STATEMENT

of

Adele A. Waller, Esq.
Goldberg, Kohn, Bell, Black, Rosenbloom & Moritz, Ltd

to the National Committee on Vital and Health Statistics

Regarding

Health Information Security

I am Adele Waller, Principal in the Chicago law firm of Goldberg, Kohn, Bell, Black, Rosenbloom & Moritz, Ltd., where I head the health law practice. I serve as Chair of the Health Information and Technology Substantive Law Committee of NHLA/AAHA, Inc., the organization created by the recent merger of the American Academy of Healthcare Attorneys and the National Health Lawyers Association. I authored the legal appendix to the Institute of Medicine's report, The Computer-based Patient Record: An Essential Technology for Health Care (Washington, DC: National Academy Press, 1991) (the "Institute of Medicine Report"). Although my firm's clients include health care providers, health plans, and providers of health information services, I am appearing here in my individual capacity and not on behalf of any client or organization.

I appreciate the opportunity to address the Committee this morning on the state of the industry with respect to health information security. I will discuss trends in the health care industry that the Committee will need to take into consideration if it is to recommend to Secretary Shalala health information security standards that will effectively protect the confidentiality, integrity and availability of health information. It is crucial that the health information security standards adopted by the Secretary under the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) reflect the integration of health information systems across multiple health care providers and other health care organizations so that responsibility for health information security is appropriately assigned. I will also discuss the need for greater awareness of the importance of health information security among the senior management of health care organizations.

There have been significant changes in the health industry and its use of information technology since publication of the Institute of Medicine Report. These changes are revolutionizing the medical record and are creating complex challenges to health information security.

The Significance of Multi-Organization Health Information Systems Integration Initiatives

The Institute of Medicine Report was published in an era when most patient record systems were maintained by a single institutional health care provider, such as a hospital. At that time, electronic recordkeeping still reflected traditional provider-based medical recordkeeping, with each health care provider who delivered care to a patient maintaining a separate medical record on the patient. Since publication of the Institute of Medicine Report, hospitals, physicians, other health care providers and, in many cases, health plans have come together to form integrated delivery systems so they can provide seamless care to patients across the continuum of care and manage the health of populations. As part of their movement toward integration, health care organizations are integrating their health information systems. Increasingly, integrated delivery systems are capturing information concerning each encounter a patient has with a provider in the system in a single, longitudinal electronic patient record.

This change from the traditional, provider-centered model for patient records to the new patient-centered model represents a revolution in medical recordkeeping. The patient-centered record makes possible improvements in the quality, continuity and cost-effectiveness of health care that are not possible if each provider treating a patient maintains a separate record on that patient. Nevertheless, the integration of multiple providers’ patient and other health information systems creates new security challenges and demands new approaches to security if health information maintained by integrated delivery systems is to be appropriately safeguarded.

When health information systems are integrated across multiple providers and health plans, health information security is no longer under the control of a single health care organization. Each organization participating in an integrated health information system or network must have in place an appropriate health information security program, or information in the system or on the network will not be secure. One organization’s health information security deficits may make all of the health information in a system or network insecure. In addition, it is important that all health care organizations integrating their health information systems work cooperatively and adopt and enforce compliance with comparable and compatible security policies, procedures and practices to assure the security of the health information they maintain.

The task of cooperation among health care organizations integrating their health information systems is complicated by the fact that the organizations participating in systems integration initiatives are often not under common corporate control but may, instead, be loosely linked by contracts and by information and communications infrastructures. Without a common parent corporation or single point of control, the authority to implement an appropriate health information security program, to enforce policies and to impose sanctions will be decentralized. The recent National Research Council Report, For the Record: Protecting Electronic Health Information (Washington, DC: National Academy Press, 1997) emphasizes the importance of appropriate organizational policies, practices and procedures in protecting health information. Participants in integrated delivery organizations and other decentralized organizational structures can address important health information security issues across these broader "virtual" organizations, in part, by entering into appropriate contracts with other health care organizations that are party to the systems integration initiative. Enforcement of such contractual obligations, however, is often not a practical way to compel a health care provider or health plan that is lax in the area of health information security to upgrade its security practices.

