by Tracy Mayor

Health Care’s Invasive Procedures: Protecting Patient Privacy

Jan 15, 2001 | 14 mins

Reader ROI

Find out what hospitals are doing to digitize medical records

Learn the pluses and minuses of electronic medical records

Understand the extent to which technology can and cannot safeguard patient confidentiality

Your head’s been stuffed for weeks, and you don’t know why. Having gone to an allergist for a round of tests, you leave with a PIN, a password and a URL. This allows you to log in to a secure, personalized website to check the results of your tests, send your doctor a question via e-mail and schedule a follow-up appointment. While you’re on the site, you take a look at your medical record and notice it lists a medication you’re no longer taking. You e-mail the hospital records department to make the change and, just for good measure, add a list of herbal supplements you take at home. It’s just the kind of accurate, convenient, cooperative interaction that has the potential to tilt the power balance in medicine back toward the patient.

But what if you weren’t waiting for allergy medicine?

What if you were awaiting results from a test for pregnancy, HIV or prostate cancer?

What if your doctor’s e-mail reply was picked up by your spouse, coworker or a stranger bent on mischief?

What if the person looking at that medical record wasn’t you but a bored admissions clerk idly surfing the hospital’s intranet, or your nosy neighbor who happens to be in the office of a small debt-collection agency, or your ex-spouse’s attorney gathering evidence to be used against you in a child-custody case?

What was convenient and empowering can quickly become an invasion of privacy. If consumers are cautious with their credit cards online, imagine their concern when the most intimate details of their body and mind are computerized and circulated to a potentially wide audience for myriad reasons, often without their knowledge or expressed informed consent.

Yet make no mistake about it: Electronic medical records are coming, slowly but inevitably, to a health-care facility near you. The “carrot” is cost savings. One study, by the Workshop on Electronic Data Interchange, estimated that the health-care industry could save at least $73 billion annually by adopting electronic data-exchange practices. The “stick” is the federal government. Frustrated with HMOs’ high bureaucratic costs, the Department of Health and Human Services has mandated, through its Health Insurance Portability and Accountability Act of 1996 (HIPAA), that large health-care organizations be prepared to adopt more cost-effective, uniform procedures for exchanging digital data with their business partners by 2002, with smaller companies to follow suit a year later.

And so CIOs at health-care organizations find themselves caught at the intersection of technological imperative and public policy. They’re pushing toward the goal of fully digital medical records, even as they grapple with super-sensitive and as yet unresolved issues of security and privacy. IS executives are striving to protect their networks against outside invasion by hackers and minimize the more insidious threat of internal malfeasance. They are also trying to ensure the security of data flowing out of their systems into the networks of such business partners as billing agents, insurers, debt collectors, researchers, agencies at every level of government and charitable organizations.

Whither Patient Confidentiality?

It’s that vast network of potentially interconnected, large-scale information systems that worries privacy advocates like Dr. Margo Goldman, a practicing psychiatrist and director of policy development for the National Coalition for Patient Rights, an Andover, Mass., medical-records watchdog organization. Goldman argues that the combination of widely distributed electronic records and increasing demands from managed-care plans for the disclosure of patient information is essentially dismantling the established assumption of patient confidentiality.

“Paper records can be locked in a file cabinet. If there was a disclosure to be made, someone had to go through the medical records office with a specific request,” she points out. Now, information captured once can be used and reused in countless ways, often without the patient’s knowledge. “Unfortunately, it’s cheaper and easier to give [health-care workers] the broadest access,” Goldman says. “And with no overarching policies to guide any of this, institutions are left to their own devices.” (New privacy rules announced in late December by outgoing President Clinton are intended to provide such guidelines in two years’ time.)

Even so, CIOs at places like CareGroup, Kaiser Permanente and Partners Healthcare say they have developed state-of-the-art measures to safeguard the security of electronic medical data and are as confident as they can be of patient confidentiality.

IS executives also note that a majority of their patients want the convenience of electronic medical records. “We have done a lot of [patient] surveying, and 100 percent wanted the convenience transactions and the ability to message their doctor in a secure environment,” says John Halamka, CIO at CareGroup, a Massachusetts-based affiliation of six hospitals, headed by the Beth Israel Deaconess Medical Center in Boston, that serves 1 million patients.

It’s Not the Hackers

But just what constitutes a secure environment? The prospect of medical records being accessed by an outside hacker is the scenario that might come to mind most quickly. But Halamka and nearly all of his colleagues at big health centers across the nation say that that particular threat is as close as it can be to negligible, thanks to measures like the eight-point security architecture CareGroup maintains to protect its $1.4 billion integrated data network.

“The risk of outside invasion is one in a multiple million,” says Halamka, who is also an emergency room physician. “The real risk is not external, it’s internal.” In other words, it’s not the stranger on the Net, but the stranger inside the hospital system who’s more likely to compromise confidentiality, either intentionally or accidentally.

Kaiser Permanente, the nation’s largest HMO, is still smarting from one such unintentional leak, which occurred when about 850 e-mail messages, some of which contained sensitive personal medical information, were wrongly sent to 19 Kaiser Permanente members. The glitch occurred when a technician was upgrading the company’s system, and Kaiser Permanente officials say they are working to ensure such leaks don’t happen again.

Internal snooping by authorized employees is a little harder to control. Health-care organizations walk a fine line in determining which employees are given access to what data under which circumstances. Too much access and a patient’s privacy can be violated, as when a simple discharge order unnecessarily includes psychiatric notes. Too little, and caregivers can be denied critical patient data when they need it the most.

“It’s an uneasy balance. You want to protect people’s rights, but you don’t want doctors in an emergency room or a neurologist who’s new on a case having to say, ‘God, I’m sorry, I can’t see your data,’” explains John Glaser, CIO at Partners HealthCare System, a $3.5 billion Boston-based organization that comprises more than 5,000 physicians and such hospitals as Massachusetts General and Brigham and Women’s.

Hospitals must also guard against the prospect of personnel with authorized access using data incorrectly, as when a gynecologist at one health plan read a patient’s psychiatric records online and told her that her menopausal problems were all in her head.

More worrisome, and more directly in the CIO’s purview, is what happens to medical data once it leaves the hospital network and travels out to insurers, researchers, fund-raisers, debt collectors and various state and federal agencies. “The bigger problem is the movement of data through multiple organizations, the secondary and tertiary transfer of data,” observes Glaser. “Those issues are more about policy and regulations than they are about technology. And of course HIPAA addresses that to a very serious degree.” (See “Keeping Uncle Sam Happy,” Page 79, for more on how health-care organizations are preparing to comply with the Health and Human Services regulations.)

The Technology Arsenal

At a time when even progressive health-care organizations are still working toward the ideal of truly ubiquitous electronic medical records, 70 percent of CareGroup’s patient records are Web-enabled, says Halamka, a result of the merger of the Beth Israel and Deaconess hospitals in 1996. “We needed a way to display to physicians data that was stored in several different legacy databases,” Halamka explains. Rather than create a monolithic data repository, CareGroup chose to build a virtual patient record that leaves legacy data where it is and assembles and presents the data in a uniform, browser-based interface that’s easy to work with and familiar. “The Web is agnostic and ubiquitous. It can take data from wherever and display it at the point of care, wherever that may be,” Halamka says.

A Web browser may make a great front end for aggregating data, but the Web itself is simply too wide open to serve as a secure delivery vehicle, health IT managers say. That’s why CareGroup and many other large health organizations use virtual private networks to bring physicians’ offices and other outlying staff into their networks.

To protect this multi-institutional network, CareGroup instituted a security architecture built on recommendations from the federal government’s National Research Council. Any medical staffer can log on to this system with a SecurID, a small, handheld device with a microprocessor displaying a code that changes every 60 seconds or so. To access the system, staffers must enter a user name, a PIN, and the current password from the SecurID. If they enter an old password, the system just won’t let them in.
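The token login described above, as an added example that is not CareGroup's or RSA's code: a time-based one-time code verifier modelled on the RFC 6238 TOTP construction (an assumption standing in for the SecurID token's proprietary algorithm), with a 60-second window, a PIN check, and rejection of any code that is stale or has already been accepted. The secret, PIN and timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the token shows a new code each minute (assumed, per the article's "60 seconds or so")
DIGITS = 6


def totp_code(secret: bytes, unix_time: int) -> str:
    """Compute the 6-digit code for the 60-second window containing unix_time (RFC 6238 style)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** DIGITS:0{DIGITS}d}"


class TokenVerifier:
    """Server-side state for one user: shared token secret, PIN hash, last accepted window."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        # Placeholder hashing; a real deployment would use a slow, salted KDF for the PIN.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.last_window = -1

    def verify(self, pin: str, code: str, now: int) -> bool:
        """True only for the correct PIN plus the code of the current window, used once."""
        offered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(offered, self.pin_hash):
            return False                                      # wrong PIN
        window = now // STEP_SECONDS
        if window <= self.last_window:
            return False                                      # replay of an already-used window
        if not hmac.compare_digest(code, totp_code(self.secret, now)):
            return False                                      # old code or guess: "won't let them in"
        self.last_window = window                             # burn this window so the code can't be reused
        return True
```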

Access control is assigned by job role on a need-to-know basis, with each person receiving the minimum amount of data necessary to perform his job. For example, an administrator in charge of discharging a patient wouldn’t have access to that patient’s psychiatric records.

Audit trails that display time, date, information accessed and user ID are monitored daily, Halamka says, and are available for patient review on request. Remote access is protected by firewalls, encryption and single-session passwords, and electronic records are authenticated using electronic signatures. To ensure physical security, locked, geographically dispersed site servers and offsite backup for disaster recovery are required. At the workstation level, virus checking is required and page caching is prevented, so that records can’t be retrieved from a central server and then stored, either deliberately or inadvertently, on a local machine. Finally, the system automatically compiles security logs, server logs and failed log-in attempts, and spits out a printout for IS personnel to review on a daily basis.

CareGroup combats the abuse of privacy by employees through several means. The technology ensures that employees see the minimum amount of personal data they need to perform their jobs, and all employees are trained extensively in privacy protection. Those caught violating the rules are fired. “We fire three or four people a year,” Halamka says.

Like CareGroup, Partners HealthCare System requires its physicians, clinicians and other employees to access the company’s network via a user ID, password and, when coming in from offsite, a secure PIN. Workers are also assigned varying levels of access depending on their job role, according to Glaser.

Partners uses prompts and reminders built right into the software as a first line of defense in determining whether employees with clearance are using their access inappropriately. “If we detect you going after someone’s record for no a priori reason, we say via software, ‘Tell me your relationship to this patient,’” says Glaser. “If he says he’s a consulting physician, we ask for how long and if the patient is giving him approval to do this. And we remind people that we reserve the right to see if there’s a consent on file.”

The Providence Health System, a regional health-care organization in the Northwest, headquartered in Seattle, uses a similar two-step access-and-audit approach, according to Rick Skinner, CIO of Oregon state operations. For efficiency purposes, all physicians are given access to all patient records. If, however, the doctor-patient connection has not been entered into the system, a screen pops up reminding the doctor that he isn’t the physician of record and warning that access to the patient’s records will be audited and reviewed. “We can run a report that says, ‘Give me all the physicians last week who had that access,’ and then determine if there was a reason for this,” Skinner says.
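The access-and-audit pattern that CareGroup, Partners and Providence describe, as one added example (not any of those organizations' code): role-based minimum data sets, a "state your relationship" prompt when no treatment relationship is on file, every grant logged, and the weekly "who accessed records they had no relationship to" report. Roles, users, patients and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Least privilege by job role: a discharge clerk never sees psychiatric notes.
ROLE_SECTIONS = {
    "physician": {"labs", "medications", "psychiatry", "discharge_summary"},
    "discharge_clerk": {"discharge_summary", "medications"},
}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    patient: str
    section: str
    on_file: bool   # True if a doctor-patient relationship existed at access time
    reason: str     # answer given to the prompt; empty when the relationship was on file


class RecordSystem:
    def __init__(self):
        self.relationships = set()   # (user, patient) pairs entered into the system
        self.audit = []              # the audit trail reviewed daily / on patient request

    def add_relationship(self, user, patient):
        self.relationships.add((user, patient))

    def access(self, user, role, patient, section, now, stated_reason=None):
        """Return 'denied', 'prompt' or 'granted'. Every grant is written to the audit trail."""
        if section not in ROLE_SECTIONS.get(role, set()):
            return "denied"                      # outside this role's minimum data set
        on_file = (user, patient) in self.relationships
        if not on_file and not stated_reason:
            return "prompt"                      # "Tell me your relationship to this patient"
        self.audit.append(AuditEvent(now, user, patient, section, on_file, stated_reason or ""))
        return "granted"

    def unrelated_access_report(self, now, days=7):
        """'Give me all the physicians last week who had that access': grants with no relationship on file."""
        since = now - timedelta(days=days)
        return [(e.user, e.patient, e.section, e.reason)
                for e in self.audit if not e.on_file and e.when >= since]
```

Denied attempts are not logged here only to keep the block short; a production system would record them too, since failed attempts are part of the log review the article describes.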

Like CareGroup, Providence looks to the Web to bring together disparate systems across geographically dispersed medical centers. Four years ago, the organization finally abandoned the idea of a centralized data repository after concluding the maintenance requirements were too costly. Now, between 60 percent and 75 percent of all hospital data is recorded electronically, with the remainder (handwritten physicians’ notes and the like) scanned, digitized and added to the legal medical archive upon the patient’s discharge. Physicians and other staff can access reports via the Web from several systems, including laboratory, radiology, order entry, EKG and transcription.

We Know It’s You

This month, Kaiser Permanente, which serves some 8 million members in 11 states and Washington, D.C., is expected to launch a new public-key infrastructure (PKI) system, which many IS practitioners view as the most secure system commercially available today. A PKI uses digital certificates to authenticate users and then uses digital signatures—the electronic “signing” of documents—to track what actions people take while logged on to the system, what files they look at, what orders they issue and so on. “We’ll know it’s you on the system, and with the digital signature, we’ll know it’s you doing the work,” says Tim Sullivan, senior vice president and CIO at Kaiser Permanente in Oakland, Calif. Kaiser Permanente’s Hawaii operations will be the first to use PKI, with California and Colorado due to follow in the coming year.

CIOs at the big medical institutions like CareGroup, Partners Healthcare and Kaiser Permanente are confident that their systems are secure from unwanted intrusion. Internal systems and policies are in place to keep employees toeing the security line, and HIPAA will make health-care organizations liable if any of their business partners use patient information in inappropriate ways. That leaves the doctor-patient interaction as the last wide-open security front.

Busy caregivers are now “talking” with patients via e-mail, websites, faxes or even just plain voice mail. But these unregulated, seemingly benign forms of communication are often the places where security and confidentiality are most apt to be compromised, health-care CIOs say.

“When a doctor is communicating with a patient over e-mail, he doesn’t know who’s actually picking up that mail, how quickly it’s being read or what frame of mind the patient is in when he gets it,” Partners’ Glaser notes. “When you talk about e-mail security, encryption is the least part of it.”

Kaiser Permanente plans to launch next year a post-office e-mail system aimed at addressing some of those issues in a standardized way. Rather than simply swapping e-mail with a doctor, patients will receive an e-mail telling them they have a message waiting at a secure website, which they then must access via password and PIN. “That still won’t prevent people from writing their password on a yellow sticky note next to their PC, but it does take that messaging out to somewhere that’s secure,” says Sullivan.

Currently, all Kaiser Permanente patients can refill prescriptions and schedule nonurgent appointments online, with online access to medical records. CareGroup launched a site this past spring that gives patients access to their medical records—with reservations, says Halamka. “Some items we have elected not to Web-enable,” he explains. “Pathology results, viral loads [an indication of HIV health], cancer results—those all need human interaction,” he says. “But patients can look up a list of any diagnostic elements done to them recently, review their medication lists, add to their own problem list or check out drug-to-drug interactions.”

Those kinds of conveniences meet the needs of evermore savvy health-care consumers, says Peter Waegemann, executive director of the Medical Records Institute. Privacy and security issues are still being hashed out, he concedes, but the future of electronic medical records is secure. “It’s irresponsible in the year 2000 not to have a maintenance record on your own body,” Waegemann says. “People are conscious that their health is their main asset, and they want control over that asset.”