6
Finding and Recommendations

Information technology offers many potential benefits to health care. Electronic medical records (EMRs) facilitate cost-effective access to more complete, accurate health data with which providers can make better decisions about patient care. Advanced communications networks can enable the sharing of data among distributed elements of integrated health care delivery systems and can enable telemedicine programs to overcome geographic boundaries between patients and providers. Electronic data processing techniques can enable managed care providers, health services researchers, and public and private oversight organizations to conduct more sophisticated analyses of health care utilization and outcomes. Electronic billing and administration systems may help reduce the administrative costs of health care. Computer-based decision support tools can help reduce variation in health care quality across providers, improve adherence to standards of care, and reduce costs by eliminating duplicative or nonefficacious tests and therapeutic procedures.

To obtain the benefits of electronic medical records, the nation must address and mitigate concerns regarding the privacy and security of electronic health care information. As the recommendations in this chapter describe, health care providers have to adopt a range of technical and organizational practices to protect health care information, and the health care industry will have to work with government to create a legal framework and proper set of incentives for heightening interest in privacy and security and for ensuring industry-wide protection of health information.

This chapter summarizes the committee's principal findings and pre-



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 160
--> 6 Finding and Recommendations Information technology offers many potential benefits to health care. Electronic medical records (EMRs) facilitate cost-effective access to more complete, accurate health data with which providers can make better decisions about patient care. Advanced communications networks can enable the sharing of data among distributed elements of integrated health care delivery systems and can enable telemedicine programs to overcome geographic boundaries between patients and providers. Electronic data processing techniques can enable managed care providers, health services researchers, and public and private oversight organizations to conduct more sophisticated analyses of health care utilization and outcomes. Electronic billing and administration systems may help reduce the administrative costs of health care. Computer-based decision support tools can help reduce variation in health care quality across providers, improve adherence to standards of care, and reduce costs by eliminating duplicative or nonefficacious tests and therapeutic procedures. To obtain the benefits of electronic medical records, the nation must address and mitigate concerns regarding the privacy and security of electronic health care information. As the recommendations in this chapter describe, health care providers have to adopt a range of technical and organizational practices to protect health care information, and the health care industry will have to work with government to create a legal framework and proper set of incentives for heightening interest in privacy and security and for ensuring industry-wide protection of health information. This chapter summarizes the committee's principal findings and pre-

OCR for page 160
--> sents recommendations for improving the privacy and security of health information. Although a number of the recommendations are directed specifically to electronic health information, many are equally applicable to the protection of paper records. Findings And Conclusions Finding 1: Information technology is becoming increasingly important in improving the quality and lowering the costs of health care; attempts to protect patient privacy must therefore center on finding ways to protect sensitive electronic health information in a computerized environment rather than on opposing the use of information technology in health care organizations. As the site visits conducted for this study attest, the shift to integrated health care delivery systems and managed care creates a growing demand for electronic health information and for data networks capable of transferring data within and across organizations. Electronic health information allows such organizations to better analyze data for such purposes as improving care, monitoring the quality of care, analyzing the utilization of health care resources, and managing health benefits. Care providers claim that the availability of health information on-line helps them enhance the quality of health care delivery, as well as its efficiency. Patients will see the advantages of integrating and sharing data across the institution as they begin to receive a greater proportion of their care within integrated delivery systems. The application of information technology to health care is expected to help reduce the cost of administering care. Each of the organizations visited as part of this study has ongoing programs to expand the use of information technology for clinical care and administration; all reported positive benefits of such applications. As long as health care organizations continue to find value in these activities, whether by improving the quality or reducing the costs of care, strong incentives will exist to pursue them. Thus, although opposition to the use of electronic medical records may succeed in delaying their widespread adoption, in the long run expectations of enhanced quality and improved efficiency, combined with economic pressures, are likely to dominate. From a policy perspective, it therefore makes far more sense for the health care system to find ways to handle legitimate privacy and security concerns without foregoing the benefits of information technology. Furthermore, properly implemented EMRs offer great potential for improving the security of health information and the privacy of patients. EMRs allow the use of technical mechanisms to either impede unauthorized access or deter potential abuses. For example, authentication and access control technologies can help ensure that access to health informa-

