HIPAA – An opportunity for continuum of care
Healthcare entities and their associates should be embarrassed! Why are healthcare providers not wholeheartedly supporting HIPAA security? HIPAA should be loudly proclaimed from the treetops as an opportunity to make real the promise of continuity of care.
Most Americans believe their health records are shared among their healthcare providers. The caveat to this is that there is a need to protect the confidentiality and security of each individual's health information.
Moreover, clinicians are skeptical about giving up the paper record out of concern that the electronic health record (EHR) might not be readily available. In effect, there is an ongoing dilemma between consumers with concerns for confidentiality and security of their health information, and clinicians with their concern for the availability of the EHR.
A Major Impetus to Achieving EHR
HIPAA should be a major force to achieving the EHR. The EHR provides the basic foundation for a data repository and decision support resource necessary for technologies such as Computerized Practitioner Order Entry (CPOE) and e-communication. In his "Escape Fire – Lessons for the Future of Healthcare," Don Berwick readily articulates that although we certainly need patients and providers to talk one-on-one, that alone is not achieving the communication necessary to eliminate the estimated 98,000 annual preventable inpatient deaths identified in the Institute of Medicine study, "To Err is Human." Clinicians are not doing a good job communicating patient information with each other. They certainly talk to the patient, but "their piece of the pie" is not effectively integrated into the whole patient picture.
When multiple clinicians are involved in the care of a patient, such as physician specialists, pharmacists, nurses, therapists, and dieticians, often the left hand does not know what the right hand has done, or is doing. A simple example is when a drug causes an allergic reaction, and then as others are brought into the case, there is a repeat of the drug – and reaction – all because of lack of communication in the history of this patient's care. This scenario happens when there is no complete and easily accessible patient history.
A supermarket has more of the information it needs to process groceries at the checkout register than a doctor has to take care of illness in the exam room. Disparate and non-interoperative medical records have no standards and no universal unique personnel identifier. What's wrong with this picture?
HIPAA and Best Practice Technologies
The banking industry established the paradigm shift of unique identifiers and security provisions years ago with the ATM card. You can go anywhere and access your banking accounts and review your information. The information is secure and protected. Yes, there is the occasional highly publicized identity fraud case, but the system has adapted to that.
A study by the Massachusetts Technology Collaborative cited the barriers to EHR and CPOE implementation, and it offered solutions to the barriers. Behind all these solutions, although not said by the study, is my strong sense that if covered entities embraced the HIPAA security standards of confidentiality, integrity and availability for electronic protected health information, then we could proceed with universal implementation of the EHR.
Let's get personal. If you were ill, would you not want the provider taking care of you to have your current and complete health history available to them?
HIPAA sets the security standards necessary for consumer and clinician acceptance of protected health information. The information is kept confidential and seen only by those "with a need to know". Its integrity is maintained because it has been encrypted and is auditable through a record of who accessed it. Verifying the information upon entry into the EHR can further enhance its integrity, such as the EHR accepting only lab results within logical test value ranges and medications pertinent to the diagnosis. The protected information is available immediately to all covered entities.
HIPAA security must be accepted as a basic foundation for the EHR. HIPAA's confidentiality, integrity and availability make the EHR "best practice". The EHR will provide the data necessary for technologies such as CPOE to be required as "best practice". All this comes because HIPAA security is "best practice".
Stephen L. Priest, FHIMSS, CPHIMS, teaches graduate courses in health administration at Saint Joseph's College in Maine and at New England College in Henniker, N.H. He recently taught a 30-hour two-week course on HIPAA security. Contact him at www.professorsteve.com and steve@professorsteve.com.