Costa, attorney and associate at Greenberg Traurig, LLP, in Boston, Mass. However, he adds, most of these organizations maintain warehouses where they store paper records that have been transcribed to electronic form. "There is resistance from some about going to a completely electronic format because there are still some questions about privacy," Costa says. "There is definitely still a place for paper-based medical records, but the focus from now on will be on making sure that information can be adequately secured" (Fiske). Frederick Geilfuss, partner in the health law department of Foley & Lardner, in Milwaukee, Wis. says that while many larger providers have already begun the shift, he has not encountered any institutions that have made a complete transition -- an event that he believes is still in the distant future. "There are quite a few doctors out there who are not technologically minded and who prefer paper records," he explains. Changing from paper to electronic records requires organization, as well as technology, because a switch made on a going-forward basis would result in two sets of medical records -- paper and electronic -- with an increased potential for confusion (Fiske).

Health Information Management (HIM) professionals using paper-based systems are confronted by many of the same challenges regarding HIPAA compliance as their colleagues who have switched to electronic records. Although the legislation was originally intended to ensure security and privacy of electronically stored and transmitted information, it has evolved to include all types of communications. "HIPAA extends to any manifestation of patient confidentiality, including what people do in medical offices and what they say about confidential information," explains Henry E. Schwartz, partner in the business and corporate department in the Baltimore, Md., office of Blank, Rome, Comisky, and McCauley, LLP (Fiske).

The HIPAA security requirements for paper-based records are the same as those that apply to oral communications and electronic information, Costa explains. It will be necessary to ensure that the minimal amount of information is disclosed at any time, and providers will need to adhere to restrictions about uses of patient information for medical research and quality assurance purposes. Monetary penalties for noncompliance can range from $10,000 to $250,000, depending upon whether disclosure of information is accidental or for commercial profit, he says. There are also criminal penalties ranging from five to ten years in prison for willful release of patient information without patient consent (Fiske).

While securing paper medical records in either an office or at an off-site facility is often lock-and-key simple, it is always important to monitor and limit employee access to vital and confidential information. "There is really nothing new under the sun, as far as security measures, for paper medical records," says Schwartz. "Medical information has always been confidential, and, in the larger sense, HIPAA didn't change that." Although HIPAA does not specify the means by which requirements must be met, most security measures are simply based on common sense, beginning with an assessment of office practices in order to determine the current state of security for written and oral information, he says (Fiske).

Among the measures that Schwartz recommends are locking medical records files and restricting physical access to them; implementing a policy to ensure that no one enters medical files without authorization and reason to do so; developing a fax policy to ensure that faxed medical information is received by the person for whom it was intended; and, perhaps most simply, not leaving medical files on desks or tables around the office. "It's great that medical records are protected when they are in a storage cabinet," Schwartz comments, "but what happens when someone takes them out to look at them? Does the person leave them lying around while he or she leaves to get a cup of coffee" (Fiske).

As bulky paper records accrue, many healthcare organizations opt to store them in off-site warehouses or storage facilities. Historically, this has not presented any problems of which Schwartz is aware, but he cautions administrators to include security policies in contracts with off-site storage providers. He adds that, when disposed of, paper medical records should always be shredded. "If anyone gets a hold of them," he advises, "they should be unreadable and unrecognizable" (Fiske)

Discussion -- Perhaps EHR's aren't Safe Enough for a National Roll-out?

Will EHR's eventually make patient records safer? The answer, as we will see, is, most likely, yes. However, how do we get there? If we want and need a safer system, we also need a usable, economic system for all types and sizes of medical facilities....

And this country will need solid, well-designed health information technology (HIT) networks to store, distribute, and keep safe all of that private medical information.
As mentioned previously, when President-elect Obama outlined his economic stimulus package earlier this month, he emphasized the need to invest in the healthcare system's infrastructure by pushing for electronic health records (EHR), nationwide: "We will make sure that every doctor's office and hospital in this country is using cutting edge technology and electronic medical records so that we can cut red tape, prevent medical mistakes, and help save billions of dollars each year" (Mahar).

The problem is that the physicians and hospitals who the government expected to invest in electronic health records are least likely to benefit financially. For example, if electronic medical records reduce the number of redundant tests, the insurer and/or the patient enjoy the financial benefit: the physician does not. In fact, if the physician does the tests in his own office, he loses money every time he doesn't need to repeat a test. Over time, health care providers might realize savings from EHRs, but experience suggests that it would take at least ten years (Mahar).

Since insurers would be the first to enjoy savings from more efficient care, it would make sense for them to provide the initial funding for Health Information Technology (it). But so far, relatively few for-profit insurers have stepped up to the plate.

In most developed countries, the government (i.e. taxpayers) has played a major role in developing and funding EHRs. The U.S. decided to wait for market competition to do the job. So far, that hasn't worked out very well, and the new administration seems ready to take a more proactive role. But before making an enormous investment, someone should ask about the state of the art: are EHRs ready for a national roll-out (Mahar)?

The answer, says Dr. Scot Silverstein, the director of Drexel University's Institute for Healthcare Informatics, is No! Over at Dr. Roy Poses' Health Care Renewal, Silverstein has posted an open letter to President Obama, applauding him for the it initiative, but warning that at this point in time "Health Information Technology (HIT) is an experiment" -- at least in the U.S. It is, yet, unproven on a large scale. There have been many warning signs that it is an experiment that could go awry" (Mahar)

Silverstein notes that "after years of effort and billions of dollars spent," the use of HIT in this country remains limited. And where electronic health records are used, "Clinicians (physicians, nurses and others) are struggling to use awkwardly designed HIT, designed as if for quiet, solitary business offices yet costing millions of dollars per hospital."

Silverstein blames information technology experts who do not recognize the difference between healthcare and other industries. They design systems that might work well in a bank but will not cut it in a hectic ER. Silverstein stresses that clinicians must be involved in the design of healthcare it (Mahar).

A 2005 article in the Journal of Biomedical Informatics expands on this point: "Designers of healthcare information technology (HIT) must be exquisitely sensitive to the non-linear, context dependent, fast communication-dependent, interruption-filled, uncertain, and collaborative nature of hospital clinical practice," writes the University of Pennsylvania's Dr. Ross Koppel. The piece concludes: "That some HIT development has occurred without this disciplinary input and wisdom is deeply regrettable (Mahar).

Three years later, little has improved, says Silverstein. Rather than becoming more sensitive to the needs of a hospital, "the healthcare industry and the HIT sector have been reliably tone deaf on these issues, which results in the very low diffusion of HIT. Platitudes, excuses, and blame placed solely on end users (i.e., the clinicians) are the norm" (Mahar).

Yes, a large investment in health it would create jobs but, as Silverstein points out, given the state of vendor-designed EHRs, and the trouble healthcare workers and hospitals are having with them, "While HIT problems may be good for the it and management consulting businesses, they are not good for the healthcare business, already struggling under great financial duress."

If phrases like "HIT hell" and "irrational exuberance" don't give you pause, consider another open letter to the Obama Healthcare Team on TheHealthCareBlog.com (THCB). This missive was penned by David C. Kibbe MD MBA, a Family Physician and Senior Advisor to the American Academy of Family Physicians who consults on healthcare professional and consumer technologies, and Brian Klepper PhD, a health care market analyst and a Founding Principal of Health…