STATEMENT
of the
Computer-based Patient Record Institute
to the
National Committee on Vital and Health Statistics

Presented by:
Erica Drazen, ScD
Regarding:
Perspectives on Security Issues in Implementation
of Administrative Simplification Provisions of P.L. 104-191

I am Erica Drazen, ScD, Chairperson of the Computer-based Patient Record Institute (CPRI), from the Emerging Practices Institute of First Consulting Group. We appreciate your inviting a representative of CPRI to address the state of the industry concerning confidentiality and security standards and practices.

As use of information technology becomes more widespread in health care, security may be the most critical issue the industry must address. Computer-based patient record systems that are properly designed and monitored can provide greater protection of confidentiality for individually identifiable health information than paper-based systems. Key factors that enhance security in a computer environment include the capability to positively identify the user, verify authorization, determine rights to access information, restrict retrieval to only specific, "need-to-know" information, encrypt access mechanisms and content, track all access, and remove identifying information when identity is not required to perform a task.

We believe that currently available technology combined with organizational policy changes can be used to greatly enhance security of electronic patient information.
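The controls listed above, as an added illustration that is not part of the CPRI statement or its guidelines: a small Python model of a patient-record store in which every user is positively identified before any access, each role may retrieve only the fields it needs to know, every access attempt is logged whether granted or denied, and a task that does not require identity (a research query) receives a de-identified view. The roles, field lists, users, purposes and the single patient record are constructed sample data; encryption of stored content and of the transmission channel is not shown.

```python
"""Added illustration of the controls listed in the statement: identify the
user, verify authorization, restrict retrieval to need-to-know fields, log
every access attempt, and strip identifiers when the task does not need them.
All roles, users and records below are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Need-to-know: each role may retrieve only the fields listed for it.
ROLE_FIELDS = {
    "physician": {"mrn", "name", "dob", "diagnosis", "medications"},
    "billing": {"mrn", "name", "diagnosis"},
    "research": {"dob", "diagnosis", "medications"},
}
# Fields that identify the individual; removed when identity is not required.
IDENTIFIERS = {"mrn", "name", "dob"}
# Purposes for which identity is not needed to perform the task.
DEIDENTIFIED_PURPOSES = {"research"}


@dataclass
class Store:
    records: dict            # mrn -> record fields
    users: dict              # username -> (salt, password hash, role)
    audit: list = field(default_factory=list)


def make_user(password: str, role: str) -> tuple:
    """Store a salted PBKDF2 hash rather than the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return (salt, digest, role)


def authenticate(store: Store, username: str, password: str):
    """Positively identify the user; returns (username, role) or None."""
    entry = store.users.get(username)
    if entry is None:
        return None
    salt, digest, role = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, digest):
        return None
    return (username, role)


def deidentify(view: dict) -> dict:
    """Drop direct identifiers, keeping only the birth year from the date of birth."""
    out = {k: v for k, v in view.items() if k not in IDENTIFIERS}
    if "dob" in view:
        out["birth_year"] = view["dob"][:4]
    return out


def read_record(store: Store, principal: tuple, mrn: str, purpose: str = "treatment") -> dict:
    """Return only the fields the principal's role may see; log every attempt."""
    username, role = principal
    allowed = ROLE_FIELDS.get(role, set())
    record = store.records.get(mrn)
    granted = record is not None and bool(allowed)
    # The audit trail records denials as well as grants.
    store.audit.append({"user": username, "role": role, "mrn": mrn,
                        "purpose": purpose, "granted": granted})
    if not granted:
        raise PermissionError(f"{username} ({role}) may not read {mrn}")
    view = {k: v for k, v in record.items() if k in allowed}
    if purpose in DEIDENTIFIED_PURPOSES:
        view = deidentify(view)
    return view


def sample_store() -> Store:
    """Constructed sample data: one patient record and three users."""
    return Store(
        records={"MRN-1001": {"mrn": "MRN-1001", "name": "A. Patient",
                              "dob": "1970-04-12", "diagnosis": "E11.9",
                              "medications": ["metformin"]}},
        users={"drlee": make_user("correct horse", "physician"),
               "clerk": make_user("battery staple", "billing"),
               "stats": make_user("staple battery", "research")},
    )


if __name__ == "__main__":
    s = sample_store()
    doc = authenticate(s, "drlee", "correct horse")
    print(read_record(s, doc, "MRN-1001"))
    stats = authenticate(s, "stats", "staple battery")
    print(read_record(s, stats, "MRN-1001", purpose="research"))
    print(s.audit)
```

Two design points carry the weight here. The audit entry is appended before the authorization decision is acted on, so a denied attempt leaves the same trace as a granted one; and de-identification is keyed to the purpose of the access rather than to the user, so a researcher who is also a clinician still receives an identified view only when the stated task is treatment.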

Background

CPRI is a non-profit organization representing the diverse stakeholders in health care. We are committed to advancing improvements in health care quality, cost, and access through use of information technology. Founded in 1992, we provide a neutral forum for the industry to come together to address major barriers and develop common solutions for implementing computer-based patient record systems. We also support the efforts of standards development organizations to develop technical standards and implementation guidelines, and we promote their immediate adoption by the health care industry.

State of the Industry

Health care providers have traditionally relied upon the ethical standards of health care professionals to protect access to records and prohibit redisclosure. As many more people require access to health information in the course of their work, and as more health information is stored and transmitted by electronic means, there is a heightened need for technical and organizational security measures. Several recent studies report increased awareness of this need. The Institute of Medicine study, Health Data in the Information Age: Use, Disclosure, and Privacy (Washington, DC: National Academy Press, 1994), addresses the need for controls over demands for data made by organizations not directly involved in the provision of care. The NRC report, For the Record: Protecting Electronic Health Information (Washington, DC: National Academy Press, 1997), reiterates that requirement and emphasizes the need for the nation to address and mitigate concerns regarding the privacy and security of electronic health care information. CPRI supports the NRC recommendation that health care providers must adopt technical and organizational practices to protect health care information. CPRI also concurs with the National Committee on Vital and Health Statistics (NCVHS) recommendations to Secretary Shalala that the health care industry must work with government to create a legal framework and a proper set of incentives for heightening interest in privacy and ensuring industry-wide protection of health information.

Addressing the Issues

A first step in addressing the issues is to recognize that recommendations for technical and organizational practices already exist, and that their implementation does not necessarily require great expenditure of funds or revamping of entire systems. There are simple and straightforward measures that can be taken that will make a significant impact. They will require a conscious effort to implement and vigilance in monitoring, but they will take considerably less effort than overcoming the effects of breaches of confidentiality. As a provider moves along the migration path of implementing electronic health care information systems, further technical measures that address the risk at each level may be incorporated as part of the necessary infrastructure.

Recommendations

CPRI believes that one barrier to improved security is lack of expertise in designing security programs, evaluating security systems, and implementing change. We have responded by developing tools and models that could be adapted and adopted by providers who want to improve their security program. CPRI has made available on its Web site Security Guidelines for Organizations with Computer-based Patient Record Systems. These guidelines address all the organizational practices recommended by the NRC report.

CPRI's Security Guidelines address policy, management, education, confidentiality, technical features, electronic signatures, and access control. The guideline on developing security policies provides a comprehensive outline of what a security policy should include and how to adapt the policy for the organization's unique culture and environment. The guideline on security management essentially provides a job description for a security manager, or -- for a small provider -- outlines the responsibilities that should be covered to manage a security program. It also outlines a workable security committee structure for involvement of the entire provider community. The guideline on education provides the tools needed to set up a training program for security. Sample confidentiality statements are available for a provider to use in entering into a confidentiality agreement with employees, medical staff, vendors, and others. The security features document provides a checklist for a provider, or its consultant, to assess its security program or evaluate a vendor's security features. This month we will be adding a guideline for implementing electronic signatures -- distinguishing among various forms of signatures, including digital signatures, and providing model policies and procedures for implementation. This fall we will have a guideline for controlling access to health information. CPRI has also produced a glossary of terms related to security to promote consistency of usage among all in health care.

CPRI's documents undergo broad circulation for feedback prior to approval by its membership. For example, the Security Features for Computer-based Patient Record Systems document was sent to over 900 individuals, including the entire membership of over 500 chief information officers who are members of the College of Healthcare Information Management Executives. This diverse input ensures that the guidelines are realistic and usable. We urge the industry to adopt these guidelines and to participate in the development of further technical standards in ASTM, HL7, and other standards development organizations.

Widespread adoption of security guidelines for organizational practices and technical standards would provide individual organizations with a standard level of security, and the industry as a whole with a consistent set of expectations relative to security.

Conclusion

We appreciate the opportunity to encourage use of existing mechanisms and to build upon them to ensure that health care will be able to reap the benefits of information technology while preserving the confidentiality and data integrity that the American people expect.


Computer-based Patient Record Institute
1000 East Woodfield Rd., Suite 102
Schaumburg, IL 60173-5921
Tel. 847-706-6746
Fax. 847-706-6747
http://www.cpri.org