National Academies Press: OpenBook

For the Record: Protecting Electronic Health Information (1997)

Chapter: Appendix A Study Committee's Site Visit Guide

Suggested Citation:"Appendix A Study Committee's Site Visit Guide." National Research Council. 1997. For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press. doi: 10.17226/5595.

Appendixes


Appendix A Study Committee's Site Visit Guide

General Protocol For Site Visits

STEP 1: Develop general field visit guide for use by all teams at all sites

  • list topics to cover (see list I below)
  • list questions to ask (see, "Possible Questions for Site Visit Interviews" below)
  • select sites

STEP 2: Pre-visit contact

  • make arrangements for visit (time, place, hotels)
  • ask for documents on study issues ahead of time (see list II below)
  • identify people to interview on site (see list III below)

STEP 3: Team preparation (conference calls)

  • teams review documents, match them to questions, and identify gaps/areas in need of on-site questioning
  • make final decisions regarding individuals to interview on-site

STEP 4: Generate customized site visit protocol

STEP 5: Conduct site visit

  • kick off introductory meeting with CEO/CIO and all actors
  • follow up with one-on-one interviews

STEP 6: Debrief/draft report

  • each site visitor reports on interviews
  • each site visitor summarizes his or her "picture"
  • team leader assimilates inputs and drafts overall report

Site Visit Information

I. Topics to cover

  • Privacy policies
  • Implementation of privacy policies
  • Responsibilities for developing and enforcing policies
  • Training of employees
  • Past security incidents/events
  • Definitions of privacy, confidentiality, and security
  • Content of electronic medical records
  • Description of information system(s)
  • Perception of internal security threats
  • Perception of external security threats
  • Description of security mechanisms
  • Evaluation of security mechanisms
  • Disaster planning
  • Security/damage control plans

II. Documents/information to request ahead of time

  • Organization's mission statement
  • Organizational chart
  • Privacy and security policies
  • Enabling/implementation documents for privacy/security policies
  • Description of personnel practices for punishing violators
  • Policies on record-keeping
  • Policy for release of information from medical records
  • Information system description(s)
  • Strategic plan for information system
  • Description of security systems for information system
  • List of responsibilities within information systems department
      • who is responsible for data release internally and externally?
      • who has administrative oversight for making sure information policies are actually implemented?

III. People to interview

  • CEO (or other high-level person responsible for deciding to develop privacy policy)
  • CIO
  • Technical systems administrator
  • Network manager
  • Security director
  • Medical records director
  • User groups (physicians, nurses, others?)
  • Legal department or counsel

Possible Questions For Site Visit Interviews

I. Organization and confidentiality policies

A1) What is the general structure of the organization? A2) What are the goals of the organization? A3) What types of services do you offer and in what types of settings? A4) To what extent do you work with affiliated health care providers?

B1) What are the organization's existing policies regarding security and confidentiality of medical records? B2) How are they stated and promulgated? B3) What information do they try to protect? B4) Are there policies targeted specifically toward electronic medical records? B5) If so, how are they different from policies directed toward paper records? B6) What balance do the policies strike between patient confidentiality and provider access?

C1) Are patients given access to their own records? If so, can they see the entire record or just an abstract? C2) Are they allowed to make corrections to their own records?

D1) Who else can information be released to (insurers, researchers, other doctors, etc.)? D2) What limits are placed on such releases? D3) Is all information released, or just some? D4) Are additional restrictions placed on "sensitive data" such as HIV tests, drug and alcohol abuse? D5) What procedures must requesters follow in order to access medical information? D6) Must patients consent to releases of medical information?

E1) What is the process by which privacy and security policies are developed and implemented? E2) Is there a committee that regularly reviews confidentiality policies? E3) Who reviewed and signed off on the existing policies? E4) Have clients/consumers been involved in the development of the confidentiality policies? E5) Have you received comments or questions from consumers regarding the information system and confidentiality or security of their data?

F1) What factors motivate and shape the development of confidentiality policies: state and federal legislation, lawsuits, unauthorized releases of medical information? F2) What types of liabilities do the policies protect against? F3) Do they create other liabilities/legal problems? F4) Do policies themselves leave the organization open to suit (e.g., unfair termination or negligence)?

G1) How are violators punished? G2) How are they caught? G3) Are mechanisms in place to monitor and catch violations?

