National Academies Press: OpenBook

For the Record: Protecting Electronic Health Information (1997)

Chapter: 5 Organizational Approaches to Protecting Electronic Health Information

Suggested Citation:"5 Organizational Approaches to Protecting Electronic Health Information." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.

5
Organizational Approaches to Protecting Electronic Health Information

Organizational policies and practices are at least as important as technical mechanisms in protecting electronic health information and patient privacy.1 Organizational policies establish the goals that technical mechanisms serve, outline appropriate uses and releases of information, create mechanisms for preventing and detecting violations, and set rules for disciplining offenders. Though generally most effective in protecting against abuses by legitimate system users (insiders or other trusted parties), organizational policies and practices can also provide guidance for establishing mechanisms to protect against outside attackers.2 In the health care industry, organizational policies and practices must properly balance patients' rights to privacy against the need for care providers to access relevant health information for providing care. Failure to do so can make patients unwilling to reveal sensitive health information to their providers or make such information too difficult to access when needed for care.

1 Policies discussed in this chapter focus on maintaining the privacy of patient information. Health care organizations may have additional policies in place to protect the privacy of health care providers and of other information that the organizations consider confidential.

2 Throughout this chapter, the term "user" is meant to include all employees with access to computing systems (whether full-time, part-time, temporary, or transferring), medical staff (including both admitting and referring physicians), contractors, vendors, students, and volunteers.


Creating a health care organization that is fully committed to safeguarding personal health information is difficult. It requires managers and employees, both individually and collectively, to engage in an ongoing process of learning, evaluation, and improvement to create an environment—and an organizational culture3—that values and respects patients' rights to privacy. Managers must provide leadership by heightening awareness of privacy and security issues and by determining how the organization can achieve the most appropriate balance between access to electronic health information and patient concerns over privacy.4 As front line caregivers, employees are responsible for the actual implementation of policies and procedures, and they may also participate in their development. Individual employees are the most likely sources of minor and accidental breaches of patient privacy, whereas inadequate policies or a lack of technical mechanisms are probably responsible for larger breaches.

As the committee's site visits attest, health care organizations have developed a number of policies and practices for protecting electronic health information. These include formal policies regarding information system security and patient privacy, formalized structures for developing and implementing policies and procedures, employee training practices, and procedures for monitoring and penalizing breaches of privacy and security policies. Nevertheless, additional progress needs to be made to improve organizational protections for electronic health information. Few, if any, health care organizations have developed an integrated approach to organizational management that addresses all aspects of information security and patient privacy. Numerous obstacles must be overcome in order to provide organizations with the incentives and motivation to adopt stronger practices.

Formal Policies

Health care organizations have adopted a range of formal policies to outline their goals with regard to patient privacy and security. These include policies related to authorized uses and exchanges of health information and patient-centered policies that are intended to promote a stronger relationship between patients and providers with regard to maintaining patient privacy. Both the content of policies and the approach used to develop them play a large role in ensuring that employees abide by them. Policy documents are most effective when designed as easily accessible, ongoing reference materials and when introduced at the start of employment and referred to regularly in training and other internal communications.

3 "Organizational culture" is a term inclusive of the values, norms, understandings, and experiences of organizational employees, as well as patients, payers, and purchasers.

4 Valuing patient privacy does not follow from a proclamation by an organization's managers; values can be effective only when they are individually held. Some organizational researchers suggest that management should communicate facts about policies and then demonstrate a strong commitment to that policy through their own behavior. See Larkin, T.J., and Sandar Larkin. 1996. "Reaching and Changing Frontline Employees," Harvard Business Review, May-June, pp. 95-104.

Policies Regarding Information Uses and Flows

Policy statements regarding information uses and flows attempt to balance the need for providers, payers, researchers, and others to access health information against patients' desires for privacy. Overly restrictive policies, by making information inaccessible and leaving providers vulnerable to malpractice litigation, may interfere with providers' abilities to care for patients properly. Overly permissive policies may cause patients to lose confidence in the ability of the organization to protect sensitive data, making them reluctant to impart vital information. Notwithstanding common principles for balancing access and privacy, specific decisions may vary across organizations according to the size, structure, and types of care provided. Organizational culture also plays a strong role.

Policies regarding information use and flows tend to be formalized in specific policy documents on security, confidentiality, protection of sensitive health information, research uses of health information, and release of health information. They address both paper and electronic health records to avoid possible inconsistencies in the procedures employees follow for handling them.5 Formally developed policies vary among organizations according to their internally developed risk assessments (Box 5.1).

Security Policies

Security policies describe an organization's philosophy and goals for user authentication and access control, as well as data reliability, availability, and integrity. Effective policies generally include a description of the organization's risk assessment and assign responsibility to individuals, committees, or departments for developing specific procedures and mechanisms by which the policy is to be implemented (see Chapter 4).

5 At present, the electronic medical record is an attempt to transfer paper records into electronic form. Over time, the electronic medical record will incorporate content such as images and sound that cannot be stored in paper form. Modern telecommunications may also provide the opportunity to capture content not previously considered part of the patient record, such as teleconferences and on-line consultations.

BOX 5.1 Risk Assessment

In conducting a risk assessment, organizations consider the following:

  • The value of the assets being protected.
  • The vulnerabilities of the system: possible types of compromise, including the vulnerability of users as well as systems. What damage can the person in front of the machine do? What about the person behind it?
  • Threats: do adversaries exist to exploit these vulnerabilities? Do they have a motive, that is, something to gain? How likely is attack in each case?
  • Risks: the costs of failure and recovery. What is the worst credible kind of failure? Possibilities are death, injury, loss of privacy, fraud.
  • The organization's degree of risk aversion.

These considerations must be balanced against:

  • Available countermeasures (both technical and nontechnical); and
  • Their direct costs (and indirect costs of implementation).

SOURCE: Computer Science and Telecommunications Board, National Research Council. 1991. Computers at Risk: Safe Computing in the Information Age. National Academy Press, Washington, D.C., adapted from pp. 59-60.

Confidentiality Policies

Confidentiality policies describe the overall approach to be taken in balancing access to information against protection of information. They may also provide details about the organization's risk assessment so that readers can understand why certain behaviors and procedures are important.

Organizations often have a number of datasets that management considers confidential: individual health information, financial data, business plans, employee files, outcomes research, and so on. Each of these datasets may be considered corporate assets, and their disclosure may result in a financial disadvantage or loss to the organization. Although this perspective can provide strong incentives for protecting health information, health data are qualitatively different from proprietary corporate information and entail unique risks and liabilities. Confidentiality policies are most effective if they recognize the unique concerns associated with health information and provide adequate protection.

As a matter of policy, most provider organizations allow physicians to access the records of all patients within the institution; this approach ensures that information will be available when needed for care, and it is technically simpler than more restrictive approaches. Committee members also observed alternative approaches that, although perhaps not widely applicable or scalable, more narrowly restrict access to health information. For example, some organizations allow all staff and admitting physicians unrestricted access to all patient files, but limit the access privileges of referring physicians to their patients of record. This approach enables an organization to restrict the access of physicians with only occasional need to access the system, but still leaves unrestricted the large number of physicians who regularly have patients admitted or seen at the organization.

Other organizations allow physicians unrestricted access to information about their current patients, but allow access to other records only if a specific and documented need arises. In such cases, the information system can prompt the caregiver to type in the reason for access or to select the reason from a list. Common reasons such as "consult requested by primary care provider" or "emergency care" are supplied on the screen, as well as a fill-in-the-blank option. An e-mail notification of the access can be sent automatically to the primary care physician for review.6 Inappropriate access is deterred when system users understand that their actions will be recorded and reviewed and that sanctions can be applied for violating patient privacy. This system balances the need for restricted privileges against emergency or unexpected needs for access without requiring burdensome or time-consuming behavior.

Policies to Protect Sensitive Information

Most health care organizations have policies that establish special protections for sensitive information such as mental health records, HIV status, drug and alcohol treatment, as well as the health records of celebrities and other widely recognized persons. Protection of some information is guided by state or federal legislation (see Chapter 2); other protection is provided voluntarily by individual organizations. Some sites visited by committee members either kept sensitive information apart from the rest of the health record or provided greater security for the entire health record if it contained sensitive information.

6 "E-mail notification of access" is but one feature of an audit trail system that records details about information access. See the Chapter 4 section "Audit Trails" for further discussion of the topic.

Paper-based health records are often accorded special protection by simply locking them up (in the office of the director of medical records, for example) when not in active use. None of the sites the committee visited had tried to mimic this system with their electronic records (by removing records from the system entirely or by limiting access to a few, select providers); but in some sites, the information system generated additional prompts or warning screens, informing users of the sensitive content of the records and reminding them that audit logs maintained a record of all accesses to patient records. Users were required to type in their log-on ID or password again as acknowledgment that they had read and understood the warning. Users reported that the warning screen causes them to pause and think again about their reasons for accessing the record and that this approach successfully deters unnecessary attempts to access records of celebrities (which are often motivated as much by curiosity as by medical need).
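The two practices described above (unrestricted access for a patient's own physicians, a documented reason plus an e-mail notification to the primary care physician for anyone else, and a warning screen that must be acknowledged before a sensitive record opens) can be combined in one access decision. The following is an added illustration written for this chapter, not code from the report or from any site the committee visited; the patient, physician and record-number values are constructed, and the notification "outbox" stands in for the e-mail system.

```python
"""Access check modelled on the access-with-reason and warning-screen practices
described in the text. Constructed example; names and MRNs are illustrative."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set

# Reasons offered on the screen; anything else is treated as the fill-in-the-blank option.
STANDARD_REASONS = {
    "consult requested by primary care provider",
    "emergency care",
}


@dataclass
class Patient:
    mrn: str                        # medical record number (constructed)
    treating_physicians: Set[str]   # physicians who currently have this patient
    primary_care_physician: str     # who is notified of non-treating access
    sensitive: bool = False         # record flagged as sensitive (warning screen applies)


@dataclass
class AccessRequest:
    user: str
    patient: Patient
    reason: Optional[str] = None    # reason selected or typed in, if any
    acknowledged: bool = False      # user re-entered credentials on the warning screen


@dataclass
class Decision:
    granted: bool
    detail: str
    notify: Optional[str] = None    # primary care physician to notify, if any


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)
    outbox: List[tuple] = field(default_factory=list)   # stand-in for e-mail notifications

    def record(self, req: AccessRequest, decision: Decision) -> None:
        # Every attempt is logged, whether or not it was granted.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user,
            "mrn": req.patient.mrn,
            "granted": decision.granted,
            "reason": req.reason,
            "detail": decision.detail,
            "notified": decision.notify,
        })
        if decision.notify:
            self.outbox.append((decision.notify, req.user, req.patient.mrn, req.reason))


def decide(req: AccessRequest) -> Decision:
    p = req.patient
    # Sensitive records: the warning screen must be acknowledged first, for every user.
    if p.sensitive and not req.acknowledged:
        return Decision(False, "warning screen not acknowledged")
    # A physician currently treating the patient has unrestricted access.
    if req.user in p.treating_physicians:
        return Decision(True, "treating physician")
    # Anyone else must document a reason; access is then granted but reported to the PCP.
    reason = (req.reason or "").strip()
    if not reason:
        return Decision(False, "reason required for non-treating access")
    kind = "standard reason" if reason in STANDARD_REASONS else "free-text reason"
    return Decision(True, kind, notify=p.primary_care_physician)


def request_access(log: AuditLog, req: AccessRequest) -> Decision:
    decision = decide(req)
    log.record(req, decision)
    return decision


def accesses_for_review(log: AuditLog) -> List[dict]:
    """Entries a reviewer would look at: granted accesses by non-treating users."""
    return [e for e in log.entries if e["granted"] and e["notified"]]
```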

Other organizations have chosen not to include sensitive information in the electronic medical record; rather, the medical record contains a note stating that additional information is available from another physician or department. While effective in removing sensitive information from the record, this approach does not fully protect privacy. If a note in the record states that additional information is available from the psychiatric department, for example, any user accessing the primary record can infer that the patient is being treated for psychiatric problems. Furthermore, some sensitive information must be kept in the main record to ensure adequate care. Medication lists are typically included in electronic medical records because of the need to avoid prescribing drugs that interact with one another to cause an untoward effect. For this reason it is impractical to withhold certain drugs from the electronic record even though they may be a nearly unambiguous indication of a sensitive condition (e.g., a positive HIV diagnosis).

Alternatively, some sites indicated that the contents of the electronic medical record are a matter of ongoing negotiation between patient and provider. In some cases, the most sensitive (and sometimes most critical) information is left out of the formal record when patients expressed concerns over privacy. In these instances, providers often maintained handwritten notes kept in a separate file, raising issues (and concerns) about what constitutes the real record.7 Withholding information from the health record has implications for care: it is often difficult to determine a priori what information will be important to later delivery of care. Separate, or secret, records can hinder care in emergency situations and may have legal implications if a record is subpoenaed. But physicians may choose to negotiate with patients over the content of the record if it means the patient will continue to seek care.

7 Separate, handwritten records are not always a guarantee that they will remain confidential between a patient and his or her physician. See Consumer Reports. 1994. "Who's Reading Your Medical Records?," October, pp. 628-632.

A small number of health care organizations allow patients considerable control over access to their health information. One particular organization that works with people with AIDS allows patients to determine which providers are allowed to access their records and which portions of the record they are authorized to see. Another organization that manages a state health program (but does not provide care) lets patients (or clients as they are referred to by the site) allow only their case worker to access patient records. As these examples demonstrate, technology is available for creating fine-grained access controls by the patient, but these controls appear to be applicable only in a limited set of circumstances with a narrow patient base. It does not appear that these practices could be applied easily to health care organizations with more diverse, transient patients who receive episodic care.

An alternative approach that is used successfully by some health care organizations is to avoid segregating sensitive information from the rest of the medical record and to instead improve the security of the entire, integrated medical record through the use of well-designed authentication procedures, access controls, audit procedures, and other mechanisms. The goal of this approach is to raise the level of protection for all health information, not just sensitive information. The advantage of this approach is that it ensures the medical record contains all available information that a care provider may need to make sound decisions about a patient's condition or treatment plan. The disadvantage is that it might require overly burdensome security practices for some applications or make organizations reluctant to offer some types of information services. For example, organizations may not want to allow Internet access to their clinical information systems if such access will be provided to the full medical record. In such cases, however, it may be possible to relax the security on some limited subsets of data. For example, one organization allows physicians to access information on patients in the intensive care unit from home or during travel. Screens show current laboratory results and vital signs for patients in the intensive care unit, but refer to them only as, for example, the "37-year-old, white male in bed 4." This information is insufficient to identify the patient to a casual intruder but is enough for a physician familiar with his or her patient profiles. Such a process works well in a controlled setting such as the intensive care unit, where a limited number of patients are under close and frequent supervision. The committee believes that this approach serves to protect patient privacy well in similarly controlled settings while allowing care providers easy and immediate access to vital information, but it probably would not scale well to larger units.

Policies on Research Uses of Health Information

Organizations (especially those linked to either a medical school or a medical research program) must also develop policies to guide researchers in procedures for maintaining patient privacy while using health information. These policies should contain a clearly formulated statement that defines "intended use" and defines identifiable versus aggregate data access. Procedures for removing identifying factors need to be clearly specified for both the paper and the electronic medical record and for record abstracts or audit material. The standard (and generally acceptable) pathway for review of requests for research access to medical record information is through an organization's institutional review board (IRB), whose members evaluate the potential for patient risk as a result of granting access (Box 5.2). Sites visited by committee members had experienced no instances of researcher abuse of confidentiality policies, and their IRB mechanisms seemed to function well to reduce such risk.8

Policies with regard to institutional review boards also may include procedures on how to obtain IRB approval, a clearly specified statement of IRB function and protocols, and lists of its regularly scheduled meetings and reviews. One site visited by committee members had a particularly well-developed process that required researchers from outside the organization to seek collaborative relationships with staff physicians and obtain approval for an appointment as a visiting scientist before applying for access to the organization's patient health information. This site would not allow external researchers to copy records in any form for their own use; paper records needed to be audited or read on-site. Visiting scientists were allowed only copies of aggregate datasets with all identifiers removed, and then only with the approval and knowledge of their collaborating on-site researchers. The information system was defined formally as an organizational resource to be carefully guarded and preserved; outsiders were allowed access only if they agreed to apply for, and could achieve, internal legitimization.9 Staff from this site routinely reviewed published research articles to detect possible violations of the organization's policy.

8 Of note is the fact that a great deal of internal research activity is not reviewed by an IRB or any other oversight committee. Such studies include reviews of quality of care, surgical outcomes, and resource utilization. It is not clear to what extent identified patient information is necessary for this research, but because the studies do not relate directly to patient care, there arise issues of confidentiality in the use of patient information.

9 Establishing a formal affiliation between a researcher and the organizational owner of patient information better enables an IRB or other specified group to monitor compliance with the originally approved research protocol.

BOX 5.2 Institutional Review Boards

The Institutional Review Board (IRB) system and process rests on two sets of federal regulation. The first requires that any conduct of research on human subjects by agencies of the U.S. government or supported by the U.S. government must receive IRB approval before proceeding; the underlying model is that of government-supported biomedical subjects. Second, the Food and Drug Administration requires research involving human subjects and new drugs or devices to be approved by an IRB. Regulations require IRBs to have at least five members, one of whom is from outside the institution. IRBs review the benefits and risks to subjects of proposed research and the importance of knowledge that may be reasonably expected to follow, and examine the process by which investigators explain relevant issues in order to obtain informed consent from the subjects.

SOURCES: Rosnow, Ralph L., Mary Jane Rotheram-Borus, Stephen J. Ceci, Peter D. Blanck, and Gerald P. Koocher. 1993. "The Institutional Review Board as a Mirror of Scientific and Ethical Standards," American Psychologist 48(7):821-826. See also Edgar, Harold, and David J. Rothman. 1995. "The Institutional Review Board and Beyond: Future Challenges to the Ethics of Human Experimentation," Milbank Quarterly 73:489-506.

Policies Guiding Release of Information

Defining the circumstances under which health information may be released and to whom is a first step in ensuring that patient privacy is not violated by inappropriate disclosure. Common elements of policies on release of health information include defining (1) who is authorized to release information, (2) who is authorized to receive information and under what conditions, (3) the form and scope of information that may be released, and (4) the circumstances under which additional patient consent is required.

Organizations may track releases of patient information by retaining in the permanent health record the signed authorization form (when one is required), records of what information was released, the date of release, to whom it was released, and the signature of the employee who released the information. This record keeping creates an audit trail if unauthorized disclosure is suspected.


Patient-centered Policies

A number of practices have been developed to help improve communications between patients and providers regarding the collection, use, and dissemination of health information. These practices make individuals more aware of their rights regarding their health records, the consent they give for using and disseminating health information, and the existence of electronic medical records. In the short term, greater patient awareness of data issues and their rights may create liabilities for the organization: better-informed patients are more likely to hold organizations responsible for protection of their health information. In the long term, however, organizations using these practices are more likely to evolve cultures that value the protection of health information and avoid potential liabilities, fostering more open and candid interactions between patients and providers and increasing the likelihood that relevant data will be available for patient care.

Patient Bill of Rights

Some organizations have developed or adopted a patient bill of rights that outlines clearly the relationship between patient and provider; states the patient's rights to privacy and confidentiality; and outlines state and federal laws, regulations, and standards guaranteeing those rights. For example, it may describe a patient's right to view the audit trail related to a hospital stay or the procedures by which a patient may review the contents of his or her health record and correct information he or she believes is inaccurate.10 The name and telephone number of a contact person within the organization who is responsible for patient complaints with regard to privacy and security (e.g., an information security officer) is included for patients who believe that their rights have been violated. The patient bill of rights is coordinated with forms authorizing disclosure of individually identifiable health information to ensure compatibility between the two documents.

Authorization Forms

Disclosure authorization forms inform patients of the existence of the electronic health record and describe the policies and procedures in place to protect patient privacy. They provide patients with information on what parts of the record are usually shared with other providers or insurance companies or are used for internal management purposes (over which the patient has no control) and request authorization from patients for any other intended uses. They may also provide patients with a statement of their rights to access their health record.11 At least one of the sites visited by committee members had recently completed an extensive review of its forms during which legal terminology had been removed, making the language clearer and more understandable, and the forms had been translated into the languages common to the organization's patient population. This site had worked with patient representatives to test their ability to understand the forms.12 Coordinating a patient bill of rights with a disclosure authorization form can further enhance the relationship between provider and patient by helping to establish mutual understanding and trust.

10 In most cases, a patient statement correcting information contained in the health record is submitted as an amendment to the record rather than a substitution. This method resolves concerns that a patient's view may differ from that of a care provider.

Access to Records and Audit Logs

Many health care organizations allow patients to review their own health records and to correct or amend records, as necessary, through a formal process. Some states require provider organizations to allow such access; other states make no such provision, and individual institutions are free to set their own policy. Organizations that allow patients to access their own health records find that it can not only help ensure the integrity of the information contained in the record, but can help patients better understand its content and sensitivities. Most have developed formal policies for access; some allow patients to review records only in the presence of one of their employees who can both explain the content of the record and ensure that it is not altered. Other health care organizations will, upon request, analyze the audit logs of accesses to a particular patient's record. This practice is useful in detecting alleged violations of confidentiality. Though exposing health care organizations to possible legal action, such reviews can, in the long run, help reduce patients' suspicions and provide the motivation for organizations to develop strong measures for protecting patient information.

11 The legal right for a patient to review or copy his or her own medical record is explicitly granted only in about half of the states (see Jeffrey, Nancy Ann. 1996. "Getting Access to Your Medical Records May Be Limited, Costly-or Impossible," Wall Street Journal, July 31, pp. C1 and C21).

12 The term "informed consent" is commonly used in the health care community to refer to authorizations that patients give for health care and related activities. Privacy advocates have expressed concern, however, that authorizations often are not "informed"; nor do they represent "consent." They claim that, at the very least, the person signing the form should understand its contents. The patient should understand also what information will be shared, with whom it will be shared, and how it will be used. Representatives of the health care organization should take steps to test whether or not the patient understands: for example, has the patient said no to any part of the form? Has the patient requested more information? Informed consent is both difficult to measure and difficult to test.

Organizational Structures

Formal organizational structures are needed to develop, implement, and enforce policies regarding privacy and security. These structures take on a variety of forms, depending largely upon the nature and culture of the institution in which they will operate, and serve as a focal point for both management and technical issues related to the safeguarding of privacy and security in paper and electronic medical records. Institutions with strong organizational policy tend to have well-defined structures with clear lines of responsibility. They typically include groups charged with developing policy, offices or departments for implementing policy, and structures for granting access privileges to users of the institution's information systems. A fourth structure—the institutional review board—is discussed above in the section titled "Policies on Research Uses of Health Information."

Policy Development Process

Health care organizations develop privacy and security policies in many different ways: by a small cadre of senior executives, by a committee process that solicits input from across the organization, or by some combination of the two. Committee members saw a range of approaches during their site visits. One site developed policy primarily within senior management, with limited input from department heads, users, and patients. Another organization used committee structures for all policy development activities. Policy developed by a small group of high-level executives has the advantage of being less time-consuming than a committee process and inherently carries with it the authoritative power of management. At the same time, it is becoming increasingly understood that employee input into policy decisions increases the likelihood of acceptance and effective implementation.13

Most sites visited for this study developed policy by committee. These committees went by different names (for example, health records, confidentiality, security, and information systems management) in different institutions and had different reporting structures. Some reported directly to upper management; others were part of a larger medical records committee. Regardless, committee composition is generally broad and may include members with knowledge of user needs and behavior (e.g., health information managers, nurses, physicians, admitting managers, human resources managers, and patient relations representatives), technical experts on the organization's information systems, lawyers, and patient representatives.14 Upper management often assists committee members by helping them to define a scope of work that complements rather than duplicates other organizational efforts and by requesting clear milestones for committee accomplishments. Using a committee structure to develop policy can be time-consuming and subject to delay; one site that had adopted a consensus decision-making style to ensure buy-in found the advantage offset by its time-consuming nature. Employees at this site commented also that committee memberships were often large (with members from each interested department) and subject to turnover, which further contributed to delay. Nevertheless, ensuring appropriate representation of interests is key to developing sound policy.

13  

Kanter, Rosabeth Moss, David V. Summers, and Barry A. Stein. 1986. "The Future of Workplace Alternatives," Management Review 75(7):30-33.

Structures for Implementing Policy

Once policies have been developed and approved, procedures are needed to translate their intent and goals into everyday practices, which may vary somewhat across departments. Whether or not the same individuals or committees that developed the overarching policy take on or delegate the task of developing procedures is not as important as ensuring that authority and responsibility for implementation are clearly assigned. Responsibility derives from accountability: unless management makes it clear that responsibility has been delegated, no one may assume responsibility, and employees may not know where to go with questions or problems. Accountability is particularly problematic in organizations in which committees formulate policies but individuals or departments are charged with policy implementation.

Several of the sites visited by committee members had designated an information security officer to handle the design, implementation, and evaluation of confidentiality and security policies; this person also was the single point of contact for patients or employees to report incidents or concerns related to inappropriate disclosure of health information. In these organizations, the information security officer was a technically knowledgeable manager who reported directly to the chief information officer and served on relevant policy-making committees. For example, one information systems committee developed policy that said protecting patient privacy required the use of audit trails. That organization's information security officer then developed procedures that included a description of how often an audit trail should run, what information should be recorded, and what actions a patient should take in order to review audit trail data. Some organizations may add the duties of an information security officer to those of an existing employee; larger organizations may establish a new position or even a department.

14  

Another goal of broad committee membership is to include both system users and system designers. Input may be sought from the broader population as well by means of "comment boxes" into which users can drop suggestions for policy changes or system redesign. Also important is ensuring that the concerns of patients are met. In the sites visited by the committee, organizations often charged legal counsel with representing patient concerns. Other options include community representatives on key committees or active solicitation from the community via open meetings or annual surveys.

Another role for which an information security officer may be held responsible—and one that requires a strong technical background—is risk assessment. Of the sites visited by committee members, few had formal programs for evaluating the presence and magnitude of various threats to the organization's health information. This is an ongoing activity that, at a strategic level, informs the policy development process, as well as the allocation of financial resources.

An information security officer needs a clear charter of authority from management to avoid conflicts with other departments. For example, an investigation into a breach of policy committed by an employee may become derailed if personnel from human resources believe employee discipline falls solely under their aegis. Although authority should clearly fall in one place or another, cooperation among departments with similar charters supports the overall goal.

Structures for Granting Access Privileges

The process by which users are granted or denied access privileges to an information system is key to maintaining the security of that system. Procedures are necessary for granting access to new users, changing access privileges for users who take on new responsibilities or transfer to different departments, and terminating access privileges for users who resign or whose employment is terminated. New users need privileges granted quickly in order to perform their jobs; transferring or temporary employees need access privileges updated to reflect their changing responsibilities; users who lose or forget their log-on IDs or passwords need a rapid response from the granter of privileges; employees who are terminated should have access privileges revoked promptly. Typically, responsibility for granting or denying access privileges is assigned to information systems personnel, human resources personnel, supervisors, others appointed by management, or some combination of the above.

The structure for granting access privileges may be centralized or distributed. In a centralized model, information systems personnel usually grant the privileges approved by others. The advantage of this approach is that workers in the information systems department understand system requirements and the levels of access defined for various user roles; they are centrally located and easily contacted. The disadvantage is that they may not understand requests that stray from standard guidelines. Similarly, human resources personnel are responsible for administering new hires, transfers, and terminations and need to be closely involved in granting access privileges, but they are not close enough to the practical needs of health care providers to appraise unusual, but legitimate, requests for access.

Several sites used a more distributed model. In one instance, corporate vice presidents assigned authority to supervisors or department heads in various areas to grant access to particular databases or applications. Employees requested access privileges from the relevant authority and demonstrated their need to know. Supervisors understood job responsibilities (and, in fact, assigned them) that crossed standard role-based access privileges and, thus, were able to evaluate the request. In emergency situations, workers could be granted access to clinical systems by a head nurse. This model has the advantage of assigning responsibility for certain sets of data to the employees most likely to understand legitimate requests for access. Having a variety of access granters helps ensure that someone will be readily available in all but the most unusual circumstances. A possible disadvantage is a lack of coordination among access granters, which can leave the system vulnerable to nontechnical deception by individuals who misrepresent their needs. For example, unless the access granter is scrupulous about checking the legitimacy of requests, someone may pretend to need access when, in fact, no real need exists.
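Whichever model an organization adopts, the three lifecycle events this section names (granting privileges to new users, updating them when an employee transfers, and revoking them promptly on termination) can be checked mechanically by reconciling the information system's account list against the human resources roster. The following is an added example written for this chapter, not code from the report or from any site it describes; the HR export, the account export, the employee identifiers and the 30-day review window for recent grants are all constructed assumptions.

```python
"""Joiner/mover/leaver reconciliation of access privileges.

Added example, not from the NRC report or any site it visited. It assumes a
hypothetical HR roster export and a hypothetical account export (both
constructed inline) and reports the discrepancies an access granter or data
steward would want to act on: terminated people who can still log on,
transfers whose privileges still belong to the old department, and grants
recent enough to fall inside a periodic review window.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    status: str                     # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str                    # same identifier as the HR employee_id
    department: str                 # department the privileges were granted for
    roles: frozenset
    granted_on: date
    enabled: bool


# Constructed sample data; every identifier here is hypothetical.
HR_ROSTER = [
    HrRecord("e1001", "nursing", "active"),
    HrRecord("e1002", "admitting", "active"),        # transferred out of pharmacy
    HrRecord("e1003", "pharmacy", "terminated", date(1997, 3, 3)),
    HrRecord("e1004", "laboratory", "active"),
]
ACCOUNTS = [
    Account("e1001", "nursing", frozenset({"clinical_read"}), date(1997, 2, 20), True),
    Account("e1002", "pharmacy", frozenset({"pharmacy_orders"}), date(1996, 11, 5), True),
    Account("e1003", "pharmacy", frozenset({"pharmacy_orders"}), date(1996, 8, 1), True),
    Account("e1004", "laboratory", frozenset({"lab_results"}), date(1997, 3, 10), True),
    Account("contractor9", "information_systems", frozenset({"backup_operator"}), date(1997, 1, 15), True),
]
AS_OF = date(1997, 3, 15)           # date the reconciliation is run (constructed)


def terminated_with_access(hr, accounts):
    """Enabled accounts belonging to people HR lists as terminated, plus
    enabled accounts with no HR record at all (nobody accountable for them)."""
    by_id = {r.employee_id: r for r in hr}
    flagged = []
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = by_id.get(acct.user_id)
        if rec is None:
            flagged.append((acct.user_id, "no HR record"))
        elif rec.status == "terminated":
            when = rec.termination_date.isoformat() if rec.termination_date else "date unknown"
            flagged.append((acct.user_id, f"terminated {when}"))
    return flagged


def stale_transfers(hr, accounts):
    """Active employees whose privileges were granted for a department they no
    longer work in: a transfer that never reached the access granter.
    Returns (user, department of grant, current HR department)."""
    by_id = {r.employee_id: r for r in hr}
    return [(a.user_id, a.department, by_id[a.user_id].department)
            for a in accounts
            if a.enabled and a.user_id in by_id
            and by_id[a.user_id].status == "active"
            and by_id[a.user_id].department != a.department]


def grants_due_for_review(accounts, as_of, period_days=30):
    """User ids whose privileges were granted inside the review window, so the
    data steward can confirm each recent grant was appropriate."""
    cutoff = as_of - timedelta(days=period_days)
    return sorted(a.user_id for a in accounts if a.granted_on >= cutoff)


if __name__ == "__main__":
    print("still enabled after termination:", terminated_with_access(HR_ROSTER, ACCOUNTS))
    print("privileges lagging a transfer:", stale_transfers(HR_ROSTER, ACCOUNTS))
    print("grants due for review:", grants_due_for_review(ACCOUNTS, AS_OF))
```

Each function returns a list for a person to act on; nothing is revoked automatically, because the point of this section is that authority and responsibility for the decision must rest with an identifiable granter. An account with no HR record at all (the contractor here) is reported as well, since the procedures above presume that every user, including contractors and vendors, has an accountable owner.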

Another site used a decentralized system of data stewards and custodians. Data stewards are responsible for particular data sets. They are typically department heads, division chairs, or principal investigators on research projects who are knowledgeable about the content of the data sets and can make appropriate decisions about their protection. Data stewards are formally charged to (1) recommend mechanisms and practices for protecting the data; (2) communicate control and protection requirements to data custodians (see description below) and system users; (3) coordinate with the information systems department to authorize access to particular sets of data (e.g., laboratory results or surgical notes); (4) monitor compliance and periodically review control decisions;15 and (5) review security violations and report them to the appropriate manager.

Data custodians are information systems personnel responsible for implementing security procedures established by the data steward, including audit trail, system backup, and disaster recovery tasks, as well as granting access privileges to system users (e.g., a data steward authorizes a request for access and passes the operational task on to a data custodian). Custodians supply the stewards with audit trail data or other system warnings about unusual or inappropriate activity. Finally, data custodians generally detect and respond to violations of policy and procedure and weaknesses in security measures. They coordinate with data stewards to propose changes to policies and technical mechanisms to enhance security.

A system of data stewards and custodians divides the management of information into pieces that can be handled easily and assigns responsibility for its security to the managers and technical personnel most likely to recognize unusual or inappropriate activity. It distributes decision-making authority to those who best understand the confidentiality concerns associated with the data and can best identify those with a need to access the data. Decentralization also encourages a greater number of system users to value the security of electronic health information by holding them responsible for it. On the other hand, decentralization requires an effective coordination strategy to avoid inconsistent implementation of policy. A clear process must be in place to ensure that data stewards are identified, notified of their responsibilities, and given proper training. In one site that used this approach, many people were unaware that they were data stewards, and other employees did not know to whom to go with questions about particular data sets. Mechanisms are also needed to allow data stewards to share information on good practices.
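Two of the reviews described in this chapter operate on the same audit trail: the report an organization produces when a patient asks who has accessed a particular record, and the data steward's periodic examination of accesses to the data sets in his or her charge for unusual or inappropriate activity, using the warnings a custodian supplies. The following is an added example, not code from the report or from any site it visited; the tab-separated log format, the log lines, the department-to-data-set authorizations, the set of employee-patient records and the per-department daily baselines are all constructed assumptions.

```python
"""Audit-trail review for a patient inquiry and for a data steward.

Added example, not from the NRC report or any site it describes. The log
format (tab-separated: timestamp, user, user department, action, patient id,
data set) is an assumption, and every line, authorization and baseline below
is constructed for the example.
"""
from collections import Counter
from datetime import datetime

# Constructed audit trail, one line per record access.
AUDIT_LOG = """\
1997-03-10T08:02:11\te1001\tnursing\tread\tp5001\tnursing_notes
1997-03-10T08:05:40\te1001\tnursing\tread\tp5002\tnursing_notes
1997-03-10T09:12:03\te1004\tlaboratory\tread\tp5001\tlab_results
1997-03-10T12:31:55\te1002\tadmitting\tread\tp5003\tsurgical_notes
1997-03-10T12:32:20\te1002\tadmitting\tread\tp5004\tdemographics
1997-03-10T12:33:01\te1002\tadmitting\tread\tp5005\tdemographics
1997-03-10T12:33:40\te1002\tadmitting\tread\tp5006\tdemographics
1997-03-10T12:34:15\te1002\tadmitting\tread\tp5007\tdemographics
1997-03-11T07:58:02\te1004\tlaboratory\tupdate\tp5002\tlab_results
1997-03-11T10:15:44\te1001\tnursing\tread\tp7001\tnursing_notes
"""

# Data sets each department's steward has authorized that department to use.
AUTHORIZED = {
    "nursing": {"nursing_notes", "demographics"},
    "laboratory": {"lab_results"},
    "admitting": {"demographics"},
}
# Patient ids whose records belong to people who are also employees.
EMPLOYEE_PATIENTS = {"p7001"}
# Typical upper daily access count for each department's role (constructed).
DAILY_BASELINE = {"nursing": 80, "laboratory": 40, "admitting": 2}
VOLUME_FACTOR = 2                   # flag a day at more than twice the baseline


def parse_audit_log(text):
    """Parse the tab-separated log into dicts; blank lines are ignored."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, action, patient, dataset = line.split("\t")
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "dept": dept,
                        "action": action, "patient": patient, "dataset": dataset})
    return records


def accesses_to_patient(records, patient_id):
    """Every access to one patient's record, in time order: the report given
    to a patient who asks who has looked at his or her chart."""
    return sorted((r["ts"].isoformat(), r["user"], r["action"], r["dataset"])
                  for r in records if r["patient"] == patient_id)


def flag_unusual(records, authorized, employee_patients, baseline, factor=VOLUME_FACTOR):
    """Items for the data steward's review queue: (user, reason, detail).
    Three patterns are checked: a data set the user's department is not
    authorized for, access to a fellow employee's record, and a daily access
    volume well above what the user's role normally produces."""
    flags = []
    per_user_day = Counter()
    for r in records:
        if r["dataset"] not in authorized.get(r["dept"], set()):
            flags.append((r["user"], "dataset not authorized for department", r["dataset"]))
        if r["patient"] in employee_patients:
            flags.append((r["user"], "access to a fellow employee's record", r["patient"]))
        per_user_day[(r["user"], r["dept"], r["ts"].date())] += 1
    for (user, dept, day), n in sorted(per_user_day.items()):
        if n > factor * baseline.get(dept, 0):
            flags.append((user, "daily access volume above role baseline", f"{n} on {day.isoformat()}"))
    return flags


if __name__ == "__main__":
    recs = parse_audit_log(AUDIT_LOG)
    for row in accesses_to_patient(recs, "p5001"):
        print("p5001 accessed:", row)
    for flag in flag_unusual(recs, AUTHORIZED, EMPLOYEE_PATIENTS, DAILY_BASELINE):
        print("review:", flag)
```

The output of `flag_unusual` is a review queue, not a verdict: a nurse may legitimately care for a colleague who is a patient, and a surge in volume may reflect a busy shift, so each item goes to the steward, who knows the data set and the people, for a decision. The volume baseline follows the observation made later in this chapter that different roles touch records at very different rates (a few times a day for some staff, 80 to 100 times a day for others), so a single organization-wide threshold would either miss abuse in high-volume roles or drown low-volume ones in noise.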

Education And Training

Education and training programs are critical to an organization's attempt to protect patient privacy and information security. Formal training programs seek to educate system users about existing policies and proper procedures so that they can incorporate them into everyday behaviors. They can also help employees internalize the value of patient privacy. Training users before allowing them access to health information reinforces management's commitment to protecting patient privacy. Both formal and nonformal training programs can help workers understand their responsibilities for protecting information and learn the procedures they must follow to do so. A variety of education tools and policy instruments, such as confidentiality agreements, can serve this role.

15  

For example, a data steward may periodically review user accesses that have been granted over a predefined period (e.g., 30 days) and follow up with information systems personnel or even users whose access privileges appear inappropriate. A data steward may also review portions of audit trail data that track users accessing their datasets and investigate patterns of unusual usage.

Training Programs

Most health care organizations have formal classes or programs to educate employees about patient privacy and system security. Many provide such training in an orientation session before new employees are given access to patient information. Similarly, refresher courses serve to remind long-time users about existing policies, update them on changes, and discuss strategies for real-life situations that they may encounter on the job. Transferring employees also need training to help them understand how their new position changes their responsibilities with regard to privacy and security.

Several of the sites visited by committee members provided training on a regular basis at both the organizational and the departmental levels in order to convey general policies as well as the particular requirements of a user's department.16 To make the abstract message more concrete, a special effort was made to discuss specific circumstances encountered in particular departments that might involve or threaten patient privacy. Some sites also held interdepartmental workshops or in-service sessions to discuss practical applications of confidentiality policy. Because some participants may have scheduling limitations, training options often include flexible delivery formats, widely varying schedule choices, and contingency plans that may include one-on-one sessions for extreme cases.

Training medical staff to use the information system and to safeguard data privacy or security poses special challenges for a number of reasons. In addition to their busy schedules, physicians often have a variety of relationships with health care organizations: they may be employees, they may be under contract, or they may simply admit or refer patients to a health care facility. Several of the sites visited by the committee noted that the historical role of physicians made it difficult to require them to attend training; at least one site proposed requiring even nonemployee physicians to participate in training activities in exchange for access to the facility's computer system. Physicians often view training as a disruptive and unnecessary intrusion into an already busy schedule with competing demands, but organizations that tie training tightly to policy on privacy and security can both emphasize its value and accommodate cultural and scheduling conflicts (Box 5.3).

16  

An alternative approach offers training based on job role to recognize that various user groups access electronic medical records in different ways (e.g., look at different information) or to varying degrees (e.g., 1 to 2 times a day versus 80 to 100 times a day). For example, a class for nurses may cover privacy and security issues more comprehensively than a class introducing volunteers to the admitting department (who probably will not have access to clinical information).

Most sites using a standard training module for new employees (lecture, handouts, film) reported that such modules are not at all effective in either capturing physician interest or imparting lasting information. To help spark physician interest in the importance of data security, a different form of system training is needed. Innovative training methods have been evaluated in studies on changing clinical practice behaviors and may be of use for training in confidentiality and security as well.17 Among the types of techniques that might be incorporated in confidentiality and security training is the use of grand rounds in health provider organizations in which cases or vignettes involving inappropriate disclosure of health information are examined in detail and adjudicated by medical staff. Physicians could also be encouraged to enroll in continuing medical education courses focused on confidentiality and security issues. Another possible technique used effectively by drug companies—detailing—might be customized to present one-on-one training to individual physicians or small groups of physicians. No matter which training techniques are developed for physicians, it is imperative that the leadership of the medical staff, both chairs of clinical departments and the chief of staff, be involved in their development and act as champions of and models for patient privacy.

Nonformal Training

Often, the most effective training occurs in spontaneous or unintended ways. One of the sites visited by committee members relied more on socializing new employees into an organizational culture that stressed the "highest moral, ethical, and legal standards" than it did on orientation and training programs. Nevertheless, this practice can backfire unless the organization has taken care to develop a culture that values privacy and security as much in practice as on paper. New employees seeking to fit in emulate their coworkers, but senior employees who have fallen into bad habits may pass their habits along to others. Similarly, if physicians routinely discuss patients over lunch in the cafeteria, ward clerks may soon come to understand that privacy is just another word in the policy manual.

17  

Soumerai, S., and J. Avorn. 1990. "Principles of Educational Outreach to Improve Clinical Decision Making," Journal of the American Medical Association 262:549-556.

In addition to the training and education employees receive about their day-to-day responsibilities, they need to participate in activities that support and encourage organizational learning. Organizational learning refers to the willingness of employees both individually and collectively to examine policies, procedures, and resulting behaviors and their effect on patient privacy. This happens only in organizations where the dominant culture stresses the importance of employee involvement in policy development and procedural evaluation. Similar to efforts toward total quality management, organizational learning involves a constant process of questioning the underlying goals of a policy, the effectiveness of procedures in appropriately guiding policy into practice, and the degree to which actual behavior reflects procedures. Managers and employees individually and collectively take responsibility for asking whether patient needs (both in terms of health care delivery and in terms of privacy) are being met and what changes would more effectively support that goal.

The cultural environment supports organizational learning by either valuing questions or discouraging them. One site visited by committee members dismissed the likelihood of breaches of patient privacy on the grounds that "nobody here would do that." By failing to acknowledge that individuals can (either through accident or malice) fail to protect patient privacy, the organizational culture ensured that changes in policy and practice were unlikely to occur. These "organizational defensive routines"18 are patterns of behavior that prevent employees from having to experience embarrassment or threat (e.g., confrontation over behavior that led to breaches of patient privacy) and, at the same time, prevent them from examining the nature and causes of that embarrassment or threat. In the absence of mechanisms to the contrary, new employees are likely to emulate the conduct of experienced personnel, whether or not that conduct is in compliance with established organizational policy.

Educational Tools

A variety of tools may be developed to support or enhance formal training programs. These include attractive pamphlets, enhancements to computer systems, self-study modules available for use in the computer training center or to take home, and posted reminders in elevators and cafeterias.

An organization's information system may be designed to educate users as to possible breaches of confidentiality. Described earlier was a screen used at one site that appeared whenever users accessed sensitive information. The screen contained text reminding users that they were accessing sensitive information and asked the user if the action was justified. Another common option is to display an abbreviated version of the confidentiality policy every time a user signs onto the information system. Unless organizations change the appearance of these screens on a regular basis, however, they are unlikely to be effective. For example, changing the presentation or the content will catch a user's eye.

Self-study computerized modules may offer additional opportunities for nonformal training. These could be offered across departmental desktop machines or at a central location such as the human resources department.

18  

Argyris, Chris. 1994. "Good Communication That Blocks Learning," Harvard Business Review, July-August, pp. 77-85.

BOX 5.3 Training Physicians in Privacy and Security

The difficulty of involving physicians in effective information system training is symptomatic of the changing basic professional norms and values in the practice of medicine. Most models of the medical profession are careful to distinguish between the content of medical work (the actual practice of medicine) and the terms and conditions of medical work—the organizational, employment, and contractual arrangements defining the relationship between the physician and the clinic, group, hospital, health maintenance organization, preferred provider organization, or health system where medical care is delivered.1 Although physicians continue to exert considerable control over the content of their work, there has been a marked erosion of physician control over the terms and conditions of that work. Most physicians who work within managed care settings are familiar with this development; however, they are still somewhat uncomfortable with the reality of modern medical work defined as both the process of delivering care and the process of creating, maintaining, and transmitting information about that care. Medical notes and patient charts traditionally have been someone else's responsibility; now physicians must encounter the information system directly and must then be responsible for how information is created, used, and safeguarded. Physician resistance to accepting this responsibility may stem from the fact that responsibility for such charting tasks historically has been associated with clerical staff. Physicians are likely to define information processing tasks as part of the terms and conditions of medical work, rather than as part of the core of medical work. Once that historical association is weakened and the core of medical work is redefined as both care process and information process, resistance may also weaken.

The first and most obvious way to help overcome such resistance is to work toward revision of the medical school curriculum so that training in information systems and the importance of data security is more than cursory. Medical school curriculum changes are slow to develop and spread; thus, this type of solution can be expected only in the long term. Currently, many managed care organizations complain that primary care physicians hired at the postresidency level often lack experience with information systems and must be given extensive in-house retraining.2

Within managed care organizations and health maintenance organizations it is possible to directly impose information system training and responsibility for data security as part of a physician's performance review. Management within such settings usually has more direct control (either employment or financial) over physician practice behavior. It has also become more common in these settings for physician performance reviews to include statistical profile information on practice behavior,3 thus more closely aligning the observable outcomes of health information systems with the practice of medicine.

A somewhat less coercive strategy that could be used in any medical care organization (whether managed care or traditional, freestanding or system affiliated) has to do with linking the credentialed status of physicians to the need for an internal role model on information system security. Of the hundreds or thousands of employees in modern health care organizations, only physicians still possess the status associated with the medical credential and the Hippocratic oath, especially its entreaty "to do no harm." Physicians could use their status within health care settings to set an example regarding the importance of health information privacy and security that should be mirrored by all other employees with access to the information system. Physician training that taps into this role may be found more acceptable and more meaningful, both to physician members and to the organization as a whole.

1  

Hafferty, Frederic, and Donald Light. 1995. "Professional Dynamics and the Changing Nature of Medical Work," Journal of Health and Social Behavior, extra issue, pp. 132-153.

2  

Vanselow, Neal. 1996. "New Health Workforce Responsibilities and Dilemmas," pp. 231-242 in M. Osterweis et al. (eds.), The U.S. Health Workforce: Power, Politics and Policy. Association of Academic Health Centers, Washington, D.C. See also Fulginiti, Vincent. 1996. "The Challenge of Primary Care for Academic Health Centers," pp. 247-252 in M. Osterweis et al. (eds.), The U.S. Health Workforce: Power, Politics and Policy. Association of Academic Health Centers, Washington, D.C.

3  

U.S. Department of Health and Human Services, Agency for Health Care Policy and Research. 1995. Using Clinical Practice Guidelines to Evaluate Quality of Care, Volume 1. U.S. Government Printing Office, Washington, D.C., March. Also, Murrey, Katherine, Lawrence Gottlieb, and Stephen Schoenbaum. 1992. "Implementing Clinical Guidelines: A Quality Management Approach to Reminder Systems," Quality Review Bulletin, December, pp. 423-433.

At least one of the sites visited by committee members developed a special pamphlet to present the organization's confidentiality and security policies. Because it was short and visually attractive, this pamphlet captured users' attention in a way that a chapter in a larger policy manual could not. With the word "confidentiality" prominently displayed on the cover, it included the following information:

  • A summary of the organization's confidentiality philosophy and reference to the policy. Users were referred to specific sections of the main policy manual for further information related to what information was to be considered confidential, procedures to follow for ensuring confidentiality, and disciplinary actions that would follow breaches of policy.
  • References to relevant statutory and regulatory requirements. A synopsis of relevant law reinforced the organization's policy and emphasized that confidentiality was not simply an organizational requirement.
  • References to specific functions of the information system designed to reinforce policy. The pamphlet described how (in that state) users' ID and password combinations constituted their legal signature, informed users of the existence of audit records, reminded them they would be held accountable for the files they accessed, and described a function that allowed users to look up accesses to their own record compiled when they themselves were patients of the organization.
  • A reminder to users about patients' rights and users' responsibilities.

The pamphlet was distributed to new users during orientation and was readily visible in work areas. The organization stressed that a "person's medical record exists in several formats, including the electronic one."

Additional measures can be implemented to reinforce policy manuals. Of the sites visited by the committee, at least one had developed a video to reinforce key concepts of the organization's policies on patient privacy and security and help make them stand out from information on benefits, recycling, and cafeteria hours. New employees watched the video during orientation before a system ID and password were issued. Unlike a commercial product with anonymous actors, senior executives in the organization introduced policy concepts, demonstrating management's commitment to maintaining the confidentiality of health information. The video included examples that helped personalize violations to employees. Actor-employees in the video re-created instances where patient privacy had been breached; many of them seemed initially innocent, reinforcing the message that even good intentions can lead to unintended consequences. In one example, an employee was disciplined for accessing another employee's electronic health record to obtain a mailing address for a get-well card. The organization was successful in delivering the message because it presented examples to which employees could relate.


A key factor in reinforcing organization policy is the practice of retraining every year. Annual installments remind employees that policy is in place to guide their behavior; they also allow an organization to educate employees about changes that have resulted from statutory or regulatory changes, procedural changes, and changes in the threat environment. At least one site visited by committee members had sections to be marked off on the employee performance review form that verified the employee's attendance at training and his or her viewing of the confidentiality video.

In addition to a formal policy guide, periodic memos and newsletters were circulated to employees by some sites in order to provide regular reinforcement and to make a tangible addition to the employees' knowledge base. Information on changes in the data system was distributed routinely, and the ongoing policies were regularly reinforced.

User Confidentiality Agreements

In addition to informing employees of the organization's expectations with regard to keeping health information confidential, organizations need to hold them responsible for their behavior. Of the sites visited by committee members, several required any individual accessing the information system to sign a form verifying that he or she had read, had understood, and was committed to the organization's confidentiality policies.19 In keeping with other ongoing efforts, employees were required to sign this agreement during the initial orientation session and annually thereafter at the time of their performance review. Confidentiality agreements may also be used for nonemployees who have access to health information; these can include contract workers, vendors, physician's office staff, students, temporary workers, and volunteers. See Box 5.4 for a sample confidentiality agreement developed by the Computer-based Patient Record Institute (CPRI).

Sanctions for Breaches of Confidentiality

The most effective response to either internal or external violations of confidentiality policies follows from disciplinary sanctions described in formal policy statements. Sanctions complement confidentiality and security policies by establishing penalties for violating them. If a policy is violated and no response follows, the validity of the structure to protect patient privacy is nullified. If appropriate sanctions are applied, but only irregularly, after a long delay, or with little impact on perpetrators, the structure is severely undermined, and its legitimacy is suspect.

19  

The Computer-based Patient Record Institute advises that all health provider organizations will benefit from developing confidentiality agreements. These include hospitals, physician offices, home health agencies, pharmacies, nursing homes, and others. See Computer-based Patient Record Institute (CPRI). 1996. Sample Confidentiality Statements and Agreements for Organizations Using Computer-based Patient Record Systems, Work Group on Confidentiality, Privacy, and Security. CPRI, Schaumburg, Ill., May.

BOX 5.4 A Sample Access and Confidentiality Agreement (Physician)

As a physician with privileges at (HEALTHCARE ENTITY) (hereinafter referred to as "Physician"), you may have access to what this agreement refers to as "confidential information." The purpose of this agreement is to help you understand your duty regarding confidential information.

Confidential information includes patient/member information, employee information, financial information, other information relating to (HEALTHCARE ENTITY) and information proprietary to other companies or persons. You may learn of or have access to some or all of this confidential information through a computer system or through your professional care to patient/members.

Confidential information is valuable and sensitive and is protected by law and by strict (HEALTHCARE ENTITY) policies. The intent of these laws and policies is to assure that confidential information will remain confidential—that is, that it will be used only as necessary to accomplish the organization's mission.

As a physician with access to confidential information, you are required to conduct yourself in strict conformance to applicable laws and (HEALTHCARE ENTITY) policies governing confidential information. Your principal obligations in this area are explained below. You are required to read and to abide by these duties. The violation of any of these duties will subject you to discipline, which might include, but is not limited to, loss of privileges to access confidential information, loss of privileges at (HEALTHCARE ENTITY), and to legal liability.

As a physician, you must understand that you will have access to confidential information which may include, but is not limited to, information relating to:

  • Patient/members (such as records, conversations, admittance information, patient/member financial information, etc.),
  • Employees (such as salaries, employment records, disciplinary actions, etc.),
  • (HEALTHCARE ENTITY) information (such as financial and statistical records, strategic plans, internal reports, memos, contracts, peer review information, communications, proprietary computer programs, source code, proprietary technology, etc.), and
  • Third party information (such as computer programs, client and vendor proprietary information, source code, proprietary technology, etc.).

Accordingly, as a condition of and in consideration of your access to confidential information, you promise that:

  1. You will use confidential information only as needed to perform your legitimate duties as a physician of patient/members affiliated with (HEALTHCARE ENTITY).

    This means, among other things, that:

    • You will only access confidential information for which you have a need to know;
    • You will not in any way divulge, copy, release, sell, loan, review, alter or destroy any confidential information except as properly authorized within the scope of your professional activities as a physician of patient/members affiliated with (HEALTHCARE ENTITY); and
    • You will not misuse confidential information or carelessly care for confidential information.

  2. You will safeguard and will not disclose your access code or any other authorization you have that allows you to access confidential information. You accept responsibility for all activities undertaken using your access code and other authorization.
  3. You will report activities by any individual or entity that you suspect may compromise the confidentiality of confidential information. Reports made in good faith about suspect activities will be held in confidence to the extent permitted by law, including the name of the individual reporting the activities.
  4. You understand that your obligations under this agreement will continue after termination of your privileges as a physician, as defined in this agreement. You understand that your privileges hereunder are subject to periodic review, revision, and if appropriate, renewal.
  5. You understand that you have no right or ownership interest in any confidential information referred to in this agreement. (HEALTHCARE ENTITY) may at any time revoke your access code, other authorization, or access to confidential information. At all times during your privileges as a physician, you will safeguard and retain the confidentiality of all confidential information.
  6. You will be responsible for your misuse or wrongful disclosure of confidential information and for your failure to safeguard your access code or other authorization access to confidential information. You understand that your failure to comply with this agreement may also result in loss of privileges to access confidential information, loss of privileges, and to legal liability.

    [space for signature follows]

    NOTE: CPRI points out that any organization initiating the use of a similar agreement should seek the advice of legal counsel.

    SOURCE: Computer-based Patient Record Institute (CPRI). 1996. Sample Confidentiality Statements and Agreements for Organizations Using Computer-based Patient Record Systems, CPRI Work Group on Confidentiality, Privacy, and Security. CPRI, Schaumburg, Ill., May.

Breaches of confidentiality and security policies originating from external sources may require assistance from local or federal law enforcement personnel, and organizations may seek redress through the courts. Breaches originating from internal sources may be dealt with in a variety of ways.

Although both types of breaches are potentially disastrous, internal breaches are more amenable to organizational sanctions. In fact, many industry leaders believe that the internal threat is far more dangerous and prevalent than the external threat. The chief executive officer of the firm that markets one of the leading Internet firewalls was quoted recently as saying: "It's ironic, because 80 percent of security breaches are internal—internal security is more important than perimeter defense. The outside world seems scarier, but the inside world is more dangerous."20 The existence of clearly specified sanctions and well-understood procedures for their implementation is an important signal to employees. Several practices appear to preserve the effectiveness of the structure as it relates to internal breaches of confidentiality.

Clear policies are needed for disciplining employees who violate confidentiality and security policies. Many organizations distinguish between intentional and unintentional violations by defining a policy of incremental discipline. Such a policy acknowledges the difference between intentional or malicious behavior and violations that result from carelessness or unintentional actions (e.g., leaving a computer terminal logged on). Organizations might provide an oral or written warning to an employee for a first or minor offense, suspend an employee for a second or greater offense, and terminate employment for major or repeated violations. A policy of "zero tolerance" that is used by some organizations states that all breaches will have swift and appropriate consequences, no matter by whom or for what reason the breach occurred. If evidence shows that a breach has occurred and a guilty party can be identified, disciplinary action follows quickly and in accordance with the signed confidentiality agreement.

The committee observed a range of established sanctions and disciplinary actions at the sites it visited. At least one site had no written sanctions and dealt with violations on a case-by-case basis. Other sites described sanctions in policy documents but were uneven in applying them; for example, clerical employees may have been fired, but physicians were "cautioned" behind closed doors. Another site had a clearly stated and observed zero-tolerance policy; employees were treated similarly throughout the hierarchy, and the organization publicly announced the results of its investigations and disciplinary actions.

Effective policies depend on consistent and evenhanded implementation. Inconsistently applied penalties encourage employees to believe that they can avoid them. Unevenly applied penalties can cause friction among staff and undermine confidentiality and security policies.

For sanctions to act as an effective deterrent, employees must know that they exist and will be implemented. Descriptions of sanctions should be included in confidentiality and security policies. Organizations that make disciplinary actions public can find that this serves as a strong example of management's willingness to enforce policy; one site visited by committee members, however, cautioned that such an approach can create an atmosphere of mutual suspicion and violate employees' own rights to privacy.

20  

Information Week, Vol. 3 (June 1996), p. 12.

Organizational culture is an important source of the norms regarding appropriate information access and use, and is one source of guidance for the definition of appropriate sanctions for violations of accepted norms in these local situations. Most of the organizations visited by committee members had spent little time on the delineation of appropriate sanctions for the abuse or inappropriate use of health care information; it appears that industry standards in this area have yet to be developed. Given the high level of mutual suspicion among health care providers, their employing organizations, and associated financial organizations, it is not yet clear how useful it would be to publicize widely the ways infractions of information rules and policies are handled.

Improving Organizational Management: Closing the Gap Between Theory and Practice

Each of the sites visited by committee members indicated a strong interest in and concern for patient privacy but often failed to have adequate written policies or to demonstrate behavioral compliance with existing policies. Typical of inadequate or incomplete policies was the lack of clear definition of what was meant by a lapse in security or a breach of patient privacy—or of what these meant in the context of the health information systems maintained by the organization. Employees disagreed over whether problems referred to mere episodic technological breakdowns or to truly malicious incidents. Moreover, there was a lack of specificity as to who was responsible for these events when they did occur and what constituted an appropriate disciplinary response.

Further, few organizations had formal mechanisms for modifying confidentiality and security policies. Committee members observed several well-documented policy statements and some excellent protocols for the training of organizational employees. Not only do these concrete and clearly specified policies make it easier to interpret and enforce confidentiality and security rules and procedures, but they also serve as reinforcements to existing cultural values and perceptions. The organizations that appear to have moved toward stronger cultural supports for confidentiality and security controls are those in which the values, policies, and procedures have come from the very top of the organization. Yet, without scheduled, annual reviews of these policies and procedures and their continued reinforcement by management, there is risk that these policies will no longer have relevance or impact within the organization.

Implementing an Integrated Security and Confidentiality Management Model

Although each of the organizational strategies described in this chapter was observed in at least one site visited by committee members, no site had implemented all and some had implemented very few. Sites often demonstrated a lack of clear leadership on the part of management; thus, employees were uncertain of what to do or where responsibility lay. The committee observed instances in which employees had made isolated efforts to improve practice within their departments, but without sufficient authority and management support, these efforts remained limited in scope and had little impact on the overall organization.

As organizations expand their boundaries they need to develop a comprehensive program to ensure that the message of commitment to patient privacy is pervasive and implemented in policies, procedures, and everyday behavior. Such a model includes an overall vision and goal statement, specific policy development, training, and provisions for disciplinary action.21 It enables employees involved in developing policies and procedures to understand the ultimate goal of their efforts, as well as how those efforts complement parallel efforts elsewhere within the organization. Through early, careful, and explicit planning, management serves as a coordinator and helps ensure that policies are not in conflict, lines of authority are clear, and gaps in security are avoided.

A model system would operate both top-down, with management outlining broad policy goals, and bottom-up, with employees developing local solutions, to form a matrix of communication, participation, and cooperation. The committee believes that the practices described in this chapter represent mechanisms by which patient privacy can be better protected; implemented together they may be described as an integrated management model for protecting patient privacy.

21  

A comprehensive program includes written policies, standards, training, technical and procedural controls, risk assessment, auditing and monitoring, and assigned responsibility for management of the program. See Computer-based Patient Record Institute (CPRI). 1996. Guidelines for Managing Information Security Programs, Work Group on Confidentiality, Privacy, and Security. CPRI, Schaumburg, Ill., January.


Overcoming Obstacles to Effective Organizational Practices

Organizations face a number of obstacles in developing an integrated approach to confidentiality and security. These obstacles derive from a lack of internal and external incentives that can motivate an organization to dedicate the resources necessary to establish the full range of policies, practices, and structures necessary to ensure stronger protection of electronic health information. These obstacles include resource constraints, competing demands, a lack of focus on information technology, and cultural constraints.

Lack of Public or External Incentives

As discussed in Chapter 2, there are few legislative or regulatory requirements that address patient privacy directly. Few existing controls provide adequate recourse for patients whose privacy has been breached. In addition, there have been relatively few broadly publicized events that have rallied public interest in privacy issues. In many cases, events have focused on a celebrity or public official, reinforcing the belief that the broad population of patients is unlikely to be harmed. At least one of the sites visited by committee members believed little would happen if its entire database of patient information were made public.22

As the committee conducted its study, it became apparent that although most health care organizations express a commitment to patient privacy, their actual practice is somewhat different. This does not vary remarkably from other commercial and industrial organizations. Policy making in business organizations with regard to the confidentiality and security of information may generally be characterized as "drifting" on a path of incremental "policy by least steps" until these organizations experience a direct threat and an effort is made to respond to or repair the damage.23 Although business organizations may have written policies on confidentiality and security, these policies may no longer be relevant to current business practices and activities.

At the same time, changes to policies made in reaction to events in the external environment can result in policies being too narrowly focused.

22  

Recent events, however, may have begun to change this perception. See Tippit, Sarah. 1996. "A New Danger in the Age of AIDS," Washington Post, October 14, p. A4. See also Brelis, Matthew. 1995. "Patients' Files Allegedly Used for Obscene Calls," Boston Globe, April 11, pp. 1 and 6.

23  

Smith, H. Jeff. 1993. "Privacy Policies and Practices: Inside the Organizational Maze," Communications of the ACM 36:105-122.


Examples of external catalysts include state and federal legislation but often are the result of business concerns, regulatory problems, lawsuits, or—most important—poor public relations. Business concerns grow out of heightened interest in keeping information from falling into the hands of competitors. They may also be the result of industry pressure to adopt a more stringent code of ethical conduct. Decisions to release or withhold information can leave organizations open to suits by disgruntled patients, employees, employers, and nonaffiliated health care providers. Several sites reported increased impetus in their policy-making process after a lawsuit had been filed or a breach reported in the media. Many sites also reported an increasing number of concerns expressed by individual patients that led to review (and sometimes revision) of existing policies.

Resource Constraints

Maintaining patient privacy is an important objective for health organizations, but it must compete with numerous other budgetary demands. As employees at sites visited by committee members indicated, health care organizations spend about 2 percent of their annual budget on information systems and about 2 percent of that on information security. Information security is often among the first items to be cut in the face of budgetary pressures. As in other industries, health care organizations do not act until a gross breach of patient privacy has occurred. According to one expert, sales of security products in the financial industry rise sharply after a breach is reported in the media, but drop off just as sharply after about 10 days. Several sites visited by committee members indicated that protection of health information does not serve as a market differentiator, and managers were therefore unwilling to allocate funds to support it.

Competing Demands

Many health care organizations are deep in the throes of developing integrated delivery systems (IDSs) by acquiring clinics, other hospital sites, and specialty practice groups, as well as retail pharmacy sites, long-term care facilities, and related organizations.24 Merging multiple organizations is a highly complex and often confusing process that stretches the resources of organizational members.25 As management focuses on high-level negotiations and financial agreements, it is often unable to focus also on the details of how the resulting organization will function. Establishing IDS management processes for confidentiality is secondary or tertiary to formalizing the merger or acquisition, negotiating the make-up of a management team, cutting redundancy and positioning for market share, and developing a single health information system. From observations made during the committee's site visits, it is clear that the integration of systems, policies, cultures, and procedures is usually left to be worked out after the merger discussions have been completed. Organizations often keep separate information systems functional until more comprehensive business integration takes place; issues concerning systemwide information security are considered later on a catch-up, patch-up basis.

24  

According to Deloitte and Touche LLP (U.S. Hospitals and the Future of Health Care, Philadelphia, 1996), 71 percent of U.S. hospitals either belong to an IDS or are participating in the development of one. IDSs are emerging as the predominant organizational model in today's health care environment.

25  

Although much has been written in industry periodicals, the popular press, and academic journals on health care system mergers and strategic alliances, it is clear that the development and the process of alliance or merger are still poorly understood. The best work in health care administration and health services research is still based primarily on case examples (see Kaluzny, Arnold D., Howard S. Zuckerman, and Thomas C. Ricketts III (eds.). 1995. Partners for the Dance: Forming Strategic Alliances in Health Care. Health Administration Press, Ann Arbor, Mich.); industry consultants still present models based on ideas of courtship and marriage (see Kanter, Rosabeth Moss. 1994. "Collaborative Advantage: The Art of Alliances," Harvard Business Review, July-August, pp. 96-108).

As IDSs form, they begin to wrestle with the problem of redesigning their information systems around multiple system platforms, homegrown technologies or software, legacy systems, and multiple distributed systems across multiple sites. Managers of IDSs must define the boundaries and relationships of the new organization. Among the questions to be resolved are the following: Who should have access to which parts of the data system? What is the relationship between employee users and nonemployee users? What are the philosophy and goals with regard to confidentiality and security for the new organization? Who decides these? What is the architecture of the merged information system? Who controls it? This is a process rather than an event, and beginning to work on it during negotiation of the merger or affiliation will ease the transition to a new organization. Employees who are presented with a fait accompli often resist change, and the resulting clash of cultures can seriously jeopardize the future of an organization.

Lack of Focus on Information Technology

Information management has become an essential component of the financial and managerial aspects of health care organizations, as well as of the provision of clinical care. Health care organizations are no different than any other business enterprise in this regard, except that many are pressed to catch up with the state of the art and science of computer-based information systems.

Providers of clinical medicine have had mixed reactions to the information revolution. On the one hand, some lament the passing of an era of personal ties between patient and physician—one usually carefully documented in the handwritten paper chart of the provider. On the other, many recognize the advantages of standardized health records as continuity of care becomes more difficult and physicians increasingly practice in groups and often substitute for one another in caring for patients enrolled in health care plans. Health information databases have become the professional memories through which the continuity and quality of patient care can be ensured for individual patients over time. As organizations become larger and more complex, electronic health information systems become more important as a means of monitoring and controlling both the quantity and the quality of care. The purposes for which health information is collected and the ways in which it is used have much to do with the way information systems are viewed by users.

Cultural Constraints

Organizational culture can either enhance or impede the intended effect of information confidentiality and security policies because it reflects the values, norms, understandings, and experiences of organizational participants. Some health care organizations have never really accepted the idea of patients as organizational participants; hence, when matters of privacy and security are raised, discussion centers on the proprietary value of such information, not on the threats to individual patients' rights to privacy. Health care organizations are focused on providing care, not on providing security.26 Accordingly, technology is valued inasmuch as it supports that goal and does so in a way that is convenient to caregivers. To the extent that mechanisms to support privacy and security are introduced, they are tolerated only if they are relatively transparent to the main goal. Health care providers often believe that security mechanisms are redundant, that members of the profession are well intentioned, and that they would never violate a patient's privacy.

26  

A recent survey of information systems trends conducted by Modern Healthcare and Coopers & Lybrand indicated that improving managed-care capabilities was the driving force behind priorities over the next 24 months. Maintaining or improving the security of patient information did not appear as a concern. See Morrissey, John. 1996. "A Broader Vision: CIOs Shift Strategy to Look Beyond the Hospital," Modern Healthcare, March 4, pp. 110-113.

With the advent of modern telecommunications and computing technology, almost any business enterprise draws upon a vastly expanded, even global, spectrum of information and personal contacts, which help to shape the culture of the organization itself. Most health care organizations have increasingly permeable boundaries, and it cannot be assumed that once the culture of privacy and security is established within the organization's walls, there are no other risks. As health care organizations form alliances and other vertical or horizontal linkages and as communications by these component entities increasingly use modalities such as the Internet, not only are the proprietary interests of these organizations put at risk, but patient-specific data are also more widely exposed. The awareness and concern that health care organizations exhibit with regard to these matters are, to a large extent, products of the organizational culture within which these issues are addressed.

Individual organizations take on a distinctive pattern of dealing with issues such as privacy and security. To some extent, the way these issues are addressed can reflect an organization's response to issues involving all aspects of technology. For example, an organization whose leaders have thought of computers and information technology as beyond human capacity to control may accept on blind faith the claim that, once programmed and made operational, computer-based information systems require little human monitoring or oversight. The more that global cultural influences are felt in contemporary organizations of all types, the less likely it is that any individual organization will be dominated by the influence of one or a few leaders who exert their personal stamp on everyday business dealings.

Organizations whose leaders and participants generally deny the possibility of violations of patient privacy (e.g., "It can't happen here," or "We've never had a serious incident before") may engender a culture that essentially acts as a blinder to these issues. This represents one of the most important, and frequently observed, impediments to the adoption and effective implementation of risk reduction policies and structures. Yet, the cultural supports for an initiative involving privacy and security may constitute an essential ingredient for its success. Unless organizational leaders actively foster and nurture a security-enhancing culture, such policies and structures may be imposed but will have little influence on health care organizations.

When you visit the doctor, information about you may be recorded in an office computer. Your tests may be sent to a laboratory or consulting physician. Relevant information may be transmitted to your health insurer or pharmacy. Your data may be collected by the state government or by an organization that accredits health care or studies medical costs. By making information more readily available to those who need it, greater use of computerized health information can help improve the quality of health care and reduce its costs. Yet health care organizations must find ways to ensure that electronic health information is not improperly divulged. Patient privacy has been an issue since the oath of Hippocrates first called on physicians to "keep silence" on patient matters, and with highly sensitive data—genetic information, HIV test results, psychiatric records—entering patient records, concerns over privacy and security are growing.

For the Record responds to the health care industry's need for greater guidance in protecting health information that increasingly flows through the national information infrastructure—from patient to provider, payer, analyst, employer, government agency, medical product manufacturer, and beyond. This book makes practical detailed recommendations for technical and organizational solutions and national-level initiatives.

For the Record describes two major types of privacy and security concerns that stem from the availability of health information in electronic form: the increased potential for inappropriate release of information held by individual organizations (whether by those with access to computerized records or those who break into them) and systemic concerns derived from open and widespread sharing of data among various parties.

The committee reports on the technological and organizational aspects of security management, including basic principles of security; the effectiveness of technologies for user authentication, access control, and encryption; obstacles and incentives in the adoption of new technologies; and mechanisms for training, monitoring, and enforcement.

For the Record reviews the growing interest in electronic medical records; the increasing value of health information to providers, payers, researchers, and administrators; and the current legal and regulatory environment for protecting health data. This information is of immediate interest to policymakers, health policy researchers, patient advocates, professionals in health data management, and other stakeholders.