A legal expert with management consultancy firm Kurt Salmon Associates warned that healthcare professionals and medical informatics service providers must agree on principles of accountability in the event of a data breach in an electronic health record (EHR) system, according to Information Week.
Gerald Nussbaum, an attorney and director of technology services at Kurt Salmon, advised that transparency, accountability and preparation for data breaches were crucial steps that every healthcare provider utilizing a clinical informatics system must take. Nussbaum delivered his comments while speaking at the American Health Information Management Association (AHIMA) Legal EHR Summit in Chicago last week.
“Nothing is secure from breaches,” Nussbaum said, as quoted by the news outlet. He added that healthcare providers should approach due diligence as an ongoing project between providers’ healthcare IT and legal departments, and that healthcare facilities should ensure that adequate measures are taken to back up patient information in the event of a breach or a change in their clinical informatics service provider.
A key concern regarding a potential breach in information security stems from questions of ownership of the patient data contained within a medical informatics system. Guidelines set forth under the Health Insurance Portability and Accountability Act do not stipulate who owns the information in an EHR, nor do they indicate who would be responsible in the event of a breach of data security.
Security of patient data is a primary concern of the Office of the National Coordinator for Health Information Technology (ONC). With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the ONC committed to improving healthcare IT standards for medical professionals. Last year, the ONC launched an 18-month initiative focused on educating physicians and healthcare IT professionals about data security best practices, and on implementing support functions such as data backup services to mitigate the risk of information breaches and losses.