When Americans envision a doctor or clinician, most think of television shows such ER, M*A*S*H and Grey’s Anatomy, where the doctors are running around saving lives. Not many people think of ‘charting’ as a part of the life-saving mission. However, with the implementation of electronic healthcare software, the electronic chart may be just as critical as any other medical device. The days of paper and pencil are soon to be a thing of the past, especially in clinical environments. Now when you walk into your doctor’s office or hospital, more likely than not you will see your doctor or a nurse coming into the hospital room with a handheld computer or tablet, or documenting via computer at the bedside or at the doctor/nursing station. Physicians and clinicians are documenting your medical visits and history electronically. Hospitals are making huge investments in electronic medical record software, equipment, and infrastructure to support electronic medical records (EMR) and electronic health records (EHR).
An EMR is an electronic version of the patient’s charts, as documented by the clinician, and contains the medical history and treatment of that patient in one department. In contrast, according to the Office of the National Coordinator for Health Information Technology, an EHR is an electronic version of a patient’s entire medical history, which is maintained by the healthcare organization or provider and may include not only the medical history of the patient but “all of the key administrative clinical data relevant to that persons care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data, and radiology reports.” An oft-repeated assertion is that the implementation of an electronic system will decrease the cost of healthcare while supplying many additional benefits to the patient.  With the rise of healthcare costs in this country, it is no coincidence that this new method of documenting a patient’s medical record is being heavily influenced, over the past few years, by the government.
This article will first look at the federal government’s push toward the use of EMR and EHR. The article will then review the laws and regulations in place to protect the confidentiality of patient’s medical records. The article will also review some instances where the confidentiality of patient’s EMRs and EHRs were compromised. Finally, this article will present security measures that should be considered to prevent security breaches and unauthorized access to EMRs and EHRs.
Government Push to EMR/EHR. In 2004, President Bush set a goal to use EMRs for most Americans by 2014. The Bush administration concurrently pushed for the implementation and use of EMR systems in healthcare organizations. These systems were to include the ability to share data both within hospitals and between other clinical facilities. Bush’s plan was to include healthcare reforms which had "improved information technology to prevent medical error and needless costs." 
This idea of an EMR and sharing patient data within healthcare organizations continued with the Obama administration. In 2009, the Obama administration provided a five-year plan to move hospitals and clinicians away from paper charts by encouraging the use of technology to document patients’ medical records.  Decreasing the cost of medical care, while at the same time improving patient care, was the stated goal. The plan also allowed doctor offices, hospitals, and other organizations to obtain federal money to help offset the costs of the electronic medical record systems and provided penalties for not utilizing an electronic system. By 2015, “healthcare organizations who do not comply with the plan will face cuts in Medicare payments.” In the process of moving towards EMR Congress began to face new challenges; challenges specifically pertaining to the “electronic” nature of a patient’s medical record.
HIPAA . With the push to use electronic systems to document patient medical records, there are increased concerns regarding the security and privacy of the medical records. These concerns were addressed by the Health Insurance Portability and Accessibility Act (HIPAA). HIPAA is an Act which was passed by Congress in 1996 to establish the guidelines for the transfer and protection of health data.  HIPAA applies to any information about a patient’s medical care which is kept by a covered entity such as: (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction. 
The Department of Health and Human Services (HHS) further addressed issues regarding privacy and security by issuing regulations. These regulations are found in the HIPAA Privacy Rule and the HIPAA Security Rule.  The Privacy Rule, issued in 2000, establishes national standards for the protection of certain health information. The Security Rule, issued in 2003, establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule specifically deals with the security of electronic protected health information (or “e-PHI”) and furnishes providers and other healthcare organizations with a set of guidelines to follow. Section 164.306 of the Security Rule provides general rules with which covered entities must comply. The covered entities which utilize electronic documentation of medical records must: (1) ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits; (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (3) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E; and (4) ensure compliance with this subpart by its workforce.