OCR for page 160
--> tion is limited to people with a legitimate need to know. Audit logs can be used to keep a record of accesses to electronic records to detect abuse. Encryption can be used to keep health information secret as it is transmitted between users. Although none of these measures can guarantee absolute security, they provide a wide range of tools to ensure authorized access and use of health information. As a result, EMRs should not be viewed as a way of undermining patient privacy but as a means of enhancing patient privacy by improving the security of health information. Finding 2: Health care organizations need to take a more aggressive approach to improving the security of health information systems in order to better protect electronic health information. Little is known about the extent of existing violations of privacy and security in the health care industry. Although some sites were aware of some cases in which authorized users had intentionally or unintentionally released health information inappropriately (from both electronic and paper record systems), the sites visited as part of this study reported no incidents in which outside attackers breached system security and produced large-scale violations of patient privacy. Most health care organizations therefore continue to perceive insider abuse as the primary problem to be solved; however, evidence from other industries indicates that organizations with Internet connections or other kinds of remote access (e.g., modem connections) are prone to outsider attacks.1 As health care organizations put more information on-line and begin to transmit patient information electronically, they will have to ensure that adequate security protections have been developed to protect against new vulnerabilities. Finding 3: Health care organizations have been slow to adopt strong security practices, due largely to a lack of strong management and organizational incentives; no major breach of security has occurred that has catalyzed such efforts. Thus, the information technology vendor community has not found a market for providing security features in health information systems. Although health care organizations are committed to ensuring privacy and security, the need to ensure access to information for the provision of care often works against having strong access controls and other security mechanisms. For example, hospitals often choose to allow physicians to access the health records of all patients, rather than 1   According to one recent survey, nearly 25 percent of attacks against information systems that led to significant loss were due to outsiders. More than 50 percent of the survey's 1,320 respondents reported significant losses within the past two years. See Violino, Bob. 1996. "The Security Facade: Are Organizations Doing Enough to Protect Themselves? This Year's IW/Ernst & Young Survey Will Shock You," Information Week, October 21.

OCR for page 160
--> just their own, so that they can be certain to have access to needed information in an emergency. Concerns about the supposed inconvenience of using token-based authentication systems have led many health care organizations to rely on more convenient log-in IDs and passwords for authenticating users of health information systems. Even in cases in which security mechanisms would not necessarily impede provision of care, however, health care organizations have not always implemented strong security. Many organizations do not maintain audit logs of accesses to clinical information, nor have they developed tools or procedures for systematically reviewing the logs. Lack of security results, in large part, from a lack of strong incentives to improve it. In the absence of a widespread, public catastrophe regarding information security, many health care organizations reported that they believe the risk of a major breach of security is low and that they could survive a major event without significant consequences. Without strong legislation or enforceable industry standards, few penalties will exist for lax security.2 Although patients may sue organizations for damage resulting from alleged breaches of privacy, such suits appear to be infrequent and have not attracted much attention. Hence, most health care organizations have, to date, dedicated the vast majority of their information technology resources to expanding the functionality of health care information systems rather than to protecting the systems that are in place. System security does not improve the financial position of most health care organizations. In the more advanced organizations, security practices do not match those widely found in other industries, and in less advanced organizations, even elementary security practices have not been implemented. Several major vendors of health care information systems reported to the committee that lack of demand by health care organizations has stifled the supply of advanced security features in health care information systems. Since health care organizations do not reward them for including security features in their products, vendors have limited incentive to offer them. Finding 4: Patients have important roles to play in addressing privacy and security concerns. Patient concerns and expectations often set the standard for health care organizations; health care organizations must anticipate and respond to such expectations in order to survive in an increasingly competitive environment. Thus, patients who are knowledgeable about (1) the consent they give providers to disseminate data, 2   The Health Insurance Portability and Accountability Act of 1996 contains penalties for violation of privacy and security standards that have yet to be developed.

OCR for page 160
--> (2) overall flows of information within the industry, and (3) their legal and regulatory rights to privacy are in the long run an asset to an organization wishing to promote an internal culture that takes its privacy and security responsibilities seriously. Increasing the coupling between patients and provider organizations (e.g., through membership on key committees, messages sent to patients about privacy and security, and full disclosure of data flows) will ultimately benefit the organization. Most patients and consumers are either unaware of or unconcerned about the uses to which their health records are put and the many organizations that possess their health information. Privacy and consumer advocacy groups that have a better understanding of data flows have yet to articulate a consistent position on privacy and security requirements and, until recently, have had limited influence on the legislative process. As a result, patients have little control over the ways in which information about their health is collected, used, or disseminated. For patients to feel comfortable providing personal health information to a care provider, they may need greater authority in helping to determine rules regarding the privacy of health information. Finding 5: The greatest concerns regarding the privacy of health information derive from widespread sharing of patient information throughout the health care industry and the inadequate federal and state regulatory framework for systematic protection of health information. The current structure of the industry gives care providers, payers, pharmaceutical benefits managers, equipment suppliers, and oversight organizations a variety of incentives to collect large amounts of patient-identifiable health information (e.g., clinical data). The increasing emphasis on controlling costs and quality and on improving the marketing and sales of related products and services (e.g., medications) further boosts the economic value of such information. Although these data are collected for a variety of legitimate purposes, few controls exist to prevent such information from being used in ways that could harm patients or invade their privacy, and no national debate has occurred to determine what the appropriate uses of health information should be. The existing legal and regulatory framework for protecting patient-identifiable information forms a patchwork of protection that is insufficient in an age of increasing interstate data transfers and of health care delivery systems that span state boundaries.3 Federal laws protect mostly data in the control of the federal government, while state laws provide inconsistent 3   See Schwartz, Paul M. 1995. "The Protection of Privacy in Health Care Reform," Vanderbilt Law Review 48(2):310.

