5
Organizational Approaches to Protecting Electronic Health Information

Organizational policies and practices are at least as important as technical mechanisms in protecting electronic health information and patient privacy.1 Organizational policies establish the goals that technical mechanisms serve, outline appropriate uses and releases of information, create mechanisms for preventing and detecting violations, and set rules for disciplining offenders. Though generally most effective in protecting against abuses by legitimate system users (insiders or trusted others), organizational policies and practices can also provide guidance for establishing mechanisms to protect against outside attackers.2 In the health care industry, organizational policies and practices must properly balance patients' rights to privacy against the need for care providers to access relevant health information for providing care. Failure to do so can make patients unwilling to reveal sensitive health information to their providers or make such information too difficult to access when needed for care.

1  Policies discussed in this chapter focus on maintaining the privacy of patient information. Health care organizations may have additional policies in place to protect the privacy of health care providers and of other information that the organizations consider confidential.

2  Throughout this chapter, the term "user" is meant to include all employees with access to computing systems (whether full-time, part-time, temporary, or transferring), medical staff (including both admitting and referring physicians), contractors, vendors, students, and volunteers.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




Creating a health care organization that is fully committed to safeguarding personal health information is difficult. It requires managers and employees, both individually and collectively, to engage in an ongoing process of learning, evaluation, and improvement to create an environment—and an organizational culture3—that values and respects patients' rights to privacy. Managers must provide leadership by heightening awareness of privacy and security issues and by determining how the organization can achieve the most appropriate balance between access to electronic health information and patient concerns over privacy.4 As front line caregivers, employees are responsible for the actual implementation of policies and procedures, and they may also participate in their development. Individual employees are the most likely sources of minor and accidental breaches of patient privacy, whereas inadequate policies or a lack of technical mechanisms are probably responsible for larger breaches.

As the committee's site visits attest, health care organizations have developed a number of policies and practices for protecting electronic health information. These include formal policies regarding information system security and patient privacy, formalized structures for developing and implementing policies and procedures, employee training practices, and procedures for monitoring and penalizing breaches of privacy and security policies. Nevertheless, additional progress needs to be made to improve organizational protections for electronic health information. Few, if any, health care organizations have developed an integrated approach to organizational management that addresses all aspects of information security and patient privacy. Numerous obstacles must be overcome in order to provide organizations with the incentives and motivation to adopt stronger practices.

3  "Organizational culture" is a term inclusive of the values, norms, understandings, and experiences of organizational employees, as well as patients, payers, and purchasers.

4  Valuing patient privacy does not follow from a proclamation by an organization's managers; values can be effective only when they are individually held. Some organizational researchers suggest that management should communicate facts about policies and then demonstrate a strong commitment to that policy through their own behavior. See Larkin, T.J., and Sandar Larkin. 1996. "Reaching and Changing Frontline Employees," Harvard Business Review, May-June, pp. 95-104.

Formal Policies

Health care organizations have adopted a range of formal policies to outline their goals with regard to patient privacy and security. These include policies related to authorized uses and exchanges of health information and patient-centered policies that are intended to promote a stronger relationship between patients and providers with regard to maintaining patient privacy. Both the content of policies and the approach used to develop them play a large role in ensuring that employees abide by them. Policy documents are most effective when designed as easily accessible, ongoing reference materials and when introduced at the start of employment and referred to regularly in training and other internal communications.

Policies Regarding Information Uses and Flows

Policy statements regarding information uses and flows attempt to balance the need for providers, payers, researchers, and others to access health information against patients' desires for privacy. Overly restrictive policies, by making information inaccessible and leaving providers vulnerable to malpractice litigation, may interfere with providers' abilities to care for patients properly. Overly permissive policies may cause patients to lose confidence in the ability of the organization to protect sensitive data, making them reluctant to impart vital information. Notwithstanding common principles for balancing access and privacy, specific decisions may vary across organizations according to the size, structure, and types of care provided. Organizational culture also plays a strong role.

Policies regarding information use and flows tend to be formalized in specific policy documents on security, confidentiality, protection of sensitive health information, research uses of health information, and release of health information. They address both paper and electronic health records to avoid possible inconsistencies in the procedures employees follow for handling them.5 Formally developed policies vary among organizations according to their internally developed risk assessments (Box 5.1).

5  At present, the electronic medical record is an attempt to transfer paper records into electronic form. Over time, the electronic medical record will incorporate content such as images and sound that cannot be stored in paper form. Modern telecommunications may also provide the opportunity to capture content not previously considered part of the patient record, such as teleconferences and on-line consultations.

Security Policies

Security policies describe an organization's philosophy and goals for user authentication and access control, as well as data reliability, availability, and integrity. Effective policies generally include a description of the organization's risk assessment and assign responsibility to individuals, committees, or departments for developing specific procedures and mechanisms by which the policy is to be implemented (see Chapter 4).

BOX 5.1 Risk Assessment

In conducting a risk assessment, organizations consider the following:

- The value of the assets being protected.
- The vulnerabilities of the system: possible types of compromise, including the vulnerability of users as well as systems. What damage can the person in front of the machine do? What about the person behind it?
- Threats: do adversaries exist to exploit these vulnerabilities? Do they have a motive, that is, something to gain? How likely is attack in each case?
- Risks: the costs of failure and recovery. What is the worst credible kind of failure? Possibilities are death, injury, loss of privacy, fraud.
- The organization's degree of risk aversion.

These considerations must be balanced against:

- Available countermeasures (both technical and nontechnical); and
- Their direct costs and indirect costs (of implementation).

SOURCE: Computer Science and Telecommunications Board, National Research Council. 1991. Computers at Risk: Safe Computing in the Information Age. National Academy Press, Washington, D.C., adapted from pp. 59-60.

Confidentiality Policies

Confidentiality policies describe the overall approach to be taken in balancing access to information against protection of information. They may also provide details about the organization's risk assessment so that readers can understand why certain behaviors and procedures are important. Organizations often have a number of datasets that management considers confidential: individual health information, financial data, business plans, employee files, outcomes research, and so on. Each of these datasets may be considered corporate assets and their disclosure may result in a financial disadvantage or loss to the organization. Although this perspective can provide strong incentives for protecting health information, health data are qualitatively different from proprietary corporate information and entail unique risks and liabilities. Confidentiality policies are most effective if they recognize the unique concerns associated with health information and provide adequate protection.

As a matter of policy, most provider organizations allow physicians to access the records of all patients within the institution; this approach ensures that information will be available when needed for care, and it is technically simpler than more restrictive approaches. Committee members also observed alternative approaches that, although perhaps not widely applicable or scalable, more narrowly restrict access to health information. For example, some organizations allow all staff and admitting physicians unrestricted access to all patient files, but limit the access privileges of referring physicians to their patients of record. This approach enables an organization to restrict the access of physicians with only occasional need to access the system, but still leaves unrestricted the large number of physicians who regularly have patients admitted or seen at the organization. Other organizations allow physicians unrestricted access to information about their current patients, but allow access to other records only if a specific and documented need arises. In such cases, the information system can prompt the caregiver to type in the reason for access or to select the reason from a list. Common reasons such as "consult requested by primary care provider" or "emergency care" are supplied on the screen, as well as a fill-in-the-blank option. An e-mail notification of the access can be sent automatically to the primary care physician for review.6 Inappropriate access is deterred when system users understand that their actions will be recorded and reviewed and that sanctions can be applied for violating patient privacy. This system balances the need for restricted privileges against emergency or unexpected needs for access without requiring burdensome or time-consuming behavior.

6  "E-mail notification of access" is but one feature of an audit trail system that records details about information access. See the Chapter 4 section "Audit Trails" for further discussion of the topic.

Policies to Protect Sensitive Information

Most health care organizations have policies that establish special protections for sensitive information such as mental health records, HIV status, drug and alcohol treatment, as well as the health records of celebrities and other widely recognized persons. Protection of some information is guided by state or federal legislation (see Chapter 2); other protection is provided voluntarily by individual organizations. Some sites visited by committee members either kept sensitive information apart from the rest of the health record or provided greater security for the entire health record if it contained sensitive information. Paper-based health records are often accorded special protection by simply locking them up (in the office of the director of medical records, for example) when not in active use. None of the sites the committee visited had tried to mimic this system with their electronic records (by removing records from the system entirely or by limiting access to a few, select providers); but in some sites, the information system generated additional prompts or warning screens, informing users of the sensitive content of the records and reminding them that audit logs maintained a record of all accesses to patient records. Users were required to type in their log-on ID or password again as acknowledgment that they had read and understood the warning. Users reported that the warning screen causes them to pause and think again about their reasons for accessing the record and that this approach successfully deters unnecessary attempts to access records of celebrities (which are often motivated as much by curiosity as by medical need). Other organizations have chosen not to include sensitive information in the electronic medical record; rather, the medical record contains a note stating that additional information is available from another physician or department. While effective in removing sensitive information from the record, this approach does not fully protect privacy. If a note in the record states that additional information is available from the psychiatric department, for example, any user accessing the primary record can infer that the patient is being treated for psychiatric problems. Furthermore, some sensitive information must be kept in the main record to ensure adequate care.
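The access-control practices described in the two preceding sections (staff and admitting physicians with broad access while referring physicians are limited to their patients of record; access outside a caregiver's own patients only with a documented reason, audited and reported to the primary care physician; and a re-entered password as acknowledgment of the warning on a sensitive record) can be expressed as one small policy layer. The following is an added example written for this edition, not code from the committee report or from any site it visited; the user names, roles, medical record numbers, and the reason list are constructed for illustration.

```python
"""Toy access-control layer for an electronic health record.

Added example, not code from the committee report or any site it visited.
All users, roles, patients, and sample data below are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Reasons offered on screen; any other nonempty string is the fill-in-the-blank option.
COMMON_REASONS = ("consult requested by primary care provider", "emergency care")


class AccessDenied(Exception):
    """Policy forbids opening the record; every denial is also written to the audit trail."""


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    name: str
    role: str          # "staff", "admitting", or "referring"
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, name, role, password):
        salt = os.urandom(16)
        return cls(name, role, salt, _hash_pw(password, salt))

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, _hash_pw(password, self.salt))


@dataclass
class Patient:
    mrn: str
    primary_physician: str
    caregivers: set            # users with a current treatment relationship
    sensitive: bool = False    # e.g. mental health, HIV, widely recognized person


@dataclass
class AuditEvent:
    when: str
    user: str
    mrn: str
    outcome: str   # "granted", "granted-break-glass", or "denied"
    reason: str


class RecordSystem:
    def __init__(self, users, patients):
        self.users = {u.name: u for u in users}
        self.patients = {p.mrn: p for p in patients}
        self.audit = []          # append-only audit trail
        self.notifications = []  # (recipient, message) pairs, standing in for e-mail

    def _log(self, user, mrn, outcome, reason):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(AuditEvent(stamp, user, mrn, outcome, reason))

    def _deny(self, user, mrn, why):
        self._log(user, mrn, "denied", why)
        raise AccessDenied(why)

    def open_record(self, user_name, mrn, reason="", acknowledgment=None):
        """Apply the three policies in order and return an access receipt."""
        user = self.users[user_name]
        patient = self.patients[mrn]
        in_treatment = user_name in patient.caregivers

        # 1. Referring physicians are limited to their patients of record.
        if user.role == "referring" and not in_treatment:
            self._deny(user_name, mrn, "referring physician, not patient of record")

        # 2. Other users may open records outside their own patients only with a
        #    documented reason; the access is audited and the PCP is notified.
        outcome = "granted"
        if not in_treatment:
            if not reason.strip():
                self._deny(user_name, mrn, "no documented reason for access")
            outcome = "granted-break-glass"

        # 3. Sensitive records show a warning; the user re-enters the password
        #    as acknowledgment before the record is displayed.
        if patient.sensitive and not (acknowledgment and user.check_password(acknowledgment)):
            self._deny(user_name, mrn, "sensitive record: warning not acknowledged")

        if outcome == "granted-break-glass":
            self.notifications.append(
                (patient.primary_physician, f"{user_name} opened {mrn}: {reason.strip()}"))
        self._log(user_name, mrn, outcome, reason.strip())
        return {"mrn": mrn, "user": user_name, "outcome": outcome}

    def audit_trail(self, mrn):
        """Events for one patient, e.g. for the patient's own review."""
        return [e for e in self.audit if e.mrn == mrn]


def demo():
    """Constructed sample data exercising each policy branch; returns (system, outcomes)."""
    users = [User.create("dr_lee", "admitting", "lee-pw"),
             User.create("dr_ortiz", "referring", "ortiz-pw")]
    patients = [Patient("MRN-1001", "dr_chen", {"dr_chen"}),
                Patient("MRN-1002", "dr_chen", {"dr_ortiz"}, sensitive=True)]
    system = RecordSystem(users, patients)
    attempts = [
        ("dr_ortiz", "MRN-1001", {}),                             # referring, not patient of record
        ("dr_lee", "MRN-1001", {}),                               # outside own patients, no reason
        ("dr_lee", "MRN-1001", {"reason": COMMON_REASONS[1]}),    # documented reason given
        ("dr_ortiz", "MRN-1002", {}),                             # sensitive, warning not acknowledged
        ("dr_ortiz", "MRN-1002", {"acknowledgment": "ortiz-pw"}), # acknowledged
    ]
    outcomes = []
    for who, mrn, kwargs in attempts:
        try:
            outcomes.append(system.open_record(who, mrn, **kwargs)["outcome"])
        except AccessDenied as exc:
            outcomes.append("denied: " + str(exc))
    return system, outcomes


if __name__ == "__main__":
    system, outcomes = demo()
    for line in outcomes:
        print(line)
    for event in system.audit:
        print(event)
```

Two design points worth noting. Denials are audited as well as grants, so the trail shows attempted curiosity lookups, not only successful ones. And the break-glass path never blocks: a nonempty reason is enough to open the record, with review pushed to the primary care physician and the audit log afterward, which is exactly the trade-off the text describes between restricted privileges and emergency access.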
Medication lists are typically included in electronic medical records because of the need to avoid prescribing drugs that interact with one another to cause an untoward effect. For this reason it is impractical to withhold certain drugs from the electronic record even though they may be a nearly unambiguous indication of a sensitive condition (e.g., a positive HIV diagnosis). Alternatively, some sites indicated that the contents of the electronic medical record are a matter of ongoing negotiation between patient and provider. In some cases, the most sensitive (and sometimes most critical) information is left out of the formal record when patients expressed concerns over privacy. In these instances, providers often maintained handwritten notes kept in a separate file, raising issues (and concerns) about what constitutes the real record.7 Withholding information from the health record has implications for care: it is often difficult to determine a priori what information will be important to later delivery of care. Separate, or secret, records can hinder care in emergency situations and may have legal implications if a record is subpoenaed. But physicians may choose to negotiate with patients over the content of the record if it means the patient will continue to seek care.

7  Separate, handwritten records are not always a guarantee that they will remain confidential between a patient and his or her physician. See Consumer Reports. 1994. "Who's Reading Your Medical Records?," October, pp. 628-632.

A small number of health care organizations allow patients considerable control over access to their health information. One particular organization that works with people with AIDS allows patients to determine which providers are allowed to access their records and which portions of the record they are authorized to see. Another organization that manages a state health program (but does not provide care) lets patients (or clients, as they are referred to by the site) allow only their case worker to access patient records. As these examples demonstrate, technology is available for creating fine-grained access controls by the patient, but these controls appear to be applicable only in a limited set of circumstances with a narrow patient base. It does not appear that these practices could be applied easily to health care organizations with more diverse, transient patients who receive episodic care.

An alternative approach that is used successfully by some health care organizations is to avoid segregating sensitive information from the rest of the medical record and to instead improve the security of the entire, integrated medical record through the use of well-designed authentication procedures, access controls, audit procedures, and other mechanisms. The goal of this approach is to raise the level of protection for all health information, not just sensitive information. The advantage of this approach is that it ensures the medical record contains all available information that a care provider may need to make sound decisions about a patient's condition or treatment plan. The disadvantage is that it might require overly burdensome security practices for some applications or make organizations reluctant to offer some types of information services. For example, organizations may not want to allow Internet access to their clinical information systems if such access will be provided to the full medical record. In such cases, however, it may be possible to relax the security on some limited subsets of data. For example, one organization allows physicians to access information on patients in the intensive care unit from home or during travel. Screens show current laboratory results and vital signs for patients in the intensive care unit, but refer to them only as, for example, the "37-year-old, white male in bed 4." This information is insufficient to identify the patient to a casual intruder but is enough for a physician familiar with his or her patient profiles. Such a process works well in a controlled setting such as the intensive care unit, where a limited number of patients are under close and frequent supervision. The committee believes that this approach serves to protect patient privacy well in similarly controlled settings while allowing care providers easy and immediate access to vital information, but it probably would not scale well to larger units.

Policies on Research Uses of Health Information

Organizations (especially those linked to either a medical school or a medical research program) must also develop policies to guide researchers in procedures for maintaining patient privacy while using health information. These policies should contain a clearly formulated statement that defines "intended use" and defines identifiable versus aggregate data access. Procedures for removing identifying factors need to be clearly specified for both the paper and the electronic medical record and for record abstracts or audit material. The standard (and generally acceptable) pathway for review of requests for research access to medical record information is through an organization's institutional review board (IRB), whose members evaluate the potential for patient risk as a result of granting access (Box 5.2). Sites visited by committee members had experienced no instances of researcher abuse of confidentiality policies, and their IRB mechanisms seemed to function well to reduce such risk.8 Policies with regard to institutional review boards also may include procedures on how to obtain IRB approval, a clearly specified statement of IRB function and protocols, and lists of its regularly scheduled meetings and reviews.

One site visited by committee members had a particularly well-developed process that required researchers from outside the organization to seek collaborative relationships with staff physicians and obtain approval for an appointment as a visiting scientist before applying for access to the organization's patient health information. This site would not allow external researchers to copy records in any form for their own use; paper records needed to be audited or read on-site. Visiting scientists were allowed only copies of aggregate datasets with all identifiers removed, and then only with the approval and knowledge of their collaborating on-site researchers. The information system was defined formally as an organizational resource to be carefully guarded and preserved; outsiders were allowed access only if they agreed to apply for, and could achieve, internal legitimization.9 Staff from this site routinely reviewed published research articles to detect possible violations of the organization's policy.

8  Of note is the fact that a great deal of internal research activity is not reviewed by an IRB or any other oversight committee. Such studies include reviews of quality of care, surgical outcomes, and resource utilization. It is not clear the extent to which identified patient information is necessary for this research, but because the studies do not relate directly to patient care, there arise issues of confidentiality in the use of patient information.

9  Establishing a formal affiliation between a researcher and the organizational owner of patient information better enables an IRB or other specified group to monitor compliance with the originally approved research protocol.

BOX 5.2 Institutional Review Boards

The Institutional Review Board (IRB) system and process rests on two sets of federal regulation. The first requires that any conduct of research on human subjects by agencies of the U.S. government or supported by the U.S. government must receive IRB approval before proceeding; the underlying model is that of government-supported biomedical subjects. Second, the Food and Drug Administration requires research involving human subjects and new drugs or devices to be approved by an IRB. Regulations require IRBs to have at least five members, one of whom is from outside the institution. IRBs review the benefits and risks to subjects of proposed research and the importance of knowledge that may be reasonably expected to follow, and examine the process by which investigators explain relevant issues in order to obtain informed consent from the subjects.

SOURCES: Rosnow, Ralph L., Mary Jane Rotheram-Borus, Stephen J. Ceci, Peter D. Blanck, and Gerald P. Koocher. 1993. "The Institutional Review Board as a Mirror of Scientific and Ethical Standards," American Psychologist 48(7):821-826. See also Edgar, Harold, and David J. Rothman. 1995. "The Institutional Review Board and Beyond: Future Challenges to the Ethics of Human Experimentation," Milbank Quarterly 73:489-506.

Policies Guiding Release of Information

Defining the circumstances under which health information may be released and to whom is a first step in ensuring that patient privacy is not violated by inappropriate disclosure. Common elements of policies on release of health information include defining (1) who is authorized to release information, (2) who is authorized to receive information and under what conditions, (3) the form and scope of information that may be released, and (4) the circumstances under which additional patient consent is required. Organizations may track releases of patient information by retaining in the permanent health record the signed authorization form (when one is required), records of what information was released, the date of release, to whom it was released, and the signature of the employee who released the information. This record keeping creates an audit trail if unauthorized disclosure is suspected.

Patient-centered Policies

A number of practices have been developed to help improve communications between patients and providers regarding the collection, use, and dissemination of health information. These practices make individuals more aware of their rights regarding their health records, the consent they give for using and disseminating health information, and the existence of electronic medical records. In the short term, greater patient awareness of data issues and their rights may create liabilities for the organization: better-informed patients are more likely to hold organizations responsible for protection of their health information. In the long term, however, organizations using these practices are more likely to evolve cultures that value the protection of health information and avoid potential liabilities, fostering more open and candid interactions between patients and providers and increasing the likelihood that relevant data will be available for patient care.

Patient Bill of Rights

Some organizations have developed or adopted a patient bill of rights that outlines clearly the relationship between patient and provider; states the patient's rights to privacy and confidentiality; and outlines state and federal laws, regulations, and standards guaranteeing those rights. For example, it may describe a patient's right to view the audit trail related to a hospital stay or the procedures by which a patient may review the contents of his or her health record and correct information he or she believes is inaccurate.10 The name and telephone number of a contact person within the organization who is responsible for patient complaints with regard to privacy and security (e.g., an information security officer) is included for patients who believe that their rights have been violated. The patient bill of rights is coordinated with forms authorizing disclosure of individually identifiable health information to ensure compatibility between the two documents.

10  In most cases, a patient statement correcting information contained in the health record is submitted as an amendment to the record rather than a substitution. This method resolves concerns that a patient's view may differ from that of a care provider.

Authorization Forms

Disclosure authorization forms inform patients of the existence of the electronic health record and describe the policies and procedures in place to protect patient privacy. They provide patients with information on what parts of the record are usually shared with other providers or insurance companies or are used for internal management purposes (over which the patient has no control) and request authorization from patients for any other intended uses. They may also provide patients with a statement of their rights to access their health record.11 At least one of the sites visited by committee members had recently completed an extensive review of its forms during which legal terminology had been removed, making the language clearer and more understandable, and the forms had been translated into the languages common to the organization's patient population. This site had worked with patient representatives to test their ability to understand the forms.12 Coordinating a patient bill of rights with a disclosure authorization form can further enhance the relationship between provider and patient by helping to establish mutual understanding and trust.

11  The legal right for a patient to review or copy his or her own medical record is explicitly granted only in about half of the states (see Jeffrey, Nancy Ann. 1996. "Getting Access to Your Medical Records May Be Limited, Costly-or Impossible," Wall Street Journal, July 31, pp. C1 and C21).

12  The term "informed consent" is commonly used in the health care community to refer to authorizations that patients give for health care and related activities. Privacy advocates have expressed concern, however, that authorizations often are not "informed"; nor do they represent "consent." They claim that, at the very least, the person signing the form should understand its contents. The patient should understand also what information will be shared, with whom it will be shared, and how it will be used. Representatives of the health care organization should take steps to test whether or not the patient understands: for example, has the patient said no to any part of the form? Has the patient requested more information? Informed consent is both difficult to measure and difficult to test.

Access to Records and Audit Logs

Many health care organizations allow patients to review their own health records and to correct or amend records, as necessary, through a formal process. Some states require provider organizations to allow such access; other states make no such provision and individual institutions are free to set their own policy. Organizations that allow patients to access their own health records find that it can not only help ensure the integrity of the information contained in the record, but can help patients better understand its content and sensitivities. Most have developed formal policies for access; some allow patients to review records only in the presence of one of their employees who can both explain the content of the record and ensure that it is not altered. Other health care organiza-

OCR for page 127
--> A key factor in reinforcing organization policy is the practice of retraining every year. Annual installments remind employees that policy is in place to guide their behavior; they also allow an organization to educate employees about changes that have resulted from statutory or regulatory changes, procedural changes, and changes in the threat environment. At least one site visited by committee members had sections to be marked off on the employee performance review form that verified the employee's attendance at training and his or her viewing of the confidentiality video. In addition to a formal policy guide, periodic memos and newsletters were circulated to employees by some sites in order to provide regular reinforcement and to make a tangible addition to the employees' knowledge base. Information on changes in the data system were distributed routinely, and the ongoing policies were regularly reinforced. User Confidentiality Agreements In addition to informing employees of the organization's expectations with regard to keeping health information confidential, organizations need to hold them responsible for their behavior. Of the sites visited by committee members, several required any individual accessing the information system to sign a form verifying that he or she had read, had understood, and was committed to the organization's confidentiality policies.19 In keeping with other ongoing efforts, employees were required to sign this agreement during the initial orientation session and annually thereafter at the time of their performance review. Confidentiality agreements may also be used for nonemployees who have access to health information; these can include contract workers, vendors, physician's office staff, students, temporary workers, and volunteers. See Box 5.4 for a sample confidentiality agreement developed by the Computer-based Patient Record Institute (CPRI). 
19

The Computer-based Patient Record Institute advises that all health provider organizations will benefit from developing confidentiality agreements. These include hospitals, physician offices, home health agencies, pharmacies, nursing homes, and others. See Computer-based Patient Record Institute (CPRI). 1996. Sample Confidentiality Statements and Agreements for Organizations Using Computer-based Patient Record Systems, Work Group on Confidentiality, Privacy, and Security. CPRI, Schaumburg, Ill., May.

BOX 5.4 A Sample Access and Confidentiality Agreement (Physician)

As a physician with privileges at (HEALTHCARE ENTITY) (hereinafter referred to as "Physician"), you may have access to what this agreement refers to as "confidential information." The purpose of this agreement is to help you understand your duty regarding confidential information.

Confidential information includes patient/member information, employee information, financial information, other information relating to (HEALTHCARE ENTITY) and information proprietary to other companies or persons. You may learn of or have access to some or all of this confidential information through a computer system or through your professional care to patient/members. Confidential information is valuable and sensitive and is protected by law and by strict (HEALTHCARE ENTITY) policies. The intent of these laws and policies is to assure that confidential information will remain confidential—that is, that it will be used only as necessary to accomplish the organization's mission.

As a physician with access to confidential information, you are required to conduct yourself in strict conformance to applicable laws and (HEALTHCARE ENTITY) policies governing confidential information. Your principal obligations in this area are explained below. You are required to read and to abide by these duties. The violation of any of these duties will subject you to discipline, which might include, but is not limited to, loss of privileges to access confidential information, loss of privileges at (HEALTHCARE ENTITY), and to legal liability.

As a physician, you must understand that you will have access to confidential information which may include, but is not limited to, information relating to:

Patient/members (such as records, conversations, admittance information, patient/member financial information, etc.);
Employees (such as salaries, employment records, disciplinary actions, etc.);
(HEALTHCARE ENTITY) information (such as financial and statistical records, strategic plans, internal reports, memos, contracts, peer review information, communications, proprietary computer programs, source code, proprietary technology, etc.); and
Third party information (such as computer programs, client and vendor proprietary information, source code, proprietary technology, etc.).

Accordingly, as a condition of and in consideration of your access to confidential information, you promise that:

You will use confidential information only as needed to perform your legitimate duties as a physician of patient/members affiliated with (HEALTHCARE ENTITY). This means, among other things, that: You will only access confidential information for which you have a need to know; You will not in any way divulge, copy, release, sell, loan, review, alter or destroy any confidential information except as properly authorized within the scope of your professional activities as a physician of patient/members affiliated with (HEALTH CARE ENTITY); and You will not misuse confidential information or carelessly care for confidential information.

You will safeguard and will not disclose your access code or any other authorization you have that allows you to access confidential information. You accept responsibility for all activities undertaken using your access code and other authorization.

You will report activities by any individual or entity that you suspect may compromise the confidentiality of confidential information. Reports made in good faith about suspect activities will be held in confidence to the extent permitted by law, including the name of the individual reporting the activities.

You understand that your obligations under this agreement will continue after termination of your privileges as a physician, as defined in this agreement.

You understand that your privileges hereunder are subject to periodic review, revision, and if appropriate, renewal.

You understand that you have no right or ownership interest in any confidential information referred to in this agreement. (HEALTHCARE ENTITY) may at any time revoke your access code, other authorization, or access to confidential information. At all times during your privileges as a physician, you will safeguard and retain the confidentiality of all confidential information.

You will be responsible for your misuse or wrongful disclosure of confidential information and for your failure to safeguard your access code or other authorization access to confidential information. You understand that your failure to comply with this agreement may also result in loss of privileges to access confidential information, loss of privileges, and to legal liability.

[space for signature follows]

NOTE: CPRI points out that any organization initiating the use of a similar agreement should seek the advice of legal counsel.

SOURCE: Computer-based Patient Record Institute (CPRI). 1996. Sample Confidentiality Statements and Agreements for Organizations Using Computer-based Patient Record Systems, CPRI Work Group on Confidentiality, Privacy, and Security. CPRI, Schaumburg, Ill., May.

Sanctions For Breaches Of Confidentiality

The most effective response to either internal or external violations of confidentiality policies follows from disciplinary sanctions described in formal policy statements. Sanctions complement confidentiality and security policies by establishing penalties for violating them. If a policy is violated and no response follows, the validity of the structure to protect patient privacy is nullified. If appropriate sanctions are applied, but only irregularly, after a long delay, or with little impact on perpetrators, the structure is severely undermined, and its legitimacy is suspect.

Breaches of confidentiality and security policies originating from external sources may require assistance from local or federal law enforcement personnel, and organizations may seek redress through the courts. Breaches originating from internal sources may be dealt with in a variety of ways. Although both types of breaches are potentially disastrous, internal breaches are more amenable to organizational sanctions. In fact, many industry leaders believe that the internal threat is far more dangerous and prevalent than the external threat. The chief executive officer of the firm that markets one of the leading Internet firewalls was quoted recently as saying: "It's ironic, because 80 percent of security breaches are internal—internal security is more important than perimeter defense. The outside world seems scarier, but the inside world is more dangerous."20

The existence of clearly specified sanctions and well-understood procedures for their implementation is an important signal to employees. Several practices appear to preserve the effectiveness of the structure as it relates to internal breaches of confidentiality. Clear policies are needed for disciplining employees who violate confidentiality and security policies. Many organizations distinguish between intentional and unintentional violations by defining a policy of incremental discipline. Such a policy acknowledges the difference between intentional or malicious behavior and violations that result from carelessness or unintentional actions (e.g., leaving a computer terminal logged on). Organizations might provide an oral or written warning to an employee for a first or minor offense, suspend an employee for a second or greater offense, and terminate employment for major or repeated violations. A policy of "zero tolerance" that is used by some organizations states that all breaches will have swift and appropriate consequences, no matter by whom or for what reason the breach occurred. If evidence shows that a breach has occurred and a guilty party can be identified, disciplinary action follows quickly and in accordance with the signed confidentiality agreement.

The committee observed a range of established sanctions and disciplinary actions at the sites it visited. At least one site had no written sanctions and dealt with violations on a case-by-case basis.
Other sites described sanctions in policy documents but were uneven in applying them; for example, clerical employees may have been fired, but physicians were "cautioned" behind closed doors. Another site had a clearly stated and observed zero-tolerance policy; employees were treated similarly throughout the hierarchy, and the organization publicly announced the results of its investigations and disciplinary actions.

Effective policies depend on consistent and evenhanded implementation. Inconsistently applied penalties encourage employees to believe that they can avoid them. Unevenly applied penalties can cause friction among staff and undermine confidentiality and security policies. For sanctions to act as an effective deterrent, employees must know that they exist and will be implemented. Descriptions of sanctions should be included in confidentiality and security policies. Organizations that make disciplinary actions public can find that this serves as a strong example of management's willingness to enforce policy; one site visited by committee members, however, cautioned that such an approach can create an atmosphere of mutual suspicion and violate employees' own rights to privacy.

Organizational culture is an important source of the norms regarding appropriate information access and use, and is one source of guidance for the definition of appropriate sanctions for violations of accepted norms in these local situations. Most of the organizations visited by committee members had spent little time on the delineation of appropriate sanctions for the abuse or inappropriate use of health care information; it appears that industry standards in this area have yet to be developed. Given the high level of mutual suspicion among health care providers, their employing organizations, and associated financial organizations, it is not yet clear how useful it would be to publicize widely the ways infractions of information rules and policies are handled.

20

Information Week, Vol. 3 (June 1996), p. 12.

Improving Organizational Management: Closing The Gap Between Theory And Practice

Each of the sites visited by committee members indicated a strong interest in and concern for patient privacy but often failed to have adequate written policies or to demonstrate behavioral compliance with existing policies. Typical of inadequate or incomplete policies was the lack of clear definition of what was meant by a lapse in security or a breach of patient privacy—or of what these meant in the context of the health information systems maintained by the organization. Employees disagreed over whether problems referred to mere episodic technological breakdowns or to truly malicious incidents.
Moreover, there was a lack of specificity as to who was responsible for these events when they did occur and what constituted an appropriate disciplinary response. Further, few organizations had formal mechanisms for modifying confidentiality and security policies.

Committee members observed several well-documented policy statements and some excellent protocols for the training of organizational employees. Not only do these concrete and clearly specified policies make it easier to interpret and enforce confidentiality and security rules and procedures, but they also serve as reinforcements to existing cultural values and perceptions. The organizations that appear to have moved toward stronger cultural supports for confidentiality and security controls are those in which the values, policies, and procedures have come from the very top of the organization. Yet, without scheduled, annual reviews of these policies and procedures and their continued reinforcement by management, there is risk that these policies will no longer have relevance or impact within the organization.

Implementing an Integrated Security and Confidentiality Management Model

Although each of the organizational strategies described in this chapter was observed in at least one site visited by committee members, no site had implemented all of them, and some had implemented very few. Sites often demonstrated a lack of clear leadership on the part of management; thus, employees were uncertain of what to do or where responsibility lay. The committee observed instances in which employees had made isolated efforts to improve practice within their departments, but without sufficient authority and management support, these efforts remained limited in scope and had little impact on the overall organization.

As organizations expand their boundaries, they need to develop a comprehensive program to ensure that the message of commitment to patient privacy is pervasive and implemented in policies, procedures, and everyday behavior. Such a model includes an overall vision and goal statement, specific policy development, training, and provisions for disciplinary action.21 It enables employees involved in developing policies and procedures to understand the ultimate goal of their efforts, as well as how those efforts complement parallel efforts elsewhere within the organization. Through early, careful, and explicit planning, management serves as a coordinator and helps ensure that policies are not in conflict, lines of authority are clear, and gaps in security are avoided. A model system would operate both top-down, with management outlining broad policy goals, and bottom-up, with employees developing local solutions, to form a matrix of communication, participation, and cooperation.
The committee believes that the practices described in this chapter represent mechanisms by which patient privacy can be better protected; implemented together, they may be described as an integrated management model for protecting patient privacy.

21

A comprehensive program includes written policies, standards, training, technical and procedural controls, risk assessment, auditing and monitoring, and assigned responsibility for management of the program. See Computer-based Patient Record Institute (CPRI). 1996. Guidelines for Managing Information Security Programs, Work Group on Confidentiality, Privacy, and Security. CPRI, Schaumburg, Ill., January.

Overcoming Obstacles to Effective Organizational Practices

Organizations face a number of obstacles in developing an integrated approach to confidentiality and security. These obstacles derive from a lack of internal and external incentives that can motivate an organization to dedicate the resources necessary to establish the full range of policies, practices, and structures necessary to ensure stronger protection of electronic health information. These obstacles include resource constraints, competing demands, a lack of focus on information technology, and cultural constraints.

Lack of Public or External Incentives

As discussed in Chapter 2, there are few legislative or regulatory requirements that address patient privacy directly. Few existing controls provide adequate recourse for patients whose privacy has been breached. In addition, there have been relatively few broadly publicized events that have rallied public interest in privacy issues. In many cases, events have focused on a celebrity or public official, reinforcing the belief that the broad population of patients is unlikely to be harmed. At least one of the sites visited by committee members believed little would happen if its entire database of patient information were made public.22 As the committee conducted its study, it became apparent that although most health care organizations express a commitment to patient privacy, their actual practice is somewhat different. This does not vary remarkably from other commercial and industrial organizations.

Policy making in business organizations with regard to the confidentiality and security of information may generally be characterized as "drifting" on a path of incremental "policy by least steps" until these organizations experience a direct threat and an effort is made to respond to or repair the damage.23 Although business organizations may have written policies on confidentiality and security, these policies may no longer be relevant to current business practices and activities. At the same time, changes to policies made in reaction to events in the external environment can result in policies being too narrowly focused.

22

Recent events, however, may have begun to change this perception. See Tippit, Sarah. 1996. "A New Danger in the Age of AIDS," Washington Post, October 14, p. A4. See also Brelis, Matthew. 1995. "Patients' Files Allegedly Used for Obscene Calls," Boston Globe, April 11, pp. 1 and 6.

23

Smith, H. Jeff. 1993. "Privacy Policies and Practices: Inside the Organizational Maze," Communications of the ACM 36:105-122.

Examples of external catalysts include state and federal legislation but often are the result of business concerns, regulatory problems, lawsuits, or—most important—poor public relations. Business concerns grow out of heightened interest in keeping information from falling into the hands of competitors. They may also be the result of industry pressure to adopt a more stringent code of ethical conduct. Decisions to release or withhold information can leave organizations open to suits by disgruntled patients, employees, employers, and nonaffiliated health care providers. Several sites reported increased impetus in their policy-making process after a lawsuit had been filed or a breach reported in the media. Many sites also reported an increasing number of concerns expressed by individual patients that led to review (and sometimes revision) of existing policies.

Resource Constraints

Maintaining patient privacy is an important objective for health organizations, but it must compete with numerous other budgetary demands. As employees at sites visited by committee members indicated, health care organizations spend about 2 percent of their annual budget on information systems and about 2 percent of that on information security. Information security is often among the first items to be cut in the face of budgetary pressures. As in other industries, health care organizations do not act until a gross breach of patient privacy has occurred. According to one expert, sales of security products in the financial industry rise sharply after a breach is reported in the media, but drop off just as sharply after about 10 days. Several sites visited by committee members indicated that protection of health information does not serve as a market differentiator, and managers were therefore unwilling to allocate funds to support it.
Competing Demands

Many health care organizations are deep in the throes of developing integrated delivery systems (IDSs) by acquiring clinics, other hospital sites, and specialty practice groups, as well as retail pharmacy sites, long-term care facilities, and related organizations.24 Merging multiple organizations is a highly complex and often confusing process that stretches the resources of organizational members.25 As management focuses on high-level negotiations and financial agreements, it is often unable to focus also on the details of how the resulting organization will function. Establishing IDS management processes for confidentiality is secondary or tertiary to formalizing the merger or acquisition, negotiating the make-up of a management team, cutting redundancy and positioning for market share, and developing a single health information system. From observations made during the committee's site visits, it is clear that the integration of systems, policies, cultures, and procedures is usually left to be worked out after the merger discussions have been completed. Organizations often keep separate information systems functional until more comprehensive business integration takes place; issues concerning systemwide information security are considered later on a catch-up, patch-up basis.

As IDSs form, they begin to wrestle with the problem of redesigning their information systems around multiple system platforms, homegrown technologies or software, legacy systems, and multiple distributed systems across multiple sites. Managers of IDSs must define the boundaries and relationships of the new organization. Among the questions to be resolved are the following: Who should have access to which parts of the data system? What is the relationship between employee users and nonemployee users? What are the philosophy and goals with regard to confidentiality and security for the new organization? Who decides these? What is the architecture of the merged information system? Who controls it? This is a process rather than an event, and beginning to work on it during negotiation of the merger or affiliation will ease the transition to a new organization. Employees who are presented with a fait accompli often resist change, and the resulting clash of cultures can seriously jeopardize the future of an organization.

24

According to Deloitte and Touche LLP (U.S. Hospitals and the Future of Health Care, Philadelphia, 1996), 71 percent of U.S. hospitals either belong to an IDS or are participating in the development of one. IDSs are emerging as the predominant organizational model in today's health care environment.

25

Although much has been written in industry periodicals, the popular press, and academic journals on health care system mergers and strategic alliances, it is clear that the development and the process of alliance or merger are still poorly understood. The best work in health care administration and health services research is still based primarily on case examples (see Kaluzny, Arnold D., Howard S. Zuckerman, and Thomas C. Ricketts III (eds.). 1995. Partners for the Dance: Forming Strategic Alliances in Health Care. Health Administration Press, Ann Arbor, Mich.); industry consultants still present models based on ideas of courtship and marriage (see Kanter, Rosabeth Moss. 1994. "Collaborative Advantage: The Art of Alliances," Harvard Business Review, July-August, pp. 96-108).

Lack of Focus on Information Technology

Information management has become an essential component of the financial and managerial aspects of health care organizations, as well as of the provision of clinical care. Health care organizations are no different than any other business enterprise in this regard, except that many are pressed to catch up with the state of the art and science of computer-based information systems. Providers of clinical medicine have had mixed reactions to the information revolution. On the one hand, some lament the passing of an era of personal ties between patient and physician—one usually carefully documented in the handwritten paper chart of the provider. On the other, many recognize the advantages of standardized health records as continuity of care becomes more difficult and physicians increasingly practice in groups and often substitute for one another in caring for patients enrolled in health care plans. Health information databases have become the professional memories through which the continuity and quality of patient care can be ensured for individual patients over time. As organizations become larger and more complex, electronic health information systems become more important as a means of monitoring and controlling both the quantity and the quality of care. The purposes for which health information is collected and the ways in which it is used have much to do with the way information systems are viewed by users.

Cultural Constraints

Organizational culture can either enhance or impede the intended effect of information confidentiality and security policies because it reflects the values, norms, understandings, and experiences of organizational participants. Some health care organizations have never really accepted the idea of patients as organizational participants; hence, when matters of privacy and security are raised, discussion centers on the proprietary value of such information, not on the threats to individual patients' rights to privacy. Health care organizations are focused on providing care, not on providing security.26 Accordingly, technology is valued inasmuch as it supports that goal and does so in a way that is convenient to caregivers.
To the extent that mechanisms to support privacy and security are introduced, they are tolerated only if they are relatively transparent to the main goal. Health care providers often believe that security mechanisms are redundant, that members of the profession are well intentioned, and that they would never violate a patient's privacy.

With the advent of modern telecommunications and computing technology, almost any business enterprise draws upon a vastly expanded, even global, spectrum of information and personal contacts, which help to shape the culture of the organization itself. Most health care organizations have increasingly permeable boundaries, and it cannot be assumed that once the culture of privacy and security is established within the organization's walls, there are no other risks. As health care organizations form alliances and other vertical or horizontal linkages and as communications by these component entities increasingly use modalities such as the Internet, not only are the proprietary interests of these organizations put at risk, but patient-specific data are also more widely exposed.

The awareness and concern that health care organizations exhibit with regard to these matters are, to a large extent, products of the organizational culture within which these issues are addressed. Individual organizations take on a distinctive pattern of dealing with issues such as privacy and security. To some extent, the way these issues are addressed can reflect an organization's response to issues involving all aspects of technology. For example, an organization whose leaders have thought of computers and information technology as beyond human capacity to control may accept on blind faith the claim that, once programmed and made operational, computer-based information systems require little human monitoring or oversight. The more that global cultural influences are felt in contemporary organizations of all types, the less likely it is that any individual organization will be dominated by the influence of one or a few leaders who exert their personal stamp on everyday business dealings.

26

A recent survey of information systems trends conducted by Modern Healthcare and Coopers & Lybrand indicated that improving managed-care capabilities was the driving force behind priorities over the next 24 months. Maintaining or improving the security of patient information did not appear as a concern. See Morrissey, John. 1996. "A Broader Vision: CIOs Shift Strategy to Look Beyond the Hospital," Modern Healthcare, March 4, pp. 110-113.
Organizations whose leaders and participants generally deny the possibility of violations of patient privacy (e.g., "It can't happen here," or "We've never had a serious incident before") may engender a culture that essentially acts as a blinder to these issues. This represents one of the most important, and frequently observed, impediments to the adoption and effective implementation of risk reduction policies and structures. Yet, the cultural supports for an initiative involving privacy and security may constitute an essential ingredient for its success. Unless organizational leaders actively foster and nurture a security-enhancing culture, such policies and structures may be imposed but will have little influence on health care organizations.