Your patients may be concerned about the confidentiality and security of their health information in an EHR. Don’t wait for them to ask. Instead, provide them with information about EHRs, especially the benefits EHRs can bring to them as patients. Reassure patients that you have a system to proactively protect the privacy and security of their health information. Your staff should be able to speak to the confidentiality and security of your EHR as well. To preserve good patient relations, follow your policies and procedures for communicating with patients and caregivers if a breach of unencrypted ePHI ever occurs. OCR and most state attorneys general strictly enforce breach procedures. A multi-faceted communications plan will help you avert patient concerns about EHRs and privacy.
- Inform patients that you place a priority on maintaining the security and confidentiality of their health information. ONC and other federal agencies have developed consumer education handouts that you may want to use or adapt.
- Address patients’ individual health information rights, which include the right to access or obtain a copy of their electronic health record in an electronic form.
- Educate patients about how their health information is used and may be shared outside your practice. In some cases, depending on state law and the nature of information you are sharing, you may need to obtain a patient’s permission (consent or authorization) prior to exchanging his/her health information.
- Notify affected patients and caregivers when a breach of unsecured PHI has occurred, in accordance with your updated policies and procedures.

Patient relations on security issues should be an integral part of your overall patient engagement strategy.
Consumer communications should be culturally appropriate. Consider the various languages, communication needs, and trust levels of different patient populations. If a particular group has some distrust of the medical establishment, take extra steps to reassure them that you are safeguarding their information. Be prepared to discuss and answer the questions that concerned patients and their caregivers may have.
Online Communications with Patients. If you plan to interact with patients via online platforms (e.g., email, texting, a patient portal for your EHR, or social media), you must meet the Security Rule and Meaningful Use standards for the secure messaging of ePHI. Remember that a provider who is emailing and texting patients and/or other providers is creating a security risk for the ePHI unless the transmission is encrypted.