Hermit’s Pediatrics is a small practice serving the health care needs of children in a small, rural community. The practice has always used paper health records. However, the practice founder, Dr. Melody Hermit, learns that under the American Recovery and Reinvestment Act (ARRA) of 2009, the Centers for Medicare and Medicaid Services (CMS) is offering significant incentives to eligible healthcare professionals who effectively adopt electronic health records (EHR). She sees an opportunity to move into the electronic age.
It takes some time for Dr. Hermit and her staff to get accustomed to using the EHR instead of the paper record, but they quickly see some real advantages. Information in the EHR is always easy to find and is well-organized. Things are going smoothly until one morning when Dr. Hermit and her staff discover that all of their patient records are gone from the EHR. Inadvertently, the system upgrade that was rolled out the night before has overwritten the storage partition containing the records. Luckily, the records had been backed up just before the wipe-out, and are eventually reloaded within a few hours.
Several months later, Dr. Hermit receives an irate phone call from a patient’s mother whose child has been diagnosed with sickle cell disease. The mother’s anger is triggered when a neighbor expresses her sympathy, although the mother has not discussed the diagnosis with anyone. Dr. Hermit questions her staff and learns that the receptionist discussed the child’s diagnosis with the mother’s neighbor after checking his medical records. Dr. Hermit is astounded that the receptionist could even view the patient information, particularly given that the EHR is supposed to be HIPAA compliant according to Planet, the software developer. She is equally surprised when she walks into the reception area only to witness that another patient’s record is in full sight of those waiting for their appointment. To top off Dr. Hermit’s frustration, the Planet software server suffers a malicious software attack. As a consequence, the EHRs of many patients have been compromised, and many others might have been made vulnerable.
Dr. Hermit is now rethinking her decision to adopt an EHR in order to qualify for the incentive payment. The clinic may, after all, be better off using paper records until she retires.
Case Study Questions
1. Hermit’s Pediatrics has experienced risks to information confidentiality, data integrity, service availability, and the business itself. Identify the consequences, the vulnerabilities exploited, and the ways these risks could have been mitigated.
2. What are some of the risks that are not addressed by HIPAA, but that an EHR software subscriber may still need to consider?