EMR and Privacy

EMR and Privacy: what do we tell our patients?




The widespread adoption of electronic medical records in primary care confronts us with a number of legal and ethical pitfalls, and we must be clear about where our responsibility begins and ends. Our primary responsibility is to document our patient care for the benefit of our patients’ health and welfare. As a byproduct, this includes sharing data not only with them but with third parties, including insurers and public health agencies. Our patients are responsible for supplying us with accurate information that we cannot obtain elsewhere, either because it is subjective (e.g. history of illness) or because it is protected information (e.g. records of treatment outside our office that we have no express permission to access). Our responsibility is to not share any data with third parties without our patients’ express permission (i.e. a signed release of information) unless that disclosure is required by law (e.g. reportable conditions such as communicable diseases or child abuse). Our EMR systems (and, for that matter, records that are not stored electronically but contain personally identifiable health information) are required by the Health Insurance Portability and Accountability Act (HIPAA) to ensure that both the privacy and the security of such information are protected.

Regarding data security, HIPAA does not specify a particular technical solution. The HHS Summary of the HIPAA Security Rule states:

“The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting Electronic Protected Health Information (e-PHI).

Specifically, covered entities must:

1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
3. Protect against reasonably anticipated, impermissible uses or disclosures; and
4. Ensure compliance by their workforce.

The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures, but requires the covered entity to consider:

• Its size, complexity, and capabilities,
• Its technical hardware, and software infrastructure,
• The costs of security measures, and
• The likelihood and possible impact of potential risks to e-PHI.

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.”

This last statement puts us in the difficult position of deciding what technical security measures are sufficient in a world in which even the most highly sophisticated data systems in both public and private sectors have been breached. Within the past month Anthem Blue Cross of Indiana and Premera Blue Cross have reported the theft of both medical and financial data on millions of subscribers.[1] Even as a fairly tech savvy physician, I do not pretend to have sufficient Information Technology (IT) expertise to address this issue; here’s what I am doing currently.

As volunteer medical director for a free clinic for uninsured adults that operates out of a church one day a week and currently uses paper charts, I have recommended that any device containing personally identifiable information (PII) on clients be encrypted and that no email we send to one another contain PII unless it is encrypted. We do have a fax machine (not shared with the church) to communicate with laboratory, imaging, and subspecialist consultants; it uses standard fax protocols, and we do our best to avoid faxing to a wrong number. We have a volunteer counseling service and, after much debate, decided to keep the behavioral health records in the patient folders so that they can be shared by medical staff and the counselors can see the medical data; the counseling staff keep some notes on their own personal devices and have agreed to keep those devices physically safe and encrypted. The room in which the patient files and the fax machine are located is kept locked when the clinic is not in operation, and everyone who has a key to this room has undergone basic HIPAA training and has signed an agreement to abide by HIPAA standards of privacy and security.

I am in the process of introducing an EMR system to this practice and will keep you posted on my progress in future posts.

Charles Sneiderman, MD, PhD, DABFP
Medical Director, Culmore Clinic
Falls Church, VA


Published on April 21, 2015



  1. Petersen A. 2015 is already the year of the health-care hack — and it’s only going to get worse. Washington Post. March 20, 2015. http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/20/2015-is-already-the-year-of-the-health-care-hack-and-its-only-going-to-get-worse/. Accessed April 9, 2015.