What You Need to Know About EHRs and Patient Privacy

The electronic health record, or EHR, is a type of software physicians and behavioral health professionals use to track and sometimes coordinate every aspect of a patient’s care over time. An EHR stores all the data relevant to treatment under a specific provider, including problems, progress notes, medications, medical history and more. Since this data is digital, it is easy to share with providers across health care organizations.

As a relatively new piece of technology in development since 1991, EHR has not always been the most user-friendly. However, as EHRs become more common, innovations continue to transform the face of this technology. The best EHR software is intuitive and helps automate access to and entry of patient information, helping to streamline the workflow. The best EHRs also offer assistance with billing and practice management, making them a full-service solution that covers multiple areas.

Because EHRs handle so much sensitive patient information, you must choose one that has all the informational functionality you need while protecting the privacy of your patients. Understanding the benefits and risks of EHRs will allow you to select one that provides the best value for your investment.

Table of Contents

  1. How EHRs Benefit Patients
  2. What are the Risks to Patient Privacy When Using an EHR?
  3. What Systems Are in Place to Manage EHR Risks?
  4. Moving Toward Patient Privacy: The Future of Medical Data

How do EHRs Benefit Patients?

EHRs came about as a way to improve the quality of care patients can receive from doctors and clinicians. The long list of benefits for patients includes:

  • Accurate, complete and up-to-date information at the point of care
  • Fast access to records to facilitate coordinated care
  • The ability to securely share digitized information with patients and other medical or behavioral professionals
  • More effective diagnoses
  • Reduced medical errors and safer care
  • Improved communication between provider and patient
  • Safer and more reliable prescribing
  • Streamlined billing and coding
  • Enhanced security and privacy of medical data

EHRs create a digital ecosystem of information that makes it easier to pass accurate data back and forth. If you have a new patient referred from a local hospital, an EHR allows you to receive their record electronically rather than dealing with snail mail and faxing. The seamless transfer of that data will put critical information in your hands faster. In emergencies, the speed of an EHR can save lives.

An EHR benefits patients in part by giving them easy access to their medical information. Around 70 percent of all patient records have at least one error in them, and most patients whose providers don’t use EHRs will never bother to request a copy of their information. Digitized records have the benefit of being a centralized repository of information. Patients and providers can rest assured there is one copy of each record, and that changes made will be instantly available to all other providers who need to access the information.

What are the Risks to Patient Privacy When Using an EHR?

When used properly, an EHR is the most secure method of storing and transmitting patient data. If the software or processes get mishandled, however, a few risks to patient privacy appear. These three mistakes are the most common sources of regulatory violations and compromised data.

1. Improper Access to Patient Data

Patients’ right to privacy means their health providers will only release their information to other parties if the patient gives permission, or the law allows the release. Preserving this confidentiality means only a small pool of authorized people should be able to access patient information. Authorizing users involves determining who needs what data, and setting up designated usernames and passwords for access to the system.

The system administrator sets basic standards for passwords, usually including minimum length and intervals at which they need to change. An EHR with security features, access privilege and authentication can be partially automated. Removing some of the human responsibility reduces the chance for error. When possible, a second authentication factor like fingerprint recognition dramatically reduces the risk of the wrong person accessing information.

2. Lax Security Practices

Top-tier EHRs help defend against data theft with encryption, but that doesn’t mean practices can afford to relax when it comes to security. In 2015, there were breaches to more than 113 million patient records — and a single attack compromised 78.8 million of those. Health care has historically lagged behind other industries in terms of adopting general cybersecurity best practices, and that can put patient data at risk.

While larger practices have bigger IT teams to keep an eye on cybersecurity, even the smallest should take some necessary security precautions. You would be surprised how many providers fail to keep up with critical patches to operating systems and firewalls. Out-of-date software of any kind creates vulnerabilities that malicious parties can exploit.

Hackers realize the weakest links are usually not systems administrators or other high-level individuals, but other employees who may not have the training to recognize intrusion. Providing basic cybersecurity training to all employees who interact with or are adjacent to patient data helps to minimize the risk of a breach.

3. Failure to Audit Activity

Audit trails are the most potent monitoring tool an organization can pair with their EHR. These programs allow the appropriate individuals to see who has access to information, and what they have done with it. An audit trail tracks all activity within a system with an astonishing degree of precision. They can generate information including:

  • Date and time stamps for all entries
  • Lists of who accessed what records, and for how long
  • Logs of alterations to records
  • Lists of printed information
  • Number of screenshots taken
  • Exact location and machine used for information requests

All this information provides a crystal-clear vision of how health professionals are handling patient data. Providers can set up alerts for specific types of suspicious activity, such as too many screenshots taken within a certain length of time or someone looking at data they lack the authorization to view.

Regular audits give providers insight into how each employee is using patient information. They can alert you to suspicious or insecure patterns of use, and assist in the creation of plans to improve security.

What Systems Are in Place to Manage EHR Risks?

While digitized health records offer substantial increases in quality of care, it’s essential to manage the risks. To protect patients, HIPAA and the HITECH Act place certain regulations on the use of EHRs.

HIPAA Protections

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs how health plans, health care clearinghouses and most health care providers to secure patient data privately. Protected data includes:

  • Any information medical or clinical health care providers put into a patient record
  • Discussions of care or treatment between providers
  • Billing information

Any HIPAA-covered entity must demonstrate they have safeguards in place to protect patient information, and ensure nobody is using or transmitting information improperly. All use and disclosure of data must be limited to the minimum amount necessary to provide treatment. Reasons to share health information include:

  • To coordinate care and treatment
  • To pay providers for your health care
  • To keep designated family and friends aware of your health
  • To protect public health
  • To make legally required police reports

Providers cannot generally share health information with a patient’s employer or sell it for any reason. Providers must be able to restrict who views and alters health information and provide employee training on the safeguarding of health data. In many circumstances, federal law requires health care providers to notify patients if a breach has affected their information.