HITECH Act. The Obama administration signed into law several programs to encourage the use of technology in healthcare. One such law was the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act was enacted and became effective in February 2009 and was part of the American Recovery and Reinvestment Act. Generally this act provided incentives for healthcare organizations to implement EHR and supported the meaningful use of technology to improve healthcare. Additionally, HITECH Act further “addressed privacy and security concerns associated with the transmission of electronic health data by enforcing the HIPAA rules.” The HITECH Act established penalties and culpability for violations of HIPAA. Specifically, section 13410(d) of the HITECH Act revised section 1176(a) of the Social Security Act (“the Act”) by establishing: (1) Increasing levels of culpability reflected in four categories of violations; (2) four corresponding levels of penalty amounts that significantly increase the minimum penalty amount for each violation; and (3) a $1.5 million maximum penalty amount for all violations of an identical provision.
Benefits and Security Issues of Electronic Records. Studies have shown that the utilization of electronic health records provides many benefits to both patients and healthcare organizations.  Many medical record software programs allow for clinicians to quickly access a patient’s medical record, which is much more efficient than waiting for a staff member to deliver the paper chart. By having access to the patient’s medical record more readily, clinicians can also review patients’ past medical histories more quickly, which may contribute to the reduction of medical errors, decrease patients stays, and decrease the cost of patient treatment. Some EHR/EMR systems include features such as risk management alerts, allergy checks, and medication conflict checks, all of which may assist in the reduction of medical errors. The electronic systems, if utilized properly, should improve the efficiency and the effectiveness of patient treatments.
However, even with the projected benefits of EHR/EMR there are some risks. One of the biggest risks of using an electronic medical record is the same risk shared by any electronic file: security. As mentioned above, entities covered by HIPAA requirements must ensure data security and integrity of confidential patient information. Organizations implementing EHR and EMR systems must be diligent in creating strong data security policies and procedures or prepare to be hit with fines and penalties for violations.
Unfortunately, there have been numerous instances where the lack of electronic medical records data security allowed hackers and others to gain unauthorized access confidential medical information. A recent article by Fast Company reported that “According to HIPAA records, nearly 21 million Americans have had their EMRs stolen or lost since 2009.”
In March, 2012, the Utah state health department reported a data breach had occurred. Personal identification, social security numbers, diagnosis information, and medical billing information of 280,000 Utah residents were stolen by computer hackers. The breach occurred due to an error at the password authentication level, which allowed the computers hackers to bypass the security system in place.
Another instance of poor electronic medical record security occurred in a Georgia hospital in April 2012. Ten backup discs containing approximately 315,000 patient medical records were lost, including information such as medical procedures and medical diagnoses. Investigations conducted at the hospital indicate the discs were not properly secured and were removed from the hospital in February, 2012.
Electronic data theft also occurred in Libertyville, Illinois this past July. On July 20, 2012, a surgery practice reported that hackers breached their security and gained remote access to patient electronic medical records on their server. The hackers demanded a ransom for the electronic medical records and other information such as emails, which the hackers had encrypted. The surgery practice turned off the server where the medical records were located to cut off the hacker’s access.  The surgery practice offered patients affected by the security breach one year of free credit-monitoring service as an apology. 
Many other breaches due to failed security measures have occurred. The public is entitled to be made aware of breaches pursuant to section 13402(e)(4) of the HITECH Act. The HITECH Act requires a list of breaches of unsecured protected health information affecting 500 or more individuals be posted. Additional instances of security violations and breaches of electronic medical records can be found on the department of health and human services website.
