Docs taking unnecessary risks with patients' data, attestation

Despite the increasing importance of keeping data in electronic health records and elsewhere secure, physicians still are failing to take needed precautions, according to a chat held on an Oct. 16 Internet radio show produced by HITECHAnswers.

For instance, 83 percent of physicians now are using mobile devices, such as iPhones, laptops and thumb drives in their practices, but more than half are not using simple security to protect the EHR data on those devices, according to Rick Kam, president and co-founder of Portland, Ore.-based ID Experts. This is especially problematic since such devices also are a key to access a practice's entire EHR database.

Physicians also are failing to encrypt that data, which is required for mobile devices in Stage 2 of Meaningful Use, and already is a "safe harbor" under HIPAA if the device is lost or stolen. Since many of these devices have built-in encryption features, providers should turn the feature on. For instance, the encryption feature on an iPhone is in its iTunes application, Kam said.

Kam also recommended that providers activate or invest in geolocation software for their mobile devices. Such software can hold electronic patient data so that if the device is lost or stolen, it can be determined whether the device is merely in the physician's garage and safe, or whether the data is at risk and the device needs to be wiped clean.

Physicians are taking a different kind of risk if they attest to Meaningful Use without having completed their annual risk analysis, as required both in Stage 1 and Stage 2. Kam relayed that at a recent conference, many physicians had attested to Meaningful Use, but all of them admitted that they had not actually conducted the risk analysis, which he said points to a "knowledge gap" between attesting and understanding what they're attesting to.

"They're exposing themselves to potential prosecution for attesting to something they're not doing," Kam said.

CMS has started to audit attesting providers to ensure that they have met the attestation requirements.

Both HIPAA and the Meaningful Use program require providers to conduct risk analysis of security vulnerabilities of their electronic patient records, including those in their EHRs. The National Institute of Standards and Technology published a guide last month to help providers meet this obligation.
