1
Introduction

Protection of patient privacy is a long-standing issue in health care. Since the fourth century B.C., physicians have abided by the oath of Hippocrates, binding them to keep secret the information they learn from patients during the course of providing care.1 Over the centuries, changes in the practice of medicine and in the structure of the health care industry have required a continuing expansion of the notion of patient privacy beyond the traditional patient-provider relationship and into other organizations that collect and analyze health information. Insurers, managed care organizations, public health officials, researchers, and others with a need for patient information have had to develop policies and practices for protecting the information they collect and, ultimately, the privacy of the individuals to whom the information pertains.

The growing use of information technology within the health care sector demands that issues of patient privacy and data security again be analyzed to ensure that policies, practices, and procedures for handling health information take into account the vulnerabilities these systems

1  

The pertinent part of the oath can be translated as follows: ''Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets." (Bulger, R.J. 1987. "The Search for a New Ideal," pp. 9-21 in In Search of the Modern Hippocrates, R.J. Bulger (ed.). University of Iowa Press, Iowa City, Iowa.)



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 19
--> 1 Introduction Protection of patient privacy is a long-standing issue in health care. Since the fourth century B.C., physicians have abided by the oath of Hippocrates, binding them to keep secret the information they learn from patients during the course of providing care.1 Over the centuries, changes in the practice of medicine and in the structure of the health care industry have required a continuing expansion of the notion of patient privacy beyond the traditional patient-provider relationship and into other organizations that collect and analyze health information. Insurers, managed care organizations, public health officials, researchers, and others with a need for patient information have had to develop policies and practices for protecting the information they collect and, ultimately, the privacy of the individuals to whom the information pertains. The growing use of information technology within the health care sector demands that issues of patient privacy and data security again be analyzed to ensure that policies, practices, and procedures for handling health information take into account the vulnerabilities these systems 1   The pertinent part of the oath can be translated as follows: ''Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets." (Bulger, R.J. 1987. "The Search for a New Ideal," pp. 9-21 in In Search of the Modern Hippocrates, R.J. Bulger (ed.). University of Iowa Press, Iowa City, Iowa.)

OCR for page 19
--> entail.2 As health care organizations collect, process, and store more health information in computerized form and use both private and public telecommunications systems to transmit this information between different entities, they must ensure that adequate mechanisms are in place to protect the information. This report investigates ways of protecting health information in an era of increasing computerization and far-reaching communications. It concentrates primarily on protecting patient-identifiable health information, that is, health records that contain information from which the patient's identity can be deduced or inferred.3 It assesses technical and organizational practices currently in use for protecting electronic health information, identifies other technologies worthy of testing in health care settings, and outlines areas for future research. In addition, the report discusses the privacy concerns that stem from the increasing exchanges of information among different types of organizations involved in providing care, paying for care, or conducting analyses of health information for a wide range of societal purposes. As the report notes, such sharing of information may pose greater privacy concerns than unauthorized access to health information stored at any individual location. The Growing Use Of Information Technology In Health Care Expenditures on information technology for health care are growing rapidly. The health care industry spends approximately $10 billion to $15 billion a year on information technology, and expenditures are expected to grow by 15 to 20 percent a year for the next several years.4 Health care organizations are developing electronic medical records (EMRs) for stor- 2   The terms privacy, confidentiality, and security are used in many different ways to discuss the protection of personal health information. This report uses the term privacy to refer to an individual's desire to limit the disclosure of personal information. It uses the term confidentiality to refer to a condition in which information is shared or released in a controlled manner. Organizations develop confidentiality policies to codify their rules for controlling the release of personal information in an effort to protect patient privacy. Security consists of a number of measures that organizations implement to protect information and systems. It includes efforts not only to maintain the confidentiality of information, but also to ensure the integrity and availability of that information and the information systems used to access it. 3   The protection of genomic data and tissue samples, while also of increasing concern, is not specifically addressed in this report, although much of the discussion of patient-identifiable information does apply. 4   Munro, Neil. 1996. "Infotech Reshapes Health Care Marketplace," Washington Technology, Aug. 8, p. 1.