H1) What has been the response to the policy, both internally and externally? H2) What is management's view of privacy and confidentiality? H3) Who are the stakeholders in the medical information systems they use? H4) What does "security" mean to these stakeholders? H5) What information is viewed as being especially sensitive?

I1) What do you see as the primary needs for privacy and security in health care information systems? I2) How do these differ across users: providers, patients, third-party payers/insurers, public health organizations, law enforcement, researchers?

II. Data exchanges

A1) With what other institutions are data exchanged? Insurers? Government agencies (state and federal)? Other hospitals? Regulatory authorities? A2) How much of the data is exchanged? A3) Who decides on policy for what gets shared with whom? A4) What quality control mechanisms exist to ensure that policy is carried out?

III. Aggregated data

A1) What procedures are in place to handle requests for aggregate data? A2) Do researchers have access to the repository of clinical data for large-scale queries? A3) Is such access routinely available or does it have to be arranged, e.g., by ad hoc dump of data files from the operational system?

B1) If data are made available for research studies, is there any attempt to "scrub" (remove identifying information from) the data? B2) If yes, what standards are established for the degree of scrubbing, who sets such standards, and how are they verified?

C1) Is institutional review board approval required for all such studies?

D1) If a researcher is a participant in multi-institutional trials, is there hospital policy on whether shared data may retain or must have removed all identifiers?

IV. Policy implementation

A1) How/how well do specific policies actually work in practice? A2) What issues still need to be addressed? A3) Who is responsible for system security?

B1) Who is responsible for implementing privacy and security policies? B2) Is there a security officer? B3) How big is the security staff? B4) Is responsibility centralized or distributed among a number of people? B5) If there is a central person, how is responsibility delegated to other units/people?

C1) Is there a variance between the policies for paper records and electronic records regarding security and access? C2) Are there differences in accountability for paper and electronic records?

V. Violations/problems/experiences

A1) What types of violations/incidents have occurred in the past? A2) How were they detected? By whom? A3) How were they punished? A4) Was the punishment public? A5) Who handled the punishment?

B1) Are there reporting mechanisms for apparent anomalous behavior of system or users?

C1) If violations or security breaches have occurred, how were policies, training, or systems redesigned to help prevent subsequent occurrences? C2) What resources were used?

VI. Training/education

A1) How are workers educated regarding policies? A2) Is there a system of formal training? A3) If so, who performs the training? A4) Does it include training in ethics?

B1) Do workers receive additional training as their jobs/responsibilities change? B2) Do they receive additional training/education when new facilities are added to the system or when policies change? B3) Are there refresher courses? If so, how often?

VII. Information system(s)

A1) What types of information systems are in place for storing, retrieving, and manipulating medical information? (Include satellite systems as for report writing, research.) A2) What kinds of information processing do these systems support: databases, remote access, email, web sites, other? A3) What information is on-line and not on-line?

B1) How is the system organized? Is it a centralized or distributed system? B2) What is the perimeter of the system? B3) What components are considered internal to the system and which are external to it? B4) How many entry points are there in the system?

C1) What media are used to provide access from inside and outside the institution? Dial-up lines? Fixed/private lines? Private networks? Public networks? C2) What is the logical and physical configuration of the communications systems?

D1) Is access to the information system from outside the organization possible? D2) Is such access restricted to organization employees or is it also available to "outsiders"?


E1) What parts of the information system were supplied by vendors, and which are "home grown"?

VIII. Electronic medical record

A1) What components exist as part of the electronic medical record: problem list, medications, lab results, visit history, patient-provider relationships, bedside (clinical) measurements, full-text clinical notes, images, demographic information, including employer, financial, insurance, next of kin?

B1) Are medical records kept under a master patient identifier? B2) If not, what combination of attributes is used to identify patients? B3) If so, is the master key the SSN? B4) If the SSN is not used as the primary identifier, is it nevertheless commonly available in the medical record?

C1) How is ownership of the information contained in the record determined and managed? C2) Who is responsible for ensuring the integrity and quality of information in the patient record?

D1) What technical and non-technical means are used to ensure the integrity of data in the electronic medical record? D2) Are digital signatures or time stamps used?