OCR for page 160
--> protection and often apply only to limited kinds of health information. In some instances, federal law facilitates the private-sector collection of patient-identifiable health information (e.g., the federal Employee Retirement and Income Security Act, or ERISA, allows self-insured employers to collect such information on their employees by preempting state laws). As a consequence, many organizations within the health care system are free to collect and use large amounts of patient-identifiable health information for purposes that suit their economic interests, and patients lack legal standing to bring suit against those they allege have breached their privacy. Data collected for one benign and stated purpose can be used for different, unstated purposes that may run contrary to the interests or understandings of the parties from which the data were collected. For example, self-insured companies that request patient data to monitor benefits programs have few legal constraints to prevent them from using such information in employment or promotion decisions. In organizations that are subject to formal privacy protections, such as hospitals with mandatory institutional review boards that oversee research uses of health information (see Chapter 5) and government agencies subject to the Privacy Act of 1974 (see Chapter 2), privacy concerns seem greatly diminished. These types of structures appear to have been effective in ensuring uses of health information that are consistent with privacy concerns. Finding 6: Within individual organizations, electronic health information is vulnerable to both authorized users who misuse their privileges and perform unauthorized actions (such as browsing through patient records) and outsiders who are not authorized to use the information systems, but break in with the intent of malicious and damaging action. Health care organizations have been working for many years to develop mechanisms for protecting health information (in both paper and electronic form) from abuse by authorized users, but they must continue to strengthen their protections by, for example, implementing auditing capabilities and strengthening disciplinary sanctions. As with other types of organizations, health care organizations will become more vulnerable to attacks by outsiders as they expand their networking activities. System vulnerabilities are not limited to breaches of privacy. If realized, the most serious vulnerability might well be a skilled individual with malicious intentions who can "crash" an important health information system and deny service to health care providers that rely on that system.4 4   Of course, this is not unique to health information systems; the threat of outside attackers crashing a system is present in many other industries as well.

OCR for page 160
--> Finding 7: Adequate protection of health care information depends on both technical and organizational practices for privacy and security. Although no set of mechanisms can make organizations impervious to malicious attack or inadvertent breaches of security, a suitably crafted set of technical and organizational practices can be designed to protect health information effectively. Technologies such as tokens, log-in IDs, and passwords can be used to authenticate, or verify the identification of, users. Access control techniques can be used in combination with a well-managed information repository to limit the types of data that individual users can read, enter, or alter and the types of functions they can perform. Audit trails can record all transactions that access patient information. Encryption can be used to protect log-in IDs, passwords, databases, or information transmitted over open communications systems. Public-key cryptography tools can ensure information integrity, user authentication (for digital signatures and nonrepudiation), and audit trails. The use of these technical measures can provide reasonable security for most health care applications but does not guarantee invulnerability against all technical attacks. Organizational policies and practices are at least as important an element of security. Organizations need explicit policies governing the privacy and security of health information. Practices and procedures flow from these policies. The health care industry employs millions of workers who routinely handle patient-identifiable information as part of their jobs. They have more opportunities to disclose information inappropriately than do outsiders, and their jobs are challenging and frequently changing. Organizational mechanisms are needed to ensure that employees, medical staff, contractors, and vendors properly protect health information. Policies are needed to specify the formal structures, ensure responsibility and accountability, establish procedures for releasing information and assigning access privileges, create sanctions for breaches of security at any level of the organization, and require training in the privacy and security practices of an organization. The culture of the organization—dependent on, but not necessarily determined by, its senior leadership—establishes the degree to which employees take their security and confidentiality responsibilities seriously. Commitment of organizational resources not only helps establish organizational culture but also ensures that funds are available for salaries of security officers and staff, for procurement of adequate technical security mechanisms (e.g., firewalls), and for studying vulnerabilities and required practices.

OCR for page 160
--> Recommendations As the findings above indicate, attempts to improve the protection of health information need to address privacy and security concerns at both the organizational and the national or industry-wide levels. Organizations need to improve their internal mechanisms for handling health information, and the health care industry as a whole needs to improve its practices for controlling and enforcing systemic uses of health information. In the absence of strong business motivations and economic pressures to improve privacy and security, other forces may be necessary to promote change. These include industry-wide efforts to develop sound practices for protecting health information, initiatives to better educate patients about health data flows, or government regulation or legislation to provide patients with enforceable rights to privacy. Educating the public may also be an effective option for prodding organizational leaders to place a higher priority on privacy and security needs, though to date such efforts have not proved effective. Legislative initiatives have been stymied by an inability to achieve national consensus, and standards organizations are fragmented and lack sufficient authority to promulgate or enforce standards for privacy and security. The recommendations below outline the roles of health care organizations, the health care industry, and government in improving privacy and security practices within individual health care organizations, creating the industry-wide infrastructure needed to develop and encourage adoption of stronger privacy and security practices, addressing systemic issues related to privacy and security, and ensuring research to meet future technical needs. To the extent possible, the committee has attempted to identify the organization or organizations best qualified to implement each recommendation. In some cases, private and public organizations will have to sort out their respective roles so as to make the best use of their strengths and resources. Improving Privacy and Security Practices As the site visits suggested, one of the obstacles to improving privacy and security in health care organizations is a lack of knowledge about the types of technical and organizational practices that are effective in protecting health information. No generally accepted set of practices exists against which organizations can compare their efforts, nor do specific standards exist. Guidelines such as these would help educate users about the types of practices that are available for protecting health information, would help ensure that health information is protected adequately within institutions, and would ensure some degree of uniformity across the