OCR for page 19
--> ing clinical information, upgrading administrative and billing systems to reduce errors and lower administrative costs, and installing internal networks for sharing information among affiliated entities. Organizations are also beginning to experiment with the use of public networks, such as the Internet, to allow employees and physicians to access clinical information from off-site locations and to enable organizations to share information for purposes of care, reimbursement, benefits management, and research.5 Others are using the Internet to disseminate information about health plans and research.6 The National Library of Medicine recently awarded 19 contracts to a variety of health care organizations across the country to investigate innovative uses of the national information infrastructure for health care, including telemedicine and information sharing (see Appendix C). Much of the demand for information technology is driven by changes in the underlying structure of the health care industry itself and its methods of care, as well as by concerns over rising health care costs. A central part of all these initiatives is the creation of EMRs, which serve as the central clinical repository of information pertaining to patient care.7 Changes in the Health Care Delivery System The application of new technology to health care both drives and is driven by a fundamental restructuring of the U.S. health care delivery system. In recent years, the health care industry has seen (1) significant consolidation of providers and mergers of care-financing and provider organizations, (2) use of increasingly sophisticated management approaches to share financial risks for care between industry segments, and (3) new entrants into the market for analysis of clinical practice. This transformation is largely the result of pressures to reduce the cost of care, enhance the ability to measure and improve the quality of care, and move care delivery to less expensive settings. Overall, these changes have led to a significant increase in the collection and use of patient health data and in the sharing of these data across organizational boundaries. The 5   Health Data Network News. 1996. "Claims Over the Internet? It's Happening," May 20, p. 1. See also Fisher, Lawrence M. 1996. "Netscape's Founder Begins a New Venture," New York Times, June 18. 6   Fisher, Lawrence M. 1996. "Health On-Line: A Participatory Brand of Medicine," New York Times, June 24. 7   Many terms are used to describe the electronic storage of patient-specific information; apart from electronic medical record (EMR), the two most commonly used terms are computer-based patient record and electronic health record. The committee chose to use EMR without intending to resolve the debates that surround the use of each term.

OCR for page 19
--> rise of health maintenance organizations (HMOs), for example, has increased demand for information about the outcomes and costs of different treatment plans. Continuation of the transformation over the next decade will force additional changes in organizations involved in providing and monitoring health care and in their demand for additional health information. Integrated Delivery Systems Integrated delivery systems (IDSs) are rapidly becoming the primary means of delivering care in the United States. Though their forms vary and will continue to evolve, IDSs generally consolidate under one corporate umbrella multiple types of care providers that serve different aspects of the care continuum (such as hospitals and primary care clinics). Some IDSs also include a health care financing arm that offers health plans and pays for care. A 1996 survey by Deloitte and Touche indicates that 24 percent of U.S. hospitals already belong to an IDS, and an additional 47 percent are participating in the development of an IDS.8 The move toward integrated delivery systems is motivated by promises of cost savings through consolidations, expansions of market share to protect current business, improvements in the quality of care by managing care over a continuum of time and encounters, and improvements in bargaining position with respect to payers. IDSs view integrated information systems as critical to achieving their objectives. In the Deloitte and Touche survey, 67 percent of the hospitals state that they are pursuing the development of an integrated information network. They anticipate that their capital investment in information systems will increase 27 percent over the next two years.9 The investments will lead to a significant increase in the use of information technology to store, analyze, and improve access to patient health data. Access to these data is likely to expand well beyond the organizational setting that initially gathered the data to include sharing of data among providers and organizations that are members of the IDS. Managed Care Managed care programs, such as HMOs, are growing rapidly in the United States. In contrast to traditional forms of insurance in which care providers or patients are reimbursed for services rendered, managed care 8   Deloitte and Touche LLP. 1996. U.S. Hospitals and the Future of Health Care. Deloitte and Touche, Philadelphia. 9   Traditionally this investment in hospitals has increased 4 to 6 percent per annum.

