Presentation by Daniel A. Proctor, Passport Health Communications

Testimony of Daniel A. Proctor
Founder & Chief Technology Officer of
Passport Health Communications
to Subcommittee on Health Data Needs

I am pleased to be here and would like to thank you for allowing me to testify before this subcommittee. EDI within healthcare is an area in which I am intensely interested and the opportunity to be involved in the deliberations of security standards is very exciting for me.

My involvement with EDI in healthcare began many years ago. After graduating from college I became involved in managing my fathers radiology practice. We purchased a microcomputer and I wrote the programs to accommodate his billing. After realizing the inefficiencies of paper claims I approached Medicare and asked them to let me transmit claims to them via telephone. They agreed to let me work with them on a pilot project and in 1981 we began transmitting.

In 1994 I was introduced to a new technology that I was convinced would impact healthcare EDI in a far more fundamental way than electronic claims – the Internet. A friend and I were discussing the Clinton healthcare proposal and I remarked that I would like to get a copy to read. He sat down at a terminal and logged into several universities looking for the legislation. He found it soon enough at a University in Germany. I still remember my amazement as he hopped around from computer to computer all over the world.

After spending two more years investigating the Internet phenomenon and its applicability to healthcare, I decided to leave my position with a practice management company and to found Passport Health Communications, a company devoted exclusively to the use of the Internet for healthcare. One of the main advantages of the Internet is its presence, or ubiquity. One of the main concerns of the Internet is security and much of our effort at Passport Health Communications has been to understand the security issues and the solutions.

I would like to make three main points and in so doing answer some of the questions you’ve asked.

First, I would like to make the point that the Internet is the technology that will be used to deliver healthcare transactions, especially the set of transactions you are charged with investigating. The reason this is important to understand is that legislatively you can play an active role in the process by developing standards that are "Internet friendly," or you play a reactive role by requiring "Internet un-friendly" standards. We would like you to choose "Internet friendly" standards. Let me give you an example. One of the questions was: "Did we select DES or SSL and why?" We’ve chosen to use SSL, because it is a much better choice for Internet based commercial applications.

Secondly, security should not be seen as a restrictive technology, rather an enabling technology. Let me give you an example. One of the biggest fears on the Internet has been the use of credit cards. Recently a new standard that allows a person to make a purchase over the Internet has been developed by the credit card industry. The process they use ensures the merchant never even sees the customer’s credit card number. Thus the transaction is actually more secure than handing your credit card to a waiter that disappears for 5 minutes (or 10 or 15). In this instance the proper use of security actually enhances trade rather than restricts it.

In her recent address to the National Press Club, Donna Shalala said, "Almost 75 percent of our people say they are at least somewhat concerned that computerized medical records will have a negative effect on their privacy." While privacy is an ethical issue that must also be decided upon, security is the vehicle that makes it work.

For a security solution to be enabling it must be:

highly effective
easily deployed
low cost
and non-intrusive

Many companies using the Internet use security tools that meet all these criteria. At a recent DHHS public meeting on security John Parmigiani spoke on the use of digital signatures. He said, "We have an opportunity for a much higher level of protection, or security, than we have in any kind of hard copy, or manual, process." The Internet is an extremely effective platform for using digital signatures.

Much has been said about keeping the cost down and developing a solution that is not prohibitive for small players. The Internet offers the way to meet the objectives laid out by John, and meets the requirements as well. These include:

a technology neutral solution
interoperability
the use of standard tools

To make digital signatures work you need a certifying authority. This is someone that issues the digital signature and then verifies that the recipient of the signature is indeed who they say they are. The certifying authority then electronically verifies, or certifies, the identity of that individual for future transactions with other parties.

I believe the government could play a role in defining the standards a vendor must meet and then allowing them to be the certifying authority for healthcare providers. Such an approach would be low cost and would allow small vendors, as well as large ones, to participate.

Thirdly, I’d like to encourage the committee to come up with improvements that head us in the right direction rather than a comprehensive solution that is difficult to enforce. One of the questions touched on the use of smart cards, and biometrics for authentication. While I believe those will be the solutions we use in a few years, I don’t believe it’s practical today. I think the standards should accommodate the use of those solutions but not require that we start there.

One of the questions for the hearing was: "How should these policies and procedures be communicated to internal and external users as well as consumers?" I’ll bet you can guess my answer to that question. In preparing for my testimony I accessed your web site. It was there that I found a transcript of Donna Shalala’s presentation to the National Press Club. I was also able to find out that John Parmigiani made a presentation on security last month. While sitting in my office I was able to look at his slides on my screen and listen to his 40 minute presentation at the same time.

We at Passport Health Communications believe that the Internet offers a great opportunity to cut healthcare costs by delivering data in a more timely, accurate, and efficient manner. We also believe that HIPPA offers an opportunity to propel the momentum even more and look forward to being involved with the implementation of HIPPA.

Thank you for this opportunity to address this subcommittee.