EHR Security Measures, Explained (Or: How I Learned to Stop Worrying and Love the Software)

By: Lisa Morris on April 26, 2018

Too many physicians write off EHR software as counterproductive programs.

It can seem like too much of an inconvenience: you buy new software, then switch all existing patient files over to the new system and change everything about the way patient health information is tracked.

I get it, that’s a lot. But failure to adopt an EHR system will only result in patient privacy violations down the line.

In fact, most EHR systems come with strong security features built-in to help protect patient privacy and prevent data breaches. So physicians who resist adoption of EHR systems are putting their patients’ privacy on the line and will inevitably find themselves in violation of HIPAA regulations.

In this article, we’ll review patient privacy and go through some of the essential features in EHR systems that serve to protect you and your patients.

Patient Privacy Matters

Patient privacy is a big deal. We know it matters to patients because we asked them back in 2015.

Eighty-six percent of respondents expressed some level of concern about a health information security breach. Almost a quarter of patients surveyed (21 percent) said they have withheld personal health information from their doctors due to fear of a security breach that may result in identity theft.

And finally, over half of patients said they would find a new doctor if their current physician’s office suffered a security breach.

Patient Concern Over Health IT Security Breach


Patients Withhold Information Due to Security Concerns


Patient Likelihood of Switching Doctors after a Security Breach


We also know that security is a concern for medical practices thanks to a 2017 Gartner survey on Top Technology Trends.

This was clear when small and midsize health care practices were asked to rank a list of potential roadblocks towards achieving business goals in the coming years:

  • 29 percent selected “using the right technologies” and “complying with government regulations”

  • 18 percent selected “employing data protection and security”


Knowing how patients feel about the risk of a data breach and how physicians feel about adopting new technologies, you might be wondering: Why bother with an EHR at all?

Well, the short answer is because you have to in order to stay eligible for Medicare and Medicaid reimbursement.

The longer answer is physicians who hesitate to adopt EHRs are endangering their practices by risking HIPAA violations—violations that can be easily prevented through the use of certified EHRs that follow protocol automatically and protect users from many common mistakes.

EHR security measures come standard with most systems in the form of features. Here’s where we’ll discuss a few of the most essential security features of EHR systems.

Many EHR Security Measures Come Standard

The main benefit of adopting an EHR is the software’s intrinsic ability to protect you and your patients from data breaches thanks to a few features that come standard with most products. Those features are:

  • ONC-ATCB Certification

  • Audit Trails

  • Password Protection

  • Data Encryption

ONC-ATCB Certification

It’s true that software products in any market will vary in the list of features offered, but physicians are fortunate enough to have the government mandate a few features that IT vendors must provide to all users.

Thanks to these requirements, the first question you need to ask yourself about the system you’re selecting is a simple one: Is the product ONC-ATCB Certified?

This is a straightforward yes or no question for vendors—either their software has been tested and approved by an Authorized Testing and Certification Body recognized by the Office of the National Coordinator, or it hasn’t.

  • If the answer is “no,” you should move to the next product on your list.

  • If the answer is “yes,” you can move forward with evaluating that product.

For reference, all of the products considered for our EMR FrontRunners Quadrant must be ONC-ATCB Certified.

We’ve previously covered the different Authorized Testing and Certification Bodies and what they look for when evaluating EHR systems. To quickly recap, there are three main “checkpoints” products are required to pass in order to become certified. They are:

  • Functionality: Ability to create and manage records for patients.

  • Interoperability: Ability to communicate patient information with other systems.

  • Security: Ability to protect patient information from being stolen or wrongfully shared.

There are almost 400 different criteria being looked at within those three checkpoints, so you can bet any product with this certification has been thoroughly vetted.


Practices that adopt EHR systems without proper certification will have their bottom line affected by not meeting government requirements for certain reimbursement programs. You could also end up paying for a system that doesn’t meet security standards and is therefore more vulnerable to a breach.

Audit Trails

Audit trails provide documentation to keep track of every single action taken with patients’ information by automatically registering and recording who accesses the system, where they are, when they’re accessing and what they do once they’re in.