OCR for page 19
--> programs use a capitation system to pay for health care and manage risk.10 In a capitation system, providers are reimbursed based on the number of patients enrolled in their care (e.g., paid a monthly fee per enrollee) rather than on the amount and nature of services rendered. Between 1990 and 1995, total enrollment in HMOs grew from 36.5 million to 50.1 million, representing 20 percent of all private insurance.11 The rise of managed care programs has greatly altered the practice of medicine. HMOs have contributed to a shift in the view of medical care from mostly an art based on clinical judgment to mostly a science based on empirical data. Managing the practice of care now involves examination of aggregate data to define optimal approaches to the management of chronic diseases, for example, and analysis of the cost and quality of current and new care practices. Managed care providers emphasize the need to manage care across a continuum of encounters in addition to managing care within an encounter. As a result, managed care organizations have an opportunity to assess patient health risks and define optimal approaches to the management of the chronically ill, in addition to improving the efficacy of specific patient encounters with a health care provider. They also have an opportunity to use information about the health care needs of enrolled subpopulations of patients with common characteristics (whether gender, age, or condition) to improve care for individuals. This shift has resulted in implementation of and experimentation with new data-intensive approaches to care provision and management. For example, the industry is developing measures of performance in the form of quality report cards administered by marketing or accrediting organizations. These include the Health Plan Employer Data and Information Set (HEDIS) developed by the National Committee for Quality Assurance and the Information Management standards established by the Joint Commission on Accreditation of Healthcare Organizations. In addition, providers are introducing more sophisticated approaches to managing the care of groups of patients with similar health problems (e.g., using demand management, disease management, and clinical pathways analyses). Managed care providers also tend to analyze the use of medical resources, including medications, specialists, radiology services, and sur- 10   In practice, a provider may be wholly or partially capitated (e.g., it may be capitated only for the provision of primary care and paid on a fee-for-service basis for other care). 11   Pharmaceutical Research and Manufacturers Association. 1996. Industry Profile. Pharmaceutical Research and Manufacturers Association, Washington, D.C., Figure 5-3; available on-line at http://www.phrma.org. Also, Health Insurance Association of America. 1996. Source Book of Health Insurance Data. Health Insurance Association of America, Washington, D.C., Table 2.5a.

OCR for page 19
--> gical procedures. Care providers and payers have begun to use total quality management and continuous quality improvement techniques to improve the quality of their services. New Users of Health Information Further fueling demand for information technology in health care is the entrance of new types of organizations that collect health information. These organizations typically provide products and services to the health care industry and have developed significant business interests that involve the collection of patient-identifiable health data. Examples include medical and surgical suppliers, pharmaceutical companies, reference laboratories, and companies that provide information technology services. Some of these companies have seen profit margins decline in their core businesses and see synergistic opportunities in the collection and analysis of patient-identifiable health data for health care organizations. For example, the pharmaceutical manufacturer, Merck and Company, acquired Medco, a pharmaceutical benefits management company that uses its database of medication claims to analyze utilization patterns for pharmaceutical products. Similarly Eli Lilly and Company, another pharmaceutical manufacturer, acquired the pharmaceutical benefits management firm PCS Health Systems Inc. Glaxo Wellcome Inc., a pharmaceutical company, has a significant interest in HealthPoint G.P., a developer of software for electronic medical records, to enable it to compare the effectiveness of its medications to that of others in treating various diseases and disorders. In many of these cases, specific agreements have been established to limit data sharing among affiliated companies, but the complex overlaps make security more difficult to ensure. In addition, existing companies in the health care industry are expanding their roles. Several insurance companies have established their own provider networks. Aetna, for example, acquired a health care provider-U.S. Healthcare. Blue Cross and Blue Shield plans in several states are developing provider networks.12 Providers are also moving into the administration and financing of care. One survey found that 15 percent of hospitals owned an HMO in 1996, compared to 10 percent in 1994.13 12   See Auerbach, Stuart. 1997. "Two Blue Cross Plans in Area Agree to Merge," Washington Post, January 15, pp. C10 and C12. See also, Freudenheim, Milt. 1996. "Blue Cross Groups Seek Profit, and States Ask Share of Riches," New York Times, March 25, p. A1. 13   Deloitte and Touche LLP. 1996. U.S. Hospitals and the Future of Health Care. Deloitte and Touche, Philadelphia.

