Officials focus on weak links in privacy
Special Report | HHS, partners make securing patient data a specific plank of their platform
You could look at all the state laws in all jurisdictions ... and come up with so many potential conflicts that it would take you forever to resolve them.' Susan Christensen, HHS
Between May 2005 and this June, a front-desk coordinator of a large medical practice in Florida sold patient information on 1,100 people to a cousin, who allegedly used the confidential data to submit fraudulent Medicare claims.
Fortunately for the 1,100 patients, the two were caught. A federal grand jury in Miami indicted them earlier this month.
But the incident underscores the need for more comprehensive privacy provisions as electronic health records become more widely available. And as the use of electronic records expands, there is a sense of urgency building among health IT proponents to ensure privacy.
Privacy has been an embedded component of electronic health records for the Health and Human Services Department and the collaborative groups that are conducting technical, standards, business process and policy tasks. But now HHS officials and their partners are elevating privacy as a separate component.
For interoperable health IT systems to be effective, privacy and security must be built in from the ground up, said Paul Feldman, deputy director of the Health Privacy Project, a consumer privacy group, and co-chairman of the American Health Information Community's Confidentiality, Privacy and Security Work Group.
'It's a cautionary tale,' Feldman said. 'We share the tension that the administration feels that we want this to be adopted, and the benefits to patients and consumers are enormous. But we want it to be done right, with confidentiality and security in place.'
HHS and its partners recently formed the Confidentiality, Privacy and Security Work Group under AHIC, a public/private advisory organization. The working group will tackle privacy and security issues that are universal across the health IT environment as well as within HHS individual efforts. AHIC then will make recommendations for HHS to consider turning into national policy.
'Privacy is incredibly important as we look at all our health IT initiatives. We are trying to work on privacy simultaneously with some of the technology issues and incorporated into the technological solutions,' said Jodi Daniel, director of the Office of Policy and Research at HHS' Office of the National Coordinator for Health IT and the lead on privacy issues.
Later this month, the working group will undertake how to apply user authentication and identity-proofing to establish and verify identity in electronic health records.
'We started with that because they are the first issues to address when somebody accesses a system,' Daniel said, adding that she anticipates recommendations by year-end.
The group then will wrestle with how to ensure correct matching of patients' health data and whether different rules should apply to more sensitive information.
The Health Insurance Portability and Accountability Act, the federal law that covers data transmission in health care transactions for claims processing, acts as a floor for privacy and security. Many states, however, have stricter privacy laws, which could hinder the exchange of data across a nationwide health information network (NHIN).
'With the world of electronic data interchange developing, there may be
a need for other practices,' Daniel said.
The national coordinator's office over the last two years has contracted with collaborative groups whose missions sum up current health IT efforts. The groups have set out to:
- Establish criteria for certifying electronic health record systems
- Harmonize data exchange standards
- Develop prototypes of a nationwide health information network architecture
- Evaluate the variations in state privacy laws.
Health IT components such as electronic health records will reduce medical mistakes, improve the quality of care and cut costs because they can provide all a patient's information at the point of care, HHS secretary Mike Leavitt has said. The HHS-led American Health Information Community makes decisions about how to proceed with the development of interoperable health care systems.
AHIC has selected early versions of health IT systems that should begin to be realized next year. They include lab results as a precursor for electronic health records, secure messaging for chronic care, emergency room symptom data for bio-surveillance and personal health records, including patient histories and medication lists, for consumer empowerment.
To assess what the problems may be, HHS hired RTI International of Research Triangle Park, N.C., to form the Health Information Security and Privacy Collaborative. It has an agreement with 34 states to assess their privacy practices, policies and underlying laws to identify barriers to state electronic health data exchange.
RTI and HHS will meet later this fall with the state and regional representatives to identify solutions to those barriers and later implementation plans for carrying out the plans, said Susan Christensen, senior adviser for privacy issues at HHS' Agency for Healthcare Research and Quality, which administers the contract.Different rules
'You could look at all the state laws in all jurisdictions that are involved and come up with so many potential conflicts that it would take you forever to resolve them,' Christensen said. 'Are they actually getting in the way, or is it the way people interpret those laws, or are there other things that they are doing in the name of privacy and security that aren't even based on law or regulations?'