OCR for page 160
--> health care system. Promulgation of a set of guidelines for standard practices might provide the incentive that organizations need to commit greater resources to the development of sound security strategies and would help vendors determine which types of mechanisms to build into their products. Because health care organizations vary considerably in the types of information systems they deploy and the types of information they use in electronic form, as well as in the resources they can devote to system security, appropriate security practices are highly dependent on individual circumstances. It is therefore not possible to prescribe in detail specific practices for all organizations; rather, each organization must analyze its systems, vulnerabilities, risks, and resources to determine optimal security measures. Nevertheless, the committee believes that a set of practices can be articulated in a sufficiently general way that they can be adopted by all health care organizations in one form or another. Moreover, the committee believes that a general set of practices can be adopted at reasonable cost given the current state of technology. Recommendation 1: All organizations that handle patient-identifiable health care information—regardless of size—should adopt the set of technical and organizational policies, practices, and procedures described below to protect such information. The set is not expected to serve as a benchmark for the industry but is envisioned as a framework for helping organizations determine how to improve privacy and security within their own institutions. These policies either could help health care organizations meet the standards promulgated by the Secretary of Health and Human Services as directed by the Health Insurance Portability and Accountability Act of 1996 or could inform the development of such standards. The penalties established by this act for violations of privacy or security standards may provide sufficient motivation for organizations to adopt these policies. External auditing firms could also play a role by evaluating privacy and security practices as part of their annual audits of health organizations. Although auditing firms are not empowered to enforce the use of these practices, auditors' assessments might provide insight into areas that need strengthening to avoid potential liabilities. Specific implementation of these policies, practices, and procedures will vary from organization to organization, depending on individual circumstances, but each organization should adopt the full spectrum of recommendations to ensure that it addresses all aspects of security. The committee hopes that individual organizations will exceed as appropriate the requirements set out below in addressing privacy and security needs specific to their own sites. Although the committee did not calculate the cost of implementing the policies, procedures, and practices outlined be-

OCR for page 160
--> low, each was observed in an operational setting and reportedly had been implemented at reasonable costs. These practices and procedures will not make health information systems invulnerable to all potential forms of misuse or abuse, nor can they guarantee that the privacy of health information will not be compromised. They would, however, go a long way toward minimizing potential abuse by authorized users (whether intentional or unintentional) and make outsider attacks more difficult. Described below are technical and organizational practices and procedures that can be implemented immediately without too much difficulty or expense, as well as technical measures that could reasonably be taken in the future as the relevant technologies advance. In each case, the committee has attempted to identify approaches that take into account the specific requirements of health organizations (as opposed to organizations in other industries), balancing the need for privacy and security against the need for access in order to provide care. Each of the practices described for immediate implementation was observed to operate successfully in a health care setting. Of course, the implementation of these policies, practices, and procedures within individual health care organizations will have to be adjusted to accommodate the requirements specific to those institutions and to the various types of departments and settings within them. The demands of an AIDS clinic may be different from those of a large, urban hospital. The demands of a hospital's billing department may be different from those of an emergency room. Thus, although it may be appropriate to program a terminal in the billing department or on a physician's desk, for example, to log-off automatically after a specified period of time, it may not be appropriate for the terminal in an emergency room or an operating room to do so. Organizations will have to take these considerations into account as they develop plans for implementing the policies, practices, and procedures listed below to make sure that they adopt a strategy appropriate to their needs. Technical Practices and Procedures for Immediate Implementation Individual Authentication of Users. Every individual in an organization should have a unique identifier (or log-on ID) for use in logging onto the organization's information systems. This approach will make it possible to hold individual users accountable for their actions on-line and to implement access controls based on individual needs. Sanctions should be in place to discipline employees who share their identifiers or fail to log off their workstations. Where appropriate and not detrimental to the provision of care, computer workstations should be programmed to log off automatically if left idle for a specified period of time (though the period of time will have to be adjusted to accommodate local and departmental

OCR for page 160
--> operations). Password discipline should be exercised, requiring users to change passwords on a regular basis and to select passwords that cannot be guessed easily. Procedures should be established to (1) revoke the identifiers of employees who leave the organization; (2) identify and revoke other unused identifiers as appropriate; (3) ensure that only legitimate users are granted access to the organization's information system; and (4) guarantee that authorized users can access needed information in emergency situations. Access Controls. Procedures should be in place that restrict users' access to only that information for which they have a legitimate need. Ideally, such controls should be based on the needs of individual users, but in practice they may have to be based on job categories. Narrow job descriptions should be used, where possible, to allow more fine-grained control of access privileges. For example, job titles such as ''doctor," "nurse," or "physician's assistant" provide less control than titles such as "cardiologist" or "emergency room nurse."5 Any of the models discussed in Chapters 4 and 5 can be used for distributing access privileges. The committee recognizes that individual organizations will have to determine the appropriate job categories within their facilities and decide whether medical staff is allowed to access the records of all patients treated by the organization (which is often the case today) or only of patients under their direct care. Again, the proper balance between access and privacy will depend on the specific setting and on the need to ensure access to information in emergency situations. Audit Trails. Organizations should maintain in retrievable and usable form audit trails that log all accesses to clinical information. The logs should include the date and time of the access, the information or record accessed, and the user ID under which access occurred. Organizations that provide health care services to their own employees should implement the capability for employees to conduct audits of accesses to their own health records. Although self-audits will not necessarily identify large numbers of inappropriate accesses to health records, they have proved to be a cost-effective way of raising employees' awareness and appreciation of privacy concerns in organizations that have deployed them. In addition, all organizations should implement procedures for 5   It should be noted that the use of fine-grained access controls can exacerbate the difficulty of keeping the data in medical records organized so that they correspond with the access privileges of the users. A variety of software tools are under development to assist in managing this task (see Chapter 4).

