NOV 1, 2011

A Difficult Balancing Act

Earlier this year, Janet Spangler got an object lesson in the tension between data access and security. A new patient at Family Medical Associates of Raleigh (N.C.) toted his own laptop into the exam room, recalls Spangler, administrator at the five-physician group practice. When the physician arrived, the patient, a computer technician, turned his laptop around, revealing that he had just gained access to the group's ostensibly secure wireless network, and then admonished the physician about the need to improve access controls. "We have since modified our wireless system," Spangler says. "But the experience left us uneasy."

No sensitive information was exposed during the interlude, but the episode gives insight into why Family Medical Associates takes what Spangler describes as "a conservative approach" to data access. Not only did the group bolster its firewall against unwarranted outside intrusion, it put limits on what its own staff can see on the EHR, an ambulatory system from Greenway Medical Technologies that has been in place for five years. The practice even takes the extraordinary step of maintaining any employee medical records on paper, in a locked cabinet, and not on the EHR. "We can restrict access to our online charts, but you don't want records inappropriately accessed by other staff," she explains. "We are all for access if it results in better care. But we are quick to limit access if there's a risk of a security breach."

This balancing act between granting access to electronic health records while maintaining their proper security challenges provider organizations industry-wide. The whole point of the EHR is to facilitate access to critical data. Moreover, just about everybody in a provider organization needs access to some portion of the record to do their job, be it patient registration, order entry or discharge planning.

Clear-cut, executive-endorsed data access policies are the first step in finding the elusive balance. And any number of technologies can help the many providers struggling with the issue to bring the policies into reality. The data security arsenal includes tools for data encryption, identity management, and system auditing. Infrastructure set-ups with remote hosting help too, by keeping data from being stored on devices. These tools go a long way in helping providers operate both ethically and legally. Yet the formation of health information exchanges and the proliferation of personal devices represent even greater challenges to keeping health information protected. "It exceeds risk to the company," Spangler says. "We're talking about patients' lives."

Policy formation

At San Diego-based Sharp Healthcare, the balancing act begins with a high-level information security committee that formulates policies in play across the seven-hospital, $2.25 billion delivery system. Highly automated on the clinical front, Sharp runs a common inpatient system, from Cerner; an ambulatory EHR, from Allscripts; and a PACS, from Fuji, says committee member Bill Spooner, who serves as senior vice president and CIO. Also included on the committee are representatives from the medical group, the compliance office, and information systems. "We think through the tougher issues," Spooner says. "And when you get down to the tough issues, it turns into a little politics between top management and the medical staff. Maintaining access and security is a tough balancing act. It's not always a discussion where everybody leaves feeling great."

A couple of years ago, for example, the committee tackled the question of screen time-outs. Thousands of Sharp employees access its clinical information systems on a routine basis. The issue was how long a log-in screen should remain active after a staff member had signed in. "We had intense conversations," says Spooner. On one side, physicians argued that the screens in their offices should stay up indefinitely, since no one else was using the room. Yet physicians take lunch breaks, and their system screens could be inappropriately used by someone else.

"We need some controls," Spooner says. "But you get into a delicate conversation. Should the log-in last for 15 minutes, 30 minutes, or three hours? It's subjective. We're trying to interfere with physicians as little as possible while protecting the organization. But on the part of the user, this is not an objective analysis. It becomes an emotional analysis. People believe the log-in screens get in the way of their productivity." Sharp ultimately opted for 15-minute time-outs, with some variation among workstations deemed as either private or public. "It is tough to administer anything more granular," Spooner says.

At many organizations, education around data security policies begins during orientation and training. Steve Porter, CIO at Phoenix-based Touchstone Behavioral Health, takes new hires right into the EHR audit logs during initial training.

"You have to explain to users that there is a balance between the access they want and security regulations," he says. "When there's a conflict, security always wins." Conducting regular access audits is standard operating procedure at Touchstone, which serves a juvenile population. And showing system users exactly how I.T. conducts the audits reinforces the importance of clinically necessary access, he says.

Role-based access

Upholding a common industry norm, Touchstone grants access to its EHR, from Credible Wireless, based on user role. At Sharp, when the health system deploys new software, the project team responsible for the implementation determines which staff roles need access, Spooner says. Such role-based access depoliticizes a potentially controversial topic, and also reminds staff of the sensitivity of information housed within a clinical I.T. system.

Even at smaller organizations like Family Medical Associates, role-based access is a workable norm. "Physicians get full access and nurses can see just about everything," says Spangler, the administrator. "If you're a billing coordinator, however, your main emphasis is billing. None of the administrative staff has access to the clinical chart. Billers might get access to the superbill, but that's it."

Touchstone is even stingier when it comes to granting access to the clinical portions of its EHR. Touchstone employs some 140 case managers, behavioral health therapists and physicians, CIO Porter says. But clinicians are limited to viewing the records only of their own caseloads. "We assign a subset of our client base to the individual team supervisors," he says. "The team leaders can go in and control which of their staff is appropriate to review the chart. That really locks it down."
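As an added illustration (not code from any of the organizations quoted), here is a small Python model of the two controls this section describes: role-based access to chart sections, as at Family Medical Associates, and caseload scoping managed by team leaders, as at Touchstone, with every decision written to an audit record of the kind Porter walks new hires through. Role names, section names and client ids are assumed for the example.

```python
from dataclasses import dataclass, field

# Role -> chart sections that role may open. Assumed mapping modelled on the
# article's description (clinical chart vs. superbill); not any practice's real config.
ROLE_SECTIONS = {
    "physician": {"clinical", "superbill"},
    "nurse": {"clinical", "superbill"},
    "billing_coordinator": {"superbill"},
    "admin_staff": set(),
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class AccessControl:
    # Caseload assignments: client_id -> clinicians the team leader has marked
    # as appropriate to review that client's chart (constructed sample data only).
    caseload: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def assign(self, client_id: str, clinician: str) -> None:
        """Team leader adds a clinician to a client's caseload."""
        self.caseload.setdefault(client_id, set()).add(clinician)

    def authorize(self, user: User, client_id: str, section: str) -> bool:
        """Role gate first; clinical data additionally requires the user to be
        on the client's caseload. Every decision, allowed or not, is logged."""
        allowed = section in ROLE_SECTIONS.get(user.role, set())
        reason = "role permits section" if allowed else "role does not permit section"
        if allowed and section == "clinical":
            allowed = user.name in self.caseload.get(client_id, set())
            reason = "on caseload" if allowed else "client not on caseload"
        self.audit_log.append({
            "user": user.name, "role": user.role, "client": client_id,
            "section": section, "allowed": allowed, "reason": reason,
        })
        return allowed

    def denials(self) -> list:
        """The records an access audit would review first."""
        return [entry for entry in self.audit_log if not entry["allowed"]]
```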
