EMR and EHR Data Breach: What Do I Do Now?

Posted on August 11, 2011 | Written By

Dr. West is an endocrinologist in private practice in Washington, DC. He completed fellowship training in Endocrinology and Metabolism at the Johns Hopkins University School of Medicine. Dr. West opened The Washington Endocrine Clinic, PLLC in 2009. He can be contacted at doctorwestindc@gmail.com.

Brian Franklin from Virco Lab Inc recently wrote me after reading my blog posts regarding EMR and EHR data theft (Data Breaches and EMRs: Bad guys or Just Dumb Mistakes?, and EMR Data Theft Returns!).  He asked whether I knew of any best practices or guidance on what EMR and EHR vendors should do in the event of a detected privacy breach.  Of course, I haven’t heard much about this and admitted so, but it wasn’t hard for my inquiring mind to do a quick Google search for “EMR, EHR privacy breach best practices” and turn up this earlier article from 3/30/2010, HHS Proposes Best Practices for EHR Security Breach Reporting.

Apparently there is an “Adoption/Certification Workgroup of the HHS Health Information Technology Policy Committee advisory workgroup”.  Try saying that three times fast!  Their earlier draft proposal “encourages physicians and hospitals to adopt an electronic reporting system for health information security breaches. It also encourages patients to be involved and to report errors, omissions and other mistakes in their health records.  The recommendations involve EHR vendors as well, suggesting that they enhance EHR functionality so that “feedback” buttons can be used to quickly report data problems when using the EHR systems.” 

Unfortunately, this really doesn’t answer the question for the small office endocrinologist who has just found out that his low-testosterone patient’s file was accidentally faxed to the patient’s workplace instead of back to the referring doctor.  (That kind of misdirected fax is already a reportable breach of unsecured protected health information under the HIPAA Breach Notification Rule that HITECH put in place in 2009: the practice must notify the affected patient without unreasonable delay, and no later than 60 days after discovering it, and must report it to HHS.  The workgroup’s draft is about safety and error reporting on top of that obligation, not a replacement for it.)  The article goes on, “These best practices are expected to be included in the second phase of “meaningful use” of EHR systems, starting in the fiscal year 2013.”  So, apparently there is no rush, which is probably why Brian ended up wondering about this in the first place.  That sounds a long way off, surprisingly, even now in 2011.

The workgroup stated that the goal for incorporating these standards is to establish a “patient-centered” approach to health IT safety. This patient-centered approach would include confidential reporting, liability protections, whistle-blower protections, patient engagement in the system, and transparency.

At the end of the article, readers can click a link to get to an original article and draft proposal.