What are the privacy and security risks of electronic v. paper health records?

U.S. Department of Health and Human Services

Search
Health Resources and Services Administration HRSA.gov Toolbox
A-Z Index | Questions? | Order Publications

HRSA HomeGet Health CareGrantsLoans & ScholarshipsData & StatisticsPublic HealthAbout HRSA

HRSA Home > Health IT > Toolbox > Health IT Adoption Toolbox > Privacy and Security

About
What are the privacy and ● Share
●

security risks of electronic

● ● ● ●

Health Information Technology Toolboxes help

Health IT Adoption Toolbox

v. paper health records? health centers, safety net providers, and
ambulatory care providers with electronic and
online resources and technical assistance to
improve patient care. More>
Meaningful Use Most privacy and security risks apply to both paper and electronic records.

However, the way that these are exploited and can be mitigated is different.
Quality Improvement More Information
Having a good understanding of risks is important to ensure that an
Financing Get Updates
organization makes informed choices regarding the privacy and security

Staffing and Expertise policies and procedures that they apply. In the sections below, we discuss the Contact Us

risks that are common for both paper and electronic records. We also discuss
Technology Assessment
risks that are different based on the patient record format.
Opportunities for Collaboration

THREE RISKS COMMON TO BOTH PAPER AND ELECTRONIC

System Implementation
RECORDS
Organization Change Management
These include: 1) the risk of inappropriate access, 2) the risk of record
Open Source and Public Domain Software tempering, and 3) the risk of record loss due to natural catastrophes.

Evaluating, Optimizing, and Sustaining

1. The Risk of Inappropriate Access

Personal Health Records
Regardless of format, patient records are subject to the risk of inappropriate
Privacy and Security
access.

Electronic Prescribing

http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/securityrisks.html (1 of 5) [10/21/2011 11:49:51 AM]

What are the privacy and security risks of electronic v. paper health records?

Paper Records

For paper records, the risk materializes in the form of gaining access to record

storage areas; finding records left on counters, exam rooms or copy machines;

receiving misdirected fax copies; and other similar events. Inappropriate

access can be accidental or intentional. Since access to paper records implies

physical access, securing against inappropriate access is accomplished by

segregating records into separate locked storage areas; restricting physical

access to storage areas; recording sign in and sign out procedures; and

maintaining records handling training and other similar procedures.

Electronic Records

With electronic records, inappropriate access manifests itself in one of two

ways: 1) an unauthorized user gains access to the EHR data; or 2) an

authorized user violates the appropriate use conditions. For example, if office

staff access the records of a friend or colleague that visited the practice.

Electronic records can be subject to 'serendipitous' access in situations such

as when a user account is left open or a passerby is able to view data on the

screen or manipulate the EHR features. Electronic records can also be subject

to breaches of network security that may allow a hacker to gain access to user

credentials and thereby to bypass the access control protections.

2. The Risk of Record Tampering

Medical records can be altered in a number of ways, including back dating,

fraudulent entries, erasures, or other modifications.

Paper Records

Anyone who has access to the paper record can remove pages, add entries,

erase or otherwise tamper with authentic entries.

http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/securityrisks.html (2 of 5) [10/21/2011 11:49:51 AM]
What are the privacy and security risks of electronic v. paper health records?

Electronic Records

The ability to make changes to an electronic record depends upon the rights

assigned to a user. Users with data modification privileges can generally add,

delete, or modify data or entire records. Data can also be tampered with by

directly accessing the files stored on the EHR servers using a server account

rather than an EHR user account.

3. The Risk of Record Loss Due to Natural Catastrophes

Fires, floods or other environmental disasters attack physical locations and can

result in the complete loss of both paper and electronic medical records.

RISKS MORE COMMON TO PAPER RECORDS

1. The Risk of Mislabeling Misfiled or Lost Records

Paper records must be manually filed. The shear volume of records increases

the likelihood that records are lost because they are incorrectly filed or never

returned to the file room. On the other hand, electronic records are rarely lost

because they are never removed from the EHR system. EHR records are

indexed in multiple ways allowing for fast searches and accurate retrieval.

RISKS MORE COMMON TO ELECTRONIC RECORDS

1. The Risk of Record Degradation

Paper records deteriorate slowly. With proper storage controlling exposure to

light and humidity, paper records can last for hundreds of years. If necessary,

significantly deteriorated paper records can be copied to create new originals.

Electronic records can degrade catastrophically -- tapes break, a bearing

http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/securityrisks.html (3 of 5) [10/21/2011 11:49:51 AM]
What are the privacy and security risks of electronic v. paper health records?

breaks on a piece of hardware, optical media is scratched. Such failures can

happen at any time without warning. Depending on the type of storage and the

amount of damage, it may be impossible to recover the affected data.

2. The Risk of Technology Becoming Obsolete

Retrieval and use of paper records is not affected by technological changes.

Even where paper records are stored on film or micro-fiche, the expected

technology life cycle is sufficiently long to avoid obsolescence concerns.

Electronic records depend upon computing technologies that have notoriously

short lifecycles. For the past several decades, Moore's Law and its variants

have been operating with respect to computing, storage and networking

technologies. Following such laws, various performance characteristics of new

computing systems double each year or two at a cost of one half that of the

previous generation. This means that during the life of an average medical

record, the computing technologies will have undergone multiple generational

changes. With each technology generation, previous technologies lose market

value and manufactures cease production. This means that the technology

upon which the EHR system depends will become unsustainable as

replacement parts become unavailable and while operating systems and

database platforms lose vendor support.

Developed by the Health Resources and Services Administration as a resource for health
centers and other safety net and ambulatory care providers who are seeking to implement
health IT.

Ask Questions | Viewers & Players | Privacy Policy | Disclaimers | Accessibility | Freedom of Information Act | USA.gov | WhiteHouse.gov |

Recovery.gov

http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/securityrisks.html (4 of 5) [10/21/2011 11:49:51 AM]

What are the privacy and security risks of electronic v. paper health records?

http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/securityrisks.html (5 of 5) [10/21/2011 11:49:51 AM]