For the Record:: Protecting Electronic Health Information

Front Cover

When you visit the doctor, information about you may be recorded in an office computer. Your tests may be sent to a laboratory or consulting physician. Relevant information may be transmitted to your health insurer or pharmacy. Your data may be collected by the state government or by an organization that accredits health care or studies medical costs. By making information more readily available to those who need it, greater use of computerized health information can help improve the quality of health care and reduce its costs. Yet health care organizations must find ways to ensure that electronic health information is not improperly divulged. Patient privacy has been an issue since the oath of Hippocrates first called on physicians to "keep silence" on patient matters, and with highly sensitive data--genetic information, HIV test results, psychiatric records--entering patient records, concerns over privacy and security are growing.

For the Record responds to the health care industry's need for greater guidance in protecting health information that increasingly flows through the national information infrastructure--from patient to provider, payer, analyst, employer, government agency, medical product manufacturer, and beyond. This book makes practical detailed recommendations for technical and organizational solutions and national-level initiatives.

For the Record describes two major types of privacy and security concerns that stem from the availability of health information in electronic form: the increased potential for inappropriate release of information held by individual organizations (whether by those with access to computerized records or those who break into them) and systemic concerns derived from open and widespread sharing of data among various parties.

The committee reports on the technological and organizational aspects of security management, including basic principles of security; the effectiveness of technologies for user authentication, access control, and encryption; obstacles and incentives in the adoption of new technologies; and mechanisms for training, monitoring, and enforcement.

For the Record reviews the growing interest in electronic medical records; the increasing value of health information to providers, payers, researchers, and administrators; and the current legal and regulatory environment for protecting health data. This information is of immediate interest to policymakers, health policy researchers, patient advocates, professionals in health data management, and other stakeholders.

  

What people are saying - Write a review

We haven't found any reviews in the usual places.

Contents

INTRODUCTION
19
The growing Use of Information Technology in Health Care
20
Changes in the Health Care Delivery System
21
Integrated Delivery Systems
22
New Users of Health Information
24
The Electronic Medical Record
25
Advantages of Electronic Medical Records
26
Privacy and Security Concerns
27
Site Visit Summary
114
Key Issues in Using Technology to Protect Health Information
117
Control of Secondary Users of Health Care Information
120
Obstacles to Use of Security Technology
122
Lack of Market Demand for Security Technology
123
Cryptographybased Tools Are Still Out of Reach
124
Helpful Technologies Are Hard to Buy and Use
125
ORGANIZATIONAL APPROACHES TO PROTECTING ELECTRONIC HEALTH INFORMATION
127

Addressing Privacy and Security Concerns
29
Goals and Limitations of This Report
33
What This Report Does Not Do
34
Organization of This Report
35
The Public Policy Context
37
Federal and State Protections
39
Federal Statutes and Regulations
40
Limitations of Federal Protections
42
State Statutes and Regulations
44
Limitations of State Protections
45
Nongovernmental Initiatives
47
Computerbased Patient Record Institute
48
Improving Public Policy
49
Building National Consensus
50
Legislative Initiatives
52
PRIVACY AND SECURITY CONCERNS REGARDING ELECTRONIC HEALTH INFORMATION
54
Scale of the Threat to Health Information Held by Individual Organizations
55
General Taxonomy of Organizational Threats
56
Levels of Threat to Information in Health Care Organizations
59
Countering Organizational Threats
61
Observations on Countering Organizational Threats
64
Systemic Concerns About Health Information
65
Alices Medical Records
69
Government Collection of Health Data
72
Risks Created by Systemic Flows of Health Information
74
Universal Patient Identifiers
78
Conclusions Regarding Systemic Concerns
80
TECHNICAL APPROACHES TO PROTECTING ELECTRONIC HEALTH INFORMATION
82
Observed Technological Practices at Studied Sites
84
Authentication
86
Authentication Technologies Observed on Site Visits
88
Authentication Technologies Not Yet Deployed in Health Care Settings
89
Access Controls
93
Access Control Technologies Observed on Site Visits
94
Access Control Technologies Not Yet Deployed in Health Care Settings
96
Audit Trails
97
Audit Trail Technologies Observed on Site Visits
98
Physical Security of Communications Computer and Display Systems
99
Control of External Communication Links and Access
102
Network Control Technologies Observed on Site Visits
104
Encryption
106
Software Discipline
108
Software Control Technologies Observed on Site Visits
110
System Backup and Disaster Recovery Procedures
111
System Backup Procedures Not Yet Deployed in Health Care Settings
112
Formal Policies
128
Policies Regarding Information Uses and Flows
129
Confidentiality Policies
130
Policies to Protect Sensitive Information
131
Policies on Research Uses of Health Information
134
Policies Guiding Release of Information
135
Patientcentered Policies
136
Access to Records and Audit Logs
137
Organizational Structures
138
Structures for Implementing Policy
139
Structures for Granting Access Privileges
140
Education and Training
142
Training Programs
143
Nonformal Training
144
Educational Tools
145
User Confidentiality Agreements
149
Closing the Gap Between Theory and Practice
153
Implementing an Integrated Security and Confidentiality Management Model
154
Overcoming Obstacles to Effective Organizational Practices
155
Resource Constraints
156
Lack of Focus on Information Technology
157
Cultural Constraints
158
Findings and Recommendations
160
Finding and Conclusions
161
Recommendations
167
Technical Practices and Procedures for Immediate Implementation
169
Organizational Practices for Immediate Implementation
173
Security Practices for Future Implementation
175
Creating an Industrywide Security Infrastructure
177
Addressing Systemic Issues Related to Privacy and Security
180
Developing Patient Identifiers
185
Meeting Future Technological Needs
189
Technologies Relevant to the Computer Security Community as a Whole
191
Technologies Specific to Health Care
192
Testbeds for Privacy and Security
193
Concluding Remarks
194
BIBLIOGRAPHY
197
APPENDIXES
209
Study Committees Site Visit Guide
211
Individuals Who Briefed the Study Committee
221
National Library of Medicine Awards to Develop Health Care Applications of the National Information Infrastructure
222
Sections of the Health Insurance Portability and Accountability Act of 1996 Public Law 104191 Related to the Privacy and Security of Electronic He...
233
Committee Biographies
247
Index
255
Copyright

Common terms and phrases