Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.

Jan 04, 2016

Transcript
Page 1: Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.
Page 2:

Patient Confidentiality and Electronic Medical Records

Ann J. Olsen, MBA, MA

Information Security Officer and Director, Information Management Planning, Vanderbilt University Medical Center

June 19, 1999

Julius S. Aronofsky Lecture in Health Care Information Systems:

Page 3:

Presentation delivered at 3rd Annual “Enhancing Your Clinical Practice - Internet and New Technology Trends”, sponsored by The Office of Continuing Education of The University of Texas Southwestern Medical Center at Dallas

Page 4:

http://www.mc.vanderbilt.edu/infocntr

Page 5:

Objectives:

Understand
– basic context for information security and confidentiality
– current practices and risks regarding confidentiality
– impact of EMR on ability to protect privacy
– needs for organizational practices as well as technical practices (policies, agreements, and continuous learning)

Learn about directions in Washington and upcoming requirements for your practices
– HIPAA security standards
– Proposed health information privacy legislation

Know key sources of information about this topic

Page 6:

Agenda

Key Concepts
Discussion: Current Practices & Concerns
Key Changes We Face
Expected Electronic Health Data Security Requirements
Questions & Discussion

Page 7:

Health Care Resources

Health Care Delivery Processes Depend on Acquisition, Utilization, and Management of Many Kinds of Resources

Page 8:

Health Care Delivery Depends On (diagram)

Financial Resources
Human Resources
Physical Resources
Information & Knowledge Resources

Security

Page 9:

Key Concept: Information Security Components

Confidentiality (Privacy)
– Access control
– Disclosure requires authorization
– Need to know

Availability
– Accessible when & where needed

Integrity
– Records are complete
– No unauthorized changes

Page 10:

Information Security (diagram: Integrity, Availability, Confidentiality; Information Systems Security; Health Information Security; Protection of Electronic Health Information)

Page 11:

Discussion: Current Practices and Concerns

(1) Share one of the biggest challenges or risks to health information privacy in your practice today OR a health information privacy issue you have faced recently

(2) Share a practice that has improved protection of health information in your office or clinic

Page 12:

What Changes are We Facing?

Increased use of electronic medical records (EMR) and internet communications
– Expectation that health records are on-line, with decision support
– Information provided directly by health care consumers in on-line interactions with providers
– Portable, hand-held computing

Page 13:

EMR and Confidentiality

EMR Risks
– Easy to disclose vast quantities of information
– Ability to link records across systems
– Insufficient security & training in many EMR environments
– Hackers keep pace with technology

Page 14:

EMR and Confidentiality

EMR Benefits
– Audit trails
– Encryption
– Access controls
– Can remove identifiers
– Can share without making copies

Page 15:

What Changes are We Facing?

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– DHHS rules governing security of electronic health information
– Apply to all individual health care information electronically maintained or used in an electronic transmission

Federal legislation on health information privacy

Page 16:

For the Record: Protecting Electronic Health Information

National Research Council Study of Current Best Practice (1997)

Recommendations:
– Organizational practices
  • for immediate implementation
– Technical practices
  • for immediate implementation
  • for future implementation

Basis for HIPAA Security Standard

Page 17:

Organizational Practices (* recommended for immediate implementation, ** for future implementation)

Security & Confidentiality Policies*
Security & Confidentiality Committees
Information Security Officers*
Education and Training*
Sanctions*
Improved Authorization Forms**
Patient Access to Audit Logs**

Page 18:

Technical Practices

Individual authentication of users*
Access controls*
Audit trails*
Physical security & disaster recovery*
Protection of remote access points*
Protection of external electronic communications*
Software discipline*
System assessment*
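The slides name the controls (individual authentication, need-to-know access control, audit trails, removal of identifiers, patient access to audit logs) but do not show how they fit together. The following Python model is an added example, not code from the lecture or from Vanderbilt's systems: the patient records, staff identities, care teams, role-to-field map and the research pseudonym key are all constructed for illustration. It ties an authenticated user identity to a need-to-know check, records every access attempt (allowed or denied) in a hash-chained audit trail a patient can query for their own chart, limits each role to the fields it needs, and strips direct identifiers before a record is released for research.

```python
import hashlib
import hmac
import json


# Constructed sample chart data: the patients, staff and MRNs are fictitious.
RECORDS = {
    "MRN-1001": {"mrn": "MRN-1001", "name": "A. Patient", "dob": "1954-03-02",
                 "phone": "615-555-0100", "diagnoses": ["I10"], "notes": "BP follow-up"},
    "MRN-1002": {"mrn": "MRN-1002", "name": "B. Patient", "dob": "1987-11-19",
                 "phone": "615-555-0101", "diagnoses": ["E11.9"], "notes": "A1c review"},
}
# Need to know: a clinician sees only patients whose care team lists them.
CARE_TEAMS = {"MRN-1001": {"dr_smith"}, "MRN-1002": {"dr_jones", "rn_lee"}}
# Minimum necessary: each role sees only the fields its work requires.
ROLE_FIELDS = {
    "clinician": {"mrn", "name", "dob", "phone", "diagnoses", "notes"},
    "billing": {"mrn", "name", "dob", "diagnoses"},
}
IDENTIFIERS = {"mrn", "name", "dob", "phone"}   # direct identifiers stripped for research
STUDY_KEY = b"assumed-per-study-secret"         # assumption: secret held by the research office


class AuditLog:
    """Append-only, hash-chained trail of every access attempt (allowed or not)."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, mrn, action, allowed):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        event = {"seq": len(self.entries), "user": user, "role": role,
                 "mrn": mrn, "action": action, "allowed": allowed, "prev": prev}
        event["digest"] = self._digest(event)
        self.entries.append(event)

    @staticmethod
    def _digest(event):
        body = {k: v for k, v in event.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """False if any entry was altered or removed from the middle of the chain.
        Silent truncation of the tail is not caught here; that needs an external
        anchor such as the latest digest copied to a separate system."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def for_patient(self, mrn):
        """Patient access to audit logs: who tried to read this chart, and with what result."""
        return [e for e in self.entries if e["mrn"] == mrn]


def deidentify(record, study_key=STUDY_KEY):
    """Remove direct identifiers; keep a keyed pseudonym so one patient's rows still link."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    out["pseudonym"] = hmac.new(study_key, record["mrn"].encode(), "sha256").hexdigest()[:16]
    out["birth_year"] = record["dob"][:4]    # coarsened date of birth
    return out


class EMR:
    def __init__(self, records, care_teams, log):
        self.records, self.care_teams, self.log = records, care_teams, log

    def authorized(self, user, role, mrn):
        if role == "clinician":                          # need to know
            return user in self.care_teams.get(mrn, set())
        return role in ("billing", "research")           # field-limited rather than patient-limited

    def read(self, user, role, mrn):
        """`user` is the individually authenticated identity; every attempt is logged."""
        allowed = self.authorized(user, role, mrn)
        self.log.append(user, role, mrn, "read", allowed)
        if not allowed:
            raise PermissionError(f"{user} ({role}) has no need to know {mrn}")
        record = self.records[mrn]
        if role == "research":
            return deidentify(record)                    # identifiers never leave the chart
        return {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}


def build():
    log = AuditLog()
    return EMR(RECORDS, CARE_TEAMS, log), log


if __name__ == "__main__":
    emr, log = build()
    print(emr.read("dr_smith", "clinician", "MRN-1001"))
    try:
        emr.read("dr_smith", "clinician", "MRN-1002")
    except PermissionError as exc:
        print(exc)
    print(emr.read("rsrch_ng", "research", "MRN-1002"))
    print(log.for_patient("MRN-1002"), log.verify())
```

Two design points worth noting: denied attempts are logged as well as successful ones, because a pattern of refusals against one chart is exactly what the "patient access to audit logs" practice is meant to expose; and the pseudonym is an HMAC under a study-specific key rather than a plain hash of the MRN, so that the pseudonym cannot be reversed by hashing the (small) space of possible MRNs without the key.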

Page 19:

Scenario for Security Standards

Proposed Security Standard includes “Small or Rural Provider Example”
Outlines how the requirements might be implemented
Expectation that software vendors will provide support

Excerpts ...

Page 20:

Joint Commission on Accreditation of Healthcare Organizations

Current JCAHO standards require classification and protection of information
Already at work to incorporate HIPAA standards

Page 21:

Information Resources

DHHS web site has rules proposed under HIPAA and other information: http://aspe.os.dhhs.gov/admnsimp

Computer-based Patient Records Institute has very useful publications on information security: http://www.cpri.org

Page 22:

http://aspe.os.dhhs.gov/admnsimp

Page 23:

http://www.cpri.org

Page 24:

Health Information Privacy Legislation

HIPAA required Congress to act on health information privacy by August 1999, or else DHHS to issue final rules
None of the bills introduced in the 106th Congress is likely to pass by the HIPAA deadline
Expect amendment of HIPAA to extend the deadline
For information on legislative proposals, see the Library of Congress web site at http://thomas.loc.gov

Page 25:

Common Elements of Proposals

– Requirements for patient authorization for most kinds of disclosures
– Patient notice about rights and use of health information
– Patient right to review and amend
– Limit disclosure to minimum information needed
– Requirement to track disclosures
– Require safeguards for confidentiality, security, accuracy, integrity
– Criminal and civil penalties

Page 26:

http://thomas.loc.gov

Page 27:

[email protected]@mcmail.Vanderbilt.edu