November 11, 2014
The 10 Biggest Risks for Businesses Using EHR or EMR
Electronic health records (EHR) and electronic medical records (EMR) have revolutionized medical offices by making patient data easier to access. At the same time, this technology has contributed to thousands of data breaches across the country, violating dozens of federal privacy laws like HIPAA and FACTA.
The costs of insecure patient health records could cripple your business if federal enforcement agencies find that you are not in compliance with privacy standards. Don’t wait until it’s too late. Ten of the biggest risks associated with EHR/EMR include:
- HIPAA violations are increasing each year.
The Department of Health & Human Services reported 12,915 individual HIPAA complaints in 2013 – the highest year on record. In the same year, HHS also conducted more than 4,000 HIPAA investigations of private businesses and offices. Enforcement is getting tougher and more businesses than ever before are being targeted for HIPAA violations. Research suggests that this trend will only continue over the next 4 years.
- Lost or stolen hard drives result in enormous data breaches.
In 2010, Emory Healthcare in Atlanta, Georgia announced that the medical records of 300,000 patients were jeopardized after an employee lost 10 backup disks containing electronic health records, Social Security numbers, and payment information. This incident shows that a huge data breach can occur relatively easily and could be disastrous if the data is stolen. Hospitals and clinics also report thousands of cases of stolen electronic devices each year, accounting for more than 25% of all privacy violations. If these storage devices aren’t properly secured or disposed of, it could cost your company millions to resolve the resulting dispute.
- Fines and punitive damages are collected per violation.
Federal standards are very straightforward when it comes to the penalties associated with HIPAA, FACTA, and PCI violations. The costs to your business could be astronomical because enforcement fines are levied per violation. If a hard drive containing the EHR data of hundreds of patients is lost, the Office for Civil Rights (OCR) can fine you for each and every confidential record that was breached. In other words, you could pay a minimum of $100 or as much as $25,000 for each individual breach of patient data.
- HITECH and HIPAA violations are bankrupting some businesses.
When Congress passed HIPAA and later amendments like HITECH, it never imagined that this legislation would force some businesses to close their doors. After a burglary in late 2011, Impairment Resources LLC was hit with half a million dollars in damages after the robbers made off with the electronic medical records of more than 14,000 patients. Unable to make these payments, the San Diego-based business had to file for bankruptcy in 2012. This is not an isolated incident; businesses across the country are dealing with the same problems.
- FACTA regulations are getting even stricter.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) currently stipulates that printed receipts may not display more than the last five digits of the cardholder’s account number. While the law does not specifically address Internet purchases, several courts have decided that consumers are guaranteed the same rights in digital transactions. Electronic financial records often contain this data and could leave your business liable for FACTA damages if this information is ever breached.
- Identity theft doesn’t have to occur for you to be held liable for damages.
Many businesses mistakenly assume that they are only held liable for privacy violations if the data breach results in identity theft. This is almost never the case. As long as federal enforcement agencies can prove that information was not properly destroyed, they can still issue any fines or damages associated with HIPAA, FACTA, or PCI violations. Identity theft is a worst-case scenario, but it is not a prerequisite for privacy violations and liability.
- Erasing data from hard drives is never enough.
It is another common misconception that simply pressing “delete” is enough to properly dispose of sensitive EHR/EMR data stored on medical hard drives. Deleting a file removes only the entry that points to it; the data itself stays on the platters until it happens to be overwritten, so experienced hackers can easily retrieve the data you thought was erased. The only way to ensure that this information is completely inaccessible is to use a hard drive destruction service.
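To make the point above concrete, here is an added example (not code from the original post or from any vendor) that simulates a tiny disk with a directory table. The `ToyDisk` class, the block sizes, and the patient record are all constructed for the demo and are not real data. A plain delete only drops the directory entry, and a scan of the raw bytes still finds the record; overwriting the blocks before unlinking is what actually removes it.

```python
import os

BLOCK_SIZE = 64
BLOCK_COUNT = 16

# Constructed sample record; every value here is made up for the demo.
PHI_RECORD = (
    b"Patient: Jane Doe (constructed)\n"
    b"DOB: 1970-01-01\n"
    b"SSN: 000-00-0000\n"
    b"Diagnosis: example-only\n"
)
NEEDLE = b"SSN: 000-00-0000"  # the fragment a raw-disk scan would look for


class ToyDisk:
    """A minimal model of a file system: a flat byte array plus a directory
    that maps file names to the blocks they occupy. Like real file systems,
    deleting a file only touches the directory, never the blocks."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.directory = {}                 # name -> list of block indexes
        self.free = list(range(BLOCK_COUNT))

    def write_file(self, name, data):
        needed = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.raw[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete_file(self, name):
        # What "pressing delete" does: unlink the name and mark blocks free.
        # The bytes in those blocks are left exactly as they were.
        blocks = self.directory.pop(name)
        self.free.extend(blocks)

    def sanitize_file(self, name, passes=1):
        # Overwrite every block the file occupies with random bytes, then
        # unlink it. This is the "clear" style of sanitization; it assumes
        # the device really writes to the same physical location.
        blocks = self.directory[name]
        for _ in range(passes):
            for b in blocks:
                self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.delete_file(name)

    def listed_files(self):
        return sorted(self.directory)

    def find_remnant(self, needle):
        # Offset of the fragment in the raw image, or -1 if it is gone.
        return bytes(self.raw).find(needle)


def demo_plain_delete():
    """Write a record, delete it normally, then scan the raw image."""
    disk = ToyDisk()
    disk.write_file("patient_4711.txt", PHI_RECORD)
    disk.delete_file("patient_4711.txt")
    return disk.listed_files(), disk.find_remnant(NEEDLE)


def demo_sanitize():
    """Write a record, overwrite its blocks before unlinking, then scan."""
    disk = ToyDisk()
    disk.write_file("patient_4711.txt", PHI_RECORD)
    disk.sanitize_file("patient_4711.txt")
    return disk.listed_files(), disk.find_remnant(NEEDLE)


if __name__ == "__main__":
    files, offset = demo_plain_delete()
    print("after delete:   directory =", files, "| record found at offset", offset)
    files, offset = demo_sanitize()
    print("after sanitize: directory =", files, "| record found at offset", offset)
```

In the plain-delete run the directory is empty but the record is still sitting at its original offset, which is exactly what a raw-disk scan recovers. The overwrite removes it in this model, but on real hardware that guarantee is weaker: SSD wear levelling and remapped bad sectors can leave copies in locations the operating system cannot address, which is why guidance such as NIST SP 800-88 treats overwriting as "clear" and reserves "destroy" (physical destruction) for media leaving your control, as the post above recommends.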
- Medical service providers must meet the same financial standards that banks do.
The Gramm-Leach-Bliley Act of 1999 (GLBA) ensures that private medical information is treated no differently than financial records. This legislation requires every business to provide a privacy policy and opt-out provision for each customer at the point of sale. In other words, medical offices must meet the same financial privacy standards that regulate banking activity. Any violation of GLBA standards could result in steep fines or even criminal prosecution.
- More than 1,000 medical data breaches have occurred since 2005.
Privacy Rights Clearinghouse keeps track of all data breaches across the United States and the cause of each violation. Lost or stolen portable devices like laptops, hard drives, and CDs account for more than 1/3 of all medical breaches. Since 2005, more than 30 million private healthcare records have been compromised.
- Electronic medical records (EMR) are more likely to cause data breaches.
While paper medical records can easily be shredded, many medical offices overlook the security problems associated with electronic medical records. Hacking, insecure firewalls, and a host of other risks can jeopardize thousands of patients at a time. Reactive measures are never a solution, and businesses can almost never reestablish their reputation after a data breach occurs. The only defense is preemptive security: properly disposing of all old electronic devices and having adequate network protection to keep you and your patients safe.