Prepare now to protect privacy as virtual reality becomes real
Prepare now to protect privacy as virtual reality becomes real
Experts predict electronic records just around the corner
The potential for good is enormous. Imagine a patient experiencing acute chest pains while vacationing miles from home. In a matter of moments, the patient’s entire medical history, family history, risk factors, findings from physical examinations, vital signs, test results, known allergies, immunization record, medications, advance directives, even images such as X-rays are available to the treatment team. Having access to the patient’s medical record saves valuable time, perhaps the need to repeat expensive tests, and possibly a life.
But there is also potential for harm. Imagine a computer hacker breaking into the database of a medical clinic and accessing patient records. Within moments, the names of HIV-positive patients are broadcast over the Internet. Patients’ confidentiality is shattered. Their trust in their providers is shaken. Unlikely, perhaps, but not impossible.
If you think this doesn’t affect you, think again. Experts predict most health care organizations will have a completely electronic medical record (EMR) in the next three to five years. In fact, some case managers report that their organizations have linked up to national databases or the Internet without providing them with any training or a clear understanding of how to keep sensitive clinical patient information secure. Before this happens to you, read what experts interviewed by Case Management Advisor suggest health care professionals do to keep clinical information safe as it travels through this new electronic environment.
Creating a secure patient record follows the same principles, whether it is a paper record or an electronic one, and it must begin with organizational policies and procedures, says Ida Critelli Schick, PhD, FACHE, an associate professor with the graduate program in health services administration at Xavier University in Cincinnati. "If you have concerns about creating a secure EMR, they must be addressed in the developmental stage with policies and procedures. The technology necessary to ensure privacy becomes too cumbersome to add once a system is designed," says Schick, who helped develop a community health network for health care providers in the Cincinnati area.
Her suggestions for case managers preparing policies to smooth their entry into the electronic era include the following:
• Make your system patient-centered.
• Insist that administrators and providers bear serious responsibility to protect privacy and confidentiality.
• Support technical measures with practical administrative policies and procedures.
• Facilitate education and public discussions to prepare patients for the move to EMRs.
Other experts agree that patient education is an essential step on the road to EMRs. "The general public has a perception that once you automate information, it is no longer safe. Overcoming that perception is important. There are many measures that can be used to make computer-based records safer and more secure than paper records," says Margaret Amatayakul, RRA, MBA, executive director of the Computer-based Patient Record Institute (CPRI) in Schaumburg, IL.
"It is incumbent on the health care industry to start addressing the patient education process. The perception that an electronic health care transaction is not secure is false. In fact, giving out your credit card information over the phone is much riskier, yet consumers do it all the time," says Tony Marzulli, marketing manager for the health care information systems business unit at Hewlett Packard in Andover, MA.
"There are more security threats from within organizations than from without," Marzulli says. "Securing confidential information comes down to all software applications having passwords and encryption capabilities. It’s even more important for organizations to use those capabilities.
"We go on site visits to hospitals all the time and see a physician or a nurse walk up to use a computer application, log on, and not know what the password is. Then typically, another person will walk by and say, That’s OK. We removed the password. Just hit return, and you can get in.’ The applications are available. You must have policies and procedures to support them."
Too many times, professionals take new electronic applications and use them without thinking through the implications, cautions Kathleen A. Frawley, JD, MS, RRA, vice president of legislative and public policy services for the American Health Information Management Association’s (AHIMA) office in Washington, DC. "Take e-mail, for example. I would strongly recommend case managers never send sensitive patient information via e-mail. It is not secure. Neither are cell phones or pagers," she says.
For case managers, the bottom line on providing sensitive patient information over a computer network is simple, says Philip Donohue, RN, a medical/legal case consultant and case manager in Framingham, MA. "The case manager is only liable to the point of understanding how secure the information is," he explains. "If you are told this is a secure database used only for internal purposes, and you use it in good faith, you are covered if there is a breach of security. It is the organization providing the system that is at risk if a breach of security occurs."
In addition, Donohue suggests that case managers keep their computer-generated reports brief and keep more comprehensive notes in their personal working files. "All case managers keep raw notes on active files which we use to maintain a knowledge base of the client, but the insurance company doesn’t need to know all that information. You must weigh the information before you send it out and understand the practice act you are working under as well," he says, adding that professional practice acts provide guidelines for the disclosure of patient information.
