Electronic medical records: who's protecting your information?

Posted at: 10/31/2013 5:54 PM
Updated at: 10/31/2013 11:25 PM
By: Benita Zahn

"I think it's more secure, in general," says Dr. James Storey. He works at Upstate Neurology, where he and the rest of his bustling medical practice have made the switch to electronic medical records. But embracing these records is a work in progress. Since you can't lock them away as you would with paper files, the practice's compliance officer is always tweaking and tightening protection protocols.

Making the switch to electronic medical records (EMRs) is mandated under HIPAA, the Health Insurance Portability and Accountability Act.

And HIPAA mandates certain protections: a strong 'system' password, monitors that automatically time out so information doesn't linger on computer screens and careful training for staff.

And it addresses the vulnerability of information on mobile devices.

William Henderson, the compliance officer for Upstate Neurology, says of that information, "It's only stored on our servers. So what happens is, when I call up a patient on a device I see that. The moment I'm done with it, that is gone. It is not there. You can take that device, you can do anything you want with it. You will find not a trace of anything about you."

That's what they do at Upstate Neurology. Henderson says, ask what your doctor does.

A secure system limits access to records to only those who need to see them to do their job.

At Upstate Neurology, Henderson explains, system users leave an electronic footprint every time records are accessed, and he regularly reviews them, looking for potential problems.

He adds that there are also limits on what doctors should share with other doctors. "Minimum necessary" is what that's called.

"The days of just simply saying send me everything in the patient's medical record, those are long gone," says Henderson.

Each of your doctors who uses EMRs should ask for your consent to share information. And you have the right to say no.

HIXNY, the health information exchange of New York, links medical offices and hospitals in our 17-county area, from Columbia and Greene counties to the Canadian border.

HIXNY finds most patients grant that approval. Currently, more than 50% of medical offices are connected to HIXNY, which also monitors usage.

Mark McKinney is the CEO of HIXNY. He says, "We know who accesses what records, how long they access it for, what they view it for. We can audit that and we can track all of that. Equally important is that we also have the ability to back up and safeguard the records from being lost or destroyed."

Even so, McKinney says, patients need to be proactive.

Read the materials you're given about HIPAA, know what you're signing and look around the office. That's something Albany Med's compliance officer, Noel Hogan, always does.

"Have they turned the monitor around? You can't protect it forever but if they have a monitor and the world can see it, that doesn't tell me they're too aware of HIPAA and responsive to protect your records. I look for those kind of things."

In an emergency, if you're unconscious or otherwise unable to speak, a hospital can do what's called "break the glass" and access your medical records without your consent, to better treat you.

"As soon as that occurs our systems record that activity and that event and then we audit 100% of all those activities," says McKinney, "to ensure that a physician does break the glass in an appropriate manner."

If you think a medical office is playing fast and loose with security, you can file a complaint with Health and Human Services, explains Tyler Wrightson of Grey Castle Security.

"And then they'll go in and investigate these organizations and see if they're doing things in a secure way. And if they're not, they'll fine those organizations and come up with what's called a corrective action."

There can even be criminal penalties under HIPAA.

"So in some cases," says McKinney, "yes, they can go to jail or be fined very substantial amounts of money."

Despite all this, the experts say, there is no 100% guarantee your records won't be compromised, so be alert.