Healthcare privacy questions are moving to the front burner
By BETTY GASCH
Healthcare InfoTech Contributing Writer
With all of the advancements in new technology geared toward health interventions in general and the computer-based patient record in particular, issues of patient security and confidentiality are being defined by what currently is being done. As we progress along this path, it will become increasingly difficult to maintain a clear boundary between what is and is not appropriate to secure.
There already are issues being raised that will have profound effects not only on the present generation, but on future generations as well. Attorney General Janet Reno has asked that the National Commission on the Future of DNA Evidence study the legality of taking DNA samples from all persons arrested. At the very same time, the ACLU and other organizations are prompting Congress to hold public hearings concerning the misuse of federal databases. This action was in direct response to the report that the U.S. Treasury Department’s Secret Service had hired Image Data (Nashua, NH) to build a national database of drivers’ license photos.
It appears that securing the privacy of health records has moved to top priority, as Sens. Patrick Leahy (D-VT) and Edward Kennedy (D-MA) and Rep. Edward Markey (D-MA) last month introduced legislation on medical record privacy which would require informed consent prior to a patient’s record being disclosed to a third party. This legislation also would require law enforcement officials to seek the counsel of a judge before they could access a medical record while investigating a crime. And then there is the looming implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the proposed national healthcare IDs for every U.S. citizen.
All of this points to the issue of security being a hot topic, but also the reality that the computer is enabling medical science to use medical data in ways that were not conceived of only a few years ago. Under the legislation being introduced by Leahy, Kennedy and Markey advocating informed consent, will the patient have the option of still receiving medical treatment if he or she chooses not to allow a third party to access their record? Is a third party an insurer, the government, a medical researcher, a public health official? All of the above?
The aspect of HIPAA dealing with the confidentiality of individually identifiable health information is the broadest in scope of any movement toward securing the computer-based patient record. It recognizes that the rapid changes in the way in which healthcare is provided, documented and paid for in the U.S. pose challenges to our current value structure. Gone are the days of a patient speaking frankly with his physician, the physician hand-writing a note, and the information being filed under lock and key in the doctor’s office. The Department of Health and Human Services’ (HHS) background information concerning HIPAA called this basic trust between patient and physician "the very lifeblood of our healthcare system."
But the HHS information also pointed out the need to balance this "lifeblood trust" with the needs of insurers, governments, managed care organizations and public health officials and researchers. It is the tension which now exists between these needs that is pulling at all participants in the debate, vendors as well as the others listed by HIPAA. Under HIPAA, there are five basic areas which the Secretary of Health and Human Services has included as being the basis of any decisions for legislating security as it relates to computer information technology being developed.
Those areas include:
Boundaries. HHS recommends that an individual’s health care information should be used for health purposes only but the agency allows a few carefully defined exceptions. HHS further recommends that the legal duty for assuring confidentiality should fall to those who provide and pay for health care as well as anyone who receives information from these parties. This broad, shared accessibility makes accountability difficult to track.
Security. Federal law should require organizations to which we entrust health information to protect this information against deliberate or inadvertent misuse or disclosure. But unless there are serious penalties for violation, this will provide little real protection.
Consumer Control. Here HHS is attempting to strengthen and expand the role of the consumer. Its recommendation says that patients should not only be able to see what is in their chart, but should also be able to obtain a copy, correct errors and find out who else has had access to the record. However, making this a practical reality is likely to be about as straightforward as correcting credit information.
Accountability. According to HHS, those parties who misuse a patient's health information should be punished, and those patients who were harmed and whose information was misused should have legal recourse. This recommendation sounds as if it will provide the teeth to HIPAA, but once a person’s health care information becomes public knowledge, the disclosure can rarely be undone.
Public Responsibility. HHS recommends that a person’s right to privacy must be balanced by a person’s public responsibility to contribute to the public good, through the use of their information for the "important, socially useful purposes, with the understanding that their information will be used with respect and care." Who determines what is important? Who will define what is a socially useful issue? Who has control over the definition of the term "contribute to the public good"?
With these recommendations guiding the HIPAA legislation, it would seem that the federal government wants to become the overseer, but who in the government, and for what purposes?
With more and more healthcare institutions looking toward the Internet for the solution to their communication problems, this proposed balance of individual vs. institution/organization needs becomes ever more precarious. The Internet has been referred to as the information highway, analogous to the interstate highways that we all drive on. While we all know the dangers present when we travel at fast speeds on roads filled with large numbers of other drivers, the dangers of the Internet are still being debated. Even low levels of Internet security are being debated among those in healthcare information technology. In the December 1998 issue of Health Data Management, John Glaser, vice president and CIO at Partners HealthCare System (Boston), said, "I don’t think the privacy problem is real. There is a perceived problem, though, which in a lot of ways makes it a real problem in the eyes of legislators, regulators and consumers." And, at present, no one is in charge of the Internet, and so whatever the CIO of an institution believes to be true is what is usually acted upon.
To add to the confusion, many clinicians do not know much about information technology or the issues of privacy and security. To many novice computer users, choosing a password to employ every time the clinician wants to access a patient’s data is an annoyance at best. As a result, passwords often are the user’s first name or even a shortened nickname easy for them to remember and to use. These are ridiculously easy for any moderately talented hacker to discover in seconds, or minutes at most.
Such information is not typically being brought to the attention of everyday users within a hospital system, and only IT-savvy clinicians are aware of the potential damage. Perhaps IT vendors should require a password of six or more characters, with at least one non-alphabetic character. Hospital IT people have a duty to inform those who work with either an intranet system, or eventually the Internet, as to the importance of this minimum level of security. As a result of the ease of breaking passwords, more and more information systems are looking to incorporate biological-based techniques (retinal eye scans, voice recognition or fingerprint ID) for ensuring security.
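As an added illustration (not part of the original article), the check below applies the suggested minimum of six or more characters with at least one non-alphabetic character, and shows that the minimum alone still accepts the name-based passwords described above. The name-derivation rule and all function and label names are assumptions made for this example.

```python
import re

MIN_LENGTH = 6  # the article's suggested minimum length


def policy_failures(password, names=()):
    """Return the list of rules a candidate password breaks.

    `names` holds the user's first name and known nicknames (an assumed
    input; the article suggests only the length and character rules).
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too-short")
    # all() is True for an empty string, so "" also fails this rule
    if all(ch.isalpha() for ch in password):
        failures.append("no-non-alphabetic")

    # Assumed extra rule: strip digits and symbols, then compare the
    # remaining letters with each name. A prefix of a name counts as a
    # shortened nickname; a name inside the password counts as well.
    letters = re.sub(r"[^a-z]", "", password.lower())
    for name in names:
        n = name.lower()
        if len(letters) >= 3 and (n.startswith(letters) or n in letters):
            failures.append("name-derived")
            break
    return failures


if __name__ == "__main__":
    # Constructed sample passwords for a user named Betty, nickname Bets
    for candidate in ["betty", "betty1", "bets99", "t4ble-Lamp"]:
        print(candidate, policy_failures(candidate, ["Betty", "Bets"]))
```

Note that "betty1" satisfies the six-character, one-non-alphabetic minimum and is rejected only by the added name check.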
Encryption, the process by which data is scrambled into unreadable character sequences to be sent over the Internet and then reassembled into the correct format on the receiving end, is another safeguard available for Internet security. However, the structured format of healthcare data makes it easier to break the encryption. If, for example, a patient’s chart is encrypted and sent as an HL7 message, the patient ID will be in a known part of the HL7 message, and, being a short sequence of all numbers 0 through 9, it will be fairly easy to crack, particularly if it is some simple expansion of the patient’s Social Security number.
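The identifier weakness described above can be checked for before messages leave a system. This added example (not from the original article) audits an HL7 v2 message and flags a patient identifier in PID-3 that is numeric-only or that embeds the Social Security number carried in PID-19; the sample messages, the finding labels and the function names are constructed for illustration.

```python
import re


def pid_fields(message):
    """Return the PID segment split on '|', so fields[n] is PID-n."""
    for segment in re.split(r"[\r\n]+", message.strip()):
        if segment.startswith("PID|"):
            return segment.split("|")
    raise ValueError("no PID segment in message")


def patient_ids(fields):
    # PID-3 may repeat (~); the first component (^) of each repetition is the ID
    pid3 = fields[3] if len(fields) > 3 else ""
    return [rep.split("^")[0] for rep in pid3.split("~") if rep]


def audit(message):
    """Return (identifier, finding) pairs for weak patient identifiers."""
    fields = pid_fields(message)
    ssn = re.sub(r"\D", "", fields[19]) if len(fields) > 19 else ""
    findings = []
    for ident in patient_ids(fields):
        if ident.isdigit():
            findings.append((ident, "numeric-only"))
        if ssn and ssn in re.sub(r"\D", "", ident):
            findings.append((ident, "embeds-ssn"))
    return findings


def build(pid3, ssn):
    """Build a constructed two-segment message (MSH + PID) for the demo."""
    pid = [""] * 20
    pid[0], pid[1], pid[3], pid[5], pid[19] = "PID", "1", pid3, "DOE^JANE", ssn
    msh = "MSH|^~\\&|SENDER|HOSP|RECV|HOSP|199904011200||ADT^A01|MSG0001|P|2.3"
    return msh + "\r" + "|".join(pid)


# Constructed samples; 000-12-3456 is not a valid SSN (area number 000)
WEAK = build("10000123456^^^HOSP^MR", "000-12-3456")
STRONG = build("MRN-7F3K9Q2^^^HOSP^MR", "000-12-3456")

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(STRONG))
```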
It wouldn’t take a determined hacker too long to break the entire code once the person’s hospital ID was decoded. For the average John or Jane Q. Public, you could ask, "Who cares?" But what about a high-profile government official or corporate executive? And what about those who have sent bombs to people because their companies were involved in pollution or who have laced our over-the-counter pain meds with poison? What could those minds do with any of our personal information obtained over the Internet? The New Jersey resident who was just caught spreading the Melissa virus says he was just playing around, that he didn’t intend any harm.
The difficulty with Internet security levels is that the private physician is not able to implement these measures (either technically or financially) to the same degree as a hospital can. But if a physician’s system is tied into an enterprisewide system, then the physician’s office or home becomes the weak link in the security of the entire system, particularly if the doctor is using a web browser interface over the Internet.
Fortunately, security issues are being looked into and Internet2 is on the horizon, but will be implemented too late to provide much protection. Other measures are needed now. Internet2 is primarily focused on improving the speed of electronic transfers and improving reliability. But the National Research Council is currently conducting a study, "Enhancing the Internet for Medical Applications," which includes a serious look at the issue of security for inclusion into Internet2.