OCR for page 19
--> The Electronic Medical Record Central to the efforts of health care providers to integrate functions and shift to managed care is the development of EMRs. Fifty-six percent of hospitals were investing in EMRs in 1995; largely as a result of investments by IDSs, the market for EMRs systems is expected to grow 70 percent annually from $100 million in 1995 to $1.5 billion in 2000.14 Virtually all of the sites visited by the committee in the course of this study were in the midst of developing an EMR system. The rapid movement toward EMRs results not just from changes in the structure of the health care industry, but also from general advances in information technology. The greater speed and power of information technology accentuate the advantages of EMRs over paper records, and the more widespread use of computers throughout industry has created an infrastructure for supporting their implementation. Content of Electronic Medical Records At present, EMRs represent an attempt to translate information from paper records into a computerized format. Over time, it is anticipated that the content of EMRs will expand beyond that of paper records and potentially include on-line imagery (e.g., x-rays) and video (e.g., a telemedicine session). For the time being, EMRs document patients' histories, family histories, risk factors, findings from physical examinations, vital signs, test results, known allergies, immunizations, health problems, therapeutic procedures and medications, and responses to therapy. They also include the provider's assessment and plans, advance directives, information on the patient's assent to and understanding of therapy, and permission for disclosure of information for use by other care providers or bill payers. Originally, the medical record existed in abbreviated form to refresh the memory of the family doctor, who may have known more than patients themselves about familial risk factors and a patient's history of diseases or conditions. But because care is now provided by a variety of providers from a variety of locations and the bills are paid by more than one payer, the EMR is used to facilitate familiarity with the patient's status, document care, plan for discharge, document the need for care, assess the quality of care, determine reimbursement rates, justify reimbursement claims, pursue clinical or epidemiological research, and measure outcomes of the care process. 14   Health Management Technology. 1995. "I/T Sales to Soar Next Five Years," December, p. 10.

OCR for page 19
--> Advantages of Electronic Medical Records EMRs offer many potential advantages over traditional paper-based records. The primary benefit of using electronic records is access for authorized and authenticated users. EMRs allow providers to access health information from a variety of locations and to share that information more easily with other potential users. Multiple users may access the information simultaneously. When used to increase communication among providers, EMRs can reduce the number of redundant queries and diagnostic tests and improve the availability of health-related information at the point of care delivery. EMRs also offer opportunities for improving security. With EMRs, access can be limited to just that portion of the record that is pertinent for the user. For example, a radiology file clerk might have access only to radiology reports of all patients, whereas a physician might be granted access to the entire record of his or her patients. In addition, EMRs can allow all instances of access to be recorded in audit logs so that there is a record of who saw what information at what time and date on which patients. To many organizations, increased access, better logical organization, and greater legibility are reason enough to justify the move toward EMRs. However, electronic data can also be used to accomplish tasks that are not possible in the paper format even if access were not a problem. For example, data stored in electronic records can be organized and displayed in a variety of different ways that are tailored to particular clinical needs. Electronic health information can be manipulated by computer-based tools, so that knowledge about standards of care can be used to generate alerts, warnings, and suggestions. These types of capabilities are known variously as real-time quality assurance, decision support systems, critiquing engines, and event monitors. Such capabilities may be useful in reducing some of the disparity between the amount and the quality of care delivered to different individuals. Electronic records also hold the promise of improving clinical research. Today most information about the effectiveness of tests or treatments, if in health records at all, lies buried in large stores of paper files that cannot be analyzed economically. The search and retrieval capabilities of computerized record systems, in conjunction with automated analysis tools, can enable much faster, more accurate analysis of data. Protecting the Privacy and Security of Health Information The application of information technology to health care especially the development of electronic medical records and the linking of clinical

OCR for page 19
--> databases—has generated growing concern regarding the privacy and security of health information. Despite the enthusiastic reception of this enhanced capability for access by those who desire health information, many fear that transporting such information over the emerging national information infrastructure will further erode individual privacy. Coverage of health care privacy issues and public disclosures of sensitive data have become more common in the news media. Articles on the confidentiality of health information have appeared recently in the New York Times, the Wall Street Journal, and the Boston Globe. In a recent poll almost half of those questioned stated that they were "very concerned" about their personal privacy, and a third stated that they were very concerned about the possible negative consequences of EMRs.15 Such concerns are growing as more sensitive information, such as HIV status, psychiatric records, and genetic information, is stored in medical records. Addressing these concerns requires both a better understanding of the vulnerabilities of health information in electronic form and the various mechanisms available for protecting such information. Privacy and Security Concerns The concerns of privacy advocates about electronic health information are based on two underlying notions. The first is that individuals have a fundamental right to control the dissemination and use of information about themselves. Because privacy is a fundamental right, advocates argue, other organizations that make claims on such information should be obliged to respect the wishes of the individual and to obtain explicit authorization from the individual for each instance of information collection, processing, or further disclosure.16 The second concern is that information about an individual, revealed to some other party not willingly designated by the individual, may be used to harm his or her interests. These interests may include economic or social interests, and 15   Louis Harris and Associates. 1995. Equifax-Harris Mid-Decade Consumer Privacy Survey, Study No. 953012. Louis Harris and Associates, New York. 16   Note, however, that there are those who strongly believe that the decision to seek health care and to draw on medical expertise necessarily implies entering into a social contract to allow medical science and societal health to benefit from the use of data about all patients (provided suitable measures are in place to protect such data from inappropriate use). See Institute of Medicine. 1994. Health Data in the Information Age: Use, Disclosure, and Confidentiality, Molla S. Donaldson and Kathleen N. Lohr (eds.). National Academy Press, Washington, D.C.

