Has EHR system replacement put your medical practice at risk? If your clinic has recently replaced its practice management or electronic health record (EHR) system, it could be at risk. The risk lies in the strategy you deploy for managing the storage of protected health information (PHI). Legacy PHI includes those patient records “left behind” in the replaced system(s) — all of the data that didn’t convert or migrate into the new, go-forward system. While demographics and other key clinical data points like problems, allergies, medication, immunizations and procedures are often converted to a new system, complexity and cost often prohibit line item financial detail or other clinical data elements from migrating. That leaves legacy PHI at-risk in a “retired” system, often sitting on an aging and vulnerable server. Cybersecurity Risks Increase with Legacy EHR Systems Besides the technical risks associated with trying to maintain outdated systems, there are cybersecurity risks that cannot be overlooked. Black Book Market Research found 93% of U.S. Healthcare organizations surveyed were breached in the past handful of years. And, more than half of those breached organizations were breached again (and even again). While providers of all sizes are at risk, cybercriminals often find smaller healthcare practices to be ripe targets. In fact, more than four out of five physicians have been a victim of some type of cyberattack, with one in three physicians reporting their practice experienced a cyberattack-related business shutdown. The hackers leverage technical vulnerabilities, infiltrate the network and virtually shut down the operation until a ransom is paid or restorative measures can get the practice up and running again. In a HIMSS cybersecurity survey: 69% of healthcare organizations reported they had at least some legacy systems in place. 83% of those still operate with Legacy Windows Servers (e.g., 2003, 2008, 2012, 2016 and XP). Learn more about how to safeguard your legacy health data with our resource: Active Archiving: A Smart Security Move to Protect Legacy Medical & Business Records. What constitutes PHI and how long must it be stored? The United States Department of Health & Human Services defines PHI as “any individually identifiable health information about health status, provision of health care, or payment for health care that can be linked to a specific individual in any form or media.” When it comes to replacing a practice management system, outpatient clinics often don’t consider it necessary to retain financial history. But, according to the definition of PHI above, a patient financial history is considered a part of the legal medical record and should be saved along with other historical clinical data elements for the duration that the state in which you practice medicine requires. That is often a minimum of seven years. Where should historical PHI be stored to comply with medical record retention mandates? To avoid risk and to be compliant with federal, state and agency record retention mandates, legacy systems should be decommissioned and the PHI they contain should be securely archived. Affordable yet secure solutions exist for practices of any size to extract data from a replaced practice management or EHR and migrate it into an electronic archive. This transition of PHI from a full production system into an archive allows the practice to reduce software maintenance payments to the legacy vendor remove aging server(s) from its network and deflect cyber-crimes or data breach consolidate historical patient records and make them accessible over time as employees come and go comply with medical record retention mandates Why active archive versus run legacy systems in read-only mode? As healthcare data volumes continue to surge and the push for secure and inter-operable data continues, it makes sense for your practice to eliminate the risk and hassle of keeping legacy systems up and running in read-only format. Servers age. Software must be patched to meet security requirements and be protected from hackers. Staff members who know how to navigate the old system may leave the practice for a new job. For these and other reasons, legacy practice management and EHR systems pose technical risk for the practice, not to mention cost and labor burden. Should release of information be required to fulfill a request from a patient, lawyer, employer, payer or auditor; the historical medical record must be accessible and easy to share in a HIPAA-compliant format. Secure, compliant, long-term PHI storage in an electronic health data archive solution is not only the right solution for your practice – it’s the right solution for your patients. Preserve their clinical care story and financial history by employing a legacy data management strategy. Get started Now Contact the legacy data management specialists at Harmony Healthcare IT to learn more about medical record retention tools like HealthData Archiver®. Editor’s note: This blog is updated from the original content published in 2018.