Healthcare systems aren't fully implementing voluntary Office of the National Coordinator for Health Information Technology (ONC) guidelines to protect e-health records, according to a new survey by researchers at the University of Texas Health Science Center at Houston.
The report, published in the Journal of the American Medical Informatics Association, found that health organizations have only fully implemented 18% of the recommendations.
The survey authors said that to implement the recommendations, systems need to prioritize and fund them, make policy changes and get vendors involved. They also suggested new national policy initiatives to push health systems to follow the recommendations.
The low compliance rate shows that healthcare organizations have a long way to go to properly protect their patient information. That was already evident given the number of data breaches this year.
More than 200 breaches have been reported this year, including 10 affecting more than 100,000 people each. These cases included hacks, thefts, losses and unauthorized access, impacting providers, payers, business associates and government agencies.
Congress is aware of the problem, which goes beyond healthcare companies, and has introduced legislation that would require companies to promptly report data breaches. Under it, the government would also hold executives criminally accountable.
Dean Sittig, the JAMIA study's lead author, and Hardeep Singh of Baylor College of Medicine created the Safety Assurance for EHR Resilience (SAFER) guidelines in 2014. The guides were created to help healthcare organizations prioritize EHR safety and develop practices to protect information. They include 140 recommendations in nine guides.
The study authors surveyed eight healthcare organizations in the U.S. and Australia to gauge progress. The survey was supported in part by the HHS Agency for Healthcare Research & Quality. The researchers found that companies only implemented 25 of 140 SAFER recommendations.
The systems were most likely to have implemented recommendations in three sections: safe health IT (82% compliance), using health IT safely (73%) and monitoring health IT (67%). The safe health IT domain includes recommendations about data and application configuration backup and hardware systems. It also suggests oversight of EHR downtime and reactivation policies.
Sittig and Singh suggested that possible reasons health systems haven't implemented the recommendations include issues related to funding, personnel skills and organizational priorities.