Many industries, including healthcare, have undergone a significant digital revolution during the last few decades. Electronic health records (EHRs) are one of the technologies that many healthcare organizations have implemented. Many healthcare practitioners rely on EHRs to access patient information, schedule medications, laboratories, and screening tests, and receive clinical decision assistance to guide the care process. A key issue with electronic health records and the other functions that support patient care is that computer systems and software may sometimes be unavailable. Healthcare practitioners encounter planned and unplanned EHR downtime incidents during which some or all EHR functions are unavailable (Larsen et al., 2017). The purpose of this essay is to evaluate a downtime in an EHR system that affected patient care and caused potential unauthorized access to patient health information. The analysis will begin by describing the EHR downtime scenario regarding HIPAA, legal, and other regulatory obligations. Next, the writer will describe how the scenario ended and provide recommendations for what should have been done. Next will be a presentation of the advantages and disadvantages of technology in healthcare and the professional and ethical principles appropriate to the scenario’s ending. Finally, the writer will summarize the lessons learned from this scenario and reflect on how the new knowledge will impact future behavior as a healthcare professional.
HIPAA, Legal, and Regulatory Discussion
HIPAA establishes rules and regulations that protect the privacy of patients who are clients of a healthcare organization that provides care to them. Health information must be safeguarded and accessed only by a responsible healthcare provider. The HIPAA Privacy Rule outlines various nationwide standards to protect patient health information (Rosenbloom et al., 2019). HIPAA was established in 1996 by the US government through the Department of Health and Human Services (HHS) to develop standard rules focusing on patient information disclosure, ensuring that patient information is safeguarded. Consequently, the Office for Civil Rights (OCR) is mandated to enforce the HIPAA Privacy Rule, which, if breached, can result in civil money penalties or jail terms.
Healthcare organizations are responsible for enforcing and ensuring that their health practitioners observe protocol in securing patient identifiable health information from unauthorized access and use. The HHS has ensured that all hospitals have adopted appropriate privacy policies to assist healthcare practitioners in handling and safeguarding patient information, particularly when utilizing technology for healthcare delivery. Accordingly, hospitals must integrate privacy procedures into their policies and only collect necessary information (Rosenbloom et al., 2019). The minimum necessary standard ensures that healthcare organizations evaluate the practitioner’s practice and ensure limited access to patient information. Moreover, hospitals must seek patient authorization to use their information for treatment, payer processes, and other healthcare operations. Finally, hospitals should train their practitioners on HIPAA rules and regulations. Fostering HIPAA awareness through training practitioners makes them more compliant with HIPAA rules and regulations.
Scenario Ending and Recommendations
In October 2020, Sonoma Valley Hospital, located in California, confirmed the occurrence of a security incident that resulted in an EHR downtime. This event was a network security incident that shut down its computer systems, resulting in a “significant downtime” (Davis, 2020). Files were encrypted with ransomware in an attempt to coerce the hospital into paying a ransom to decrypt them. The incident, part of a larger effort aimed at many healthcare organizations across the US, is thought to have been carried out by a Russian state-sponsored threat actor. According to the hospital’s administrator, the attack was discovered the same day, and the intruders were expelled from the network immediately. The hospital used backups to recover encrypted data; no ransom was paid. However, possible unauthorized access to the protected health information (PHI) of approximately more than 60,000 patients cannot be ruled out (Davis, 2020). Patient information such as patient names, addresses, diagnoses, insurer affiliation, number of claims, and secondary payer data might have been accessed by the attackers.
As the situation evolved, the hospital implemented its business continuity plan, enabling patient care to continue even if its computer systems were unavailable. The hospital’s emergency room continued to function the entire time, and elective and non-elective surgical procedures were still being performed. The incident disrupted a few diagnoses and treatments, but most patients’ diagnoses and treatments remained uninterrupted (Davis, 2020). The patient portal remained operational indefinitely, though new results were not posted for the next two weeks.
Sonoma Valley Hospital has a business continuity plan that effectively backs up its EHR system. However, it could have taken a more proactive approach to safety in its EHR system. Sittig and Singh (2018) provide two recommendations for more proactive safety practices in the EHR age that would have been useful for Sonoma Valley Hospital in mitigating the consequences of EHR downtime. First, the hospital should have established an information technology team to assess and address any downtimes that might have impacted patient data. Most computers that store patient data have internet connections, making them vulnerable to malware attacks. Second, the hospital should have prioritized patient safety concerning health information technology by reorienting its clinical governance structure to facilitate proactive risk assessment. Management should have invested in cybersecurity measures to safeguard PHI from adversaries seeking to hack the EHR system or introduce malware.
