State Leadership Conference

Electronic health records can improve the accuracy of diagnoses and the quality of treatment, promote coordination among health-care providers, increase clients' participation in care and lower costs.

But there's still a lot of anxiety among psychologists about how to keep electronic patient information safe, Stacey Larson, PsyD, JD, director of legal and regulatory affairs in APA's Practice Directorate, said at APA's State Leadership Conference in March.

Even worse, she said, "electronic health records can't reach their full potential unless both patients and providers are confident that patients' data are private and secure." By their very nature, electronic health records are designed to be "interoperable," meaning they can be shared with other health-care providers. But some psychologists worry that the ease with which information can be shared might mean private patient information gets out to the wrong people, said Larson.

What's more, the terms used to discuss safeguards — such as privacy, confidentiality and security — can be confusing. Larson set the crowd straight: Privacy is the patient's right to determine what is shared or withheld. Confidentiality is the provider's obligation to respect patients' privacy. Security is how to meet that obligation with respect to unauthorized access, through the use of such tools as encryption, access controls and audit functions to see who has accessed what information.

The Health Insurance Portability and Accountability Act (HIPAA) covers electronic health records, and the HIPAA Final Rule — released on Jan. 25 with a compliance deadline of Sept. 23 — makes some enhancements to patient privacy protections, said Alan Nessman, JD, senior special counsel for legal and regulatory affairs in APA's Practice Directorate.

One important change is in the area of breach notification. Following a security breach, such as hacking or laptop theft, practitioners must now conduct a risk assessment to determine the likelihood that protected health information was actually compromised. If that assessment finds the information was likely compromised, they must report the breach to affected patients and the federal government. If the data were encrypted, reporting won't be required in most cases.

The federal government has also ratcheted up enforcement, said Nessman. In the past, he said, the Department of Health and Human Services only enforced major breaches. These days, the department is actively looking for problems. In fact, the government has made examples of a few smaller providers who hadn't made efforts to safeguard information and then experienced a breach.

A big enforcement concern is that some practitioners who use electronic health records don't realize they must comply with the HIPAA Security Rule, too. That rule requires practitioners to conduct a structured risk analysis and establish measures to guard against security risks. Encryption, for instance, is becoming standard practice. The APA Practice Organization has tools to help with Security Rule compliance and will be providing resources for complying with the recent changes.

Another compliance strategy is to take a minimalist approach to clinical record-keeping. If you must keep psychotherapy notes, said Nessman, keep them in a clearly defined part of the electronic health record with a higher level of security, in electronic form outside the electronic health record system or on paper.

There are even simpler things you can do to protect patients' privacy, said Nathan Tatro, the Practice Directorate's project manager for practice research and policy. Set up your electronic health record with "role-based access," which allows staff to access only the information they need to do their jobs. If you're using a mobile device to communicate with clients, limit the patient information you store on it, set your device to lock after a few seconds of non-use and use a password. "I can't tell you how many people I've seen who don't lock their smartphones," said Tatro, adding that there are also apps that can remotely wipe out a phone's content if it is lost or stolen. Also make sure your home and office wireless Internet connections are secure.
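To make the three ideas above concrete (role-based access so staff see only what their jobs need, psychotherapy notes kept in a more tightly controlled part of the record, and an audit function that shows who accessed what), here is a small added example in Python. It is not code from the article, from APA or from any electronic health record vendor. The roles (front_desk, billing, clinician), the record types, the rule that only the authoring clinician may open psychotherapy notes, and the patient and staff identifiers are all assumptions constructed for the example.

```python
"""Role-based access with an audit trail for a small record store.

Added illustration; not the article's, APA's or any vendor's code.
Roles, record types and the "author-only" rule for psychotherapy
notes are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Record classes a practice might keep. Psychotherapy notes are held
# apart from the general clinical record so they can carry a higher bar.
DEMOGRAPHICS = "demographics"
SCHEDULING = "scheduling"
CLINICAL = "clinical"
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"
BILLING = "billing"

# Least-privilege role map (assumed): each role sees only what its job needs.
ROLE_PERMISSIONS = {
    "front_desk": {DEMOGRAPHICS, SCHEDULING},
    "billing": {DEMOGRAPHICS, BILLING},
    "clinician": {DEMOGRAPHICS, SCHEDULING, CLINICAL, PSYCHOTHERAPY_NOTES},
}


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    patient_id: str
    record_type: str
    allowed: bool  # denied attempts are logged too, so reviewers can see them


@dataclass
class RecordStore:
    records: dict = field(default_factory=dict)       # (patient_id, type) -> content
    notes_author: dict = field(default_factory=dict)  # patient_id -> clinician who wrote the notes
    audit_log: list = field(default_factory=list)

    def _permitted(self, user, role, patient_id, record_type):
        if record_type not in ROLE_PERMISSIONS.get(role, set()):
            return False
        if record_type == PSYCHOTHERAPY_NOTES:
            # Assumed stricter rule: only the authoring clinician may open notes.
            author = self.notes_author.get(patient_id)
            return author is None or author == user
        return True

    def _log(self, user, role, patient_id, record_type, allowed):
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, role=role, patient_id=patient_id,
            record_type=record_type, allowed=allowed))

    def write(self, user, role, patient_id, record_type, content):
        allowed = self._permitted(user, role, patient_id, record_type)
        self._log(user, role, patient_id, record_type, allowed)
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not write {record_type}")
        self.records[(patient_id, record_type)] = content
        if record_type == PSYCHOTHERAPY_NOTES:
            self.notes_author[patient_id] = user

    def read(self, user, role, patient_id, record_type):
        allowed = self._permitted(user, role, patient_id, record_type)
        self._log(user, role, patient_id, record_type, allowed)
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {record_type}")
        return self.records.get((patient_id, record_type))

    def access_report(self, patient_id):
        """Audit function: who accessed (or tried to access) what for one patient."""
        return [(e.when, e.user, e.role, e.record_type, e.allowed)
                for e in self.audit_log if e.patient_id == patient_id]

    def denied_attempts(self):
        return [e for e in self.audit_log if not e.allowed]


def demo():
    """Constructed scenario: one patient, a receptionist and two clinicians."""
    store = RecordStore()
    pid = "patient-0001"  # constructed identifier
    store.write("dr_lee", "clinician", pid, DEMOGRAPHICS, "name and DOB (constructed)")
    store.write("dr_lee", "clinician", pid, PSYCHOTHERAPY_NOTES, "session notes (constructed)")

    results = {}
    results["front_desk_sees_demographics"] = store.read("pat", "front_desk", pid, DEMOGRAPHICS) is not None
    try:
        store.read("pat", "front_desk", pid, PSYCHOTHERAPY_NOTES)
        results["front_desk_blocked_from_notes"] = False
    except PermissionError:
        results["front_desk_blocked_from_notes"] = True
    try:
        store.read("dr_kim", "clinician", pid, PSYCHOTHERAPY_NOTES)
        results["other_clinician_blocked_from_notes"] = False
    except PermissionError:
        results["other_clinician_blocked_from_notes"] = True
    results["author_reads_own_notes"] = store.read("dr_lee", "clinician", pid, PSYCHOTHERAPY_NOTES) is not None
    results["denied_count"] = len(store.denied_attempts())
    results["report_rows"] = len(store.access_report(pid))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. Denied attempts are written to the audit log as well as successes, which is what makes the "who has accessed what" review useful for spotting misuse rather than only confirming routine access. And psychotherapy notes get their own check on top of the role map, which is the in-record equivalent of Nessman's advice to keep them in a clearly defined part of the record with a higher level of security.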

Above all, said Nessman, don't panic.

"Security issues for electronic health records can seem complex and daunting; there's all this jargon, so it can feel like 10 techno-geeks got together to write the rules," he said. "My message is that there are simple ways to do it, and we're here to help members do it."

Rebecca A. Clay is a writer in Washington, D.C.