OCR for page 19
--> they may or may not be tangible (e.g., disclosure may involve social embarrassment for which monetary compensation is not appropriate).17 Privacy advocates readily acknowledge that violations of a fundamental right to privacy or the uses of personal information that are harmful to an individual's interests do not depend on the existence of electronic health information-indeed, improper and harmful disclosures of personal information have mostly involved information taken from paper-based records. They argue, however, that electronic health information and computer networks compound the problem enormously. Prior to the establishment of computer networks, health information had a physical embodiment, was awkward to copy, and was accessible only from central locations. The difficulty of moving health information increased dramatically with the volume of records being transferred. Automation and, more importantly, networking have changed this situation radically. Data have no physical embodiment, are easily copied, and are accessible from multiple points of access. Large numbers of records can be transferred as easily as a single one. The existence of the Internet means that data can be moved across administrative, legal, and national jurisdictions as easily as it can be moved to the next desk; intrusions can be mounted with equal facility. Electronic medical records also raise the possibility that much more accurate and complete composite pictures of individuals can be more easily drawn—so much more so that reasonable people would raise concerns about the aggregate even if they had no concerns about any single data element. Finally, any such aggregated database might well concentrate information in so lucrative a manner that the database itself becomes an interesting target for those seeking information. Additional security concerns derive from the growing use of the World Wide Web. The spread of World Wide Web technology has precipitated a shift from a transaction-oriented approach to data transfer to an approach depending on a message-based client-server interface. In the transaction-oriented approach, users submit requests and receive responses in a stylized format. Because stylized requests and responses are limited in content to what style itself enables, not all data requests are possible, and expanding the scope of possible requests requires additional work on the part of the system developer. By contrast, Web-based interfaces are usually developed with tools that are intended to facilitate and improve system responsiveness to arbitrary user requests, and the 17   Examples of information seekers include employers, government agencies, credit bureaus, insurers, educational institutions, the media, and private investigators. See Rothfeder, Jeffrey. 1992. Privacy for Sale: How Computerization Has Made Everyone's Life an Open Secret. Simon and Schuster, New York.

OCR for page 19
--> interface developer must work to reduce the scope of the requests that the user can make. Although a Web-based interface for examining data can be as restrictive as a system based on the transaction approach, checking whether a user's actions are appropriate is difficult and expensive; auditing a user's actions is more complex; and the assurance that the intended limits are indeed enforced is even more difficult to achieve. Nor is it necessarily possible to determine what the user intends to do with the information retrieved and if the user therefore is a threat to patient privacy. The solutions advocated to address these privacy concerns fall into one of three categories. One approach is to forbid outright the collection of data that might be misused, on the theory that procedural solutions are inevitably ineffective and subject to abuse and compromise (these concerns about inevitable compromise are usually manifested in the area of secondary release of data). A second approach is to allow the collection of some amount of personal information (e.g., health information) under a specific set of circumstances but to impose on collecting organizations and parties rules about the management and disposition of that information and penalties for violations of those rules. A third approach is to specify conditions regarding the use of patient-identifiable health information through the policy process to which all handlers of that information are obligated to conform. The first proposal precludes the development of electronic databases of health information. The second two approaches can be implemented through the promulgation of appropriate public and organizational policy and the use of certain technologies. The second approach leads to situations in which the same information is handled differently by different organizations, simply because they fall into different categories. The third approach leads to a more uniform treatment of data and represents a high-level organizing principle for governing the protection of patient-specific information. Addressing Privacy and Security Concerns Even before the advent of computers, significant resources were devoted to the safeguarding of health information. Every accredited hospital in the United States had (and still has) a medical records department with responsibility for ensuring only legitimate access to health records, the integrity of data contained in those records, and the confidentiality of those records. Health care organizations established policies regarding the collection, use, and release of health information to maintain privacy and security, and they evaluated the relative costs and benefits of alternative mechanisms for protecting health information. With electronic health information, the same issues still apply, though

