job any easier or faster. I noticed nurses recording BP readings on their hands or scrap paper. No current tests have shown up on my health chart. Lab tests sent to FAHC not scanned in, so requested a second time, while results were in my paper file.

  5. Bill says:

    First off, there is no such thing as a “secure computer”. Security is a relative thing. Pentagon computers have been hacked into and they will have a much higher level of security than any hospital or physician’s office will have. The news is full of stories about medical record breaches from “secure” electronic medical records, sometimes several thousand at a time. If your records are obtained and end up on the World Wide Web, just remember the saying “once on the web, always on the web”.
    In addition, HIPAA took away much of the control of your medical records and gives easy access to many thousands of HIPAA approved entities, whether you like it or not. Our medical records are THE MOST PRIVATE of all our personal information but somehow our constitutional right to privacy has been totally obliterated by the federal government through HIPAA. On your next visit to the doctor, ask for the privacy policy and read it! It TELLS YOU who gets access and you don’t have any say other than to add to the already long access list.

  6. Melanie Provenzano says:

    Are you the same with the van?