New electronic security measures proposed

Goal: To ease physician, consumer fears

On Aug. 11, Department of Health and Human Services (HHS) Secretary Donna E. Shalala proposed new standards for protecting individual health information when it is maintained or transmitted electronically. The new security standards are designed to protect all electronic health information from improper access or alteration, and to help prevent accidental loss of these records, HHS officials say.

"These proposals . . . set a national standard for protecting the security and integrity of medical records when they are kept in electronic form," Shalala said. "It is crucial to have these standards, as we move increasingly toward electronic medical records. But it is also not enough. In addition, we urgently need new legal protections to safeguard the privacy of medical records in all forms."

The proposed regulations include technical guidance as well as administrative requirements for those who use electronic health information or medical records of individuals. All health plans, health care providers, and health care clearinghouses that maintain or transmit health information electronically will be required to establish and maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information.

Included in the proposal is a new electronic signature standard requiring the use of a digital signature whenever an electronic signature is required for one of the standard transactions specified in the law. A digital signature is a specific kind of electronic signature: a cryptographic value computed over the document with the signer's private key, which anyone holding the matching public key can check. This standard will verify the identity of the person signing and the authenticity of an electronic health care document, and any alteration of the document after signing will cause the check to fail. A digital signature protects integrity and signer identity only; it does not by itself keep the contents confidential, which is why the separate transmission and storage safeguards in the proposal are still needed.
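To make the identity and authenticity properties concrete, here is an added illustration, written for this article and not part of the HHS proposal or of any HHS software: a signer key pair is generated, a constructed sample claim document is signed, and a verifier checks both that the signature matches the document and that the signer is a key it already trusts. The Ed25519 algorithm, the document layout, and all names below are assumptions chosen for the illustration; the proposed rule as described here does not specify an algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SignedDocument bundles an electronic document with the claimed signer's
// public key and the signature computed over the document bytes.
// (Hypothetical structure for this example.)
type SignedDocument struct {
	Document  []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// NewSigner generates a fresh Ed25519 key pair for a hypothetical signer
// (for example, a physician). The private key must stay with the signer.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument signs a copy of doc with the signer's private key and
// attaches the signer's public key so a verifier knows whose key to use.
func SignDocument(priv ed25519.PrivateKey, doc []byte) SignedDocument {
	return SignedDocument{
		Document:  append([]byte(nil), doc...),
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, doc),
	}
}

// VerifyDocument checks that the signature matches the document under the
// claimed signer key. Any change to the document, the signature, or the key
// makes this return false. Lengths are checked first because ed25519.Verify
// panics on a malformed public key.
func VerifyDocument(sd SignedDocument) bool {
	if len(sd.Signer) != ed25519.PublicKeySize || len(sd.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(sd.Signer, sd.Document, sd.Signature)
}

// VerifyAgainstTrustedKey is what a receiving health plan or clearinghouse
// would actually run: the signer key attached to the document must be one
// the verifier already trusts, otherwise an attacker could sign with a key
// of their own and attach it. Only then is the signature itself checked.
func VerifyAgainstTrustedKey(sd SignedDocument, trusted ed25519.PublicKey) bool {
	if !trusted.Equal(sd.Signer) {
		return false
	}
	return VerifyDocument(sd)
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample claim; not a real transaction format.
	doc := []byte("claim: provider=example-clinic patient=0001 procedure=99213")
	sd := SignDocument(priv, doc)
	fmt.Println("signature:", hex.EncodeToString(sd.Signature))
	fmt.Println("valid, trusted signer:", VerifyAgainstTrustedKey(sd, pub))

	// Alter one byte after signing: the signature no longer matches.
	tampered := sd
	tampered.Document = append([]byte(nil), doc...)
	tampered.Document[len(tampered.Document)-1] = '4'
	fmt.Println("altered document accepted:", VerifyDocument(tampered))
}
```

The trusted-key check is the part most often skipped in practice: a signature that verifies under an attached key proves only that whoever holds that key signed the document, so the verifier must independently know which keys belong to which signers.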

"Electronic medical records can give us greater efficiency and lower cost. But those benefits must not come at the cost of loss of privacy," Shalala said. "The proposals we are making today will help protect against one kind of threat - the vulnerability of information in electronic formats. Now we need to finish the bigger job and create broader legal protections for the privacy of those records."

All firms that transmit or maintain electronic health information will need to develop a security plan, provide training for employees, and secure physical access to records. Health information about individuals must be protected both during transmission and wherever it is maintained in electronic form. Other administrative procedures, physical safeguards, and technical security measures will also be required.

The new electronic data security standards were mandated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which also called on the Secretary of HHS to make recommendations to Congress on how to protect the privacy of health information. Under HIPAA, Congress has until August 1999 to enact privacy protections. If Congress fails to act by that time, HIPAA authorizes the secretary to implement privacy protections by regulation.

Other HIPAA-required proposals include standards for a uniform electronic health care claim (and other common administrative transactions), and for reporting diagnoses and procedures in the transactions.

HHS also has proposed the adoption of a unique health identifier number for every American. However, strong public reaction over individual privacy and the specter of Big Brother government has forced the administration to put that idea on indefinite hold.