Last summer the UVM Medical Center implemented its Electronic Health Record (EHR) system, known as PRISM (Patient Record & Information Systems Management), which provides an “electronic patient chart” to our clinical care providers and staff. It has been a very exciting time for us who work here, both in the clinical and technical spaces, and PRISM is already showing results where they matter most – by helping the UVM Medical Center to provide the best care for our patients.
This isn’t to say that there haven’t been challenges, and that there won’t continue to be. But I think it is safe to say that PRISM is an idea whose time has come, and it is fundamentally changing the way we work at the UVM Medical Center from top to bottom.
There has been much discussion of the growing use of EHRs nation-wide in the media recently, much of it prompted by the passage of the new federal health care reform bill, but the increasing deployment and use of EHRs predates this law. In fact, the UVM Medical Center’s own planning for PRISM began well before President Obama took office, and we feel good that this foresight has positioned us well in light of these recent developments.
One of the concerns we often hear about electronic health record systems centers on patient privacy and security. There are numerous reports in the press of data breaches, not just in health care, but in many industries (and governments) which result in risks to consumers. The electronic, ultra-connected world we live in today provides both significant convenience and significant risk. I’d like to show you how seriously we take the privacy and security of patient information at the UVM Medical Center, what we are doing to ensure that patient information is safe, and to talk about some of the steps we are planning in the near future.
First, let me provide a little background. The Health Care Portability and Accountability Act (HIPAA) instituted in 1996 provides a security framework for Protected Health Information (PHI), and more recent legal changes – including the HITECH Breach Notification for Unsecured Protected Health Information rule implemented by the Department of Health & Human Services in August 2009 – have increased the responsibility on health care organizations like the UVM Medical Center to ensure they are doing everything possible to protect the confidentiality of their patients’ information. The HITECH Act covers a wide range of scenarios, but I want to focus here on data breaches, which are most commonly the result of a lost or stolen portable device, such as a laptop computer, which has PHI on it.
Under the HITECH Act, when an unsecured data breach affecting any patient occurs, the health care organization must notify the affected individual(s) within 60 days and report the breach to the Secretary of HHS. If a breach affecting 500 or more patients occurs, the health care organization must notify the affected individuals and also report the breach to prominent media outlets serving the affected region, as well as to the Secretary of HHS, within 60 days of the breach. Failure to comply subjects the organization to legal recourse.
This recently occurred in Connecticut. On July 7th, insurer Health Net settled with the Connecticut Attorney General regarding a data breach that Health Net reported in November 2009. Because Health Net failed to notify affected members in a timely manner, the Connecticut AG filed suit.
These kinds of data breaches are bad for everyone, so we take the security of patients’ medical information very seriously at the UVM Medical Center. Here are some of the ways we are protecting your medical information:
- All “high-risk” devices use a form of full disk encryption which renders the disk unreadable to an unauthorized user. We are currently in the process of extending this encryption to all remaining devices.
- Any and all transmission of PHI (personal health information) over either the Internet or any “open” network is encrypted as well as it is transmitted.
- Additionally, we do not typically store PHI on the hard drives of devices (like PCs and laptops). Our PRISM system, for example, is delivered in such a way so that no PHI is ever stored – even temporarily – on a local device.
But securing PHI is just one part of the larger PRISM picture: After all, the “p” in HIPAA stands for portability, which is the ability of clinical staff involved in your care to access your electronic record quickly and accurately. This is why the UVM Medical Center works closely with the State of Vermont, with organizations such as VITL (Vermont Information Technology Leaders), and with the federal government to ensure that our EHR will communicate with other organizations throughout the region. The goal is to provide the highest level of confidentiality and appropriate access to our patients’ health records.
And last – but certainly not least – how can you access your “electronic chart” at the UVM Medical Center? After all, isn’t it your information? It certainly is, and that is why we are now in the process of building an on-line patient “portal” which will give you access to your medical information, as well as the ability to interact with clinical staff. All this will be done using state-of-the-art technology to ensure a secure and easy-to-use solution for our patients. This portal, called MyChart, will be made available soon. We look forward to its use, as it is an important stepping stone to our goal of providing leading edge health care to our patients in the region. Stay tuned!
John McConnell is a Web Developer at the UVM Medical Center.