According to a report by the National Academy of Sciences, the industry is still in the process of developing standards for protecting health information within individual institutions.
These practices should be adopted by all organizations that handle patient-identifiable health information, not just providers and payers. The practices should include technical tools to identify and validate the identity of users, limit their access to particular types of information, protect remote access points, and keep logs of all accesses to health information. They should also include organizational policies, procedures, and practices that ensure that institutions develop, implement, and enforce security and confidentiality policies.
By focusing more on requirements than on particular mechanisms, these practices can be adopted by a wide range of organizations with different needs and resources. They are flexible enough to allow different technical approaches and to accommodate new technologies as they emerge, according to John Glaser, of Partners HealthCare System, Inc.
Glaser says he also recommends that industry work with government to develop the infrastructure needed to help health organizations better protect health information. Industry and government should continue to support a health information security standards subcommittee within the National Committee on Vital and Health Statistics. They should also establish an organization modeled after the computer emergency response team at Carnegie Mellon University to collect information about security incidents in the healthcare community and to develop and disseminate effective solutions for addressing these concerns.
Additional steps, however, will be needed to address the systemic concerns that arise from the widespread sharing of patient information throughout the healthcare system. While academic research is generally subject to review and approval by institutional review boards, few "mechanisms exist to regulate or monitor the use of health information in other sectors, whether insurance, benefits management, or marketing," says Glaser. "Patients fear that organizations may use the information in ways that will harm them, whether to deny insurance, employment, or a promotion."
The federal government works with industry to promote an informed public debate that would determine how best to balance the privacy concerns of patients against the information needs of various organizations.
Universal Patient Identifiers
In addressing systemic concerns, Congress may also wish to promote an initiative to create a unique health identifier for each patient in the healthcare system. This effort is part of the follow-up to the Health Insurance Portability and Accountability Act of 1996.
Glaser says a universal patient identifier clearly has many benefits, allowing the many different records referring to an individual patient across the healthcare system to be linked more easily for care, payment, administration, or research. But a universal identifier may also exacerbate systemic concerns over patient privacy. If information can be linked for legitimate purposes, such as collating a complete medical record for a physician, it also may be linked for other purposes that patients might not approve of. It might even allow health records to be linked with records outside the healthcare system.
"Other criteria, such as ease of management and integration into existing information systems, will also need to be considered in devising a universal patient identifier. These three criteria are intended to ensure that privacy concerns are explicitly recognized in the debate and that patient privacy is ultimately protected," says Glaser. "By addressing issues at the level of individual institutions and the healthcare system as a whole, comprehensive protections can be put in place that will address the broad spectrum of privacy concerns."
With electronic files, for the first time doctors can be assured of who accessed a file, and how often, something that is not at all possible with old-fashioned paper trails, says Ransome. "This allows for cleaner audit trails," he says.
One healthcare network, Meridian Health of Neptune, NJ, recently used electronic document audit technologies to investigate how much money it was "losing when Medicare reimbursements were made," Jimmy Moock, a spokesman for the project, says. Working with a consulting company, CBIZ KA Consulting, a publicly traded firm based in East Windsor, NJ, the investigators compared Meridian's results with those of hospitals across the state. "The numbers are scary," according to Moock. "And the current stance is that it will only get worse."
Florida Compare Care
Tumblewood Communications, Corp.
Xerox Global Services
Sidebar: Best Practices For Medical Information Management
What are some of the best practices that organizations are adopting to ensure access to digital records—and make sure that the health information is secure?
Individual authentication of users. To establish individual accountability, every individual in an organization should have a unique identifier (or log-on ID) for use in logging on to the organization's information systems.
Access controls. Procedures should be in place for ensuring that users can access and retrieve only that information that they have a legitimate need to know.
Audit trails. Organizations should maintain, in retrievable and usable form, audit trails that log all accesses to clinical information. The logs should include the date and time of access, the information or record accessed, and the user ID under which access occurred. Organizations that provide healthcare to their own employees should enable employees to conduct audits of accesses to their own health records. Organizations should establish procedures for reviewing audit logs to detect inappropriate accesses.
Physical security and disaster recovery. Organizations should limit unauthorized physical access to computer systems, displays, networks, and medical records; they should plan for providing basic system functions and ensuring access to medical records in the event of an emergency.
Protection of external electronic communications. Organizations should encrypt all patient-identifiable information before transmitting it over public networks, such as the internet. Organizations that do not meet this requirement either should refrain from transmitting information electronically outside the organization or should do so only over secure dedicated lines.
System assessment. Organizations should formally assess the security and vulnerabilities of their information systems on an ongoing basis. For example, they should run existing "hacker scripts" and password "crackers" against their systems on a monthly basis.