How does an EMR Back up your Data?

The backbone of HIPAA is data backup, recovery, and retention. The advent of cloud-based EMRs has made that process vastly more efficient. Cloud-based EMRs (e.g CarePaths’ eRecord, Valant, etc) that are ONC certified, automatically encrypt and back data up, usually on a continuous or near continuous basis, e.g. every 5-15 minutes. Data is then stored offline in a different physical location and the data is archived. Server farms that meet HIPAA requirements have further security in place.

_Will downloading my data and maintaining it on my local machine, provide me with more protection? _ NO. You cannot make your data more secure by downloading it and archiving it, whether to your local machine or, for that matter, a safety deposit box. There are risks to maintaining your data on your local machine: you could lose your data if your laptop is lost or stolen. In addition, your local machine could be hacked.

Nor are paper files perfectly secure. If you had a patient who was being targeted by the NSA or a hacker, the interested party would theoretically be able to access all phone calls between you and your patient, and, in all likelihood, be able to determine when you saw the patient via the GPS device on the patient’s cell phone. Credit card payments, claims submissions, emails and texts could also be monitored. Bottom line there is no such thing as perfect data security. Even a paper file is not perfectly secure as Daniel Ellsberg would readily attest.

Will downloading my data assure me of greater access to my data?

Yes. The main reason for downloading data is not security; it is having access to it. Maintaining data on your local machine would be helpful if there is a world wide internet meltdown or a local internet outage. While the the data that is archived by your EMR company will almost certainly be recoverable, the issue is immediacy of access. So, for instance, you get sick on the same day your local Internet provider goes down: having access to your patient’s phone numbers would be convenient. So you might want to download your patient’s demographics on some kind of regular basis. Physicians would also likely need access to prescribing information. Most eprescribers (including Carepaths) have a downloadable report of all patients with current medications.

What if I change EMR companies?

Most EMRs enable downloads of demographics via a standard format such as a CSV. Also, current medications can be accessed when changing EMRs via Surescripts. Like a number of other systems, the CarePaths system allows download of financial data. The big problem for most EMRs currently is that there is no easy and standard way to download clinical notes and import them into another system. Most systems require that you print off the clinical notes as PDFs and then upload them to the new system. This is time consuming and is a barrier to users switching systems. CarePaths will be developing a utility in the next year to solve this problem. Suffice it to say, users of EMRs should not be stuck with a system they don’t want because of technological limitations.

What if I close my practice because I retire or win the lottery or become a reality TV star?

In the case of retirement, many clinicians continue to have their data hosted by the EMR company for a nominal fee inasmuch as data storage is relatively cheap. Otherwise, they download their data. Since they need only clinical data, the ONC mandated CCD (continuing care document which includes demographics, diagnosis and medications) is sufficient for that purpose.

What should you do?

Your call. The vast majority of clinicians do not back up their data because that’s a service they pay for! EMR companies are paid to actively manage the archiving of data; that means monitoring back ups, and backups of backups, and monitoring for stability. Moreover, internet access issues are not the risk they once were: the chances of internet outages lasting more than a few minutes or even an hour have decreased in the last several years as ISPs have moved to multiple, redundant fiber optic backbones for their systems. Those who practice in areas where there are serious weather hazards—i.e. Hurricane zones—may opt to download select data (med history, patient phone numbers and emails, etc), if not regularly, then perhaps at certain times of the year.