Beginner’s Guide to Security within an EHR

December 7, 2010

One of the most powerful features of an EHR is the instantaneous access that it offers providers to patient information. From a workstation at the office or at home, physicians can access their entire patient panel and quickly drill down into clinical minutiae with a speed and precision that a paper chart can’t touch.

One of the most powerful features of an EHR is the instantaneous access that it offers providers to patient information. From a workstation at the office or at home, physicians can access their entire patient panel and quickly drill down into clinical minutiae with a speed and precision that a paper chart can’t touch.

But this wonderful ease of access also means that a practice may be inappropriately “sharing” sensitive patient information with individuals that have no business seeing it. Interestingly, despite the high-profile cases that hit the airwaves periodically, these privacy violations are more likely to happen within a practice than due to the malicious intent of an outsider.

Fortunately, a good EHR can help you minimize these privacy transgressions. Here is a beginner’s guide to some of the features you should look for:

Granular security: This means that the EHR has the ability to segregate sensitive information within a patient’s chart (e.g., mental health records, STD results, substance abuse information) or restrict access to a particular patient (e.g., a celebrity, participants in a high-profile legal case, workplace staff or relatives), so that only authorized individuals can see. Advanced systems may even allow you to create aliases for certain patients in instances when you want restricted access to a particular set of encounters.

Role-based access: As a corollary to granular security, this EHR feature allows to you define who sees what by their job within the practice. For example, the front desk might be given access to demographics and scheduling data but are prevented from viewing clinical data. While physicians are typically given the highest level of access, role-based security tools can also be used for practices that want to restrict physician viewing to the patients in their immediate group.

Audit trails: It can be impractical to completely lock down your EHR, and therefore you need some software and psychological tools to help you out. An EHR audit trail allows you either to determine all the individuals that have looked at a particular patient (useful if you are concerned about who is snooping on your VIPs) or track the EHR usage of a staff member that may be suspected of inappropriate use. Publicizing the presence of an EHR audit trail is important. At least half of its power is as a deterrent; people behave differently if they know you are watching. 

Bruce Kleaveland is a paid correspondent through Intel’s sponsorship with Physicians Practice.