Web-Based Liability in Outpatient Rehab
A leading outpatient EMR advertises the ability to “access your patients’ records anywhere, anytime, from any Internet-enabled device.” Is this convenient? Sure. Is it safe? No.
Practice owners bear enormous liability for breaches of patient health information. For example, the practice owner is responsible for:
- Establishing an internet protocol that clarifies which types of websites can and cannot be accessed
- Establishing internet protocols to define how downloads are approved in advance
- Establishing protocols to define how executable files are approved, prior to being run
- Establishing protocols to define if and how external storage, such as thumb drives, is used
- Establishing adequate antivirus and malware protocols
- Ensuring that patient health information cannot be accessed from any computers that do not comply with everything listed above
If your practice uses a web-based EMR that allows your staff to “access your patients’ records anywhere, anytime, from any Internet-enabled device,” then you, the practice owner, are responsible for everything listed above for any internet-enabled device that any of your employees uses. Anywhere and anytime.
There is no ambiguity in the law: It is your patient health information and YOU are responsible for its security. This is a classic example of the law outpacing certain companies’ technology.
Avoid Web-Based Liability
Systems4PT’s cloud-based access uses a sophisticated and much more compliant approach to patient health information. With our approach, the practice owner decides which computers are allowed to access patient records.
Systems4PT also takes security one step further: through our technology, raw data is never transferred to the local computer. Web-based EMRs, by contrast, use a web browser and, by definition, need to transfer that raw data to your computer to be displayed and edited.
You want convenience. You want to trust that your EMR provider understands Federal law and has your best interests in mind. But accessing patient health information is not the same as navigating to Facebook or opening a weather app.
Given that the practice owner bears civil and criminal liability for breaches of HIPAA law, using a web-based EMR that allows any employee to “access your patients’ records anywhere, anytime, from any Internet-enabled device” is an unacceptable liability.