The Computer Science and Telecommunications Board of the National Research Council in Washington, DC, recently released the report, For the Record: Protecting Electronic Health Information. In this report, the council recommends specific technical and organizational practices to improve the privacy and security of EMRs. (For further discussion of organizational security, see story, below.) Those recommendations include:
• Individual authentication of users.
Simply put, this means that each individual in an organization should have a unique identifier, or log-on ID, for logging onto the organization’s information systems.
• Access controls.
Procedures should allow only users with a legitimate need to know the right to access and retrieve information.
• Audit trails.
Each time an individual accesses clinical information, there should be a record of that transaction which includes the identification of the individual, the time and date of access, and the information accessed. Audit logs should be reviewed for inappropriate accesses.
• Physical security and disaster recovery.
Unauthorized physical access to computer systems, displays, networks, and medical records should be limited. Backup data should be stored in case of natural disaster or computer failure and be maintained in safe places or encrypted form.
• Protection of remote access points.
"Firewalls" should be installed in systems with central Internet connections to provide strong, centralized security and allow outside access only to those systems critical to outside users. A secure authentication process should be required for remote and mobile users, such as home computers.
• Protection of external electronic communications.
All patient-identifiable information should be encrypted before transmission over public networks, such as the Internet.
• Software discipline.
All servers should have virus-checking programs and limited ability of users to download or install their own software.
• System assessment.
The security and vulnerabilities of information systems should be assessed on an ongoing basis. Existing "hacker scripts" and password "crackers" should be run against systems each month.
• Security and confidentiality policies.
Explicit security and confidentiality policies that express a dedication to protecting health information should be developed. Policies should state the type of information considered confidential, individuals authorized to release the information, procedures to be followed for a release, and individuals authorized to receive information.
• Security and confidentiality committees.
A standing committee or an individual should be appointed to develop and revise policies and procedures for protecting patient privacy and ensuring the security of information systems.
• Information security officers.
An information security officer should implement and monitor compliance with security policies and practices. The security officer should maintain contact with national information security organizations.
• Education and training programs.
All users of information systems should receive minimal training in security practices and knowledge of existing confidentiality policies before being granted access to any information systems.
• Sanctions.
A clear set of sanctions for violations of confidentiality and security policies should be applied uniformly and consistently regardless of job title.
• Improved authorization forms.
Authorization forms should improve patients’ understanding of health data flow and limit the time period in which authorizations are valid. The forms should list the types of organizations to which identifiable and unidentifiable information is commonly released.
• Patient access to audit logs.
Patients should have the right to request and review audit logs of all accesses to their EMRs. "Patients have no clear understanding of what health information is captured and where it goes," says Frawley, who served on the board that wrote the National Research Council report.
Several projects have received national funding to develop secure systems that will provide a model for others as the health care industry continues its push to go on line. The Patient Centered Access to Secure Systems Online (PCASSO) project will enable consumers to access their own health information securely over the Internet. Its developers are incorporating many of the National Research Council’s guidelines into the project.
Use dedicated computers
"PCASSO will allow patients to access their own health information and track anyone who has accessed their health information. PCASSO provides security functions that allow users to establish who is authorized to access what portions of patient records," explains Dixie B. Baker, PhD, with the Science Applications International Corporation in San Diego, which is developing PCASSO in cooperation with the University of California, San Diego.
"As I see health care addressing the EMR, I don’t believe in many cases that health care organizations are applying the level of security that needs to be there," Baker explains.
"EMRs have broader implications and potential for abuse than paper records. EMRs provide the potential for sensitive information to be transferred around the world in a matter of seconds. The risk is much higher and much easier," she says.
For now, the computer scientist suggests that case managers and providers use a dedicated computer, which sends only encrypted data, to transfer patient information and use a separate computer to "surf the Web."
(Editor’s note: Health care organizations continue to move toward EMRs. Several computer software companies have developed products to help organizations secure patient information in this electronic environment.
The California Medical Association recently endorsed a patient "smart" card produced by EMCard in Palo Alto, CA, which provides physicians instant access to an individual’s medical record.
Hewlett Packard, also of Palo Alto, CA, has developed CareVue H1, a point-of-care information system that supports a multidisciplinary approach to patient care with enhanced security and clinical note filtering capabilities.
Look for profiles of these and other new products, as well as case studies of organizations on the cutting edge of the EMR revolution, in future issues of Case Management Advisor.)
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.