By 2011, American hospitals, medical professionals and healthcare facilities will start enjoying government incentives for improved electronic healthcare records (EHR). At this point, however, the industry is in dire need of plugging security leaks in how it handles patient data. According to estimates, the healthcare industry in the United States stands to lose US$ 6 billion annually to data breaches in various forms.

The HITECH Act

In 2009, the Obama Administration enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the Stimulus Package. HITECH included a breach notification regulation, which requires healthcare facilities to notify affected stakeholders of a breach in healthcare records, including patients, the Health & Human Services Secretary and the media. Breaches involving 500 or more persons are to be reported immediately, while those involving fewer than 500 need only be reported on an annual basis.

A survey done by the privacy and data-management firm Ponemon Institute found that healthcare organizations are still using archaic data management techniques and run the risk of spending an average of US$ 1 million per year dealing with data breaches. These costs can take the form of damage control, litigation and loss of revenue from clients transferring to other facilities, among others.

Poor Data Management

According to Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, many hospitals have poor record-keeping practices that rely mostly on paper records for billing and filing. These records have no privacy controls. Even poor paper shredding techniques can be blamed for data breaches.

Other potential sources of data loss include failure to encrypt electronic records, or even something as simple as losing a laptop computer or USB drive. “These causes are not unique to the industry, but the magnitude of some events stands out and suggests to me that the industry is struggling with the challenges of migrating from a largely paper-based model to one that is being asked to migrate quickly to a networked, digital format,” Ponemon says.

The study finds that healthcare facilities lack the resources, procedures and confidence to detect breaches. According to ID Experts, which sponsored the study, EHR implementations focus too much on profit rather than on risk management. “Everyone is chasing electronic health record stimulus dollars and there is no allocation or consideration for protecting patient data,” says ID Experts president Rick Kam. “Until there are more enforcement actions, there's just not enough pain to change their investment model in terms of security and privacy.”

How Serious Can a Data Breach Be?

From October 2009 to March 2010, patient information from insurance company WellPoint was accessible to the public through its website, revealing information on 32,000 new clients. Meanwhile, insurance company AmeriHealth Mercy recently admitted to misplacing a USB drive that contained information for 280,000 Medicaid members.

The exposed data included full names, birth dates, addresses, SSNs, telephone numbers, email addresses, financial information, and health records. Affected patients risk public embarrassment and identity theft, which can be exploited for both medical and financial fraud.

A class action suit against WellPoint is underway in Indiana, in which the insurer could be liable for at least US$ 300,000 in damages.

A Move to Secure and Responsible EHR

The HITECH Act provides incentives to eligible professionals and hospitals for implementing qualified EHR systems. Those who fail to comply will be penalized with reduced aid payments, which can amount to stiff losses. Some hospitals and facilities are already upgrading their EHR systems, while others are considering outsourcing EHR, albeit with some privacy concerns.

Healthcare professionals and facilities might see the implementation of EHRs as a significant cost. However, paper-based healthcare record management is certainly inconvenient, not only in the speed of data access but also in the security and privacy risks it carries. Investing in EHRs will result in speedier access to patient information, reduced security risks and a promise of incentives from the government.