OCR for page 19
--> the mechanisms used to provide protection may be different. Health care organizations must decide who can have access to health information systems and whose needs for access are legitimate. Individuals assume that they have the right to keep information about their health private, yet most would acknowledge that health care providers need access to pertinent facts about a patient's history, test results, allergies, symptoms, and response to therapy in order to provide advice and make decisions that will be in the best interests of the individual's health. Others, such as researchers, health insurers, life insurance companies, employers, and marketers of health products, all have a legitimate need to access some types of health care information. Clinical researchers and epidemiologists need health information to answer questions about the effectiveness of specific therapies, patterns of health risks, behavioral risks, environmental hazards, or genetic predisposition for a disease or condition (e.g., birth defects). Health insurers seek to combat rising costs of care by using large amounts of patient data in order to judge the appropriateness of medical procedures.18 Life insurance companies created the Medical Information Bureau Inc. to improve the underwriting process and help detect possible instances of fraud in the use of health information (Box 1.1). Drug companies want to know who is taking which drug so that they can conduct postmarketing surveillance to develop marketing strategies. A growing number of companies serve as information clearinghouses, collecting data from any number of sources and reselling it to customers in search of efficiency and savings. In certain instances the desire for access transcends health care decisions and economic incentives. Foreign governments, voters, and business leaders are interested in the health of politicians, celebrities, and prominent citizens. A recent book, Hidden Illness in the White House,19 and a recent film, The Madness of King George, are illustrations of the tension between an individual's desire for privacy and another group's claims of legitimate access to information concerning the health of its leaders. In Russia, one of Boris Yeltsin's surgeons acknowledged that Yeltsin had 18   A recent news article described the payer point of view. ''They [the privacy advocates and patients] think that we are seeking personal detail. But we're seeking clinical accountability. Ten years ago, there was no accountability. They sent in a claim and it was paid. Today, we ask for information .... "(Ian Schaffer, Medical Director, Value Behavioral Health, as quoted in Riley, John, 1996, "When You Can't Keep a Secret," NY Newsday, April 1, p. A36. The same article (at p. A37) describes a case in which a U.S. Circuit court of appeals concluded, "We hold that a self-insured employer's need for access to employee prescription records under its health plan outweighs an employee's interest in keeping his prescription drug purchases confidential.") 19   Crispell, Kenneth A., and Carlos F. Gomez. 1988. Hidden Illness in the White House. Duke University Press, Durham, N.C.

OCR for page 19
--> failed to disclose details about his health status during an election campaign because his advisors felt that such disclosure would adversely affect the outcome of the election.20 Policies must be established to determine who can have access to what information. Organizations must then implement mechanisms to prevent those without legitimate needs from gaining access to information and must try to develop mechanisms to keep those who are granted access from divulging information to others. These mechanisms must balance the need for information against privacy; they must protect information while ensuring that health care will not suffer because someone has been unable to gain access to important information. They must reduce to an acceptable level the risk that health information might be used for purposes that harm (in a physical, emotional, or economic way) the patient, those who care for the patient, or the family and associates of the patient, while still providing legitimate access to ensure that the patient's care will not be compromised, payers will not be defrauded, and researchers can obtain information that will enable further knowledge. Finding the appropriate set of mechanisms for deployment within health care organizations is complicated by the fact that all access controls cost money and time. Care providers who have legitimate needs to access patient information must pass through access controls many times in the course of a day. If authentication and access pathways for users are inconvenient or time consuming, providers will generally choose convenience and may attempt to find ways to bypass controls or refuse to use a system with these pathways. A variety of mechanisms exist for protecting electronic health information.21 These include both technical measures for improving computer and network security as well as organizational measures for ensuring that workers understand their responsibility to protect information and for detecting and reporting violations. Understanding the efficacy, costs, and trade-offs between protection and access inherent in each of these mechanisms is central to implementing sound programs for improving privacy and security in the health care industry. By clearly delineating the types of privacy and security concerns associated with health information, reviewing the uses to which health information is put, and evaluating technical and organizational mechanisms for protecting health 20   CNN Interactive. 1996. "Yeltsin Had Heart Attack During Russian Elections," September 21; available on-line at www.cnn.com. 21   A bibliography compiled by the National Library of Medicine identifies some 800 recent references on topics related to the security and confidentiality of health information. See National Library of Medicine. 1996. Current Bibliographies in Medicine: Confidentiality of Electronic Health Data, No. 95-10. National Library of Medicine, Rockville, Md.