E1) What types of uses are made of the electronic patient record? E2) How does medical information flow through the organization for 1) routine medical purposes (e.g., emergency room visits, outpatient visits, inpatient stays); and 2) non-routine visits (e.g., special treatment of data for particular classes of individuals, such as celebrities or criminals)?

F1) How do you respond to unusual requests for information: research projects, subpoenas, etc.? F2) How do you handle requests arriving via telephone?

IX. Security threats

A1) What do you perceive to be the threats to the system, both internal and external? A2) Are current users aware of the potential threats?

B1) What internal and external threats is your system designed to protect against? B2) Did you perform a formal threat analysis?

C1) What are the vulnerabilities of the current system? C2) What threats have not been adequately addressed? C3) What types of problems have you experienced to date (hackers, system crashes, etc.)?

D1) What types of security threats have arisen to date? D2) How well does/did the system handle these threats? D3) What has been learned from such experiences?

X. Security measures

A. General Issues

1a) What general types of physical security and security technology are used in the system: Kerberos, encryption, private lines, firewalls? 1b) To what extent does cost effectiveness affect decisions regarding security? 1c) What types of tradeoffs must be made between security capability and cost?

2a) Is a single, integrated security solution feasible? 2b) Can vendor products meet local needs, or must systems be tailored for different circumstances? 2c) Are standards available for security systems?

3a) What are 5 areas in which your organization is doing a great job regarding privacy and security?

B. Authentication

1a) What mechanisms are used for individual authentication for access? 1b) Do you have unique login for individual users? If so, what type of key is used? 1c) Who issues the key? 1d) How frequently is the key changed?

2a) How do you verify new users? 2b) How do you terminate access for employees or former employees no longer allowed into the system?

3a) Do you use passwords for authentication? 3b) What types of passwords are used? 3c) Are they selected by users or generated for them? 3d) How frequently are passwords changed? 3e) Are there limitations imposed on the types of passwords users may select?

4a) In practice are passwords routinely shared or posted? 4b) Are methods used to protect against password sharing?

5a) Are mechanisms other than keys and passwords used for authentication, such as smart cards, palm readers, voice recognition systems, address filtering gateways?

6a) Do you have an authentication server? 6b) Is information stored in encrypted form on the server?

7a) Does the information system automatically maintain audit trails of who accessed what information? 7b) What types of audit capabilities are in place? 7c) Who reviews such audit trails, and how frequently? 7d) What fraction of accesses is reviewed, and how thoroughly? 7e) Who determines review policy? 7f) What consequences are there for infractions of policy?

C. Access

1a) Is access to medical records granted to everyone, or is it differentially restricted? 1b) If restricted, is it restricted by specific individual or by role? 1c) Who defines roles in the institution, and who decides what access is appropriate for each role? 1d) How are appropriate access privileges determined? 1e) Are temporary employees given access to systems? If so, how? Who grants that access?


2a) Do users have access to all patient records? 2b) If so, how do you regulate cross-patient queries? 2c) Is access granted or denied to the entire medical record, or is the record segmented and access granted to segments? 2d) If segmented, who defines these segments and decides access policy for them? Is it the information systems department, a medical records committee, ...?

3a) Is restriction of access to medical records preemptive, or is presumptive access granted with audit based review? 3b) How do you monitor staff access to other resources? 3c) Is there a regular report generated on access requests and access grants/denials?

4a) Are certain types of records kept more secure (field limitations on HIV lab tests, VIP records, etc.)? 4b) Are psychiatric records on-line? If so, are they treated specially for access? 4c) Is HIV status on-line? Is it treated specially for access? Is HIV infection or AIDS suppressed from the problem list? 4d) Are medication lists altered to hide HIV or psychiatric medications?

D. Encryption

1a) Are databases encrypted? If so, what type of encryption is used? If not, are databases protected only through access control?

2a) Are data encrypted during transmission over the network or to remote sites? If so, what type of encryption is used?

E. Protection Against External Threats

1a) What mechanisms are used to secure access from outside the institution? Dial-back schemes? Firewalls? Private lines or public networks? Authentication schemes? Encryption techniques?

2a) Are mechanisms in place to detect outsider probes? How do you know if someone is "sniffing" your system? 2b) Are there technical means available for detecting intrusion? 2c) What administrative mechanisms are used (awareness, reporting mechanisms, etc.)?

