The U.S. Department of Health and Human Services has issued repeated warnings about the threat posed by unsecured medical records. Illicit exposure of medical records can harm a patient's health coverage and employment and lead to severe complications. Though federal law provides for fines of up to $250,000 and up to ten years in prison for illegally accessing or distributing medical records, it still happens, putting many patients into considerable distress.
The Open Server Dilemma
Recently, Glens Falls Hospital announced that the medical records of more than 2,300 of its patients had been stored on an unprotected computer server by an external records contractor for more than four months. The exposed records include medical transcripts containing details such as diagnoses, lab results and ER records. Though the open server was taken offline once the situation was discovered, there is as yet no way to determine whether any of these records were accessed or downloaded during the exposure window. Fortunately for the patients, addresses, social security numbers and financial information were not stored on the open server.
Need for Best Practices
This brings us to the importance of security measures for sensitive medical records. When these records are entrusted to an outside service provider, whether for storage, as above, for medical record review or for other purposes, security should be the prime consideration. The provider should be HIPAA compliant and should transfer and store files only over secure, encrypted channels with access restricted to authorized users, to prevent any kind of data loss or exposure. HIPAA violations can lead to severe consequences, and new state regulations impose heavy penalties of their own on improper disclosure of medical records.
Electronic medical records (EMRs) are particularly vulnerable because they raise the following concerns, among others:
- If an EMR system is compromised, patient data can be altered, not merely read
- Even authorized users may misuse the patient data they are permitted to access
- Long-term data management (retention, archival and eventual disposal) brings its own risks
Any entity handling medical records needs to approach security and confidentiality in an assiduous way, focusing on best practices to safeguard vital information. Dedicated effort is essential at every step, with stringent policies, clear user guidelines and thorough, reliable monitoring of who accesses which records, if these risks are to be effectively contained.