Electronic health records have many advantages, but one of those advantages, easy sharing, also poses a security risk to the facility and to patient privacy. The primary concern with increased file sharing is that it creates more access points to the highly sensitive data that healthcare entities manage. Once a record has been forwarded, downloaded, uploaded or transferred, no single person can monitor or control every place it now lives.

EHRs make information more readily available to doctors, specialists and hospitals, but that also makes it more readily available to attackers and ill-intentioned employees. As portable devices become more common and data is transferred and carried around more easily, theft and loss of that data are likely to become easier and more commonplace.

Many directors and facilities are asking, “What can we do to help protect our patients and company?”

Facilities should have a security infrastructure built with the five following components:

1. Physical Safeguards

Medical facilities and other places where patient data is accessed should be equipped with alarm systems and locked offices. Computer equipment and portable devices used to access EHRs should be fitted with privacy screens that prevent bystanders from reading the display.

2. Administrative Safeguards

Organizations should employ or contract a designated security officer or team to perform workforce training and audits. Other vital steps include controlling who may access what information, periodic security reassessments, monthly reviews of user activity, ongoing staff training, and enforcement of organizational policies.

3. Technical Safeguards

Organizations should require strong passwords, back up data, run malware scans, and encrypt patient data to control access to the EHR. Audit logs should also be kept so that every access to and change of a patient record is attributed to a user and improper changes can be detected; the logs themselves must be protected from tampering, or they prove nothing. This is further reinforced by allowing patient information to be exchanged only over secure, authorized electronic channels.

4. Policies & Procedures

Healthcare facilities should create a set of written policies and procedures to ensure HIPAA Security Rule compliance. These should include documentation of the security measures in place, written protocols for authorizing users, and record retention requirements.

5. Organizational Requirements

An organization's requirements should include a breach notification process and the associated business associate agreements with any vendor that handles patient data; both should be reviewed and updated regularly.
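The Technical Safeguards item above calls for audit logs that show who touched a record and that can reveal improper changes. The following is an added example, not part of the original article and not code from Morgan Hunter Healthcare, showing one way to do that: each audit entry records a hash of the patient record after the action and is chained to the previous entry with an HMAC, so deleting, reordering or editing an entry is detectable, and a record whose current contents no longer match the last logged hash reveals a change that bypassed the audited path. The record layout, user names and the demo key are constructed for the example.

```python
"""Tamper-evident EHR audit trail (illustrative example, not production code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed demo key. A real deployment would hold the audit key in an HSM
# or secrets manager, separate from the application that writes the log.
DEMO_KEY = b"demo-audit-key-do-not-use-in-production"


@dataclass
class AuditEntry:
    seq: int           # position in the log; a gap means an entry was removed
    user: str          # who performed the action
    action: str        # "read" or "update"
    record_id: str     # which patient record was touched
    record_hash: str   # SHA-256 of the record contents after the action
    prev_mac: str      # MAC of the previous entry, chaining the log together
    mac: str = ""      # HMAC over all fields above, keyed with the audit key


def hash_record(record: dict) -> str:
    """Canonical JSON hash so the same contents always hash the same way."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def _mac_for(entry: AuditEntry, key: bytes) -> str:
    body = {k: v for k, v in asdict(entry).items() if k != "mac"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self.key = key
        self.entries: List[AuditEntry] = []

    def append(self, user: str, action: str, record: dict) -> AuditEntry:
        """Log an access or change; call this after every read/update of a record."""
        prev = self.entries[-1].mac if self.entries else "0" * 64
        entry = AuditEntry(
            seq=len(self.entries),
            user=user,
            action=action,
            record_id=record["id"],
            record_hash=hash_record(record),
            prev_mac=prev,
        )
        entry.mac = _mac_for(entry, self.key)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first tampered entry, or None if intact."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_mac != prev:
                return i  # deleted, inserted or reordered entry
            if not hmac.compare_digest(_mac_for(entry, self.key), entry.mac):
                return i  # field edited after the fact
            prev = entry.mac
        return None


def unlogged_change(log: AuditLog, record: dict) -> bool:
    """True if the record's current contents differ from its last audited state,
    i.e. it was modified by a path that did not write an audit entry."""
    for entry in reversed(log.entries):
        if entry.record_id == record["id"]:
            return entry.record_hash != hash_record(record)
    return True  # never audited at all counts as improper


def demo() -> dict:
    """Constructed walk-through: normal use, an unaudited edit, and log tampering."""
    log = AuditLog(DEMO_KEY)
    patient = {"id": "P-1001", "name": "Jane Doe", "allergies": ["penicillin"]}
    log.append("dr.smith", "read", patient)
    patient["allergies"].append("latex")
    log.append("nurse.lee", "update", patient)
    intact = log.verify() is None and not unlogged_change(log, patient)

    patient["allergies"] = []                    # edited outside the audited path
    caught_unlogged = unlogged_change(log, patient)

    log.entries[0].user = "someone.else"          # attacker rewrites history
    first_bad = log.verify()
    return {"intact": intact, "caught_unlogged": caught_unlogged, "first_bad": first_bad}


if __name__ == "__main__":
    print(demo())
```

Reviewing the log monthly, as the Administrative Safeguards item suggests, means running the verification first: an audit trail whose integrity has not been checked cannot tell you whether a record was changed improperly or whether the trail itself was.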

When a healthcare organization or other HIPAA covered entity suffers a data breach, the cost is damaging not only to the entity's bottom line but also to the reputation of its brand.

When a new technology enters the industry, it is not a matter of "if" a data breach will happen but "when." If you need to hire EHR IT professionals who specialize in consulting, assessments, implementations, migrations or upgrades, contact Morgan Hunter Healthcare!