In 2007, the Minnesota legislature passed a law mandating that by Jan. 1, 2015, all health care providers adopt Electronic Health Records (EHRs). A grassroots group of psychotherapists concerned about security of confidential client information challenged the mandate.
The distinguishing feature of EHR systems is interoperability, the capacity to exchange data online with other EHR systems. EHRs thus introduce a critical change regarding the security of client information: large numbers of client records are stored in one place and connected to other similar places. In January 2015, the Office of the National Coordinator for Health Information Technology observed: “As health IT systems have become increasingly connected to each other, cyber threats have concurrently increased at a significant rate. In an interoperable, interconnected health system, an intrusion in one system could allow intrusions in multiple other systems.”
In addition, EHRs share dangers with other types of electronic medical records. For one thing, psychotherapists must surrender physical custody of client files to vendors and IT professionals. Further, though files may be encrypted, encryption does not guarantee security. The weak link is passwords. The February 2015 MIT Technology Review stated: “Encryption is great for securing data in transit and at rest, but if the credentials and keys are compromised it does little to protect the data. . . . It’s ridiculously easy for cybercriminals to find the information they need to compromise almost any organization.”
Passwords are eminently vulnerable to theft. In August 2014, The New York Times reported that Russian hackers had stolen 1.2 billion user name and password combinations.
Methods for stealing passwords proliferate. Keylogging programs that record and transmit keystrokes – say, when entering passwords and other sensitive information – have been infecting computers via malware for years and are evolving.
Now keylogging hardware has been developed that records keystrokes without malware resident on the target computer, meaning data theft can be invisible to security software. For example, researchers at Georgia Tech have used an antenna and receiver to read the idiosyncratic electromagnetic signatures of different keystrokes on a computer in a room nearby.
With cybercriminals becoming more sophisticated, it’s understandable that cybercrime is on the rise. According to PricewaterhouseCoopers’ Global Economic Crime Survey 2016, 54 percent of U.S. companies experienced cybercrime within the last two years, compared with 44 percent within the previous two years.
Further, health care information is an increasingly frequent target. Of the seven largest data breaches of 2015, three were in the health care industry: Anthem, Premera Blue Cross and Excellus BlueCross BlueShield.
Health care information offers several options for cybercriminals: theft of credit information, theft of medical identity (used to pay for expensive procedures) and ransom schemes. In February data files of the Hollywood Presbyterian Medical Center were encrypted by malware and the hospital was forced to pay the hackers in bitcoins to obtain the decryption key.
Following the Anthem breach last February, The New York Times mentioned a worse form of ransomware, particularly worrisome to psychotherapists, in which criminals “threaten to reveal medical information unless they are paid.” Should this become prevalent, the effect of EHRs on client disclosure, already problematic, would be difficult to calculate.
With enormous numbers of providers, provider employees and vendor employees all having access to interrelated EHR systems over periods of years, human error can provide countless opportunities to steal passwords and encryption keys. Further, prior to their discovery, breaches are typically active for months and sometimes years, as in telecommunication giant Nortel’s 10-year breach.
These vulnerabilities affect liability insurance. You may find an exclusion listed on recent renewals of your APAIT Business Office Insurance Policy for “Access Or Disclosure Of Confidential Or Personal Information.”
EHRs are here to stay, and many integrated care settings will choose to adopt them. But it is critically important that psychotherapists stay aware of potential dangers and safeguard their freedom to make informed decisions about client privacy. Mandates to use EHRs, whether by government or managed care, eliminate client choice regarding the security of their most deeply personal information.
So what could you do about a mandate to adopt EHRs in your state? In Minnesota, I wrote a PDF on the subject and emailed it to all licensed psychologists, using a list of email addresses bought from the Board of Psychology. It spread to other psychotherapy professions, and numerous psychotherapists wrote me back expressing strong interest.
I then sought advice from national health care consultant and policy expert Twila Brase, president of Citizens’ Council for Health Freedom (CCHF), who provided expertise, legislative contacts and organization and contributed long hours to our efforts. CCHF is a conservative group and surveys suggest that most psychotherapists are, like me, liberal. In our campaign, opposite sides worked together in common cause. Our Democrat-controlled Senate made it an uphill battle. Democrats were generally uninterested in supporting a proposal that in any way challenged EHRs, a part of the Affordable Care Act. But EHRs are not requisite to the ACA’s basic mission to bring insurance coverage to all.
We also had to act without the support of our professional organizations, which were reluctant to endorse an initiative they worried could compromise the profession’s chances of receiving reimbursement from Medicare or other third party payers. But a broad mandate is not required for interested psychotherapists to choose EHRs and obtain any associated benefits.
Finally, the Minnesota Department of Health, which gathers data from EHRs, mounted a strong effort against our initiative. They distributed a PDF to legislators proclaiming that the mandate did not “require that patient information be placed online.”
Be that as it may, eventually more than 500 psychotherapists and other health care providers joined our campaign, and together we mounted a crusade of opinion-page articles, petitions, an opinion survey, a website and repeated contacts of legislators.
We won a partial victory. In May 2015, Gov. Mark Dayton signed a law exempting from the mandate all individual providers as well as group providers that do not receive third-party payments, such as charity clinics.
The EHR mandate is an example of increasing top-down control of psychotherapy by state and national governments, managed care organizations and professional organizations. These efforts must be balanced against our right and ethical duty to protect our clients and, more broadly, to choose how we practice our profession. We can do much to maintain this balance.
Stephen Huey, Ph.D., is a licensed psychologist in private practice in Minnetonka, Minn. He may be reached at firstname.lastname@example.org.