BOX 6.4 Charlotte's Data Flows
Charlotte, Alice and Bob's daughter, grew up in a world that refused to stand still. Charlotte was 5 when the managed care firm purchased her pediatrician's practice, and from that age her primary medical record was kept electronically. Fueled by increasingly available and cheap computing and communications technologies, continuing attempts to control health care costs, and the need for easier access to expert specialists, telemedicine became more common. Alice frequently used her home computer to consult medical references and get additional information about Charlotte's childhood illnesses and injuries. When Charlotte was 10, the managed care firm started a program to make its patients' medical records available to them electronically. Because this was part of an initiative to attract more patients, the firm publicized the program widely and paid particular attention to ensuring that records would be released only to properly identified individuals. Alice, Bob, and Charlotte decided to join the program and were each issued a plastic card to use for authenticating requests. When Charlotte graduated from high school and went away to college, she decided to take a copy of her medical records with her. She used her card to authorize the electronic transmission of her health records to her college's student health services program.
How Did This Come About?
A number of publicized privacy violations that damaged some of its competitors had alerted senior managers of the care firm to vulnerabilities in its own procedures. In response, the firm revised its procedures to reduce the exposure of its patients' records to other groups. Samples sent to outside laboratories for analysis were encoded with numbers, rather than names, so that results could be provided anonymously. Audit trails were incorporated in the provider's own systems, and policies were established to allow patients to review the audit logs. It became straightforward to remove direct patient identification from records released to groups that did not have a legitimate need for that information. When patient-identified records were released, means were provided to "fingerprint" them with hidden information in order to detect abuses. Under the medical records protection laws that had been enacted, violations traced back through these fingerprints could be prosecuted as criminal offenses, and patients could also sue for damages. With these controls in place, management realized that it was now in a position to offer the new patient record access service without exposing itself to undue risks, and that its well-developed systems could lead to a competitive edge.
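The four provider-side controls described above (numbered lab samples, de-identified releases, fingerprinted identified releases, and a patient-reviewable audit trail) can be sketched in a few dozen lines. The following is an added example, not code from the box or from any real provider system; the record fields, patient and recipient names, and the `RecordReleaseService` class are all constructed for illustration. The fingerprint is an HMAC over the recipient and a per-release identifier, which lets the provider both trace a leaked copy back to a release and confirm that the matching audit entry has not been altered. As a simplification, the tag is carried in a visible `_trace` field; a deployed scheme would hide it in the record's form rather than its content.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

# Constructed patient record; every value here is invented for this example.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "Charlotte Example",
    "date_of_birth": "1990-04-02",
    "address": "12 Example Lane",
    "diagnoses": ["otitis media"],
    "lab_results": {"CBC": "normal"},
}

# Fields that directly identify the patient and are stripped from releases
# to groups with no legitimate need for them.
DIRECT_IDENTIFIERS = ("patient_id", "name", "date_of_birth", "address")


class RecordReleaseService:
    """Hypothetical provider-side service modelling the controls in the box."""

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key            # secret known only to the provider
        self._sample_map: dict = {}            # sample number -> patient id, kept internal
        self.audit_log: list = []              # append-only; patients may review it

    # Lab samples leave the provider under a random number, never a name.
    def code_lab_sample(self, patient_id: str) -> str:
        number = "S-" + secrets.token_hex(6)
        self._sample_map[number] = patient_id
        return number

    def resolve_sample(self, number: str) -> Optional[str]:
        return self._sample_map.get(number)

    # Releases to groups without a need for identity get a stripped copy.
    @staticmethod
    def deidentify(record: dict) -> dict:
        return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

    def _tag(self, recipient: str, release_id: str) -> str:
        msg = f"{recipient}|{release_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:24]

    # Identified releases are fingerprinted per recipient and logged.
    def release_identified(self, record: dict, recipient: str, purpose: str) -> dict:
        release_id = secrets.token_hex(4)
        tag = self._tag(recipient, release_id)
        copy = dict(record)
        copy["_trace"] = tag  # simplification: a real fingerprint would be hidden
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "patient_id": record["patient_id"],
            "recipient": recipient,
            "purpose": purpose,
            "release_id": release_id,
            "tag": tag,
        })
        return copy

    # A copy found outside the provider is traced back through its tag.
    def trace_leak(self, leaked: dict) -> Optional[dict]:
        tag = leaked.get("_trace")
        if tag is None:
            return None
        for entry in self.audit_log:
            if hmac.compare_digest(entry["tag"], tag):
                # Recompute the tag so a tampered log entry cannot shift blame.
                if hmac.compare_digest(self._tag(entry["recipient"], entry["release_id"]), tag):
                    return entry
        return None

    # Patients may review every release of their own record.
    def audit_entries_for(self, patient_id: str) -> list:
        return [e for e in self.audit_log if e["patient_id"] == patient_id]


if __name__ == "__main__":
    svc = RecordReleaseService(secrets.token_bytes(32))
    print("lab sample number:", svc.code_lab_sample("P-000123"))
    print("de-identified:", svc.deidentify(SAMPLE_RECORD))
    college_copy = svc.release_identified(SAMPLE_RECORD, "college-health", "transfer of care")
    print("leaked copy traced to:", svc.trace_leak(college_copy)["recipient"])
    print("audit entries visible to patient:", len(svc.audit_entries_for("P-000123")))
```

The HMAC key never leaves the provider, so a recipient cannot forge a tag that points at someone else, and `compare_digest` keeps the lookup constant-time. The audit log is intentionally separate from the sample map: the former is what patients are allowed to review, the latter is internal.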
How Were the Risks Reduced?
First, the communications infrastructure had been made much more resistant to eavesdropping by the incorporation of practical cryptography. Built into the communications network interface at each home was a privacy service module that incorporated a private key and could negotiate a new key for each communication session, entirely transparent to the communicating parties. These facilities had first been used to ensure the integrity and confidentiality of real-time telemedicine links and record transfers.