Date: March 5, 1997
Contacts: Barbara Rice, Deputy Director
Shannon Flannery, Media Relations Assistant
(202) 334-2138; Internet <>


Pressure Needed to Improve Security and Privacy of Electronic Health Records

WASHINGTON -- Industry standards, regulatory action, and pressure from consumers all are needed to bolster the privacy and security of electronic patient records, says a new report* by a committee of the National Research Council.

"Solutions are available to make electronic records even more secure than paper records, including electronic audit trails that can track every access to a medical record, backed by tough penalties for violators of privacy," said committee chair Paul D. Clayton, chair of the department of medical informatics and director of clinical information services at Columbia Presbyterian Medical Center in New York City. "But today there are no strong incentives to safeguard patient information because patients, industry groups, and government regulators aren't demanding protection."

To ensure that essential patient information is available to administer care, the health care industry has concentrated its resources primarily on expanding the capabilities of automated information systems rather than protecting them from snoops. Sensitive information also is shared routinely with non-caregivers who use it legitimately for claim payments, research, and oversight. Given the ease and extent to which this information can circulate between organizations and individuals, there is potential for breaches of privacy and security, the committee said.

Computerized systems can raise the quality of medical care and reduce costs by increasing access for intended users and improving the accuracy of patient information. With proper safeguards in place, they also can guard against potential abuse. The committee urged health care organizations -- including hospitals, doctors' offices, and insurance firms -- to adopt the following technical and organizational practices for improving security, most of which can be implemented now:

> Every employee with a legitimate need to know should have a unique identifier or password that allows use of an organization's information systems. Sanctions should be in place to discipline those who share their passwords or who leave records open at unattended computers. The system itself should be programmed to "exit" applications automatically if a workstation is left idle. Procedures also should be set up to guarantee that authorized users can access records in an emergency.

> Organizations should use additional access controls to restrict employees from obtaining information not necessary for their jobs, and routinely conduct electronic audits to track all accesses to clinical information. Organizations that provide health care services to their own employees should allow them to conduct audits of accesses to their own health records. A zero-tolerance policy should be instituted for punishing violators, regardless of their job title. Currently, most hospitals allow doctors and nurses to access the files of all patients, including those not under their care. Some hospitals allow all medical staff to log onto clinical record systems using the same identification code.

> Points in the system that are vulnerable to or set up for remote access should be strongly protected through special software, encrypted passwords, or dedicated modem lines. Organizations with centralized Internet connections should install "firewalls" that deny entry to unauthorized outsiders yet grant access to legitimate users who need to tap specific information systems from a remote location.

> Transmission of a patient's health information over public networks, like the Internet, should be encrypted or coded so that only the intended receiver can decipher it. Policies also should be in place to discourage the inclusion of patient information in electronic mail.

Within a few years, health care organizations should be able to maintain logs of all internal accesses to clinical information, the committee said. In the longer term, organizations should pursue ways of tracing all patient-identifiable information that is passed around.
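The audit-trail practices above (tracking every access, restricting staff to patients under their care, letting people review accesses to their own records, and one identifier per employee rather than a shared code) can be checked against an access log. The following is an added illustration, not code from the report or the committee; the log records, roster, user ids, and workstation names are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample access log (not real data). Fields:
# timestamp, user_id, workstation, patient_id, action.
# user_id is the per-employee unique identifier the committee recommends.
ACCESS_LOG = [
    ("1997-03-05T08:01", "dr_lee",   "ws-icu-1", "P1001", "view"),
    ("1997-03-05T08:15", "rn_ortiz", "ws-icu-2", "P1001", "view"),
    ("1997-03-05T09:30", "dr_lee",   "ws-icu-1", "P2002", "view"),
    ("1997-03-05T09:30", "dr_lee",   "ws-er-4",  "P2002", "view"),
    ("1997-03-05T10:02", "clerk_a",  "ws-adm-1", "P1001", "view"),
    ("1997-03-05T11:45", "rn_ortiz", "ws-icu-2", "P3003", "edit"),
]

# Constructed care roster: the patients each user is assigned to treat.
# A billing clerk has no clinical assignments at all.
CARE_ROSTER = {
    "dr_lee": {"P1001"},
    "rn_ortiz": {"P1001", "P3003"},
    "clerk_a": set(),
}

def flag_out_of_roster(log, roster):
    """Accesses to a patient not on the user's roster (need-to-know check)."""
    return [e for e in log if e[3] not in roster.get(e[1], set())]

def flag_shared_logins(log):
    """User ids seen on more than one workstation at the same timestamp,
    a sign that a single identification code is being shared."""
    seen = defaultdict(set)
    for ts, user, ws, _, _ in log:
        seen[(ts, user)].add(ws)
    return sorted({user for (_, user), ws in seen.items() if len(ws) > 1})

def self_audit(log, patient_id):
    """The view a patient (or an employee auditing their own record) would
    receive: who accessed the record, when, and what they did."""
    return [(ts, user, action)
            for ts, user, _, pid, action in log if pid == patient_id]
```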

The practices proposed by the committee could serve as guidelines for the Department of Health and Human Services (HHS), which must develop industry standards for protecting computerized health records to comply with the Health Insurance Portability and Accountability Act of 1996. Congress has set a February 1998 deadline for HHS to propose security standards and a "universal patient identifier" capable of linking a patient's files throughout the nation's health care system.

But policy-makers should weigh the likely advantages of an identifier -- including lower administrative costs and better access to patient information -- against the potential risks to privacy, the report says. Any method used to identify patients and link records should be evaluated against a set of criteria designed to protect patient privacy. Moreover, the use of a patient identifier should be backed by policies that define improper access and specify sanctions against abusers. An identifier also should be easy to use for legitimate purposes but difficult for an unauthorized person to use to deduce a patient's identity. And it should allow easy identification of those who access a computer record without authorization.

The report notes that health care organizations and others have few incentives for improving computer security, and many believe that the risk of a major breach is low since no widespread, public catastrophe has occurred. Added pressure from consumers as well as the development of industry standards and bolstered regulatory action may provide the needed incentives.

"You don't want to make it too easy for insurers, employers, and others to peruse patient files for their own purposes," Clayton explained. "We have already seen, for example, how the Social Security number's widespread use in motor vehicle licensing, employment, banking, and medical records can be abused to collect information on specific individuals."

From the patient's perspective, widespread flows of information beyond the health care provider -- often without explicit patient consent -- pose the greatest privacy concerns, the committee concluded. Self-insured employers, for example, are not systematically prevented from using health data to deny promotions or even dismiss employees, nor are holders of patient information prevented from selling data to marketing firms for use in targeted direct mailings. Insurers, pharmaceutical benefits managers, medical equipment suppliers, and oversight organizations routinely exchange health data on patients when managing care, conducting quality and utilization reviews, processing claims, combating fraud, or analyzing markets for new business. Yet they are subject to few regulations in the process.

To address these concerns, the committee also recommended:

> a government-industry push to develop and update industry standards for protecting electronic health records, coordinated by a committee of the National Center for Vital and Health Statistics specially assembled by HHS;

> establishment of a new organization that would share information about computer threats and best practices within the health care community, just as the computer emergency response team at Carnegie Mellon University does for the Internet community;

> a government-industry effort to promote national debate on patient privacy issues, raise consumer awareness, and designate a federal "privacy ombudsman" for consumers; and

> adoption of fair information practices, similar to those contained in the federal Privacy Act of 1974, by organizations that collect, analyze, or disseminate health information.

Additional research is needed on methods for linking patient information, ways of allowing anonymous care, audit tools, and management practices to limit the distribution of information to outsiders. The federal government also should fund experiments that mimic actual environments to explore effective and inexpensive ways to control access. Doctors, hospital administrators, and others in the health community also need to become more connected to security efforts at the national level.

The study was funded by the National Library of Medicine, the Warren Grant Magnuson Clinical Center of the National Institutes of Health, and the Massachusetts Health Data Consortium. The National Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. It is a private, non-profit institution that provides science and technology advice under a congressional charter. A committee roster follows.

*Pre-publication copies of For the Record: Protecting Electronic Health Information are available from the National Academy Press at the mailing address in the letterhead; tel. (202) 334-3313 or 1-800-624-6242. The cost of the pre-publication is $35.00 (prepaid) plus shipping charges of $4.00 for the first copy and $.50 for each additional copy. Reporters may obtain copies from the Office of News and Public Information at the letterhead address (contacts listed above).