OCR for page 160
--> BOX 6.2 Possible Legislative Options for Addressing Systemic Concerns Patients currently have few rights regarding the privacy of health information contained in private databases, beyond those provided at the state level. State laws are inconsistent, often incomplete, and difficult to prosecute. A number of initiatives could be pursued to give patients greater rights regarding the protection of health information. Should the nation wish to pursue a pubic policy course that places greater emphasis on the privacy and security of patient-specific health information, legislation (or, equivalently, regulation with the force of law) may be needed. The committee believes that legislation of the following types could enhance the privacy of health-related information. Legislation to restrict access to patient-identifiable health information based on the intended use. For example, legislation could define acceptable activities to include (1) delivery of care to patients; (2) reviews of claims for payment; (3) research uses that are approved by institutional review boards (see Chapter 5); (4) analyses of the quality of care and cost of care conducted by care providers and those at financial risk for care; and (5) the detection or prevention of fraud, such as billing for multiple prescriptions or for services that were never rendered. In this last case, such efforts should be sanctioned by the organization and subject to external audit to demonstrate their necessity, utility, and conformance to organizational practices. The legislation could define all uses of patient-identifiable information outside the prescribed set to be illegal and subject to civil and/or criminal penalties. Legislation to prohibit specific practices of concern to patients. For example, legislation could prevent self-insured employers from making individual employment decisions on the basis of patient-specific health information (as long as the contentious. Economic and other forces create incentives to link individual patient data in ways that may well be detrimental to patient interests For example, linkages of patient information with purchasing and financial information can subject individuals to marketing campaigns for new or existing therapies. Patient information linked to employment may create incentives for denying an otherwise qualified individual a job Recommendation 4: Any effort to develop a universal patient identifier should weigh the presumed advantages of such an identifier against potential privacy concerns. Any method used to identify patients and to link patient records in a health care environment should be evaluated against the privacy criteria listed below. 1.   The method should be accompanied by an explicit policy framework that defines the nature and character of linkages that violate patient privacy and specifies legal or other sanctions for creating such linkages. That framework should derive from the national debate advocated in Recommendation 3.

OCR for page 160
--> employee is still able to perform his or her job functions). Legislation with this effect would eliminate much of the economic incentive for such parties to obtain patient-specific health information and thus reduce many concerns about patient privacy. Although the Americans with Disabilities Act provides some protection of this sort, it applies only to specific predefined disabilities and not to health conditions as a whole. Legislation to establish information rights for patients. As noted in Chapter 2 consumers have few legally enforceable rights regarding the privacy and security of their medical information. Today, patients have no legal basis on which to demand disclosure of information flows, access to their own health records, or redress for breaches of privacy. Passage of the Health Insurance Portability and Accountability Act is a first step toward giving patients greater ability to protect their health information, but efforts to extend the fair information practice requirements of the Privacy Act of 1974 to the private sector (including all organizations that collect, process, store, or transmit electronic health information) would empower the consumer population with enforceable rights and create a powerful force for protecting the privacy and security of sensitive information. Legislation to enable a health privacy ombudsman to take legal action. Most operating concepts of privacy ombudsmen are advisory in nature. In some instances, however, the office of privacy ombudsman has greater authority. For example, in Germany, data protection councils operate at the national level to field complaints from patients and conduct investigations as necessary. The committee notes that legislation in all of these areas has implications that go far beyond the question of protecting the privacy interests of consumers, and realizes that making recommendations about the desirability of such legislation is beyond its expertise and charge. 2.   It should facilitate the identification of parties that link records so that those who make improper linkages can be held responsible for their creation. 3.   It should be unidirectional to the degree that is technically feasible: it should facilitate the appropriate linking of health records given information about the patient or provided by the patient (such as the patient's identifier), but prevent a patient's identity from being easily deduced from a set of linked health records or from the identifier itself. The first criterion requires that the nation decide which types of record linkages will be legal or illegal. The United States has applied this approach sporadically to protect certain types of information. For example, the perceived unfairness of using videotape rental records in the fight against the confirmation of Judge Bork for a seat on the Supreme Court led to the adoption of a law that specifically prohibits such a practice The same law does not apply, however, to other types of records. In practice, it is difficult to legislate a prohibition on the collection of such data because institutions often have a legitimate need for the information Prohi-

