Just say 'no' to mixing EMRs, laptops

March 1, 2011

Add this pair of items to the list of bad matches: laptop computers and patients' medical information.

HITECH regulations

"Laptops are sometimes more mobile than we want them to be, and therein lies a problem," Dr. Pass said. "It's very important that optometrists and other health-care providers understand their obligations under the HITECH regulations."

According to the HITECH Act, one obligation providers face is to "utilize technologies and methodologies to protect the electronic transmission of health information from incursion from unintended sources." The information contained in EMRs must be made unusable, unreadable, or indecipherable to the unauthorized. It may be relatively easy to meet these obligations using password-protected computers that contain encrypted data and never leave the office.

Remote homework

Laptop computers present a different scenario. In many cases, an employee who simply wants to do a good job will load EMRs or other sensitive patient information onto a laptop or other mobile storage device to work on at home. While you can't condemn the employee for being hard-working, the risks of allowing employees to do this simply aren't worth it.

"I strongly advise practitioners not to allow any patient information to leave the office," Dr. Pass said. "This means on laptops that can be stolen, or 'jump' or 'flash' drives that can be lost."

Dr. Pass suggested that a better option is setting up a password-protected virtual access network, whereby employees can remotely access information in the office's computer system.

"The information never leaves the office's system. It's not downloaded onto the remote computer. It's not foolproof, but it is safer if employees really must work remotely at times," he said.

Security breech laws

The information on most stolen laptops is usually never accessed, Dr. Pass added. Most computer thieves are simply looking to sell the computer for cash, and will often wipe the computer's memory clean before they sell it. That does not, however, prevent the provider who reports a stolen laptop from being subjected to tedious security breech notification regulations.

Having to notify patients that their personal information may have been stolen is not only harmful to a practice's image and worrisome to patients, it can also be expensive. (HITECH breach notification guidelines and procedures can be found at the HHS Web site, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/).

Security breech laws vary from state to state. Under the "Red Flag" rule, which applies to financial institutions and other businesses, such laws can entail providing credit monitoring services or other safeguards for all individuals whose information may have been breeched.

"There has been a great deal of lobbying to try to eliminate health-care practitioners from having to be compliant with the Red Flag rule," he said. "Much of what that rule covers is already covered by the HITECH Act and the Health Insurance Portability and Accountability Act (HIPAA). But the bottom line is that health-care providers need to be very aware of their responsibility to protect patient information."