News accounts and criminal convictions involving unauthorized access or theft of electronic health records by health care facility or medical practice employees are raising renewed concerns about the privacy and security implications associated with the surging development and use of electronic health records systems (EHR). While providers who implement EHR systems often feel confident in the security offered by firewalls, passwords and encryption protection imbedded in their EHR systems, a potential threat to patient privacy remains simply in the fact that a large number of a provider’s employees may have broadly-defined access rights to virtually all of a provider’s patient records. Whether such broad access is permissible under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) intended is a question upon which varying views of industry experts and lawmakers can be found. Stakeholder views may differ based on clinical, operational, financial and personal privacy considerations.
Under the HIPAA privacy regulations, with a few limited exceptions, when making disclosures or using PHI outside of treatment, a covered entity must make reasonable efforts to limit PHI disclosures to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, or otherwise obtain an authorization from the patient. See 45 C.F.R. § 164.502(b). The minimum necessary requirement is to be implemented by identifying “those persons or classes of persons, as appropriate, in [the covered entity’s] workforce who need access to protected health information to carry out their duties” and “for each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.” 45 C.F.R. § 164.514(d)(2)(A) and (B). Thus, a design issue in developing or purchasing a HIPAA-compliant EHR system is whether or not the system includes technology that reasonably and appropriately limits access to patient information to only those members of the workforce who need it, or so-called role-based access capability. While the classification of access rights and limitations on the categories of PHI that can be viewed may add complexity and expense to an EHR system, this HIPAA requirement should not be overlooked. Additionally, among other safeguards, the ability to log information system activity (e.g., record the user’s identity, time, type and extent of data accessed), and to perform security audits and forensic investigations on an EHR system, are important components needed to facilitate a covered entity’s compliance with the HIPAA privacy and security regulations, and to reassure patients that their privacy is indeed being protected during this period of rapid EHR expansion.