OCR for page 160
--> bitions must therefore focus on the uses of such data. Unscrupulous people could, of course, still collect, collate, and use such data in ways that are prohibited, but the threat of well-defined and rigorously enforced legal sanctions would help limit such abuses. The second criterion helps to make such a policy framework enforceable by reducing or eliminating opportunities to create improper linkages between records. If a visible and overt act is necessary to link information, illegal or unauthorized attempts to link information from various sources can be detected and traced, and guilty parties sanctioned. For example, if financial databases and health information databases used different identifiers, linkage between financial and health information would require someone to provide a translation between the different identifiers. If linkage of health and financial information without explicit patient consent were defined as a prohibited act, the fact that a linkage had been made would be an obvious indicator that a prohibited act had occurred; the party responsible for the translation would be a logical point at which to begin an investigation. The third criterion supports patient privacy by requiring that the patient provide some information (e.g., an identifier) that can be interpreted as patient authorization for a linkage to take place. However, unidirectional linkage prevents inference of the patient's identity from just the information contained in any collection of records. Practical application of these criteria is difficult given existing technology, but it will become more straightforward as technologies for controlling the distribution of information, such as rights management software (see Chapter 4), become more commonplace and as additional research investigates new types of identification and records-linking schemes (see Recommendation 5). In the meantime, many health care organizations have found that they can effectively link patient records within their expanding health care systems through the creation of master patient indexes. These indexes match patient records in affiliated institutions that use differing numbering systems through the use of demographic data. Although not all records or patients can be matched unambiguously, organizations that have adopted this approach report high levels of success. Linkages with organizations outside the institution can often be accomplished with information already contained in the patient record. The three criteria given above are meant to ensure that privacy concerns are explicitly recognized in the debate over the universal patient identifier. The committee recognizes that privacy interests are only one dimension of this debate. For example, it is also important that an identifier be structured such that it does not unduly delay or prevent the provision of care, meaning that it must allow care providers to retrieve or link

OCR for page 160
--> patient records in an emergency situation when the patient may be unable to divulge a particular identification number or may not be carrying an identification card. Other criteria must also be considered in the debate (Box 6.3). One often-discussed universal patient identifier is the Social Security number (SSN). The committee believes that an unmodified SSN would provide little, if any, protection against attempts to link health information with other types of personal information. Although not part of its original design, the SSN is in such broad use, not only by the Social Security Administration but also by all other branches of government and many commercial enterprises, that it almost serves the function of a universal identifier today. As such, use of the SSN raises many legitimate privacy concerns.14 On the other hand, the SSN has several attributes that make it attractive as a universal patient identifier. Among these are the fact that the SSN forms the basis of the identifier used by the Medicare program, is contained in many existing patient records held by public and private organizations, and has an existing management infrastructure for assigning numbers.15 Making a recommendation for or against the use of the SSN as a universal health identifier goes beyond the committee's charge and collective expertise. However, the committee notes that the use of any universal health identifier raises many of the same privacy issues raised by use of the SSN. The question the nation must therefore address is whether there are ways of attaining the presumed benefits of a universal patient identifier-better-informed health care, improved detection of fraud in connection with paying for health care services, and simplification of the administration of health care benefits-without jeopardizing patient privacy.16 Meeting Future Technological Needs Recommendation 5: The federal government should take steps to improve information security technologies for health care applications. 14   Szolovits, Peter, and Isaac Kohane. 1994. "Against Universal Health-care Identifiers," Journal of the American Medical Informatics Association, Vol. 1, pp. 316-319. 15   Hammond, W. Ed. 1997. "The Use of the Social Security Number as the Basis for the National Citizen Identifier," White Papers-The Unpredictable Certainty: Information Infrastructure Through 2000. National Academy Press, Washington, D.C., forthcoming. 16   For example, through the use of a system of identifiers in which individuals have a different unique identifier for each type of data collected about them or through cryptographic means, as described in Chapter 4.

OCR for page 160
--> BOX 6.3 Other Possible Criteria for a Universal Patient Identifier A universal patient identifier will have to meet other criteria in addition to those designed to protect patient privacy. The following list of criteria derives from a recent report by the Institute of Medicine on the privacy of health information. The committee neither endorses nor rejects these criteria but includes them here as examples of the other considerations that will undoubtedly enter into the debate over universal patient identifiers. A universal patient identifier must be able to make the transition easily from the present record-keeping environment to the future environment. This requirement has technical dimensions. If a new identifier contains more characters than the 10 used for the Medicare identifier (the Social Security number plus a single letter), software in many systems may have to be modified and data fields may have to be redefined. Further, organizations will need to know where to apply for new numbers, to verify numbers that patients give verbally, to track down uncertainties in identification, to find current mailing addresses, and to be able to trace errors and correct them. A universal patient identifier must have error-control features that make entry of a wrong number unlikely. This requirement implies that errors of many kinds are detectable and possibly correctable on the basis of the digits and characters in the identifier itself. Ideally, the identifier will protect against transpositions of characters and against single, double, or multiple errors. At minimum, the error control features must be able to indicate with high confidence whether the identifier is valid. A universal patient identifier should have separate identification and authentication elements. Identification implies that individuals indicate who they are; authentication allows the system to verify with a high degree of confidence that the identification offered is valid. A universal patient identifier must work in any circumstance in which health care services are rendered, whether or not the situation was anticipated in the design of the system. At minimum, the identifier should pose no impediments to the prompt, efficient delivery of health care. It must work when the patient is unable to cooperate (e.g., is unconscious or does not speak the same language as the care providers), regardless of the patient's mental and physical abilities. A universal patient identifier must function anywhere in the country, in any provider's facilities and settings. It should be able to link events that have occurred at multiple providers. A universal patient identifier must help minimize the opportunities for crime and abuse and perhaps help to identify their perpetrators. SOURCE: Institute of Medicine. 1994. Health Data in the Information Age: Use, Disclosure, and Privacy, Molla S. Donaldson and Kathleen N. Lohr (eds.). National Academy Press, Washington, D.C., pp. 165-167.