Security Considerations to Better Protect EMRs/EHRs. These instances demonstrate the problems that may arise with lax and inadequate security. The error at the password authentication level in Utah emphasizes the need for healthcare organizations to closely securitize the security provided by software venders and the implementation of user security. Healthcare organizations should be mindful of all the people within the organization having access to the software, provide only the appropriate level of security access for each individual or type of user, and limit the number of users with administrative access to the system. Healthcare organizations should consider whether the medical record software under consideration has features that prevent users from utilizing other user’s logins. Such features may include default idle time-out, which automatically logs a user out of the system after a certain period of inactivity. Another feature organizations should use is the option that prohibits a user from logging in from multiple locations with the same ID at the same time. A user logging in from multiple locations simultaneously is generally an indication of sloppy security at best, and an active security breach at worst. Another security feature to be considered is the use of biometric authentication capability. These are features to consider in EMR/EHR software and may prevent unauthorized access, manipulation, or loss of data in EMRs/EHRs.
The incident at the Georgia hospital highlights the need to consider not only user-level security access to the software, but also physical access to the computer equipment itself. Furthermore, if removable media (such as disks) are to be utilized, procedures need to be developed that ensure their custody is properly kept.
Interface security is another area to consider. Sometimes medical record software interfaces or connects to other software generally, which may not be as secure as the medical record software. While it is not known exactly how the hackers in the incident at the medical practice in Libertyville gained access to the server, it is believed by some that they obtained access through a security vulnerability contained in other software on the server.
Other security features of and policies related to EMR/EHR software should also be considered, such as, system downtime procedures, interface downtime procedures, software upgrade procedures, remote access capabilities, among others. Further, Healthcare organizations should know who has the ability to modify the computer software code on the healthcare organization side and the software vendor side. While the user of EMRs/EHRs creates additional challenges in the area of security that did not exist with paper records, by considering the foregoing security issues health care organizations can better protect against EMRs/EHRs security breaches.
Conclusion. In the days of paper medical records, it would be very difficult for a person to carry hundreds of medical records out of a hospital without being noticed. However, in the age of computers, stealing hundreds of thousands of medical records by hacking into a server is very much possible. While with paper records only a few records are likely to be affected at a single time, now it is possible for thousands of records to be affected at one time electronically.
Hospitals must regularly update their security and network infrastructure to ensure safety of EHRs/EMRs. There may never be a completely “hacker proof” solution to ensure absolute security of EHR/EMR. But by considering the security issues addressed above, healthcare organizations can further position themselves against EMR/EHR security breaches, while still being able to take advantage of all the positive benefits EMR/EHR can generate.
 EMR vs EHR – What is the Difference?, Office of the National Coordinator for Health Information Technology, at http://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/emr-vs-ehr-difference/ (last accessed Sept 4, 2012).
 Richard Hillestad, James Bigelow, et al., Can Electronic Medical Record Systems Transform Health Care? Potential Health Benefits, Savings, And Costs, 24 Health Affairs 5, 1103 (Sept. 2005), available at http://content.healthaffairs.org/content/24/5/1103.long.
 Health Insurance Portability and Accessibility Act of 1996 (“HIPAA”), Pub. L. No. 104-191, 110 Stat. 1936.
 42 U.S.C. 1320d-1(a).
 45 C.F.R. § 164.306 (2007), available at http://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-part164.pdf.
 123 Stat. 226 (2009); Pub.L. No. 111-5.
 Meaningful Use, Introduction, Centers for Disease Control and Prevention, CDC (Jun 3, 2011), at. http://www.cdc.gov/ehrmeaningfuluse/introduction.html (last accessed Sept. 4, 2012).
Neal Ungerleider, Medical Cybercrime: The Next Fronteir, Fast Company, Aug. 15, 2012, at http://www.fastcompany.com/3000470/medical-cybercrime-next-frontier.
 Breaches Affecting 500 or More Individuals, U.S. Dept. of Health & Human Services, at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
Lydia Andrasz is a graduate of The John Marshall Law School and a founding member of Nexus Legal Group. In addition to handling litigation, she consults on electronic medical record issues in both the legal and medical industries. Prior to Nexus, she worked for a healthcare software company for almost 12 years and was responsible for the implementation and support of EMR software in over 200 hospitals nationwide. She was the Director of Support Services and her teams were responsible for developing hospital EMR policies/ procedures, product risk and software defect analysis, and more. She can be reached at firstname.lastname@example.org.