Patients have certain rights regarding how their health providers share their information. They have the right to:

  • Request a copy of their records
  • Request that you correct their information when appropriate
  • Be notified about how the use and transmission of their information
  • Decide they must approve any use or sharing of their data for purposes like marketing
  • Receive reports on when and why a provider shared their information

If a patient feels they have experienced a violation of their HIPAA protections, they can file a complaint with the Department of Health & Human Services. The top five HIPAA violations to be aware of are:

  • Failure to perform an adequate risk analysis
  • Failure to ensure HIPAA compliance in business associate agreements
  • Failure to use encryption or equally strong security measure on portable devices containing patient data
  • Taking longer than 60 days to issue breach notifications
  • Improper disclosures of protected health information

HIPAA violations can result in severe fines depending on their severity, and the hit to a provider’s reputation can be difficult to recover from.

HITECH Protections

The Health Information Technology for Economic and Clinical Health Act, or HITECH, passed as part of the American Recovery and Reinvestment Act of 2009. The act anticipated the growing adoption rates of EHR in health care, and expanded patient protections set forth by HIPAA. The following three facets of HITECH are the most important for providers using an EHR.

  • Broadened HIPAA enforcement: HITECH implemented mandatory penalties for entities that demonstrate “willful neglect.” These penalties can cost up to $250,000 for a first violation, and up to $1.5 million for repeated infractions.
  • Expanded breach notifications: The act tightens the requirements for breach notifications. Health care providers must notify every patient of any breach of unsecured data related to their protected health information, or PHI. When a breach exceeds 500 records or more, the organization must notify HHS.
  • Health information access: Patients can request their PHI under HIPAA, but HITECH makes it explicit they must be able to access it in electronic form if the provider uses an EHR system.

Comprehensive, quality EHR systems are designed and updated with HIPAA and HITECH in mind. Being able to rely on your EHR for essential compliance minimizes mistakes and takes the headache out of meeting requirements.

Moving Toward Patient Privacy: The Future of Medical Data

The passing of HITECH led to a boom in the widespread adoption of EHR. Among office-based physicians, adoption of EHR systems more than doubled between 2008 and 2017. With this technology situated firmly in the mainstream, it’s worth looking to the future to see how EHRs will develop in the future. Here are three of the top trends to look out for.

  • Richer content: Today’s EHRs mostly reflect the digitization of paper records. In the future, these systems will be able to provide highly nuanced and detailed representations of each patient’s history. EHRs offer enhanced capabilities for photo documentation as well as mapping functionalities to bring a patient’s history together in a clickable, interconnected story.
  • Enhanced diagnosis: Many EHRs are pushing the boundary between recording tool and diagnostic assistant. They may soon be able to analyze massive databases of patients to find information to support provider decisions. A behavioral health professional might be able to use these analysis capabilities to better predict the efficacy of different treatments.
  • Improved patient engagement: Many EHR systems offer a patient portal, which has already made it significantly easier for patients to interact with their information. Future iterations of the patient portal might integrate technology like pre-appointment surveys input directly into the EHR interface.

The future of medical data with EHR systems will also provide better integrations for remote medicine. As home medical devices continue to become more sophisticated, their capabilities may produce valuable medical information for both patients and providers. One example of partnerships between tech and health care entities is the new relationship between Apple and Community Health Systems (CHS).

Apple Health Records is an app that allows patients to receive their health records from CHS-affiliated care and store them securely on their phone with encryption. This go-between app is the perfect example of how EHR systems can give patients better control of their information, and we are likely to see an increase in such apps as EHRs evolve.

Stay Secure With ICANotes Behavioral Health EHR

Keeping your organization’s EHR secure is not a step you can overlook or circle back to later. Preserving the integrity of private health information is crucial to providing the best standard of care, retaining the trust of your patients and remaining compliant with both HIPAA and HITECH.

ICANotes is a behavioral health EHR system that treats HIPAA compliance as a core focus. We stay abreast of all the newest technology to encrypt your data and prevent unauthorized access to your organization’s servers. The ICANotes system provides peace of mind with a suite of industry-leading security features that make compliance easy.

All data within ICANotes remains encrypted, and it’s easy to set up tiered privileges to restrict access to the appropriate parties. Individual authentication with optional biometric backup ensures enforcement of those access controls, and audit trails bring valuable transparency to the whole system. In addition to offering top-tier security built into the program, the ICANotes Behavioral Health EHR offers the most clinically robust system on the market.

Start a Free Trial

Watch a Live Demo


Related Posts

  1. Behavioral Health EHR Adoption Best Practices
  2. How Artificial Intelligence (AI) Impacts Healthcare Technology
  3. How Tech’s Big 4 Could Impact Healthcare IT Usability
  4. Tips for Keeping Patient Records Secure


  1. https://www.aafp.org/practice-management/health-it/product/intro.html
  2. https://www.beckershospitalreview.com/ehrs/medical-record-errors-are-common-hard-to-fix-report-finds.html
  3. https://www.hipaajournal.com/category/healthcare-cybersecurity/
  4. https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
  5. https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
  6. https://www.hipaajournal.com/common-hipaa-violations/
  7. https://dashboard.healthit.gov/quickstats/pages/physician-ehr-adoption-trends.php
  8. http://hmi.missouri.edu/mohit/Behavior_Health_Report_2016.pdf
  9. https://www.healthcareitnews.com/news/community-health-systems-makes-apple-health-records-available-100-affiliated-hospitals