OCR for page 160
--> As outlined in preceding chapters of this report, patient privacy and the security of electronic health information would be greatly improved by the use of several technologies that are currently under development. The committee has identified three sets of research areas that must be pursued: (1) technologies relevant to computer security generally; (2) technologies specific to health care concerns; and (3) testbeds for a secure health care information system. Technologies Relevant to the Computer Security Community as a Whole Recommendation 5.1: To facilitate the exchange of technical knowledge on information security and the transfer of information security technology, the Department of Health and Human Services should establish formal liaisons with relevant government and industry working groups. Many of the technologies that could be used to better protect health information will be developed by the computer security community regardless of the needs or demands of the health care industry. Technologies for authentication, authorization, encryption, and system reliability, for instance, apply to many areas in which information security is relevant and will continue to receive attention from researchers and technologists. Biometric identifiers are the basis for approaches to very strong authentication. Public-key cryptography can be used to solve some privacy and integrity problems but requires an administrative infrastructure to be effective; thus, promotion of a public-key infrastructure would facilitate the greater use of public-key cryptography and its applications to more secure communications and data storage. Better methods to validate software packages and authenticate their sources will be needed in a computing environment based on widespread connectivity through the Internet and remotely executable programs (e.g., Java "applets") to protect against computer viruses and Trojan horse attacks. Although the Department of Health and Human Services is represented in many nongovernment efforts that promote health information standards, the committee believes that the health care community has not connected adequately to the information security community. For example, a consortium for developing biometric identification techniques has recently been formed but lacks representation from health-related government organizations. The health care community must be better aware of developments outside health care and must be prepared to adopt relevant solutions developed for other industries.

OCR for page 160
--> Technologies Specific to Health Care Recommendation 5.2: The Department of Health and Human Services should support research in those areas listed below that are of particular importance to the health care industry, but that might not otherwise be pursued. These technologies offer greater immediate benefit to health care than to other industries for protecting privacy interests and require specific attention and funding by health-related government agencies and industry. They include the following: Methods of identifying and linking patient records. Research is needed to find ways of indexing and linking patient records in a manner that protects patient privacy. The ideal scheme would meet the three criteria for privacy outlined in Recommendation 4. It would allow patient records to be easily indexed and linked for purposes of care and other purposes determined to be legitimate, while impeding inappropriate linkages. This research should also address the extent to which a universal identifier is needed to facilitate improved care and health-related research and to simplify administration of benefits. Anonymous care and pseudonyms. Today, a patient who wishes to remain anonymous for purposes of care faces a number of serious disadvantages. For example, patients wishing to receive care anonymously must currently pay for health services in cash. More seriously, a patient wishing to be anonymous runs a serious risk when his or her medical history is on-line, although the content of that history may be critical to providing quality medical care. The use of pseudonyms or cryptographically generated aliases may mitigate this problem in the future. An alternative might be the use of narrative templates to restrict the use of names in blocks of narrative text; a record in which names occur only in a header, can be efficiently (and perhaps automatically) purged of identifying information. For patients with strong privacy concerns, smart cards containing their medical histories might present an acceptable alternative to storing data in a hospital database or larger community-wide system. Reliable techniques for linking patient records without specific patient identification may reduce the need for assigning patients unique, universal identifiers. Audit tools. Audit trails are useful as a deterrent to improper access only if there is some possibility that an improper access will in fact be recognized as such. However, the collection of audit trails routinely generates enormous amounts of data that must then be analyzed. Automated tools to analyze audit trail data would enable much more frequent examination of accesses and thus serve a more effective deterrent role. For example, intelligent screening agents could be developed that would

