“California Tightens EHR Security: New law requires that everyone leave breadcrumbs when using an electronic health record”
EHR security is not a new issue by any means. We have often heard stories in the news media regarding major security lapses by well-known health providers (in California and other states) that have resulted in sensitive and private health information being compromised. Security breaches occur among smaller and lesser-known providers as well. The security of health information is most certainly a valid concern. As a patient, I would not want my personal health information leaked out to the public, and neither would any readers of this blog post. To mitigate this security issue, the Governor of the State of California, Jerry Brown, has signed into law SB850 - the Confidentiality of Medical Information Act, which establishes rules for securely managing changes to patient information contained in EHRs.
According to the InformationWeek article, “Beginning January 1, 2012, hospitals, physician practices, and other healthcare stakeholders that manage patient information will be required to track and log any changes that are made to information stored in EHRs, as well as protect the confidentiality of medical information contained in EHRs.” This law essentially gives regulators in the State of California more authority to ensure integrity of health information and penalize offenders. California has already levied heavy fines against guilty parties. In many ways, this law is similar to its Federal counterparts.
The portion of the bill that caught my attention is the requirement that an EHR system “automatically record and preserve any change or deletion of electronically stored medical information”, including who accessed the information and what information was changed. In my opinion, any EHR system worth its salt would have this audit trail feature built in. Providers should look elsewhere if the EHR vendors they are evaluating don’t have this option. Perhaps those with an EHR system already are using a third-party security solution. It is my perspective that it is best to have this feature incorporated into the system.
Even in the long-term care space in which I work, all leading EHR vendors tailoring solutions to the vertical have deeply integrated rights-based access, electronic signatures, audit trails, and reporting tools to ensure the integrity and security of health information. These tools are necessary to comply with HIPAA and other similar laws. With the similarity to federal laws, it may seem that SB850 is redundant or excessive. However, when it comes to the security of health information, we cannot afford to be lax. Providers who take necessary precautions to ensure the safety and protection of health information need not worry. Just continue to do what you are doing.