8 Malpractice Dangers in Your EHR

Neil Chesanow


August 26, 2014


Passwords Can Be a Problem in Court

Many physicians feel that the security requirements recommended to protect patient records are too onerous. Password sharing is a case in point. Especially in a small practice, where staffers are like family, forcing everyone to use a separate password, and changing passwords at regular intervals, may seem like overkill. Is it a good idea for everyone to use the same password?

The answer is no. Steven Waldren, MD, senior strategist at the American Academy of Family Physicians, recently told Medscape that rather than flying under the radar, small physician practices are among the most vulnerable to hackers and identity thieves.[2]

Employees may be unwitting accomplices by using a password-protected EHR computer to download videos or music during lunch or after hours, creating an open door for hackers -- "a rich new environment for cyber criminals to exploit," according to the FBI.[2] If each staffer has a separate login, the EHR's audit trail shows who did it. If everyone shares one password, the trail points at an account rather than a person, and you have no way to tell.

"Disclosure of psychiatric or sexual histories or other sensitive information ... leads to profound embarrassment, ruined careers, or loss of professional and personal opportunities," Sharona Hoffman writes.[1] "These, in turn, can generate litigation against those responsible for security breaches."

Last April, Medscape reported that physicians can expect criminals to increasingly target their EHRs for patient information that they can sell on the black market for $50 per chart.[2] Identity thieves can use patient data to obtain free medical care, including prescription drugs, or open new credit accounts. They also can use pilfered information about a physician to file bogus insurance claims.

HIPAA mandates that you notify affected patients following the discovery of a breach of unsecured protected health information. "If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its Website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside," the HIPAA Breach Notification Rule says.[3] If the breach affects more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that state or jurisdiction.

Keep in mind that the EHR's audit trail records every entry, correction, or emendation to patient information, along with the date and time it was made and the account that made it. If a password registered to you is used by several staffers, every change they make is logged under your name. It may then look as though you altered patient records in ways you never authorized or even knew about, and you may not learn of it until a plaintiff's attorney raises the issue in discovery.
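The attribution problem in the two paragraphs above can be checked against the audit trail itself. The script below is an added example, not code from the article or from any EHR vendor: it assumes a constructed CSV export with one row per audit event (timestamp, user, workstation, action, patient), finds sessions where the same user ID was logged in from two workstations at once, which is the signature of a shared password, and then lists the chart updates made during that overlap, whose authorship the log can no longer prove. The log format, user names, workstation IDs and patient IDs are all invented for the example.

```python
"""Detect shared-credential indicators in an EHR audit trail.

Added example (not from the Medscape article). The log format is an
assumption: a constructed CSV with one row per audit event and the fields
timestamp, user, workstation, action, patient. Real EHR audit exports carry
more fields, but the idea is the same: find sessions for one user ID that
overlap in time from different workstations, then list the record changes
made during the overlap, whose authorship the audit trail cannot establish.
"""
import csv
import io
from datetime import datetime

# Constructed sample audit export; not real patient data.
SAMPLE_LOG = """timestamp,user,workstation,action,patient
2014-08-26T09:00:12,drsmith,WS-01,LOGIN,
2014-08-26T09:05:40,nurse_lee,WS-02,LOGIN,
2014-08-26T09:08:03,drsmith,WS-01,VIEW,1001
2014-08-26T09:10:55,drsmith,WS-04,LOGIN,
2014-08-26T09:15:30,nurse_lee,WS-02,VIEW,1002
2014-08-26T09:20:17,drsmith,WS-04,UPDATE,1001
2014-08-26T09:22:09,drsmith,WS-01,UPDATE,1003
2014-08-26T09:31:44,drsmith,WS-04,LOGOUT,
2014-08-26T09:45:00,drsmith,WS-01,LOGOUT,
2014-08-26T10:00:00,nurse_lee,WS-02,LOGOUT,
"""


def parse_events(text):
    """Parse the CSV export into dicts, sorted by timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    events.sort(key=lambda e: e["timestamp"])
    return events


def build_sessions(events):
    """Pair each LOGIN with the next LOGOUT for the same user and workstation."""
    open_sessions = {}
    sessions = []
    for e in events:
        key = (e["user"], e["workstation"])
        if e["action"] == "LOGIN":
            open_sessions[key] = e["timestamp"]
        elif e["action"] == "LOGOUT" and key in open_sessions:
            sessions.append({"user": e["user"], "workstation": e["workstation"],
                             "start": open_sessions.pop(key), "end": e["timestamp"]})
    # A LOGIN with no LOGOUT is still open; treat it as ending at the last event seen.
    last = events[-1]["timestamp"] if events else None
    for (user, ws), start in open_sessions.items():
        sessions.append({"user": user, "workstation": ws, "start": start, "end": last})
    return sessions


def find_overlaps(sessions):
    """Return time windows where one user ID was active on two different workstations."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s["user"], []).append(s)
    overlaps = []
    for user, user_sessions in by_user.items():
        for i, a in enumerate(user_sessions):
            for b in user_sessions[i + 1:]:
                if a["workstation"] == b["workstation"]:
                    continue  # the same person re-logging in at one desk is not sharing
                start = max(a["start"], b["start"])
                end = min(a["end"], b["end"])
                if start < end:
                    overlaps.append({"user": user,
                                     "workstations": sorted([a["workstation"], b["workstation"]]),
                                     "start": start, "end": end})
    return overlaps


def unattributable_changes(events, overlaps):
    """Record changes made under a user ID while that ID was logged in from two places."""
    flagged = []
    for e in events:
        if e["action"] != "UPDATE":
            continue
        for o in overlaps:
            if e["user"] == o["user"] and o["start"] <= e["timestamp"] <= o["end"]:
                flagged.append((e["timestamp"].isoformat(), e["user"], e["workstation"], e["patient"]))
                break
    return flagged


def audit_report(text=SAMPLE_LOG):
    """Run the full check over an audit export and return the findings."""
    events = parse_events(text)
    overlaps = find_overlaps(build_sessions(events))
    return {"overlaps": overlaps,
            "unattributable_updates": unattributable_changes(events, overlaps)}


if __name__ == "__main__":
    report = audit_report()
    for o in report["overlaps"]:
        print(f"{o['user']} was logged in concurrently from {o['workstations']} "
              f"between {o['start'].time()} and {o['end'].time()}")
    for ts, user, ws, patient in report["unattributable_updates"]:
        print(f"  {ts}: chart {patient} updated as {user} from {ws}; authorship cannot be proven")
```

On the sample data the physician's account is active on WS-01 and WS-04 at the same time, and both chart updates in that window are flagged, including the one from the physician's own workstation: once two people are working under one account, the log cannot say which of them made which change. Run the same check over a real export periodically; a clean result is the evidence you want to have before discovery, not after.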