If they are to be effective in an environment where the health information systems of multiple health care organizations are integrated, the health information security standards to be promulgated by the Secretary under the Health Insurance Portability and Accountability Act of 1996 must do two things. They must require that each health care organization meet federal health information security standards, and they must also require that health care organizations forming health information networks, or integrating their health information systems with those of other health care organizations, establish effective structures and mechanisms for cooperation in implementing health information security programs across these networks and integrated systems.

The Role of Health Information Systems Vendors and Consultants

The health information security standards promulgated by the Secretary should address the responsibility that health information system vendors, consultants and others must assume for maintaining health information security when they have access to the information systems of health care organizations. It is common for health information system vendors and consultants providing support services to health care organizations to be given access to the client organization’s information systems at all times, or at least on demand. More and more health care organizations are outsourcing operation of their information systems, making the security of their health information totally dependent upon the security maintained by the outsource vendor. Health information security depends on all of these outside organizations; yet the Health Insurance Portability and Accountability Act of 1996 does not make them directly subject to the health information security standards to be promulgated by the Secretary.

In the current environment, contracts between health care organizations and outside health information system vendors and consultants do not always contain strong health information security requirements. In addition, contractual limitations on the liability of the vendor or consultant for breaches of security may mean that the vendor or consultant does not have real incentives to maintain appropriate security. Information system acquisition contracts often limit the liability of the vendor to the amount of the price paid to the vendor or to a stated dollar amount and often include the vendor’s disclaimer of liability for any special or consequential damages arising from malfunctions of the system or from the vendor’s acts.

The Committee should consider recommending that the Secretary’s health information security standards include mandatory contract provisions for each contract between a health care organization directly subject to the Secretary’s health information security standards and an outside entity such as a system vendor or consultant given access to the information systems of the health care organization. These provisions should require that the outside entity comply with the Secretary's health information security standards and that any contractual limitations on and disclaimers of the outside entity’s liability not apply to liability arising from its failure to comply with these security standards. Such mandated provisions would assist health care organizations in obtaining better cooperation and assistance from information systems vendors and consultants and would give the vendors and consultants better incentives to maintain appropriate health information security.

The Role of Senior Management

The National Research Council Report, For the Record: Protecting Electronic Health Information, addresses the need for health care organizations to adopt technical and organizational policies, practices and procedures to protect health information. The report emphasizes the importance of management’s leadership in developing strong information security programs and notes that the health care organizations appearing to have moved toward stronger cultural supports for confidentiality and security controls are those in which the values, policies and procedures have come from the very top of the organization.

I work with numerous health care organizations across the country on the legal issues related to electronic medical records and health information systems integration, health information networks, health information security and confidentiality, and ownership of health care data. In these organizations, health information management professionals and information systems professionals are often keenly aware of the importance of health information security and make it a priority. However, in relatively few of these organizations does health information security appear to be a high priority for the organization’s senior managers. Often this is because senior managers are simply unaware of the critical importance of health information security in safeguarding the organization’s valuable information assets, in protecting patients and in preventing the adverse legal and public relations consequences that could result from a security breach. I believe that the Committee, in its recommendations to the Secretary, has the opportunity to highlight the need for government resources to be directed toward educating the leadership of health care organizations on the importance of health information security. Health information security will only become an organizational priority if it is a priority of leadership. Leadership must be educated if this is to occur.

Conclusion

I want to thank the Committee for the opportunity to review some important features of the current health care environment that significantly affect the ability of health care organizations to protect the valuable health information they hold. Americans must be assured that the confidentiality of their health information will be protected and that their health information will be available and accurate when it is needed for their health care.