OCR for page 160
--> sort through audit data and flag some records for more thorough analysis. Tools for rights enforcement and management. The primary unsolved technical problem today relates to secondary recipients of information: today's access control tools can effectively limit primary (first-person) access to data stored on-line, but they are ineffective in controlling the subsequent distribution of data. Work on electronic watermarking (or digital fingerprinting) may provide tools with which the passage of data through a network can be tracked if not prevented. Work is also under way to develop tools that provide fine-grained access control for information. Such tools limit not only the types of information that certain recipients can receive but also the types of actions recipients can take on such information, and they can be used to make audit trail entries on each access action. For example, they may prevent recipients from directly printing the information, storing it on their own computer systems, or forwarding it to another user.17 More effective tools for rights enforcement and management would help to control secondary distribution of data. Testbeds for Privacy and Security Recommendation 5.3: The Department of Health and Human Services should fund experimental testbeds that explore different approaches to access control that hold promise for being inexpensive and easy to incorporate into existing operations and that allow access during emergency circumstances. Today, the trade-offs between the benefits and cost of greater access to electronic health information are not well understood, with the result that decision makers in health care organizations lack a sound analytical basis from which to determine the appropriate level of attention to protecting information. Research is needed that better explicates the costs and benefits of various levels and types of information protection so that decision makers need not function in a vacuum. The Internet Engineering Task Force has been successful in developing standards through a process of trial-and-error development of representative networked systems. Such an approach may prove useful for developing privacy and security standards in health care and may 17   Of course, it is fundamentally impossible to prevent redistribution entirely. For example, nothing can prevent the recipient of data from photographing a screen and distributing the screen image. Still, making redistribution more difficult is a meaningful step to take.

OCR for page 160
--> be more successful than attempts to develop standards through traditional committee structures. Similar research in the health care field could provide useful insight into effective practices and generate information that health care organizations might use to judge the efficacy, cost, and accessibility of varying approaches to privacy and security. Although the National Library of Medicine has funded the development of numerous testbeds to explore health care applications of the national information infrastructure, these efforts do not have as their primary focus attempts to explore privacy and security practices. A number of targeted security testbeds would provide useful information to the health care industry. Concluding Remarks The recommendations outlined in this chapter are not meant to be the final word on privacy and security in health care applications of information technology. Over time, the availability of new technology, experience with security management, changes in the structure of the health care industry, changes in the threats posed against information and communications systems, and changes in the public policy environment will require a reevaluation of effective practices. As witnessed to date, the increased capability of information technology in health care, such as electronic medical records, will continually force society to address policy issues that before could be left dormant. Yet, while the nation struggles with legislative initiatives related to privacy, the recommended practices outlined above demonstrate that meaningful steps can be taken to reduce the risk of improper disclosure at an organizational level. The committee believes that these recommendations can help to address concerns about patient information outlined in the Alice scenario in Chapter 3 and can pave the way for more productive, secure applications of information technology to health care (Box 6.4).

OCR for page 160
--> BOX 6.4 Charlotte's Data Flows Charlotte, Alice and Bob's daughter, grew up in a world that refused to stand still, Charlotte was 5 when the managed care firm purchased her pediatrician's practice, and from that age, her primary medical record was kept electronically. Fueled by increasingly available and cheap computing and communications technologies, continuing attempts to control health care costs, and the need for easier access to expert specialists, telemedicine became more common. Alice frequently used her home computer to consult medical references and get additional information about Charlotte's childhood illnesses and injuries. When Charlotte was 10, the managed care firm started a program to make its patients' medical records available to them electronically. Because this was part of an initiative to attract more patients, the firm publicized the program widely and paid particular attention to ensuring that records would be released only to property identified individuals. Alice, Bob, and Charlotte decided to join the program and were each issued a plastic card to use for authenticating requests. When Charlotte graduated from high school and went away to college, she decided to take a copy of her medical records with her. She used her card to authorize the electronic transmission of her health records to her college's student health services program. How Did This Come About? A number of publicized privacy violations that damaged some of their competitors had alerted senior managers of the care firm to vulnerabilities in its own procedures. In response, the firm revised its procedures to reduce the exposure of its patients' records to other groups. Samples sent to outside laboratories for analysis were encoded with numbers, rather than names, so that results could be provided anonymously. Audit trails were incorporated in the provider's own systems, and policies were established to allow patients to review the audit logs. It became straightforward to remove direct patient identification from records released to groups that did not have a legitimate need for that information When patient-identified records were released, means were provided to ''fingerprint" them with hidden information in order to detect abuses. Under the medical records protection laws that had been enacted, violations traced back through these fingerprints could be prosecuted as criminal offenses, and patients could also sue for damages. With these controls in place, management realized that it was now in a position to offer the new patient access record service without exposing itself to undue risks and that its well-developed systems could lead to a competitive edge. How Were the Risks Reduced? First, the communications infrastructure had been made much more resistant to eavesdropping by the incorporation of practical cryptography. Built into the communications network interface at each home was a privacy service module that incorporated a private key and could negotiate a new key for each communication session, entirely transparent to the communicating parties. These facilities had first been used to ensure the integrity and confidentiality of real-time telemedicine links and record transfers.

OCR for page 160
--> As described above, the firm had upgraded its electronic record system to incorporate access controls and audit trails so that accesses by its employees could be adequately tracked, and properly authenticated prescriptions could be issued directly from the system to local pharmacies. To support the new service, a special, patient-only access system had been added that replicated records from the system used by providers but had no other access to it. In addition to being able to examine her health records, Charlotte was able to review a list of all the people who had accessed her records and the purpose of each access. To be sure that a request for Charlotte's records came from her and not from someone else in the household, the firm also offered each of its patients a card that could be used in authenticating requests. The card avoided using the Social Security number for this purpose because those numbers were too widely available to be used for authentication. The card was used by the firm to identify its patients unambiguously, thereby reducing the paperwork required on each office visit and, in some cases, improving emergency treatment.