(This article is an autorebuttal to my article, Protect Your Client Records: Put Them On the Internet)
I would like to bust a myth (not “mythbust,” of course – that’s copyrighted.) It goes like this:
“Electronic records are safer than paper records because you can’t encrypt paper.”
I think it’s important to understand why this statement is at once totally right and dangerously wrong.
Encryption Is A Strong Tool, But It’s Only a Tool
It is true that if you properly use strong encryption for your electronic info, it is super, extremely, very, very hard for a bad guy to read that info. They would have to bust the encryption to do so.
It is easier to make encryption than it is to break encryption, so those of us who wish to keep our info safe by encrypting it are ahead of the game. Good encryption is hard to get past so long as the owner of the encryption uses and maintains it properly.
The only encryption equivalent for paper is to put it in an extremely strong safe or vault such as a fire safe. That is harder and more expensive to do than encrypting electronic data. Thus you can hear some people saying, “Electronic records are safer because you can encrypt them.”
The problem with this statement is that while it is certainly true from a certain point of view, it ignores the following facts about security:
1) Security measures, such as encryption, need only be used when your identified security risks call for them:
I wouldn’t call the police and ask them to put my client on a hold because he told me he was feeling sad today. The self-harm risks do not indicate such a costly intervention.
Similarly, the real-world risks to paper records usually don’t indicate a need to pay the costs of going electronic so that you can use encryption.
Electronic records almost always call for the privacy protection that encryption provides, especially because good encryption is so low-cost. For paper, any equivalently strong measure would be too costly when compared to the benefits.
If your unique situation (as we are all unique with unique circumstances) is such that your paper records are still under high intrusion risk even when sitting in a double-locked file cabinet, maybe you should consider stronger measures such as a more robust cabinet, an alarm system, or things of that nature. Or you may determine it makes more sense to go electronic so you can access the wider variety of security measures available.
For most of us, however, the risk of intrusion into properly double-locked file cabinets is usually pretty low – largely because the cost to bad guys is bigger than the reward of perpetrating said intrusion.
2) Making a big system change, such as switching from paper to electronic records, only makes sense if you gain real value from doing so:
Implementing a system poorly or with little positive motivation can easily result in a poorly secured system. Additionally, the purpose of security is to support your normal operations by keeping everyone involved in those operations (your clients, you, staff, etc.) safe and working with as few barriers as reasonably possible.
As stated above, properly handled paper records are typically at low enough risk of outside intrusion that going electronic purely for the improved security measures is generally not worthwhile.
Here are some examples of situations where going electronic might be worthwhile:
- You are required by Federal law to use an electronic health record system (most mental health folks are not. See here for more info.)
- You practice in Minnesota as part of a group practice (and thus are required by state law to use an electronic health record system. Not sure what I’m talking about? Go check out Annie Schwain’s e-health seminars at Voda Counseling in the Twin Cities.)
- You work at multiple offices and find yourself transporting paper records a lot. Paper records are at increased risk of loss or theft while being transported. A well-encrypted computer or drive, or keeping your records online, would be a better solution for most people in terms of both security and efficiency.
- You are a traveling therapist who works with clients remotely from wherever the wind takes you. (See point 3 and my raging jealousy for more details.)
- You coordinate care with other clinicians regularly and need to edit the same client record or share records a lot.
- You have handwriting so terrible it isn’t legible even to you (this one just might be autobiographical…)
- You wish to gain the efficiency and convenience of a cloud-based practice management system.
- A third-party payer, EAP, etc. requires you to submit certain items electronically and you need an electronic record system to do it the way they want you to.
- You are storing very sensitive materials, such as credit card numbers or health records of high-security-risk individuals. Here, the added security measures available for electronic records could be desirable, depending on how you feel about the alternative of beefing up the physical security of your office.
If none of these apply to you and you can’t find any new reasons that aren’t on the list, there’s likely no compelling reason to go electronic. Bear in mind, of course, that more and more compelling reasons will be coming our way in the near future.
3) Paper Actually Has Some Security Advantages Over Electronic
Have you ever experienced any of the following?
- The hard drive on your computer spontaneously fails one day without warning, taking all your data with it.
- You “forget” to back up your electronic data for several weeks and then your computer is lost, damaged, suddenly virus-riddled or stolen (along with those three weeks of information!)
It’s easy to forget that security is not only about confidentiality of information but also about maintaining the integrity and availability of that information. In fact, HIPAA requires we do all three of those things.
If you are ill-equipped or simply can’t afford to reliably maintain the integrity of your electronic information, such as by keeping backups and keeping your equipment secure, paper may have some advantages for you.
Paper doesn’t get viruses or spontaneously fail. In fact, if well cared for, paper can last tens or hundreds of years. Most of us only need it for somewhere between 5 and 10 years after termination, however.
Conversely, if your data backup plan and your policies and security measures for protecting your devices all work well for you and are easy enough for you to use, then going electronic can be great.
The Big Synthesis
In the end, the important point is that while encryption is a fantastic tool, please don’t use it as “a solution in search of a problem.” It should only be applied when you find problems that are solved or partially solved by using encryption.
Not everyone is ready to ditch their paper records yet. If you are feeling pressure to do so, please consider your practical needs and requirements rather than ruminate about which is more or less secure.
If you are interested in electronic records, there are a number of resources to help you find the right tools and solutions for you:
- Easy Safe Harbor From HIPAA Breach Notification: Now on Your Computer and Smartphone
- Protect Your Client Records: Put Them On the Internet
- Electronic Health Records in Mental Health: Are They Required or Otherwise Necessary?
- Meaningful Use and Mental Health Professionals (Tame Your Practice)
- Rob Reinhardt’s Reviews of Online Record Systems (Tame Your Practice)
- Therapy Tech with Rob and Roy on Electronic Records (YouTube, 54 min. video)