Encryption and Electronic Health Records: A Q&A with Paul Fowler (Pt. 1)

In this two-part Q&A blog post, the Axway Editorial Staff talks with Paul Fowler, Axway’s vice president of Healthcare Innovation, about electronic health records and the new HITECH Act.

AXWAY: The compliance deadline for the HITECH Act changes, including the breach notification requirements, is February 17, 2010. How will that affect healthcare professionals starting next month?

PF: The HITECH Act was part of the president’s stimulus bill. What it basically was designed to do was stimulate the adoption of electronic health records (eHR) in the health industry. (eHRs are mandated by 2015.) Like all bills, it covers several areas. In one area, it gives physicians, hospitals and other folks a minor financial stimulus to adopt an eHR system. The healthcare interchanges and the healthcare record companies need to transmit these records to other partners, and to do that, they will need infrastructure, a robust B2B system to act as a backbone. But one of the more interesting things about the HITECH Act is that it puts teeth into the HIPAA law. HIPAA’s been around for years; it specified how eHR should be stored and even how your private health records should not be used. Previously, there was a law that stated that the only time you actually could get caught with a HIPAA violation was if somebody caught you stealing electronic records. The people who had to complain about it were the people victimized by the breach, i.e., the patients. In 99.9% of all scenarios, nobody cares about these breaches, because they simply don’t know; if your medical information gets leaked to a healthcare company, you don’t know it. So this old law had limited penalties. The only time anyone got in trouble was when, for instance, a famous person’s records were revealed and made news. But now, with this new HITECH Act, they’ve increased the fines and created an agency that will actually do an inspection on HIPAA compliance. That’s a law with real teeth, and it’s good for everybody.

AXWAY: What are you seeing hospitals doing to make themselves iron-clad against violating the HITECH Act and HIPAA in general? What are some steps all hospitals should take?

PF: What I’m seeing is that most hospitals are hiring Chief Privacy Officers, senior-level people in the organization, to demonstrate to both the government and the customers that they’re serious about HIPAA and healthcare privacy. Hiring this person is a good start. Second, a hospital needs to do a complete systems review and a technical roadmap and ask themselves, “Where are we relative to this? What is our risk?” These Chief Privacy Officers are really risk managers. They need to do a complete systems audit. Third, they need to safeguard against liability in the event that a partner has a breach. They need to do an extended audit, and have an extensive understanding of the people they’re actually exchanging information with, and ask, “Are they compliant with the information that they’re giving and receiving?” Hospitals need encrypted email, yet the email that comes in and out of the hospital is often not encrypted. Anybody can intercept it. It can be forwarded anywhere. They need the ability to send encrypted email so that they know that if anybody intercepts it, the only people who can read it are the people it’s intended for, the people who could decrypt it.

(To be continued.)


  1. The most beneficial part of an EHR to our health care system will be the information sharing that will be possible with data standards. It will allow doctors from one institution to view and contribute to the records generated at another institution, increasing safety and efficiency. This will also give us information about the effectiveness of our care, which can guide practice and public policy.
