Oral Statement
to the
Subcommittee on Health Data Needs, Standards and Security of the
National Committee on Vital and Health Statistics

Presented by Sean Auton, JD
August 5, 1997

INTRODUCTION

Members of the National Committee on Vital and Health Statistics, my name is Sean Auton. I am the Assistant Medical Center Attorney at the University of Michigan. Prior to my legal career, I was a teaching assistant at the University of Michigan College of Engineering, where I taught courses in computer network design, implementation and security. Today I am pleased to discuss security standards and issues surrounding health care.

I commend this Subcommittee for undertaking a project to gather input from such a large and diverse group of healthcare participants. The creation, gathering, organizing and promulgation of health data affects a wide variety of participants, each of which has its own set of issues. It is important when attempting to set a standard for healthcare data that these various needs and uses are understood to prevent the creation of a standard that interferes with the delivery of care.

My comments today will focus on what the medical record is, who is responsible for it, the standards applicable to the custodians of these records, and the challenges facing these custodians in the electronic age. I will also review the difference between internal and external uses of electronic information, and how security standards need to allow for these differences.

The Medical Record: who owns it and why it is required

The medical record and the data contained within it are owned exclusively by the hospital. Title 42, section 482.24(b)(3) of the Code of Federal Regulations requires a hospital to maintain a medical record and release information only in accordance with federal and state law, court orders, and subpoenas. While there are a few exceptions, such as for photography, this information is the business record of the institution. It is important to note that the providers of this data, the patients, still retain certain rights regarding the use and dissemination of the data, but they are not able to remove the data from an institution. This is a long-standing principle in medical care, with the definitive case being decided in Michigan in 1935. The State Supreme Court ruled in McGarry v. J.A. Mercier Co. that a patient is not buying a medical record; rather, the patient is purchasing the professional services of the physician to create and interpret a record. While patients are granted access to their records, courts have, with one notable exception, ruled that such access does not entitle the patient to actual possession of the record.

The role of provider as the custodian of the medical record is well defined under a myriad of rules and regulations. Providers are required to maintain a complete and accurate medical record under Federal and State law. Such a record requires a combination of specific medical, personal and financial information. Furthermore, such a complete record is required for participation in Federal, State and private reimbursement programs. Often, payors will require that this record be made available to them for billing review.

These requirements imposed on providers already form a framework for the use and security of health data. Unfortunately, many of these requirements are imposed only on the provider and do not cover what happens to the information once it leaves a provider's domain, such as when it is shipped to an insurer. Further complicating matters is the fact that almost all patient privacy requirements are state based. Federal privacy law in the area of healthcare is limited to information about drug and alcohol abuse, and there is no federal recognition of the physician-patient privilege. The federal court for the Northern District of Indiana visited this issue in the 1995 case of U.S. v. MHC Surgical Centers, and concluded:

It strikes the court as outrageous that individuals who have sought medical treatment for matters of a highly personal nature will have their privacy invaded... because they had the misfortune to consult a physician who has become the subject of an IRS investigation. However, (in Indiana) the physician-patient privilege is a creature of statute... (and because) the Seventh Circuit has not explicitly recognized the existence of any corresponding privilege under federal common law, this court reluctantly concludes... that the IRS is entitled to the information it seeks.

With the advent of electronic information systems enabling providers to ship information across state lines, in the absence of any federal regulation, privacy rules that are purely state-based quickly become unworkable or unenforceable.

The state of Michigan offers a perfect example of this problem. Currently the Medicare processor for all claims in the state is Blue Cross and Blue Shield of Illinois, which resides in the Seventh Circuit. While Michigan and Illinois both allow access by payors to an individual's medical record, if either one of the states changed its policy or established new requirements for the handling of patient data, all hospitals in Michigan would be obliged to follow this standard. The logical and troublesome conclusion is that as electronic information systems make it possible for a provider to handle and ship information to every state, the provider is forced to comply with all 50 states' requirements. Federal action is required either to confirm, for the electronic age, the traditional view that a provider is liable under federal rules and the rules of its own state regarding health data, or to standardize medical record requirements and supersede current state law. While the latter solution levels the playing field for providers from all states, such action may weaken privacy protection and regulation of records in states that have the most advanced medical record legislation. Furthermore, without standardized legislation in the area, medical providers will have to develop one set of standards for sharing information internally and a different set for providing information externally, even to another healthcare provider.

Internal Uses and Security

The University of Michigan has applied all of the current rules for paper-based medical records to its electronic environment. One benefit of this policy has been to leave us in a position where we are already compliant with the recommendations that the National Research Council has presented on protecting electronic health information. From this experience, Michigan has developed an awareness of the problems with the current rules and has discovered problems that need to be addressed for electronic health systems to move forward. Using the NRC recommendations as a guideline, I shall address each of these issues.

The first issue is the individual authentication of users. Almost all computer systems today offer some method of assigning a unique identifier to a user. Michigan has taken the additional step of instructing users not to share their unique identifier with anyone, and receives a signed statement from each user agreeing to comply with the standards of use for the system to which they have been granted access. The issue of logging off a user after a period of non-use can be a problem. While it makes sense to log users off of systems that are in highly public areas, researchers and laboratory workers who work in limited-access areas and often have to multi-task are sometimes harmed by a time limit. Certainly a rule of reason as to the length of time before an automated log-out occurs, and where such log-outs are used, is the best approach to the problem, rather than a capricious time element built into a system that is incapable of change.

The second issue with authentication is only now emerging. With the development and promulgation of more advanced authentication systems, it needs to be reviewed whether such systems make sense in a healthcare environment and whether the gains outweigh the cost. Encrypted authentication protocols and token-based authentication systems, such as Kerberos, are possible to implement, but come with a high overhead cost, are often incapable of being used with the legacy systems that still hold much of the healthcare market, and on a cost-benefit analysis may not offer a higher degree of protection. The University of Michigan has had quite a bit of experience with Kerberos and its limitations. While "encrypted authentication protocols" sound impressive, one has to question whether their cost is justified for internal use. Smaller hospitals and clinics may have little or no communication with outside networks, and even large facilities will have limits placed on outside access. If the facility is monitoring for illicit uses of password capture mechanisms internally, and trains and sanctions users who violate this policy, then Kerberos-type systems serve only to protect against outside attack. As mentioned, such systems are also capable of being compromised, as documented by the Computer Emergency Response Team ("CERT") at Carnegie-Mellon University.

Access controls and audit trails present a different set of problems as healthcare enters a new computer-based era, but lessons from the paper-based system can still prove invaluable. Audit trail mechanisms are a method of keeping track of access to a record, but even with legacy systems they are cumbersome and useless for preventing unwanted access. An example is a mainframe-based medical record system that is capable of tracking user transactions. At a facility like the University of Michigan, this system would process tens of thousands of transactions per day. Sadly, the only way to discover an unauthorized access is to search a particular record and see who has accessed it, a process that usually occurs only after a complaint of a privacy violation has been received. Even a test sampling done daily for quality assurance would yield little if any practical benefit, for perhaps only 10 of 10,000 transactions per day are unauthorized, reducing such an effort to looking for a needle in a haystack. As we progress to distributed computing systems, this problem increases exponentially, as these types of systems will demand perhaps millions of transactions per day. An important lesson from our paper-based systems applies to this situation. Tracking every transaction is the digital equivalent of tracking every person who "touches" a medical record. What is important is not who carried a record or possibly leafed through it, but rather that protection mechanisms are established for who has the original copy of the record, who can access the record, what changes have been made to the record, and who is the ultimate authority for the record. External communications bring up another set of problems that demands a more thorough review and audit, and this situation will be addressed below. For internal communications, however, the key elements are to recognize who has copied a record, who is maintaining the authoritative record, and who has made changes to the record.
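The paragraph above argues that a log of every "touch" is a haystack, and that what matters internally is who copied a record, who changed it, and who holds the authoritative copy. The following Python is an added example, not code from this testimony or from the University of Michigan's systems. The log format (timestamp|user|patient|action), the care-team roster, and the action names are all constructed for illustration. It reads sample audit lines and reduces them to the few events a reviewer would actually want to see: accesses by users with no recorded care or billing relationship to the patient, accesses taken through an emergency break-glass path (permitted, since any employee may be pulled into an emergency, but always reviewed), and the copy and change events per record.

```python
"""Audit-trail triage for a transaction-per-access log.

Added example; the log lines, roster and action names are constructed.
"""
from collections import defaultdict

# Constructed sample audit lines: timestamp|user|patient|action
SAMPLE_LOG = """\
1997-08-04T08:02:11|rn_patel|P1001|VIEW
1997-08-04T08:05:40|dr_lee|P1001|UPDATE
1997-08-04T08:07:02|clerk_kim|P1001|PRINT
1997-08-04T09:15:33|dr_lee|P2002|VIEW
1997-08-04T09:20:00|rn_patel|P3003|VIEW
1997-08-04T09:21:10|dr_ortiz|P2002|UPDATE
1997-08-04T11:45:59|clerk_kim|P2002|COPY
1997-08-04T12:00:00|rn_patel|P3003|BREAKGLASS
"""

# Constructed roster: users with a treatment or billing relationship to a
# patient. In a real system this comes from admissions, scheduling and
# billing assignments rather than a hand-written table.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_patel", "clerk_kim"},
    "P2002": {"dr_ortiz", "clerk_kim"},
    "P3003": {"dr_ortiz"},
}

MODIFYING = {"UPDATE"}         # the record content changed
COPYING = {"PRINT", "COPY"}    # a copy now exists outside the system
EMERGENCY = {"BREAKGLASS"}     # override path: allowed, but always reviewed


def parse_line(line):
    """Split one pipe-delimited audit line into a dict."""
    ts, user, patient, action = line.strip().split("|")
    return {"ts": ts, "user": user, "patient": patient, "action": action}


def triage(log_text, care_team):
    """Reduce the full transaction log to the events worth a human's time."""
    unrelated = []                 # no relationship and no emergency override
    emergency = []                 # break-glass uses, reviewed separately
    changes = defaultdict(list)    # patient -> [(ts, user)] for modifications
    copies = defaultdict(list)     # patient -> [(ts, user, action)] for copies
    total = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        total += 1
        e = parse_line(raw)
        related = e["user"] in care_team.get(e["patient"], set())
        if e["action"] in EMERGENCY:
            emergency.append(e)
        elif not related:
            unrelated.append(e)
        if e["action"] in MODIFYING:
            changes[e["patient"]].append((e["ts"], e["user"]))
        if e["action"] in COPYING:
            copies[e["patient"]].append((e["ts"], e["user"], e["action"]))
    return {
        "total": total,
        "unrelated": unrelated,
        "emergency": emergency,
        "changes": dict(changes),
        "copies": dict(copies),
    }


def review_fraction(result):
    """Share of all transactions that actually need a reviewer's eyes."""
    flagged = len(result["unrelated"]) + len(result["emergency"])
    return flagged / result["total"] if result["total"] else 0.0


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, CARE_TEAM)
    for e in r["unrelated"]:
        print("no relationship:", e["ts"], e["user"], e["patient"], e["action"])
    for e in r["emergency"]:
        print("break-glass:    ", e["ts"], e["user"], e["patient"])
    print("changes:", r["changes"])
    print("copies: ", r["copies"])
    print(f"reviewer load: {review_fraction(r):.0%} of {r['total']} transactions")
```

The relationship check is what turns the haystack into a short list: of the eight constructed transactions, only three reach a reviewer, and the change and copy lists answer the "who changed it" and "who has a copy" questions directly without anyone searching a record by hand.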

The physical access and security of systems has been a relatively easy point to address. Thus far, however, it has been practical need and concerns that have ensured that these measures are taken. The centralization of systems makes it easier for a small team of individuals to handle backups and maintenance on machines, and the physical restriction of access to machines ensures that vandalism or theft does not occur.

A more difficult issue is the assessment of security and use for internal systems. Often, many of these systems are not truly "inter-operable", even if the vendor maintains that their system complies with existing technology standards, such as HL7. The University has had to spend a significant amount of time and money to redesign systems to make them truly inter-operable. Today, it is standard procedure for the hospital to require an implementation standard for all software to comply with prior to payment of funding, but problems arise from the fact that no current standards body addresses all of the data needs in a healthcare environment. Even with just one piece of software, issues will arise concerning the physical installation, the communication standard and the application layer standard. Absent some type of joint working relationship among these various standards bodies, providers will continue to be hampered by having to do "customizations" of each piece of software implemented.

After a system is installed, issues arise concerning the confidentiality of information, proper use of the system and a method of sanctioning improper use of the system. The University requires all employees of the Medical Center to sign a blanket confidentiality statement. The rationale for having each employee sign a confidentiality statement is that potentially every employee may have a need of access or be exposed to healthcare data. Within a hospital, it is common practice for all employees to be available to assist a patient in an emergency. An example is the disaster drill each department at the Medical Center participates in, where non-licensed individuals help the physicians and nurses in the movement of patients. The need for each employee to have an understanding of patient care exists and is anticipated by most providers.

Often outsiders also have access to the internal environment of a medical center, and nowhere is this more apparent than in the software arena, where vendors must have access to real patient data to evaluate their systems and correct any problems that may occur. The University is still liable for any confidentiality violations that may occur while vendor employees are reviewing information; therefore we require the signing of a non-disclosure statement by each vendor who may have such access. A copy of a generic non-disclosure statement used by the University is included as Attachment "A" of my testimony. Currently, sanctions against an employee who violates patient confidentiality can include any penalty the department sees fit to execute, including the termination of employment. Sanctions against vendors at the University, as seen in the non-disclosure, can include termination of the contract, a court-ordered injunction preventing further activity, indemnification for any harm caused by the conduct, and liquidated damages up to the amount of $50,000 per occurrence.

Being an academic medical center, data often is made available for the use of research by physicians. Medical research may be the most highly regulated area of activity for any hospital. Prior to the commencement of any study, a physician must go before an Institutional Review Board to gain approval. A physician needs to disclose if any patient identifiable information is going to be used in the study, and what measures are going to be used to ensure that patient consent is obtained and patient confidentiality is not compromised.

External Issues and Security

As medical centers continue to develop the electronic record, it makes sense that they take advantage of such systems to quickly share medical information with other healthcare providers to ensure the best care of a patient. Currently, such sharing of information already occurs, but instead of using a network, a fax machine is employed. If a remote hospital contacts the University requesting the records of a patient who has entered its emergency room, we use a "fax-back" service, whereby we confirm that the facility is legitimate and send the information requested. A method of verifying a requestor should also be employed in the electronic environment, but the issue arises of how much authentication a provider has to do before granting access to the information. Spoofing and false e-mails are commonplace on the Internet, and often hard to verify. Providers need to know the standard they will be held liable to when they receive electronic requests. Possible solutions include an out-of-band transfer of the information, a national directory that verifies providers, or the use of verification tools and keyservers.
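The fax-back procedure above verifies a requester by calling back a number already on file rather than trusting the incoming request. The following Python is an added example, not code from this testimony, showing the electronic counterpart: a challenge-response exchange between a records custodian and a requesting provider, backed by a directory of providers registered out of band. The provider identifiers, the secrets, and the message format are all constructed for illustration; a directory of shared secrets stands in for the provider directory or keyserver the testimony mentions, and a signature scheme with published public keys would replace the shared secret in a real deployment. The exchange binds each answer to a fresh single-use challenge and to the patient requested, so a captured answer cannot be replayed, reused for another patient, or presented after it has expired.

```python
"""Challenge-response verification of an external records request.

Added example; provider ids, secrets and the message format are constructed.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds a challenge remains answerable

# Constructed directory: provider id -> secret registered out of band, the
# electronic counterpart of the phone number on file used for fax-back.
DIRECTORY = {
    "HOSP-REMOTE-01": b"constructed-secret-remote-hospital",
    "CLINIC-02": b"constructed-secret-clinic",
}


class FakeClock:
    """Controllable time source so the expiry path can be exercised offline."""
    def __init__(self, start=1_000_000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def compute_tag(secret, provider_id, challenge, patient_id):
    """HMAC over requester, challenge and the patient requested, so a valid
    answer cannot be reused for another patient or another challenge."""
    msg = f"{provider_id}|{challenge}|{patient_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RecordsServer:
    """The provider holding the record (the University in the testimony)."""
    def __init__(self, directory, clock=time.time):
        self.directory = directory
        self.clock = clock
        self.pending = {}  # challenge -> (provider_id, issued_at)

    def issue_challenge(self, provider_id):
        """Step 1: look the requester up; unknown facilities get nothing."""
        if provider_id not in self.directory:
            return None
        challenge = secrets.token_hex(16)
        self.pending[challenge] = (provider_id, self.clock())
        return challenge

    def verify(self, provider_id, challenge, patient_id, tag):
        """Step 3: accept each challenge once, within its lifetime, and only
        with the tag the registered secret produces."""
        entry = self.pending.pop(challenge, None)  # single use: replay fails
        if entry is None or entry[0] != provider_id:
            return False
        if self.clock() - entry[1] > CHALLENGE_TTL:
            return False
        expected = compute_tag(self.directory[provider_id], provider_id,
                               challenge, patient_id)
        return hmac.compare_digest(expected, tag)


class RequestingProvider:
    """The remote emergency room asking for a patient's record."""
    def __init__(self, provider_id, secret):
        self.provider_id = provider_id
        self.secret = secret

    def answer(self, challenge, patient_id):
        """Step 2: prove possession of the registered secret."""
        return compute_tag(self.secret, self.provider_id, challenge, patient_id)


def run_exchange(server, requester, patient_id):
    """Full round trip; returns (granted, challenge, tag) for inspection."""
    challenge = server.issue_challenge(requester.provider_id)
    if challenge is None:
        return False, None, None
    tag = requester.answer(challenge, patient_id)
    granted = server.verify(requester.provider_id, challenge, patient_id, tag)
    return granted, challenge, tag


def demo():
    """Exercise the cases a records custodian cares about."""
    clock = FakeClock()
    server = RecordsServer(DIRECTORY, clock=clock)
    legit = RequestingProvider("HOSP-REMOTE-01", DIRECTORY["HOSP-REMOTE-01"])
    impostor = RequestingProvider("HOSP-REMOTE-01", b"guessed-secret")
    unknown = RequestingProvider("NOT-IN-DIRECTORY", b"irrelevant")
    results = {}
    granted, challenge, tag = run_exchange(server, legit, "P1001")
    results["legitimate"] = granted
    results["replay"] = server.verify("HOSP-REMOTE-01", challenge, "P1001", tag)
    results["wrong_secret"] = run_exchange(server, impostor, "P1001")[0]
    results["unknown_requester"] = run_exchange(server, unknown, "P1001")[0]
    challenge = server.issue_challenge("HOSP-REMOTE-01")
    tag = legit.answer(challenge, "P1001")
    results["other_patient"] = server.verify("HOSP-REMOTE-01", challenge, "P2002", tag)
    challenge = server.issue_challenge("HOSP-REMOTE-01")
    clock.advance(CHALLENGE_TTL + 1)
    tag = legit.answer(challenge, "P1001")
    results["expired"] = server.verify("HOSP-REMOTE-01", challenge, "P1001", tag)
    return results


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:18s} -> {'granted' if granted else 'refused'}")
```

Only the legitimate exchange is granted; the replayed answer, the impostor with a guessed secret, the facility missing from the directory, the answer presented for a different patient, and the answer arriving after the challenge expired are all refused. The lookup in `issue_challenge` is the electronic version of "confirm that the facility is legitimate": a facility that is not registered never receives a challenge at all.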

Payors are another group to which a provider must grant access to the medical record, and today such requests often require that a provider respond in an electronic format. While the Health Insurance Portability and Accountability Act has established some limits on what an insurer can do with the data, it falls far short of the responsibilities that a healthcare provider has for this data. Such a discrepancy exists on the state level as well, as Michigan requires that payors have access to the data, but does not place on them the requirements that providers have in maintaining confidentiality. An issue for further discussion is whether payors have a right to an entire medical record; if they can archive an individual's medical record, then who is the true custodian of the record, and who owns the data rights?

Another group that accesses health data is regulatory bodies, courts and attorneys. Often, such reviews are required to ensure compliance with the law, review suspect business practices, and investigate potential medical malpractice claims. Requirements for how long such information needs to be available vary from state to state, along with some Federal requirements. In Michigan, for example, records may need to be maintained from three to nineteen years. A troubling development is the fact that some electronic storage media can be highly volatile, or even if the media is stable, the equipment to read the media becomes unavailable. Such an occurrence has arisen in Colorado, where the Rockwell Corporation is being sued in conjunction with the U.S. Department of Energy. Electronic records that date back to the 1970's have been requested by the plaintiff in the action, and the court has held Rockwell in contempt for not being able to produce the information because the media is unreadable by any existing machine. Rockwell has been forced to retain the Digital Equipment Corporation ("DEC") as a consultant in trying to recover the data, and the cost of reproducing the information has already run into the hundreds of thousands of dollars, and will reach into the millions by the time the case is over. The court has ruled that all of these recovery costs must be borne by Rockwell. Such a case makes it apparent that a provider faces burdensome costs if it maintains records forever, or else it will try to pass these costs to its vendors to ensure backward compatibility or to convert historical data to the current system.

All states require some variation of access to medical records for patients, including the right to add their own information to the record. Some states limit patient access to mental health records, allowing it only with the physician's approval, to ensure that it does not interfere with a patient's treatment. Some patient privacy groups have advocated a European type of system where a patient can edit medical information or request that information be removed from the record. This system is unworkable under current regulations prohibiting any alterations in the medical record.

Recommendations

As healthcare enters the electronic age, it will be important to remember the main reason for the creation of health data is to treat patients. While privacy is a concern in the electronic age, one should not be quick to adopt a "chicken-little" mentality toward the new wide-spread availability of information. Patient confidentiality has long been an important issue in the paper system that hospitals have addressed, and there is no reason to assume that by converting to an electronic system providers would become lax in this duty.

With this rationale in mind, there are some issues that do need to be addressed immediately. First, with the ability for healthcare information to be disseminated across all boundaries, the time has come for the United States to standardize its regulation of what a health record is, who is the custodian of the record, and who can access the data. Second, there is a need to ensure that interoperability can occur among a wide variety of systems. As discussed, with so many different elements involved in making up an electronic record, no one standards organization can provide a solution. Rather, a joint work group of the relevant organizations seems the most appropriate solution. Last, while some regulation appears necessary to ensure compliance with the new standards, it is important to maintain a rule-of-reason approach that allows smaller providers and legacy systems to continue to participate in healthcare.

Conclusion

Thank you very much for this opportunity to comment on the security of healthcare data. I would be happy to answer any questions.


Other materials provided with this testimony:

Attachment A: Generic Software Vendor Non-disclosure