OCR for page 19
--> BOX 1.1 The Medical Information Bureau Inc. The Medical Information Bureau (MIB) Inc. is a nonprofit trade association designed to alert member insurance companies of possible fraud or omissions in life insurance applications. The organization was founded in 1902 by the medical directors of 15 life insurance companies who were concerned that their companies had lost substantial amounts of money because of undetected fraud and omission. Today, MIB has 680 member life insurance companies, including almost every major issuer of individual life, health, and disability insurance in the United States and Canada. MIB collect information about individuals from its member insurance companies. Member companies are required to submit reports to MIB regarding particular applicants if, in the underwriter's judgment, the application contains information significant to life expectancy, such as high blood pressure. Medical conditions are reported by using one or more of about 210 codes. Conditions most commonly report include height and weight, blood pressure, electrocardiogram readings, and x-rays if—and only if—these facts are commonly considered significant to health or longevity. Five additional codes record nonmedical information that may affect insurability, such as an adverse driving record or participation in hazardous activities MIB receives about 3 million reports per year, representing roughly 10 to 15 percent of all applications. It keeps record in ifs files for 7 years and has a database containing reports on approximately 15 million individuals. When a consumer applies to an MIB member company for individual life, health, or disability insurance, the company may ask MIB whether it has a record on the consumer. If there is a record, MIB sends it in coded form to authorized personnel at the requesting company. The company may use the MIB report to detect attempts by applicants to omit or misrepresent factual information: it may not use the report as the basis for denying an application. As a matter of sound underwriting, such decisions are based on independent investigations that document medical and nonmedical information about the consumer. As a matter of law, the National Association of Insurance Commissioners (NAIC) Insurance Information and Privacy Protection information that have been demonstrated in health care settings, this report attempts to demonstrate ways in which privacy and security can be maintained in health care applications of the national information infrastructure. The content of this report is structured to provide illustrations of practical initiatives that can be pursued by health care organizations and to allow a more informed public debate over policy.

OCR for page 19
--> Model Act, which is law in at feast 15 states, explicitly prohibits the use of MIB reports as a basis for decisions. The NAIC act and the federal Fair Credit Reporting Act both require that insurers explain the basis for adverse underwriting decisions. MIB takes a number of precautions to protect personal privacy while providing insurers sufficient information upon which base underwriting decisions. MIB reports do not include street addresses, telephone numbers, or Social Security numbers. Insurers are also required to provide applicants with a written notice informing them that they may make a "brief report" to MIB, identifying the uses to which MIB and its member companies may put the information, and outlining the applicant's right to demand disclosure of information held by MIB and to request that errant information be corrected. In 1995, about 163,400 people requested disclosures from MIB, resulting in corrections to 348 reports. MIB uses a variety of mechanisms to provide security. First, the computer system is "exceptionally user unfriendly." Second, each member has a computer terminal dedicated exclusively to activities approved by MIB. Each terminal has a unique identifying code; all access to MIB is documented, and all requests and transmissions are verified. The system will disconnect from the terminal if the identification code is not recognized. It disconnects after receiving an inquiry that includes the correct code, then dials back the requester, using another code, to establish the connection for transmitting the requested information. According to MIB, all of its 200 staff members are educated regarding expectations of confidentiality, and are limited in their access to the MIB code book, computer room, and database. Member companies must make an annual pledge to protect confidentiality and must adhere to a number of specific confidentiality requirements. MIB audits its members regularly to ensure their compliance with these requirements. SOURCE: Medical Information Bureau Inc. 1995. Medical Information Bureau: A Consumer's Guide. Medical Information Bureau Inc., Westwood, Mass., September. Additional information from Neil Day, president, and James Corbett, vice president, MIB Inc., briefing to the study committee, May 1, 1996. Goals And Limitations Of This Report Objectives This report attempts to guide the debate over the privacy and security of electronic medical information by evaluating practices for better protecting health information. To this end, the report has the following objectives: Illuminate the various flows that characterize the movement of patient-identifiable data over time.

