Sarah B. Galeli
Loyola University Chicago School of Law, JD 2020
In a time when data breaches occur fairly frequently, whether it’s credit card information being stolen from department stores or a credit reporting bureau breach affecting hundreds of millions of customers, keeping personal information private seems to get harder every day. That fact may give patients pause when they are asked to sign up for an electronic health record account. A 2017 survey listed electronic health record management as one of patients’ top concerns. Changes in recent years have led to changes in compliance measures that make electronic health records security an added benefit to patients and ensure the continued increase of their adoption.
Regulatory changes supporting EHR implementation
The implementation of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act created changes in title II of the Health Insurance Portability and Accountability Act(“HIPAA”), specifically the portion of HIPAA that contains the privacy protections for patients and the security requirements of health and medical records. The goals were two pronged: 1) encourage the adoption of electronic health record (“EHR”) systems with incentive programs and 2) strengthen the HIPAA privacy and security rule. To accomplish these goals, the Department of Health and Human Services (“HHS”) began producing training materials and a Guide to Privacy and Security of Electronic Health Information. There are also many private companies that provide training and education to covered entities to ensure the workforce receives complete and accredited continuing education once an EHR system is in place.
HITECH Act not only changed the training and education required of the workforce of covered entities, it also put in place mandatory auditing requirements. Audits were previously required when a complaint was filed against a covered entity and when a covered entity reported a breach. Now, entities are periodically audited to ensure proper compliance with requirements for covered entities from internal and external sources. The audit protocol has continued to be updated by HHS and through additional Centers for Medicare and Medicaid Services (“CMS”) Promoting Interoperability (“PI”)Programs’ Meaningful Use of Audit Requirements that were placed on EHR vendors. The auditing requirements for the PI program include covered entities that retain all Attestation Module responses (attesting to a completed audit) and supporting documentation for six years from the date post-attestation.
The Centers for Medicare and Medicaid Services (“CMS”)Promoting Interoperability Program, originally the EHR Incentive Programs, were put in place in 2011 to encourage healthcare providers to “adopt, implement, upgrade, and demonstrate meaningful use of certified EHR technology.” The program has been implemented in stages the first of which established the requirements for creating electronic copies of patients health information. The second stage has focused on “ensuring that the meaningful use of EHRs supported the aims and priorities of the National Quality Strategy”, which was the impetus for these programs and legislation. For covered entities to continue to receive funds during the second stage of the PI program, EHR must include a wider breadth of information and detail is required regarding patient and specific detail regarding the covered entity sending prescriptions to pharmacies to prevent unauthorized prescriptions. This too requires training and continuing education for the workforce of the covered entities.
Electronic Health Records produce positive outcomes
Studies have shown that there is an increased use of electronic health records. This is a true testament to the success of the HITECH Act legislation, incentive programs, and their benefit to patient centered care. While the decreased medical costs and stronger security measures benefit medical providers and patients alike, better patient health outcomes will ensure that adoption rates continue to increase. According to a National Cancer Institute 2017 Health Information Trend Survey, 85 percent of respondents who accessed an electronic health record did so to view test results. That same survey showed that 62 percent performed one or more health-related tasks, such as requesting prescription refills, completing paperwork or making appointments. These tasks are ones that can still be completed over the phone but can be done more efficiently through the electronic health records system. Efficient recording of these tasks also leads to a more informed patient and less repeated or unnecessary tests, prescription refill problems, or duplicate paperwork. The convenience of using EHR systems as well as the improved patient centered care will likely play a key part of increasing patient adoption.
An important aspect of electronic health records is that all doctors, within the same hospital network, will have access to the same health records and lab results. Recent studies have shown that the use of electronic health records in health systems results in better outcomes for patients. In one study, using data from 2008-2013, observed that adoption of electronic health records could show lower thirty-day mortality rates over time, as more patients and medical providers utilize the technology. Another study, focused on the impact of electronic medical records on healthcare delivery at a teaching hospital in Kenya, showed that electronic medical record systems led to increased productivity in healthcare delivery, better clinical decision making, and increased interaction and collaboration between healthcare providers. These efficient outcomes and positive attributes seem to correlate across the board, no matter the age range, medical condition, or geographical location of the patient. These outcomes also appear to be increasing with the continued adoption of electronic health record systems by patients and medical providers alike.
As long as healthcare providers continue to implement training and education programs and auditing procedures according to the HITECH Act, HIPAA, and the PI programs, regulatory initiatives should continue to lead to successful, patient-centered care. The efficiency for the healthcare provider, the benefits to the health and involvement of the patient, and better outcomes to the community of patients as a whole show promise for the future.