For example, one state might not allow another state access to a patient's Social Security number, which could affect the use of a record locator service. Or, a state could have different consent laws for physicians than for hospitals.
The goal is to identify good practices and common approaches to solve difficult problems.
'We want to begin to get an idea of best practices, or practices that affect health information exchange that you want to keep for whatever reason,' Christensen said.
There's a commonality across states, but each state is implementing differently. States have to ask themselves if they want to keep the same privacy practices as they move to electronic records exchange, she added.
'Are they doing this to comply with HIPAA, because someone said to do it or it's just good business, such as using aliases with high-profile patients, even though it's not required by law?' Christensen said.
Health plans, providers and public health systems have created up to 300 business practices that are part of privacy and health data exchange, she said. HHS is reviewing these 300 practices under nine domains, such as user and entity authentication, information authorization and access controls, and patient and provider identification, to match identities across multiple systems and locate personal health information across enterprises.
States will be able to filter the practices they want through working groups for legality, variations and solutions to assess what is required by law and what is not. The idea is to accommodate variations where possible, after determining which ones are needed and which ones not.
'I think with technology we may be able to address more of the variations than we thought, but we don't know what they are,' Christensen said.
RTI will report to HHS on the assessment of variations later this year, followed early next year by a national meeting of the states to finalize the assessments and propose solutions for the variations and then a proposed implementation plan, Christensen said.
HIPAA has provided the means for health care organizations to protect their patients' data. But it won't cover everything on a nationwide network, said Paul Tang, vice president and chief medical information officer of the Palo Alto Medical Foundation in Palo Alto, Calif. He also is a member of the privacy and confidentiality subcommittee of HHS' National Committee on Vital and Health Statistics, which recently reported on privacy and security implications of NHIN. The AHIC privacy group will include those recommendations in its work.
'Whereas an individual health care organization has fairly good control over users of its systems, it's much harder to authenticate 250 million people (on NHIN),' Tang said.
Authentication, then, is one of the key technical, policy and business components for interoperable electronic health records, he said.
Little guidance exists for organizations that will move data around NHIN. So it is critical to meet consumers' expectations.
Trust is important so that patients and physicians will use NHIN, Tang said.
'It doesn't necessarily mean that you follow one law. It's a sense that you're going to do with my data what I expect you to do,' Tang said.
One of the levers that the federal government has is that HHS can require agencies, such as the Veterans Affairs Department, to comply with the privacy and security policies that AHIC recommends as a condition for participating in NHIN, Tang said.Setting standards
Where privacy and security policies, practices and business processes mesh is the Nationwide Health Information Network, for which four contractors'Accenture LLP of Chicago, Computer Sciences Corp., IBM Corp. and Northrop Grumman Corp.'are developing prototypes.
HHS has planned a national conference next month in Washington to consider privacy, security and confidentiality issues in NHIN.
Northrop Grumman, for example, is implementing standard technologies to ensure security of access to the system and encryption of the data as it is transported between systems, said Robert Cothren, Northrop Grumman's chief scientist. They are mature technologies similar to cybersecurity for doing business over the Internet.
Authentication and authorization establish the ability to access data in a secure way. The electronic health record, which is at the most local level of any health IT system, handles authentication and authorization. The EHR also is the gateway to NHIN, making it imperative that these processes have privacy and security standards in place, Cothren said.
For example, a hospital could validate the identity of a physician and that the physician has access to its system and provides a user identification and password.
'Authentication is a technology issue; authorization is a policy issue. We're letting the edge system dictate those rather than NHIN enforcing anything on its own,' Cothren said.
Northrop Grumman also is providing the ability of the consumer or patient to control access to information through a consent registry.
'It's one thing to say that if you're a physician, you've got access to all my information. But there are circumstances when the consumer would want control over what information is transferred in the NHIN,' he said.
For example, as part of a medication history, the consumer may not want everyone who has access to NHIN to know of the consumer's treatment for depression or substance abuse. If someone asks for a medication history, the consumer can have that medication deleted from the response.
However, in a process that will likely be repeated as NHIN is developed and assembled, technology will prompt debate to settle the policy questions that arise from advanced capabilities, he said.
'You want to earn and maintain the trust of the public, you want to do good by the patient and avoid doing harm in privacy,' Tang said. 'You have to figure out how to optimize all of those.'