F. Software Discipline

1a) What types of software controls are in place to protect against Trojan horses and viruses?

2a) How do you attempt to control/limit the copying of data to prevent its subsequent release or unauthorized use?

G. Backup Procedures

1a) Do you have procedures in place for regularly backing up computer data? 1b) If so, what data are backed up: medical records, administrative data, password and access files? 1c) How frequently are data backed up and by whom? 1d) Where are backup tapes stored? 1e) Are back-up data stored in an encrypted or unencrypted form?

H. Emergencies/Contingency Plans

1a) What types of backup systems are in place to restore information/service in case of a catastrophe: redundancy, data storage, networks?

2a) How do you handle contingency/disaster planning? 2b) Are there formal procedures in place? 2c) Is there an oversight committee?

XI. User perspectives

A1) How important do users believe privacy and security are in health information systems? A2) What input did/do they have into the choice of security measures used or the design of the information system? A3) Do most users tend to favor or promote systems that require the least additional effort on their part? A4) Would users likely be strong supporters of increased security systems, or reluctant participants in systems that add to their daily workload? A5) What particular challenges did user perspectives add to the design process?

B1) Do users utilize the systems as intended? B2) Do they understand the security systems that are in place? B3) Do they find them effective? B4) Have they found ways to circumvent security measures that they don't believe provide real value? B5) What changes do users believe would make the system more effective and user friendly?

C1) Have security measures had adverse effects on the provision of health care? C2) Have there been cases in which physicians were unable to access an electronic record, or accessed wrong information, which caused a bad outcome? C3) How do security measures affect the availability of systems/information? C4) Have security measures resulted in denial of services?

D1) Do physicians and nurses put different types of information into an electronic patient record than they would put into a paper record? D2) If clinical notes are dictated, what confidentiality provisions apply to the transcription service? D3) Is it in-house or not? D4) Are there policies that cover dictation? D5) How are they enforced?

XII. Future research/needs

A1) How well have existing security measures worked? A2) What threats are not addressed or incompletely addressed? A3) What types of enhancements could be made to existing systems? A4) What would you do next if additional funding were made available for system upgrades?

B1) What types of incentives are necessary to stimulate adoption of additional security measures? B2) What is necessary to give other organizations the incentive to adopt electronic medical records and adequate security mechanisms?

C1) How will the perceived threat change over time? How will countermeasures change?

D1) How will future development of information technology change the privacy and security picture? D2) Does the prospect of computers in the home imply significant changes or challenges to your current operations?

E1) What technologies do you know of that are currently under development that could have a significant impact on system security and accessibility?


When you visit the doctor, information about you may be recorded in an office computer. Your tests may be sent to a laboratory or consulting physician. Relevant information may be transmitted to your health insurer or pharmacy. Your data may be collected by the state government or by an organization that accredits health care or studies medical costs. By making information more readily available to those who need it, greater use of computerized health information can help improve the quality of health care and reduce its costs. Yet health care organizations must find ways to ensure that electronic health information is not improperly divulged. Patient privacy has been an issue since the oath of Hippocrates first called on physicians to "keep silence" on patient matters, and with highly sensitive data—genetic information, HIV test results, psychiatric records—entering patient records, concerns over privacy and security are growing.

For the Record responds to the health care industry's need for greater guidance in protecting health information that increasingly flows through the national information infrastructure—from patient to provider, payer, analyst, employer, government agency, medical product manufacturer, and beyond. This book makes practical detailed recommendations for technical and organizational solutions and national-level initiatives.

For the Record describes two major types of privacy and security concerns that stem from the availability of health information in electronic form: the increased potential for inappropriate release of information held by individual organizations (whether by those with access to computerized records or those who break into them) and systemic concerns derived from open and widespread sharing of data among various parties.

The committee reports on the technological and organizational aspects of security management, including basic principles of security; the effectiveness of technologies for user authentication, access control, and encryption; obstacles and incentives in the adoption of new technologies; and mechanisms for training, monitoring, and enforcement.

For the Record reviews the growing interest in electronic medical records; the increasing value of health information to providers, payers, researchers, and administrators; and the current legal and regulatory environment for protecting health data. This information is of immediate interest to policymakers, health policy researchers, patient advocates, professionals in health data management, and other stakeholders.
