Many concerns have been raised about electronic health records (EHRs) over the last several years, but often lost amid the discussion of Meaningful Use is the issue of security. The recent emergence of several news stories over breaches into EHR systems has thrust privacy and security issues into the spotlight and given both users and non-users of the technology much to reflect on.

Breach and Error

Before any individual cases were reported, an article for the website ModernHealthcare.com noted that “nearly 21 million individuals had their medical records compromised in breaches large enough to require public reporting to the Office for Civil Rights at HHS.” Specifically, the article reports that the HHS site lists 477 breaches since September 2009, which have affected more than 500 people. The nature and severity of the breaches likely vary, nevertheless 477 breaches represents a significant number in less than three years, especially when you consider the relatively slow adoption rates of EHRs. Only days after this report, Bloomberg reported a case of cyber-terrorism in which hackers encrypted health records and held data for ransom. The attack occurred against a small practice in a northern Illinois suburb and compelled the doctors to shut down the EHR and report it to authorities. According to Bloomberg, more than 7,000 patients were affected.

Another recent story, although not necessarily related to a security breach, also created headlines regarding EHRs and patient safety. According to the Contra Costa Times, a new computer system at Contra Costa medical facilities recommended what could have been a fatal dose of an inmate’s heart medication. The administering nurse recognized the error and did not administer as the system had indicated. Nonetheless, this case and the recent reports of system breaches remind us that EHRs remain on fragile ground. Indeed, as digital communication and cloud-based servers are used more in both our own industry and others, security will be an ongoing concern that technology companies continue to address. We may be no less secure now than in the paperbased era, but stories like this are a reminder that there will be speed bumps along the way and that what may be a small glitch in a system could have serious implications if an error occurs in practice or if patient records are compromised.

Unfortunately, given how new much of this technology is, enacting specific precautions to protect yourself, your practice, and your patients against malfunction or breach is a challenge. Nevertheless, if you use an EHR or are considering investing in one, learning the company’s security profile is critical. Also, the HHS site offers additional information, including risk analysis guidance and a HIPAA security rule kit that can assist in guiding setting the appropriate measure to avoid instances of breach or patient rights violations.

While the continued emphasis of the discussion regarding EHRs will be on their utility as well as the evolving Meaningful Use rules and guidelines for their use, it is important to remember that security and privacy are also works in progress. Of course, most EHR systems are very safe, however, in the medical world, sometimes all it takes is a small glitch or weakness for something significant to occur or develop. No doubt many of the issues reported recently will be addressed and resolved, but as physicians, it is our job to ensure that we are using these systems in the safest way possible, and that means contacting EHR manufacturers to ensure optimal safety and reliability. As we gain more familiarity with our EHRs and digital means of communicating, we should never forget the underlying importance of these issues in practice.

The Note Cloning Question

Just a few months after reports of EHR security breaches, a recent article in The New York Times has caused another stir regarding EHR use.1 The article spotlighted the controversial issue of EHR “upcoding,” and it appears to have had an impact on regulatory bodies, as both the Department of Health and Human Services (HHS) and the Office of the Inspector General (OIG) have been active in attempting to understand the degree to which note-cloning has affected Medicare payments.

Regulatory Investigation

The primary point of the investigation, as the Times article suggests, is that some clinicians using EHRs may be cloning notes and billing for higher services. An example of this would be if a clinician uses a template note for acne patients and then changes one or two details each time so the notes are not the same. No doubt, “cloning” notes does not constitute sound medical practice, however, the controversy stemming from these recent concerns raises more important questions about the intended use of EHRs. From a regulatory standpoint, it will be difficult to evaluate the longitudinal cost of patients. In other words, it would be easier for regulators to look at one patient’s notes over time, rather than look at one note from all acne patients.

In the immediate future, it remains unclear how HHS and other regulatory agencies will react to this story and how it might affect the current atmosphere surrounding the use and adoption of EHRs. In October, several members of Congress lobbied Director of HHS Kathleen Sebelius to halt all funds to the EHR incentive program in order to deal with the issue. Whether incentive dollars will be delayed is difficult to predict; nevertheless, it is clear that the Federal government is taking the issue of upcoding seriously and will likely issue changes to the program in some capacity. Therefore, clinicians should expect the possibility of audits for EHR-related matters.

Implications for Practitioners

Although we cannot predict what the future holds for EHR incentives and regulation based on these recent events, we can draw some conclusions based on what we’ve seen so far. In a broader sense, the controversy over cloning underscores many of the uncertainties that clinicians have had about the incentive program and the mass adoption of EHRs in the US. While the intent behind the program is respectable, the execution was bound to be haphazard given the shifting conditions on which we define medicine and medical care in the digital age. Apart from any ethical considerations about cloning notes, a very practical issue arises out of where regulators draw the line regarding how cloning is defined. EHRs have a built-in potential to streamline the process of medical care. However, now it appears that regulators are growing uncomfortable with their new reality.

All clinicians should expect greater scrutiny of their EHR records and should avoid any activities that may warrant speculation about whether upcoding is taking place. A note should always reflect the progression of the patient. Though the adjustment to EHRs hasn’t been easy for many clinicians, EHRs afford us many conveniences when it comes to synthesizing and streamlining care for patients. But it bears mentioning that EHRs fundamentally make it easier for physicians to “embellish” a note, since they are built on a certain structure and template. In the future, physicians should be wary about taking certain built-in shortcuts that EHRs may allow.

As for matters of regulation, predicting the government’s actions is always a challenge. Nevertheless, this note-cloning controversy calls to mind the familiar trial attorney mantra: “If it’s not in the chart, it didn’t happen!” But in the digital age, the government may be revising this to: “If it’s in the chart, it may or may not have happened, and it may or may not have been medically necessary.”

Adapted and reprinted from Practical Dermatology 2012.

Mark Kaufmann, MD is co-chair of the Dermatology workgroup for CCHIT. He is on the Medical Advisory Board of Modernizing Medicine.

  1. “U.S. Warning to Hospitals on Medicare Bill Abuses.” By Reed Abelson and Julie Creswell. The New York Times.