According to the Initial Set of Standards for Electronic Health Records patients must be provided with their health information (most certainly protected health information -PHI- under HIPAA) electronically and securely within 96 hours.

How to Secure Health Records

You may be wondering how can patient information be secured. The best way to secure information is by encrypting the media. However, note that patients must be able to decrypt the information on their own computer equipment. One of the product Experior Data implements is called PGP Portable. For example, the patient provides a USB drive for you to copy the PHI onto it. PGP Portable encrypts the entire USB device after the information is copied to it. The patient must provide a passphrase during the encryption process. When the patient goes home he/she inserts the USB drive into their home computer and is prompted for the passphrase. After the passphrase is entered access to the patient information is provided.

Related articles by Zemanta

• HIEs are Beginning to Link Patients Directly to their Own Health Data (projecthealthdesign.typepad.com)
• Pushing ONC to Act on Consumer’s Behalf (chilmarkresearch.com)
• Medfusion Maintains Leadership in Patient Portal Performance (medicineandtechnology.com)
• How to Get $20 Billion for Using Electronic Medical Records (blogs.wsj.com)

Web Services At Forefront

If you intend on implementing electronic records and apply for the Electronic Health Record Incentive Program (EHRIP) you must demonstrate “meaningful use” of the electronic health record system. One of the provisions in EHRIP is information sharing. The authors of the EHRIP specifically set out to standardize on two protocols for information sharing:

• SOAP
• REST

Both of these technologies are know as web services. Essentially, web services provide information sharing capabilities using structured data files called XML. The purpose is to use these open standards so that applications developed by different vendors could communicate and share information.

Securing Web Services

In terms of security it is important to ensure that the transmission between applications using these web services is properly encrypted using SSL technology. In addition, considerations should be made to implement network and host intrusion prevention systems to ensure the security and integrity of the systems transmitting the shared information. For example, accepting SOAP requests will require you to set  up a DMZ infrastructure. Servers sitting in the DMZ will need to accept SOAP requests and send them. It is the traffic to and from these servers, and the servers themselves, that need to be protected.

Related articles by Zemanta

• Web Services Hacking And Hardening (slideshare.net)
• The XML Security Relay Race (devcentral.f5.com)
• Health IT Buzz – HHS Launches Healthcare Blog to Communicate with Dr. Blumenthal (ducknetweb.blogspot.com)
• Here’s the rule for meaningful use (clinicalit.blogspot.com)

Filed under “you just can’t make this stuff up” from our friends in Lake Geneva, Wisconsin:

‘ ‘There were two nurses that independently took a picture each of an X-ray of a patient,’ Walworth County Undersheriff Kurt Picknell said.
The patient was admitted to the emergency room with an object lodged in his rectum. Police said the nurse explained she and a co-worker snapped photos when they learned it was a sex device. Police said discussion about the incident was posted on her Facebook page, but they haven’t found anyone who actually saw the pictures.”

Well, contrary to common sense one has to wonder at what point do you say to yourself, “hey, I probably shouldn’t take a picture of an X-Ray belonging to a patient and post it on Facebook”. Although its not known if the X-Ray contained protected health information (PHI), we would venture to say that posting the X-Ray is probably not a good idea. I mean they could have encrypted it!

Related articles by Zemanta

• Medics suspended over Facebook antics (guardian.co.uk)
• NHS staff suspended for playing The Lying Down Game’ (telegraph.co.uk)