Patients trust physicians most to protect personal data
■ Some see electronic medical records as a threat to their privacy, a new survey finds.
Patients trust their doctors over other parties, such as insurers, the government and employers, to protect their health information. But some believe electronic medical records may make their data less secure, according to a survey.
In late January, CDW Healthcare surveyed 1,000 American adults who had visited a physician or hospital in the past 18 months. Sixty-eight percent said their physician office was responsible for protecting their personal health information, and 67% trusted their doctor's office the most to maintain that information. Employers were least trusted, at 7%.
In addition to health information, the majority of survey respondents (79%) said they believed their doctors' offices were responsible for protecting their financial information, personal identifying information (91%) and family information (94%).
When asked what impact EMRs would have on privacy protections, 40% said they would have a somewhat negative effect and 9% said they would have a significantly negative impact. Only 27% said EMRs would have a somewhat or significantly positive effect.
Even though physicians are the most trusted, "they have to be aware that right now your patients have a big, big concern about going to the electronic medical record, and I think part of the onus is on the physician to ease those feelings for their patients," said Bob Rossi, vice president of CDW Healthcare.
CDW has found that many physicians are not equipped to provide the data security their patients expect. The group surveyed 200 physician practices in 2010 and found that 30% did not have basic anti-virus software protection and 34% did not use firewalls.
As many practices begin to adopt EMRs, surveys like this should serve as a warning to physicians that security needs to be a part of the adoption process, Rossi said. And it's something that needs to be continually updated and monitored.
Not protecting patient data could cost practices a lot more than their patients' trust. Under the HITECH Act of 2009, fines for violating HIPAA laws range widely, from $100 to $1.5 million per violation. In addition to federal fines, a 2009 study by the Ponemon Institute placed the average cost of security breaches at $204 per medical record -- $144 in indirect costs, such as lost business, and $60 in direct costs, such as setting up credit monitoring for victims.
The CDW report made recommendations to help physicians protect themselves. Among the recommendations was to take steps to meet reasonable security standards, such as installing firewalls and anti-virus software.
Encryption is another security step that health care organizations often miss. Under HIPAA, if data are stolen but are encrypted, the organization is exempt from fines and from notifying the Dept. of Health and Human Services that a breach occurred.
The CDW report suggests that health care organizations conduct a security risk assessment at least once a year.