Oral Testimony for National Committee on Vital and Health Statistics
Subcommittee on Health Data Needs, Standards and Security
Input on Recommendations for Security Standards August 5, 1997

Ted Cooper, MD
Clinical Information System Consultant
Kaiser Permanente Medical Care Program-Northern California
1800 Harrison 10th Floor
Oakland, CA 94612
510 (267-5659)
ted.cooper@ncal.kaiperm.org

Introduction:

I appreciate this opportunity to provide a perspective from a health care delivery organization on the protection of health care information. I am Ted Cooper, MD. I am an ophthalmologist at the Kaiser Permanente Medical Center in Redwood City, California. I have practiced there since 1973 and have served as department chief and assistant physician-in chief. Since 1984 my primary responsibility has centered on The Permanente Medical Group's need for clinical information systems. I chair the committee that makes and implements policy on confidentiality, privacy, security, and access of all data and information in Northern California Kaiser Permanente.

I am an associate clinical professor of ophthalmology at the Stanford School of Medicine and the chairperson elect of the Computer-based Patient Record Institute.

Kaiser Permanente is the preeminent HMO in the United States. We have been delivering prepaid healthcare to our members as a public nonprofit health plan since 1946. The program is a group model HMO with the Permanente Medical Groups contracting for the delivery of healthcare services to Kaiser Health Plan members. Our national membership exceeds 7.9 million members in 18 states and the District of Columbia. It is the largest private healthcare delivery program in the United States with 90,000 employees and 9,400 full-time equivalent contracting physicians. In Northern California we care for over 2.5 members. Northern California Kaiser Permanente owns 15 medical centers with hospitals, 30 medical office complexes, has over 3,500 full-time salaried physicians and employs over 35,000 staff. We store health care information in both paper and electronic records

In addition to these remarks I have provided additional written testimony.

I wish to acknowledge the assistance of Sue Odneal, our Information Technology Security Administrator, in the preparation of this testimony.

Security and Confidentiality of Computer-based Health Records:

Well designed, implemented, and monitored computer-based health record systems provide protection for health information that is superior to paper-based systems. The major factors that provide computer-based systems with this superiority are their ability to:

  1. positively identify each user,
  2. verify authorization,
  3. predefine access rights,
  4. restrict retrieval based on the circumstances of the access request (need-to-know-now),
  5. encrypt transmissions,
  6. record each user access in logs,
  7. and display personal identifying information only when necessary.

Kaiser Permanente Northern California and Health Information Protection

We modeled our approach on the Computer-based Patient Record Institute Guidelines on Security, and would recommend them as a foundation for any organization.

The primary methods we use to protect health care information are:

  1. policy,
  2. sanctions for violations of policy,
  3. security training and awareness,
  4. physical security,
  5. unique user identification codes and passwords,
  6. regularly required changes of passwords,
  7. role and individual permission-based access control,
  8. log-in warnings,
  9. locking of keyboards and blanking of display screens on demand or if unused for a period of time,
  10. logging all access transactions,
  11. ready access to audit log reports,
  12. and standard procedures for release of health information.

Each of our 2.5 million members may choose to visit any of our many sites or use the telephone to seek advice from our nurses and physicians at any time. So far we have found that it would be operationally impractical to limit access to health care information only to those clinicians who have seen a patient in the recent past or with whom an appointment is scheduled. We have not found breaches of confidentiality that would make this necessary.

Our patients see that we have information systems when they use our services. They know that we depend on their Kaiser Permanente medical number to schedule appointments, register for office visits, provide phone advice, and fill prescriptions. Many of our physicians access on-line health care information in their exam rooms with the patient present.

We are making very limited use of the Internet to transmit identifiable health care information. We have policies, and guidelines that permit the use of physician-patient e-mail over the Internet. We serve Silicon Valley and many of our members are very conversant with Internet security issues, but still request the use of unencrypted e-mail. Common sense seems to prevail on the content of these unencrypted e-mail messages and we are still waiting our first security situation to arise with this.

We have a World Wide Web pilot project. A password protected site permits a member to request appointments, obtain advice nurse services, and access Kaiser Permanente illness-based support groups and health care references. Authentication is based on certificates and all transmissions are encrypted under Secure Sockets Layer.

A personal identification number (PIN) system for our members was developed and implemented to support this effort. We also use this PIN system for automated telephone (interactive voice response) systems for appointment verification, cancellation and prescription refills.

Impediments:

The major impediment to good health care information security is the absence of industry standards for the policies, procedures, and technology required to provide adequate protection. Other major impediments to good protection of health care information are complacency, overconfidence, competition with other priorities for attention and resources, the limits of technology in legacy systems, turnover of personnel, and corporate mergers and reorganizations.

Concerns:

I am concerned that regulations might place a large and costly burden on administrative overhead. e.g.:

  1. requiring written consent to be obtained to collect, store and use information on patients each time care is delivered,
  2. requiring each patient to give permission to each individual caregiver or user before access to a record is permitted,
  3. requiring the patient's primary care physician to approve each clinician or user who requests access to a record.

The analysis of health care data is required to determine the best and most cost effective ways to treat and manage illness and health. When done as research, an institutional review board is used to protect patient interests. However, essentially the same analyses are required as a part of business for management reporting and decision support. I would like to see regulations that will protect patient confidentiality interests in this situation.

In addition, I am concerned about the potential for violation of confidentiality through the sale of identifiable health information. As an ophthalmologist, organizations have offered to sell me lists of names and addresses of likely candidates for refractive surgery, cataract extraction, and laser surgery for diabetic retinopathy. A regulation prohibiting and providing prosecution for the sale of such information seems to be required.

I am also concerned by the potential of health care information to be used to discriminate against individuals, without their knowledge or consent, when they apply for health care, life and other insurance, and in education and employment. Regulations preventing such use are essential.

Another concern is that access log requirements might be written that would make the delivery of health care by teams unworkable. In the situation where several individuals are looking at a single display (e.g. ICU, ER), presumably only one is logged on. How do we capture the access of the other team members for the access audit log? Similarly, in primary care, teams of doctors, and others (e.g. physician assistants, nurses, medical assistants, pharmacists, health educators, and clerks) are all involved in the care of the patient as they flow through the office. Team members often look at the paper health care record together. How do we manage access control for on-line records when a team looks at the same display?

Recommendations:

Having Federal regulations that establish reasonable minimum standards for health care information protection would be an enormous aid to health care delivery organizations. If we had such regulations, we would not have to spend resources to determine what protection is required and then justify the resources necessary to develop and implement it. We do not need to justify the resources that are required to implement Federal standards. Many discussions with great amounts of passion could be avoided. We could just do it.

It is essential to have regulations with significant penalties and adequate prosecution for violations of the regulations. The regulations should cover:

  1. patient and provider rights for health care information,
  2. informing patients and providers of information practices of organizations,
  3. securing consent to store and use health care information for:

    a.) the delivery of health care,
    b.) managing health care organizations,
    c.) research,
    d.) performance reports on providers,

  4. who has authorization to access on-line health care information,
  5. circumstances of appropriate access,
  6. transmitting health care information,
  7. disclosure and redisclosure of health care information,
  8. and sale of individually identifiable health information.

Summary:

At Kaiser Permanente, we have found it necessary to have a formal program for health care information protection.

The development of a health care information security program must take into consideration patterns of human behavior and deploy solutions that are workable in the health care delivery setting.

Having Federal regulations that establish reasonable and appropriate standards for health care information protection would be an enormous aid to health care delivery organizations.

Thank you for inviting me to provide this testimony.

Other materials provided with this testimony:

Additional written testimony