OCR for page 19
--> Evaluate practical measures that can be (and are) used today to reduce the risk of improper disclosure of confidential health information while providing justified access to those interested in improving the quality and reducing the cost of health care. Analyze the types of privacy and security concerns that must be addressed. Examine obstacles and impediments to broader implementations of the measures that are described in this report. Highlight areas that will require further work in order to protect electronic health information. This report takes as its point of departure the committee's interim report,22 which described practices the committee observed in operational health care settings. It expands on the interim report by assessing the utility of these practices in health care settings and by identifying other measures that could be adopted by the health care industry to strengthen its protection of health information. No single organization has implemented all the practices described in this report (or the interim report), but each measure is judged to be practical and economical based on experience to date. Additional mechanisms that are not yet feasible for application to health care are also identified as research needs. What This Report Does Not Do The original charge to the committee called for an assessment of mechanisms to protect the privacy and security of electronic health care information. Technical and organizational measures can help to protect health information within individual organization in which some consensus has been achieved regarding who may have access to particular sets of data. Once the data leave the umbrella of organizational control, however, and flow into databases of prescription records, insurance claims, or epidemiological studies, organizational protections become less effective, and national policy becomes relevant. National policy is much more difficult to forge because of the strongly conflicting goals of diverse constituencies. This report does not address the proper policy balance between access and privacy across all organizations. It does not settle issues that involve making value judgments about benefits compared to risks. A second limitation of this report concerns the pace of change of 22   Computer Science and Telecommunications Board, National Research Council. 1996. "Observed Practices for Improving the Security and Confidentiality of Electronic Health Information: Interim Report." National Academy Press, Washington, D.C., September.

OCR for page 19
--> technology. Whereas today's information infrastructure consists of Ethernet and the Internet, tomorrow's will consist of widespread high-speed networks and hand-held devices connected to the national information infrastructure through wireless communications protocols. Many of the technical recommendations contained in this report will become obsolete as the technical environment changes. This report cannot predict the advance of technology. Although the recommendations contained in Chapter 6 do identify a handful of technologies that will become available to health care organizations in the near future (three to five years), no attempt is made to extrapolate beyond that point. Health care organizations and policy makers at the local and national levels will have to remain cognizant of technological advances and facilitate their adoption. Finally, this report is based largely on a review of practices used at a limited number of facilities, supplemented by reviews of existing literature. Despite its efforts to address many aspects of privacy and security, the committee cannot claim that this report is comprehensive. Many other health care organizations are likely to have developed innovative solutions for protecting electronic medical information that are not described in this report. To the extent that such solutions may be applicable to a large number of other organizations, the committee hopes that health care organizations will attempt to disseminate the results of their efforts among the rest of the community in order to ensure more widespread use of strong protections. With these goals and limitations in mind, the committee hopes that this report will provide a better understanding of the issues and assist in reducing the harm that could be caused by inappropriate disclosure of health information. Organization Of This Report The remainder of this report presents the results of the committee's work, including its findings and recommendations. Chapter 2 discusses the current legal and regulatory environment for protecting health information, noting its limitations and recent initiatives under way in government and industry. Chapter 3 discusses data flows within the health care industry and describes the general types of privacy and security concerns that must be addressed. These include both the vulnerability of data held by particular organizations and privacy issues resulting from the widespread dissemination of data throughout the health care industry. Chapters 4 and 5 examine technical and organizational approaches, respectively, for better protecting electronic health information. These chapters review and evaluate practices within the health care industry (many of which were observed during the committee's site visits) and practices in

OCR for page 19
--> use by other industries. They include technologies currently in use in other sectors of the economy (such as banking and finance) as well as those still under development. Chapter 6 contains the committee's findings and its recommendations for increasing the privacy and security of electronic health information.