Compare Products

Audit trail feature within Practice Fusion

By logging all of this information, EHR systems enable users to conduct regular reviews and flag suspicious activity that could lead to HIPAA violations. Reviews can also prevent mistakes caused by human error, which we cover in more detail with the follow-up to this report.

Many EHR systems with auditing capabilities and patient portals can be set up to send notification emails to patients every time their information is accessed. This transparency allows patients to quickly report possible breaches if a notification email is received when they did not log into their account.

As with most things, the sooner you become aware of a problem, the sooner you can fix it—and audit trails will make the fixing a great deal easier.


Practices adopting EHRs with minimal or nonexistent auditing features are automatically making things more difficult. Without this feature, you’ll have to manually record every action taken that deals with patient information or face heavy consequences when—not if—a security breach occurs.

Password Protection

This one might seem like a no-brainer, but it goes beyond simply requiring users to create a password to access their information. Because of the sensitive nature of patient data, EHRs should offer additional access controls such as:

  • Lockout capabilities that will forbid access if the wrong password is entered too many times.

  • Complex password requirements (such capitalization, numbers and special characters) to ensure passwords created for the system will be difficult to guess.

  • Regular password resets to keep old passwords from turning into a potential data breach.

  • Security questions to help further validate users beyond a password.

  • Two-factor authentication to provide an additional layer of security.



Compare Products

Password settings within drchrono’s EHR system

Of course, passwords are another area where human error can cause a lot of problems. And, while you can only do so much to make sure your patients take their passwords seriously, physicians have to accept responsibility for this potential privacy weakness as well.

A study in 2017 found that 73 percent of medical professionals have violated password security protocol by using a co-worker’s password to access their EHR.

Knowing this, you’re naturally going to want to enact a few strict best practices when it comes to using passwords in your own office. For example, you might want to set up password requirements so that when they’re created they are complex and difficult to guess.


If passwords are simple, shared among users or never changed, the odds of accidentally allowing outside access to patient information increases exponentially.

Data Encryption

Encrypting your data can go a little way towards helping cover over any lackluster passwords or sticky notes stuck to computer monitors (though I have to seriously recommend not writing down your password and leaving it where anyone walking by can see).

By coding the information in a way that can only be deciphered by authorized programs or users in possession of the access code, EHRs can make transferring patient data (such as test results or diagnoses to patients via patient portals or medical histories to referrals) safer.

Additionally, encryption can minimize damage in the event your data is stolen. It can also allow for securing information within your office when paired with a role-based access control, so only staff members with clearance can see the decrypted information.

Data encryption is not a required feature for HIPAA certification, but it’s absolutely something you want to look into when evaluating EHR products.

If a software vendor you’re interested in does not offer this security option, make sure you know why—Is it due to cost? Do they use a third-party to encrypt data?—and that you’re happy with their reason for not doing so.


Practices using EHRs without data encryption are most vulnerable when transferring data, which is required for things like treatment plans, referrals and prescriptions. Without encrypted data, hackers or unauthorized users can view and steal patient information.

Next Step: Assess Your Risk

Now that you’re fully aware of the many built-in EHR security measures, you’ll want to begin researching products to find the best system for your practice. First, though, you should conduct a security risk assessment.

HIPAA requires all “covered entities” to conduct one of these security risk assessments at least once a year, or any time changes are made to security protocols.

There are several tools to make these assessments easier, or practices can hire third-party or consultant firms to make the assessment for them. No matter what route you take, your security risk assessment should reveal a few important things:

  • A summary of all the protected health information (PHI) your practice creates, receives or transmits.

  • A list of every location, physical and digital, in which your practice’s PHI is stored.

  • An assessment of your practice’s current security measures.

  • An overview of possible threats/vulnerabilities in your practice’s protocols.

  • The likelihood of each potential threat.

  • An evaluation of the impacts of those potential threats.

Once you determine where your potential problems lie, you can work on establishing a stronger plan to prevent them—whether that means adopting a new EHR system, creating stronger best practices for your team or both.