Advantages and Disadvantages
Technology is a great asset for healthcare systems mainly because it has facilitated and improved communication between healthcare practitioners and their patients or within interprofessional healthcare teams. Before technology’s introduction in the healthcare industry, there was a high likelihood of miscommunication, owing to many patients visiting the hospital at a time. Electronic Health Records (EHRs) have made it simple for healthcare practitioners to store and retrieve large patient data sets (Wang et al., 2018). Another advantage is that technology has significantly decreased medical errors. Technology has made it easier for healthcare professionals to coordinate electronic prescription filling. Furthermore, technology has simplified information access for healthcare providers. Electronic databases and other resources are available to healthcare professionals, particularly when they intend to learn more about a particular condition or disease.
However, the inappropriate use of technology can compromise healthcare information systems, such as cloud-based EHR systems. Cloud-based EHR systems store PHI on external servers meant for web-based access, meaning that cybercriminals can attack them over the Internet when they identify a security weakness. When an EHR system is hacked, cybercriminals can access sensitive patient information and use it illegally. Next, technology poses challenges for healthcare systems, particularly when there are issues with system unavailability (Larsen et al., 2017). A patient’s life may be endangered due to EHR system downtime since the healthcare provider may not be able to retrieve clear components of the patient’s condition that may be critically required for urgent treatment. Finally, some patients may not be able to access their health information from cloud-based EHR systems because they lack access to the Internet, forcing them to visit the hospital physically, even in cases where it is possible to receive health care remotely through telehealth.
Professional and ethical principles guide the appropriate use of healthcare technology. HIPAA law establishes specific guidelines for safeguarding the privacy and security of PHI, including confidentiality, integrity, and availability (Rosenbloom et al., 2019). Confidentiality entails safeguarding the privacy of PHI. Integrity refers to the procedures to handle PHI to prevent unauthorized changes or destruction. Availability aims to maintain the functionality of the hardware and software used for PHI storage and access. Health care is typically guided by the ethical tenets of respect for autonomy, nonmaleficence, beneficence, and justice (Sulmasy et al., 2017). Respecting autonomy entails giving people the freedom to live their lives as they choose. Nonmaleficence entails stopping oneself from using technology to harm patients. Beneficence entails both using technology to deliver benefits and avoiding harm. Lastly, justice proposes an equitable division of technological resources and responsibilities.
Conclusion and Reflections
Technology has significantly contributed to the improvement of the way healthcare professionals provide care. EHRs, for instance, have made it easier for healthcare professionals to store and retrieve information on many patients. However, technology has some downsides that can cause harm or even result in the patient’s death. For instance, a technological compromise might cause significant incidents like EHR downtime, which could interfere with how healthcare professionals handle and manage patient care. Healthcare organizations should learn about the various issues associated with using healthcare information systems and devise solutions to avoid repeating the same mistakes. This new knowledge will benefit future healthcare practitioners. It will be simpler to choose a suitable healthcare information system to prevent the drawbacks of technology use, understand the errors that technology may introduce, and act per the principles guiding the appropriate use of healthcare technology.
References
Davis, J. (2020, October 27). Security Incident Drives Sonoma Valley Hospital to EHR Downtime. Health IT Security.
Larsen, E., Fong, A., Wernz, C., & Ratwani, R. M. (2017). Implications of electronic health record downtime: An analysis of patient safety event reports. Journal of the American Medical Informatics Association, 25(2), 187–191. doi:10.1093/jamia/ocx057
Rosenbloom, S. T., Smith, J. R., Bowen, R., Burns, J., Riplinger, L., & Payne, T. H. (2019). Updating HIPAA for the electronic medical record era. Journal of the American Medical Informatics Association, 26(10), 1115–1119. https://doi.org/10.1093/jamia/ocz090
Sittig, D. F., & Singh, H. (2018). Toward more proactive approaches to safety in the electronic health record era. The Joint Commission Journal on Quality and Patient Safety, 43(10), 540–547. doi:10.1016/j.jcjq.2017.06.005
Sulmasy, L. S., López, A. M., & Horwitch, C. A. (2017). Ethical implications of the electronic health record: In the service of the patient. Journal of General Internal Medicine, 32(8), 935–939. doi:10.1007/s11606-017-4030-1
Wang, Y., Kung, L., & Byrd, T. A. (2018). Big data analytics: Understanding its capabilities and potential benefits for healthcare organizations. Technological Forecasting and Social Change, 126(1), 3–13. https://doi.org/10.1016/j.techfore.2015.12.019