WASHINGTON, Sept. 15 (UPI) -- While there are some legitimate concerns about the security of electronic health records, they are much easier to keep protected than the paper records most healthcare providers still rely on, security experts say.
"The security we use for paper records is having someone watch them," said Harry Rhodes, director of practice leadership at the American Health Information Management Association, at a congressional briefing Friday. "The problem is, not matter how diligent you are, you can't stay diligent all the time."
Currently, most patient records at doctors' offices and hospitals are stored in paper files. Momentum has been building for a switch to electronic health records that would be stored in computer networks and accessible to patients and healthcare providers. President Bush has set the goal of having such records for most Americans by 2014, and health information technology bills have passed both houses of Congress.
A mounting body of evidence points to the fact that the records can improve patient health outcomes and reduce costs by making patients' medical information easily accessible to multiple medical professionals.
The aftermath of Hurricane Katrina also highlighted the limitations of paper records. Most of the individuals who were displaced left their medical records behind, including 150 children undergoing chemotherapy whose parents had to recall from memory at what stage they were in their treatment.
Most of the records left behind were destroyed -- virtually erasing much of the region's medical history.
Aside from being lost in natural disasters or being stolen, paper medical records can also be raided by staff who have motives ranging from curiosity to maliciousness to financial gain, Rhodes said, a phenomenon that is responsible for about 80 percent of paper-record misuse cases.
Private investigators may pay staff members to find information in paper records for use in court cases. Or they may ask them to alter or destroy medical information in patient files, he said. "The thing about a paper record is that it's very hard to reproduce a paper record after it's destroyed."
Studies have also shown that, even when all parties are acting with the best of intentions, medical records can be lost or misplaced.
A 2005 study at the University of Colorado found that in a typical primary care setting, information is missing in almost 14 percent of visits, while a study of Veterans Administration hospitals found that patient consent forms were missing 8 percent of the time.
Much of the vulnerability of paper records comes from the fact that a patient's entire medical history file -- which often has no backup copy -- must be passed back and forth between providers, John Morrissey, director of knowledge at the National Alliance for Health Information Technology, told United Press International.
In a recent report, called A Day in the Life of a Medical Record, Morrissey followed patients' charts as they traveled through a hospital. One chart changed hands 17 times in one day, passing through a variety of unsecured environments like wheelchair pockets and open on a desk where it could be seen by other patients.
In health systems with multiple facilities, records are also transported by vans or taxis, Morrissey added.
And each time the patient's entire medical record is passed to the next person it is exposed to "another set of hands and another set of eyes," he said.
In smaller towns, those hands and eyes could belong to a patient's neighbors, said Morrissey. "You can't run a hospital with people who live outside the community. There's a good possibility the people who deal the records know the patients. How do you know your neighbors haven't taken a peek?"
Current electronic health record technology has the capacity to address many of the security problems surrounding paper records, said Nicholas Augustinos, director of the Internet Business Solutions Group and Cisco Systems, at the briefing.
Electronic records are less likely to be lost or misfiled, and because they need not be transported they are easier to keep safe, he said.
At the point of care, access is password-protected so that only authorized healthcare providers can see records. In addition, Augustinos said, it is possible to have different levels of authorization so that staff see only what they need to see. Anytime a user enters a system, their movements in it are traced, creating a record of any tampering or unauthorized use.
Although there are still some security problems with electronic records to be addressed, he said, they will be much easier to solve than the problems in keeping paper records secure. "Electronic security is hard enough. Paper security is practically impossible."
But Internet hackers may not be the biggest threat to the privacy of electronic records, said Deborah Peel, founder of the Patient Privacy Rights Foundation.
A bigger threat may be caused by the very companies who keep electronic health records, she said, because electronic health information can be compiled, bought and sold -- sometimes without a patient's consent.
"Many companies are using medical records in ways that have nothing to do with caring for patients. Patients need to be able to control who has access to their records."
