A Review of HIPAA EHR Security Regulations


Focus on the Hospital Industry

By Carol S. Miller BSN MBA

With the implementation of EMRs, and with Internet and intranet access available throughout hospital and physician complexes as well as from home or any virtual site, security violations and the vulnerabilities behind them may already have caused serious harm to many hospitals and to the IT community in general.  Implementation of HIPAA security standards across the United States, at hospitals, clinics, medical complexes, universities, and federal facilities such as the VA, DoD, or IHS, has been inconsistent.  In addition, the HIPAA privacy regulations have given the patient responsibility for the patient health record, the impact of which has not been fully addressed, nor is it supported by healthcare IT rules and regulations.

In Control?

Throughout the entire healthcare industry, there are concerns over who has access, who is in control, and whether the release of information impacts the privacy and security of the patient medical information or presents a risk to patient well-being, the quality of patient care, compliance issues, and potential fines to the hospital community.

The simple fact is that security is a problem that could have a catastrophic effect on any hospital.  Most Chief Information Officers have increased their “security-related” and “computer specialist” staff to address security issues, but most believe that their security is still vulnerable and needs to be improved.  Understanding a complex group of technologies and processes that have been built and modified many times over the years, especially at a large university or medical center complex, will be not only time-consuming, but also costly.  Security, like complex IT systems, was never designed in any organized manner.  It simply expanded as more and more access was made available, patient rights were defined, technology capabilities expanded, and more Internet-related communications and document-sharing occurred.

Hospital Security Concerns

Further, HIPAA security requirements were thrown into the mix in an era when hospital budgets were shrinking, and hospitals were trying to meet their costs through consolidation or reduction of programs and staff.

The prime concerns for information security are:

  • confidentiality – information is accessible only by authorized people and processes;
  • integrity – information is not altered or destroyed; and
  • availability – information is there when you need it.

Hospitals will continue to review, update and further document their security issues, monitor changes, and develop processes to mitigate the problems.  Gap analyses will continue to determine where vulnerabilities are or potentially could occur.  This process will be time consuming, but will enable the hospitals to determine how each system is integrated into their portfolio of systems and applications, and how it will be integrated with new technology.  Most importantly, it will facilitate identification of the detailed process of requesting, securing, and approving access to confidential patient records, systems, or applications.  It will enable hospitals to move forward with other technology enhancements in a secure manner.

Patchwork Security Quilt

As stated previously, security has grown piecemeal as needs have been integrated with system, application, and software program growth.  It is literally a patchwork of various security functions and restrictions, some applicable only to a certain application or software product and some applicable to several applications but not all.  Various security software or SaaS packages have been deployed at different facilities across the United States that provide firewalls, access controls, tracking systems, and various other HIPAA-compliant security capabilities; however, even with all these controls, no one person within a hospital environment is fully aware of all the security requirements, the security structures, the integration of the security network, or whether any of the security network works efficiently and effectively.  Building a basic understanding of the entire network is the basis for developing and improving the entire HIPAA-related security process.  Besides the security built into the hospital systems and their Internet connections, there is still the issue of physical security: theft of, or inappropriate access to, patient information.

Typical Security Queries

The following list provides examples of typical questions that should be addressed about the security of information stored on a laptop, or on an intranet site reachable from the laptop. All of these questions relate to additional time and expense, since an assigned individual must monitor all aspects of this tracking process:

  • Is there an accurate record or log of each piece of equipment referenced at the hospital?
  • Do I know how many of the laptops are portable and used at home?
  • Are personal digital assistants (PDAs) and laptops encrypted and is the employee required to change passwords frequently?
  • Do I know how many of these portable systems are used for personal services?
  • Do I know how many of these laptops are used by family members?
  • Do I know how secure the portable systems are?
  • Do I know if they are just password protected or whether other security measures are in place?
  • Is every piece of equipment accounted for when employees leave, including PDA, laptop, CD, DVD, or other storage devices?
  • Do I know who can access confidential patient information from a remote office or home?
  • Is there a defined process for discarding old computers and old media?
  • Do employees know the hospital’s reporting process if their laptop is stolen or hacked?
  • Is virus and spyware software continually updated?
  • Are employees provided with information on how to secure their laptops or BlackBerry devices?
  • Do employees know what to do when attachments from unknown sources are sent and/or downloaded?
  • Does the employee use home-burned CDs/DVDs on their laptop?
  • Is system backup maintained by every employee?
  • Do employees know to “log off” when leaving their desktop or is there an automatic “log off” capability built within the system?
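Most of the questions above can be answered mechanically once the hospital keeps an accurate equipment register. The script below is an added example, not code from the article: it runs a handful of those checks (owner still on active staff, off-site devices encrypted, signature updates current, password age, automatic log-off configured) over a constructed inventory. The device records, user ids, dates and the policy thresholds are placeholders I made up for the example.

```python
"""Portable-device inventory audit for PHI-bearing equipment.

Added example; not part of the article. The Device records and the
Policy thresholds below are constructed placeholders, not real data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    asset_tag: str
    owner: str                 # user id of the employee the asset is assigned to
    kind: str                  # "laptop", "pda" or "desktop"
    encrypted: bool            # full-disk encryption enabled
    av_signature_date: date    # last virus/spyware signature update
    auto_logoff_minutes: int   # 0 means no automatic log-off is configured
    password_last_changed: date
    offsite: bool              # used at home or from a remote site


@dataclass
class Policy:
    as_of: date                      # date the audit is run
    max_av_age_days: int = 7
    max_password_age_days: int = 90
    max_auto_logoff_minutes: int = 15


def check_device(dev, policy, active_staff):
    """Return the findings for one device; an empty list means compliant."""
    findings = []
    # Every piece of equipment must be accounted for when its owner leaves.
    if dev.owner not in active_staff:
        findings.append("owner no longer on active staff; asset not recovered")
    # Anything that leaves the building with PHI on it must be encrypted.
    if dev.offsite and not dev.encrypted:
        findings.append("portable device used off-site without encryption")
    if (policy.as_of - dev.av_signature_date).days > policy.max_av_age_days:
        findings.append("virus/spyware signatures out of date")
    if (policy.as_of - dev.password_last_changed).days > policy.max_password_age_days:
        findings.append("password not changed within policy period")
    if dev.auto_logoff_minutes == 0 or dev.auto_logoff_minutes > policy.max_auto_logoff_minutes:
        findings.append("no automatic log-off within policy window")
    return findings


def audit_inventory(devices, policy, active_staff):
    """Map asset tag -> findings for every device that fails at least one check."""
    report = {}
    for dev in devices:
        findings = check_device(dev, policy, active_staff)
        if findings:
            report[dev.asset_tag] = findings
    return report


# Constructed sample inventory (placeholder users, tags and dates).
ACTIVE_STAFF = {"rn.jones", "dr.patel", "it.lee"}
POLICY = Policy(as_of=date(2011, 6, 1))
SAMPLE_DEVICES = [
    Device("LT-0001", "rn.jones", "laptop", True, date(2011, 5, 30), 10, date(2011, 4, 15), True),
    Device("LT-0002", "dr.patel", "laptop", False, date(2011, 5, 31), 15, date(2011, 5, 1), True),
    # ex.smith has left; the PDA was never returned and has drifted out of date
    Device("PD-0003", "ex.smith", "pda", True, date(2011, 3, 1), 0, date(2010, 12, 1), True),
    Device("DT-0004", "it.lee", "desktop", False, date(2011, 5, 29), 0, date(2011, 5, 20), False),
]

if __name__ == "__main__":
    for tag, findings in audit_inventory(SAMPLE_DEVICES, POLICY, ACTIVE_STAFF).items():
        print(tag)
        for finding in findings:
            print("  -", finding)
```

The checks are deliberately simple threshold rules; the point is that each question on the list becomes a field in the register plus a rule, so the "assigned individual" reviews a short exception report rather than every device.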

Security Administrators and Managers

Hospitals are employing security administrators and security staff to identify potential risks, vulnerabilities, risk scenarios, and develop policy and procedures to address all of these issues.  HIPAA compliance reviews and approval processes from HIPAA officers or legal counsel will be an added process for the hospital as part of any security consideration.  All of these security review processes, requirements, and staffing represent new and most likely unbudgeted costs with higher-than-anticipated associated costs to the hospital.  Costs need to be based on the affiliated risk, and the associated manpower or technical systems/software required to fix the risk; these indirect costs (i.e., not direct labor costs related to patient care) are being met from the hospital profits.

Risk Assessment Queries

Every covered entity should complete a risk assessment and review it periodically.  Focus areas that need to be addressed in the risk plan include the following:

  • workforce clearance (does the job require access to patient information and is it documented in the job description);
  • training (ongoing awareness and reminders); and
  • termination (what are the processes and procedures for assuring that a terminated employee does not have future access to any confidential patient information).

Today it is important for all hospitals to focus on contingency plans and disaster recovery to prevent any arbitrary loss of patient information.  Hospitals need to plan for and demonstrate that disasters such as Katrina or 9/11 or Japan or Alabama will not affect the security of the systems or access to patient information.

Many hospitals provide routine reviews, and system maintenance and updates to combat potential security problems or concerns with regard to confidential patient information.  However, inadvertent or even intentional changes to systems can cause serious data problems as the data integrates throughout the hospital IT environment.  Security breaches at this level can come from inside or outside the hospital.  They can be malicious or accidental and they can be related to system function disruption or data degradation.  They can relate to potential failures to properly share data and coordinate information.  They can also be the cause of major patient clinical errors, physician dissatisfaction, inaccurate record information, duplication of records, and as always, additional cost to the hospital that must identify the potential breach, develop a solution, and correct the issue at hand.

Main Concern

Direct access to information is probably the biggest security issue.  It affects personnel access to the systems they need in their daily jobs and tends to be poorly controlled.  Because hospitals need to provide access to information, they are sometimes lax about who has that access.  As an example, ask any hospital to not only identify each access user on the system, but also identify who uses each specific application.  Few hospitals have that capability. They would require additional resources to develop not only a major computerized index, but also the time and attention to monitor and to change users’ rights to access.  Many hospitals routinely request that the business or IT manager provide access for new employees that is similar to what another comparable staff person has — not really addressing the particular “right to know” or determining whether the new employee really needs a particular level of access.  Experience within the hospital environment also shows that many of the staff still have the same access to systems that they have had for years, even though they may have changed positions several times.

Finally, many staff have access to confidential patient information, yet few of the hospitals have ever linked this “right of access” to a background check.  Access to the hospital system is given to employees to perform a job.  In turn, the hospital is widely opening its doors to access a wide range of financial or confidential information, or even competitive information.  Many of these hospitals have employed designated staff to change and delete access rights, or allow read-only access, or read/write access; however, vulnerability still can exist.  Security is a trade-off between control and flexibility and there will always be weak points.  For those hospitals that have in place a comprehensive security review process, policy and procedures, and a contingency plan, the risks and liability can be limited.
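The risk-plan focus areas above (workforce clearance, termination) and the access problems described in the previous two paragraphs (access copied from a "comparable" employee, rights kept through several position changes, no index of who uses which application) all reduce to reconciling the access-rights export against the HR roster and a per-role baseline. The script below is an added example, not code from the article or from any product: the employees, entitlements, role names and baseline are constructed placeholders, and the "role baseline" model is my assumption about how a hospital would document what a job description justifies.

```python
"""Access-rights review against an HR roster and per-role baselines.

Added example; not part of the article. Employees, entitlements and the
ROLE_BASELINE mapping below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entitlement:
    user: str
    application: str
    permission: str       # "read" or "read/write"
    granted_on: date      # when this right was granted


@dataclass
class Employee:
    user: str
    role: str
    active: bool              # False once HR has processed the termination
    role_since: date          # date the employee moved into the current role
    clearance_on_file: bool   # background check / workforce clearance documented


# Access each job description actually justifies: role -> {(application, permission)}.
ROLE_BASELINE = {
    "nurse": {("ehr", "read/write"), ("pharmacy", "read")},
    "billing_clerk": {("billing", "read/write"), ("ehr", "read")},
    "it_admin": {("ehr", "read"), ("billing", "read"), ("pharmacy", "read")},
}


def users_per_application(entitlements):
    """Answer 'who uses each specific application?': application -> sorted user ids."""
    index = {}
    for ent in entitlements:
        index.setdefault(ent.application, set()).add(ent.user)
    return {app: sorted(users) for app, users in index.items()}


def review_access(employees, entitlements, baseline):
    """Return (user, application, reason) findings for rights the review cannot justify."""
    by_user = {emp.user: emp for emp in employees}
    findings = []
    # Workforce clearance: anyone holding access should have a documented check.
    for user in sorted({ent.user for ent in entitlements}):
        emp = by_user.get(user)
        if emp is not None and emp.active and not emp.clearance_on_file:
            findings.append((user, "*", "holds access without documented workforce clearance"))
    for ent in entitlements:
        emp = by_user.get(ent.user)
        if emp is None:
            findings.append((ent.user, ent.application, "account has no HR record"))
            continue
        if not emp.active:
            findings.append((ent.user, ent.application, "terminated employee still holds access"))
            continue
        if (ent.application, ent.permission) in baseline.get(emp.role, set()):
            continue  # justified by the current job description
        # Not in the baseline: decide whether it is a leftover from an earlier role
        # or something granted in the current role without a "right to know" check.
        if ent.granted_on < emp.role_since:
            reason = "access carried over from a previous role"
        else:
            reason = "access not justified by current role (possibly cloned from a peer)"
        findings.append((ent.user, ent.application, reason))
    return findings


# Constructed sample data (placeholder user ids and dates).
EMPLOYEES = [
    Employee("rn.jones", "nurse", True, date(2009, 1, 5), False),
    Employee("clerk.ng", "billing_clerk", True, date(2011, 3, 1), True),   # moved here from nursing
    Employee("ex.smith", "nurse", False, date(2008, 6, 1), True),          # terminated
]
ENTITLEMENTS = [
    Entitlement("rn.jones", "ehr", "read/write", date(2009, 1, 5)),
    Entitlement("rn.jones", "pharmacy", "read", date(2009, 1, 5)),
    Entitlement("clerk.ng", "billing", "read/write", date(2011, 3, 1)),
    Entitlement("clerk.ng", "ehr", "read/write", date(2010, 2, 1)),   # nurse-level right kept after the move
    Entitlement("clerk.ng", "pharmacy", "read", date(2011, 3, 2)),    # copied from a "comparable" colleague
    Entitlement("ex.smith", "ehr", "read/write", date(2008, 6, 1)),
    Entitlement("svc.unknown", "billing", "read", date(2011, 1, 1)),
]

if __name__ == "__main__":
    for app, users in users_per_application(ENTITLEMENTS).items():
        print(app, "->", ", ".join(users))
    for finding in review_access(EMPLOYEES, ENTITLEMENTS, ROLE_BASELINE):
        print(*finding, sep=" | ")
```

Two design points: the review treats a permission that exceeds the baseline (read/write where the role justifies read) the same as an application the role should not see at all, and it uses the grant date against the role-change date to separate "never removed" rights from "granted without justification" rights, since the remediation owner differs for the two.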


Regardless of the cost, HIPAA security and privacy regulations have changed the hospital environment.  The hospital and its IT and security staff need to be proactive.  There is simply too much at stake and potentially too many issues where mistakes could cause the hospital a serious system problem or result in a large fine.  HIPAA and the responsibility to provide reasonable patient care risk reduction mandate secure healthcare IT operations.  To do less simply allows patient care and healthcare delivery outcomes to be exposed to unacceptable levels of unnecessary risk.

About the Author

Carol S. Miller has an extensive healthcare background in operations, business development and capture in both the public and private sector. Over the last 10 years she has provided management support to projects in the Department of Health and Human Services, Veterans Affairs, and Department of Defense medical programs. In most recent years, Carol has served as Vice President and Senior Account Executive for NCI Information Systems, Inc., Assistant Vice President at SAIC, and Program Manager at MITRE. She has led the successful capture of large IDIQ/GWAC programs, managed the operations of multiple government contracts, interacted with many government key executives, and increased the new account portfolios for each firm she supported.

She earned her MBA from Marymount University, a BS in Business from Saint Joseph’s College, and a BS in Nursing from the University of Pittsburgh. She is a Certified PMI Project Management Professional (PMP) and a Certified HIPAA Professional (CHP), with a Top Secret security clearance issued by the DoD in 2006. Ms. Miller is also a HIMSS Fellow, Past President and current Board member, and an ACT/IAC Fellow.
