Organizational Approaches to Protecting Electronic Health Information
Organizational policies and practices are at least as important as technical mechanisms in protecting electronic health information and patient privacy.1 Organizational policies establish the goals that technical mechanisms serve, outline appropriate uses and releases of information, create mechanisms for preventing and detecting violations, and set rules for disciplining offenders. Though generally most effective in protecting against abuses by legitimate system users (insiders or trusted others), organizational policies and practices can also provide guidance for establishing mechanisms to protect against outside attackers.2 In the health care industry, organizational policies and practices must properly balance patients' rights to privacy against the need for care providers to access relevant health information for providing care. Failure to do so can make patients unwilling to reveal sensitive health information to their providers or make such information too difficult to access when needed for care.
Creating a health care organization that is fully committed to safeguarding personal health information is difficult. It requires managers and employees, both individually and collectively, to engage in an ongoing process of learning, evaluation, and improvement to create an environment—and an organizational culture3—that values and respects patients' rights to privacy. Managers must provide leadership by heightening awareness of privacy and security issues and by determining how the organization can achieve the most appropriate balance between access to electronic health information and patient concerns over privacy.4 As front line caregivers, employees are responsible for the actual implementation of policies and procedures, and they may also participate in their development. Individual employees are the most likely sources of minor and accidental breaches of patient privacy, whereas inadequate policies or a lack of technical mechanisms are probably responsible for larger breaches.
As the committee's site visits attest, health care organizations have developed a number of policies and practices for protecting electronic health information. These include formal policies regarding information system security and patient privacy, formalized structures for developing and implementing policies and procedures, employee training practices, and procedures for monitoring and penalizing breaches of privacy and security policies. Nevertheless, additional progress needs to be made to improve organizational protections for electronic health information. Few, if any, health care organizations have developed an integrated approach to organizational management that addresses all aspects of information security and patient privacy. Numerous obstacles must be overcome in order to provide organizations with the incentives and motivation to adopt stronger practices.
Health care organizations have adopted a range of formal policies to outline their goals with regard to patient privacy and security. These include policies related to authorized uses and exchanges of health information and patient-centered policies that are intended to promote a stronger relationship between patients and providers with regard to maintaining patient privacy. Both the content of policies and the approach used to develop them play a large role in ensuring that employees abide by them. Policy documents are most effective when designed as easily accessible, ongoing reference materials and when introduced at the start of employment and referred to regularly in training and other internal communications.
Policies Regarding Information Uses and Flows
Policy statements regarding information uses and flows attempt to balance the need for providers, payers, researchers, and others to access health information against patients' desires for privacy. Overly restrictive policies, by making information inaccessible and leaving providers vulnerable to malpractice litigation, may interfere with providers' abilities to care for patients properly. Overly permissive policies may cause patients to lose confidence in the ability of the organization to protect sensitive data, making them reluctant to impart vital information. Notwithstanding common principles for balancing access and privacy, specific decisions may vary across organizations according to the size, structure, and types of care provided. Organizational culture also plays a strong role.
Policies regarding information use and flows tend to be formalized in specific policy documents on security, confidentiality, protection of sensitive health information, research uses of health information, and release of health information. They address both paper and electronic health records to avoid possible inconsistencies in the procedures employees follow for handling them.5 Formally developed policies vary among organizations according to their internally developed risk assessments (Box 5.1).
Security policies describe an organization's philosophy and goals for user authentication and access control, as well as data reliability, availability, and integrity. Effective policies generally include a description of the organization's risk assessment and assign responsibility to individuals, committees, or departments for developing specific procedures and mechanisms by which the policy is to be implemented (see Chapter 4).
BOX 5.1 Risk Assessment
In conducting a risk assessment, organizations consider the following:
These considerations must be balanced against:
SOURCE: Computer Science and Telecommunications Board, National Research Council. 1991. Computers at Risk: Safe Computing in the Information Age. National Academy Press, Washington, D.C., adapted from pp. 59-60.
Confidentiality policies describe the overall approach to be taken in balancing access to information against protection of information. They may also provide details about the organization's risk assessment so that readers can understand why certain behaviors and procedures are important.
Organizations often have a number of datasets that management considers confidential: individual health information, financial data, business plans, employee files, outcomes research, and so on. Each of these datasets may be considered a corporate asset, and its disclosure may result in a financial disadvantage or loss to the organization. Although this perspective can provide strong incentives for protecting health information, health data are qualitatively different from proprietary corporate information and entail unique risks and liabilities. Confidentiality policies are most effective if they recognize the unique concerns associated with health information and provide adequate protection.
As a matter of policy, most provider organizations allow physicians to access the records of all patients within the institution; this approach ensures that information will be available when needed for care, and it is technically simpler than more restrictive approaches. Committee members also observed alternative approaches that, although perhaps not widely applicable or scalable, more narrowly restrict access to health information. For example, some organizations allow all staff and admitting physicians unrestricted access to all patient files, but limit the access privileges of referring physicians to their patients of record. This approach enables an organization to restrict the access of physicians with only occasional need to access the system, but still leaves unrestricted the large number of physicians who regularly have patients admitted or seen at the organization.
Other organizations allow physicians unrestricted access to information about their current patients, but allow access to other records only if a specific and documented need arises. In such cases, the information system can prompt the caregiver to type in the reason for access or to select the reason from a list. Common reasons such as "consult requested by primary care provider" or "emergency care" are supplied on the screen, as well as a fill-in-the-blank option. An e-mail notification of the access can be sent automatically to the primary care physician for review.6 Inappropriate access is deterred when system users understand that their actions will be recorded and reviewed and that sanctions can be applied for violating patient privacy. This system balances the need for restricted privileges against emergency or unexpected needs for access without requiring burdensome or time-consuming behavior.
Policies to Protect Sensitive Information
Most health care organizations have policies that establish special protections for sensitive information such as mental health records, HIV status, drug and alcohol treatment, as well as the health records of celebrities and other widely recognized persons. Protection of some information is guided by state or federal legislation (see Chapter 2); other protection is provided voluntarily by individual organizations. Some sites visited by committee members either kept sensitive information apart from the rest of the health record or provided greater security for the entire health record if it contained sensitive information.
"E-mail notification of access" is but one feature of an audit trail system that records details about information access. See the Chapter 4 section "Audit Trails" for further discussion of the topic.
Paper-based health records are often accorded special protection by simply locking them up (in the office of the director of medical records, for example) when not in active use. None of the sites the committee visited had tried to mimic this system with their electronic records (by removing records from the system entirely or by limiting access to a few, select providers); but in some sites, the information system generated additional prompts or warning screens, informing users of the sensitive content of the records and reminding them that audit logs maintained a record of all accesses to patient records. Users were required to type in their log-on ID or password again as acknowledgment that they had read and understood the warning. Users reported that the warning screen causes them to pause and think again about their reasons for accessing the record and that this approach successfully deters unnecessary attempts to access records of celebrities (which are often motivated as much by curiosity as by medical need).
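The two controls described above, the reason-for-access prompt with e-mail notification to the primary care physician and the warning screen that sensitive records trigger, as an added example in Python that is not part of the report. The record fields, user names, the outbox standing in for the e-mail system, and the `reauthenticated` flag standing in for the re-entered log-on ID check are all assumptions.

```python
"""Access gateway modelling the report's reason prompt and warning screen.
Added example, not from the report; names and data layout are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Reasons offered on screen when a user opens a record outside their patients
# of record: the two named in the text plus a fill-in-the-blank option.
STANDARD_REASONS = ("consult requested by primary care provider", "emergency care")


@dataclass
class Record:
    patient_id: str
    primary_physician: str              # receives e-mail notice of unusual access
    treating_physicians: Set[str]       # current caregivers: unrestricted access
    sensitive: bool = False             # e.g. mental health, HIV status, celebrity


@dataclass
class Decision:
    allowed: bool
    needs_reason: bool = False           # caller must show the reason prompt
    needs_acknowledgement: bool = False  # caller must show the warning screen
    message: str = ""


class AccessGateway:
    def __init__(self) -> None:
        self.audit_log: List[Dict] = []     # every attempt, allowed or not
        self.outbox: List[Dict] = []        # notices an e-mail system would send

    def _log(self, **entry) -> None:
        entry["time"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(entry)

    def request_access(self, user: str, record: Record, reason: Optional[str] = None,
                       reauthenticated: bool = False) -> Decision:
        """Decide whether `user` may open `record`, recording the attempt.

        `reauthenticated` stands for the user having re-entered their log-on ID
        or password on the warning screen; the credential check itself is
        assumed to live elsewhere.
        """
        outside_patients_of_record = user not in record.treating_physicians
        reason = (reason or "").strip()

        # 1. Access outside the user's own patients requires a documented reason.
        if outside_patients_of_record and not reason:
            self._log(user=user, patient=record.patient_id, outcome="prompted",
                      detail="reason required")
            return Decision(False, needs_reason=True,
                            message="Select or type the reason for this access.")

        # 2. Sensitive records show a warning screen; the user acknowledges it
        #    by re-entering credentials before the record is displayed.
        if record.sensitive and not reauthenticated:
            self._log(user=user, patient=record.patient_id, outcome="warned",
                      detail="sensitive record; acknowledgement required")
            return Decision(False, needs_acknowledgement=True,
                            message="This record contains sensitive information. "
                                    "All accesses are logged. Re-enter your log-on "
                                    "ID to continue.")

        # 3. Grant, log, and (for access outside patients of record) notify the
        #    primary physician so the access can be reviewed.
        self._log(user=user, patient=record.patient_id, outcome="allowed",
                  reason=reason or "patient of record",
                  standard_reason=reason in STANDARD_REASONS,
                  sensitive=record.sensitive)
        if outside_patients_of_record:
            self.outbox.append({
                "to": record.primary_physician,
                "subject": f"Record of patient {record.patient_id} accessed by {user}",
                "body": f"Reason given: {reason}",
            })
        return Decision(True)

    def accesses_for_patient(self, patient_id: str) -> List[Dict]:
        """Audit-log review of one patient's record, as offered on request."""
        return [e for e in self.audit_log if e["patient"] == patient_id]


def demo() -> AccessGateway:
    """Walk the three paths on constructed data; returns the gateway for inspection."""
    gw = AccessGateway()
    chart = Record("P-1001", primary_physician="dr.lee",
                   treating_physicians={"dr.lee", "dr.ortiz"})
    hiv_chart = Record("P-2002", primary_physician="dr.lee",
                       treating_physicians={"dr.lee"}, sensitive=True)
    gw.request_access("dr.ortiz", chart)                           # own patient: no prompt
    gw.request_access("dr.patel", chart)                           # prompted for a reason
    gw.request_access("dr.patel", chart, reason="emergency care")  # logged, dr.lee notified
    gw.request_access("dr.lee", hiv_chart)                         # warning screen shown
    gw.request_access("dr.lee", hiv_chart, reauthenticated=True)   # acknowledged, allowed
    return gw
```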
Other organizations have chosen not to include sensitive information in the electronic medical record; rather, the medical record contains a note stating that additional information is available from another physician or department. While effective in removing sensitive information from the record, this approach does not fully protect privacy. If a note in the record states that additional information is available from the psychiatric department, for example, any user accessing the primary record can infer that the patient is being treated for psychiatric problems. Furthermore, some sensitive information must be kept in the main record to ensure adequate care. Medication lists are typically included in electronic medical records because of the need to avoid prescribing drugs that interact with one another to cause an untoward effect. For this reason it is impractical to withhold certain drugs from the electronic record even though they may be a nearly unambiguous indication of a sensitive condition (e.g., a positive HIV diagnosis).
Alternatively, some sites indicated that the contents of the electronic medical record are a matter of ongoing negotiation between patient and provider. In some cases, the most sensitive (and sometimes most critical) information is left out of the formal record when patients express concerns over privacy. In these instances, providers often maintained handwritten notes kept in a separate file, raising issues (and concerns) about what constitutes the real record.7 Withholding information from the health record has implications for care: it is often difficult to determine a priori what information will be important to later delivery of care. Separate, or secret, records can hinder care in emergency situations and may have legal implications if a record is subpoenaed. But physicians may choose to negotiate with patients over the content of the record if it means the patient will continue to seek care.
A small number of health care organizations allow patients considerable control over access to their health information. One particular organization that works with people with AIDS allows patients to determine which providers are allowed to access their records and which portions of the record they are authorized to see. Another organization that manages a state health program (but does not provide care) lets patients (or clients as they are referred to by the site) allow only their case worker to access patient records. As these examples demonstrate, technology is available for creating fine-grained access controls by the patient, but these controls appear to be applicable only in a limited set of circumstances with a narrow patient base. It does not appear that these practices could be applied easily to health care organizations with more diverse, transient patients who receive episodic care.
An alternative approach that is used successfully by some health care organizations is to avoid segregating sensitive information from the rest of the medical record and to instead improve the security of the entire, integrated medical record through the use of well-designed authentication procedures, access controls, audit procedures, and other mechanisms. The goal of this approach is to raise the level of protection for all health information, not just sensitive information. The advantage of this approach is that it ensures the medical record contains all available information that a care provider may need to make sound decisions about a patient's condition or treatment plan. The disadvantage is that it might require overly burdensome security practices for some applications or make organizations reluctant to offer some types of information services. For example, organizations may not want to allow Internet access to their clinical information systems if such access will be provided to the full medical record. In such cases, however, it may be possible to relax the security on some limited subsets of data. For example, one organization allows physicians to access information on patients in the intensive care unit from home or during travel. Screens show current laboratory results and vital signs for patients in the intensive care unit, but refer to them only as, for example, the "37-year-old, white male in bed 4." This information is insufficient to identify the patient to a casual intruder but is enough for a physician familiar with his or her patient profiles. Such a process works well in a controlled setting such as the intensive care unit, where a limited number of patients are under close and frequent supervision. The committee believes that this approach serves to protect patient privacy well in similarly controlled settings while allowing care providers easy and immediate access to vital information, but it probably would not scale well to larger units.
Policies on Research Uses of Health Information
Organizations (especially those linked to either a medical school or a medical research program) must also develop policies to guide researchers in procedures for maintaining patient privacy while using health information. These policies should contain a clearly formulated statement that defines "intended use" and defines identifiable versus aggregate data access. Procedures for removing identifying factors need to be clearly specified for both the paper and the electronic medical record and for record abstracts or audit material. The standard (and generally acceptable) pathway for review of requests for research access to medical record information is through an organization's institutional review board (IRB), whose members evaluate the potential for patient risk as a result of granting access (Box 5.2). Sites visited by committee members had experienced no instances of researcher abuse of confidentiality policies, and their IRB mechanisms seemed to function well to reduce such risk.8
Policies with regard to institutional review boards also may include procedures on how to obtain IRB approval, a clearly specified statement of IRB function and protocols, and lists of its regularly scheduled meetings and reviews. One site visited by committee members had a particularly well-developed process that required researchers from outside the organization to seek collaborative relationships with staff physicians and obtain approval for an appointment as a visiting scientist before applying for access to the organization's patient health information. This site would not allow external researchers to copy records in any form for their own use; paper records needed to be audited or read on-site. Visiting scientists were allowed only copies of aggregate datasets with all identifiers removed, and then only with the approval and knowledge of their collaborating on-site researchers. The information system was defined formally as an organizational resource to be carefully guarded and preserved; outsiders were allowed access only if they agreed to apply for, and could achieve, internal legitimization.9 Staff from this site routinely reviewed published research articles to detect possible violations of the organization's policy.
BOX 5.2 Institutional Review Boards
The Institutional Review Board (IRB) system and process rests on two sets of federal regulation. The first requires that any conduct of research on human subjects by agencies of the U.S. government or supported by the U.S. government must receive IRB approval before proceeding; the underlying model is that of government-supported biomedical subjects. Second, the Food and Drug Administration requires research involving human subjects and new drugs or devices to be approved by an IRB. Regulations require IRBs to have at least five members, one of whom is from outside the institution. IRBs review the benefits and risks to subjects of proposed research and the importance of knowledge that may be reasonably expected to follow, and examine the process by which investigators explain relevant issues in order to obtain informed consent from the subjects.
SOURCES: Rosnow, Ralph L., Mary Jane Rotheram-Borus, Stephen J. Ceci, Peter D. Blanck, and Gerald P. Koocher. 1993. "The Institutional Review Board as a Mirror of Scientific and Ethical Standards," American Psychologist 48(7):821-826. See also Edgar, Harold, and David J. Rothman. 1995. "The Institutional Review Board and Beyond: Future Challenges to the Ethics of Human Experimentation," Milbank Quarterly 73:489-506.
Policies Guiding Release of Information
Defining the circumstances under which health information may be released and to whom is a first step in ensuring that patient privacy is not violated by inappropriate disclosure. Common elements of policies on release of health information include defining (1) who is authorized to release information, (2) who is authorized to receive information and under what conditions, (3) the form and scope of information that may be released, and (4) the circumstances under which additional patient consent is required.
Organizations may track releases of patient information by retaining in the permanent health record the signed authorization form (when one is required), records of what information was released, the date of release, to whom it was released, and the signature of the employee who released the information. This record keeping creates an audit trail if unauthorized disclosure is suspected.
A number of practices have been developed to help improve communications between patients and providers regarding the collection, use, and dissemination of health information. These practices make individuals more aware of their rights regarding their health records, the consent they give for using and disseminating health information, and the existence of electronic medical records. In the short term, greater patient awareness of data issues and their rights may create liabilities for the organization: better-informed patients are more likely to hold organizations responsible for protection of their health information. In the long term, however, organizations using these practices are more likely to evolve cultures that value the protection of health information and avoid potential liabilities, fostering more open and candid interactions between patients and providers and increasing the likelihood that relevant data will be available for patient care.
Patient Bill of Rights
Some organizations have developed or adopted a patient bill of rights that outlines clearly the relationship between patient and provider; states the patient's rights to privacy and confidentiality; and outlines state and federal laws, regulations, and standards guaranteeing those rights. For example, it may describe a patient's right to view the audit trail related to a hospital stay or the procedures by which a patient may review the contents of his or her health record and correct information he or she believes is inaccurate.10 The name and telephone number of a contact person within the organization who is responsible for patient complaints with regard to privacy and security (e.g., an information security officer) is included for patients who believe that their rights have been violated. The patient bill of rights is coordinated with forms authorizing disclosure of individually identifiable health information to ensure compatibility between the two documents.
Disclosure authorization forms inform patients of the existence of the electronic health record and describe the policies and procedures in place to protect patient privacy. They provide patients with information on what parts of the record are usually shared with other providers or insurance companies or are used for internal management purposes (over which the patient has no control) and request authorization from patients for any other intended uses. They may also provide patients with a statement of their rights to access their health record.11 At least one of the sites visited by committee members had recently completed an extensive review of its forms during which legal terminology had been removed, making the language clearer and more understandable, and the forms had been translated into the languages common to the organization's patient population. This site had worked with patient representatives to test their ability to understand the forms.12 Coordinating a patient bill of rights with a disclosure authorization form can further enhance the relationship between provider and patient by helping to establish mutual understanding and trust.
Access to Records and Audit Logs
Many health care organizations allow patients to review their own health records and to correct or amend records, as necessary, through a formal process. Some states require provider organizations to allow such access; other states make no such provision and individual institutions are free to set their own policy. Organizations that allow patients to access their own health records find that it can not only help ensure the integrity of the information contained in the record, but can help patients better understand its content and sensitivities. Most have developed formal policies for access; some allow patients to review records only in the presence of one of their employees who can both explain the content of the record and ensure that it is not altered. Other health care organizations will, upon request, analyze the audit logs of accesses to a particular patient's record. This practice is useful in detecting alleged violations of confidentiality. Though exposing health care organizations to possible legal action, such reviews can, in the long run, help reduce patients' suspicions and provide the motivation for organizations to develop strong measures for protecting patient information.
Formal organizational structures are needed to develop, implement, and enforce policies regarding privacy and security. These structures take on a variety of forms, depending largely upon the nature and culture of the institution in which they will operate, and serve as a focal point for both management and technical issues related to the safeguarding of privacy and security in paper and electronic medical records. Institutions with strong organizational policy tend to have well-defined structures with clear lines of responsibility. They typically include groups charged with developing policy, offices or departments for implementing policy, and structures for granting access privileges to users of the institution's information systems. A fourth structure, the institutional review board, is discussed above in the section titled "Policies on Research Uses of Health Information."
Policy Development Process
Health care organizations develop privacy and security policies in many different ways: by a small cadre of senior executives, by a committee process that solicits input from across the organization, or by some combination of the two. Committee members saw a range of approaches during their site visits. One site developed policy primarily within senior management, with limited input from department heads, users, and patients. Another organization used committee structures for all policy development activities. Policy developed by a small group of high-level executives has the advantage of being less time-consuming than a committee process and inherently carries with it the authoritative power of management. At the same time, it is becoming increasingly understood that employee input into policy decisions increases the likelihood of acceptance and effective implementation.13
Most sites visited for this study developed policy by committee. These committees went by different names (for example, health records, confidentiality, security, and information systems management) in different institutions and had different reporting structures. Some reported directly to upper management; others were part of a larger medical records committee. Regardless, committee composition is generally broad and may include members with knowledge of user needs and behavior (e.g., health information managers, nurses, physicians, admitting managers, human resources managers, and patient relations representatives), technical experts on the organization's information systems, lawyers, and patient representatives.14 Upper management often assists committee members by helping them to define a scope of work that complements rather than duplicates other organizational efforts and by requesting clear milestones for committee accomplishments. Using a committee structure to develop policy can be time-consuming and subject to delay; one site that had adopted a consensus decision-making style to ensure buy-in found the advantage offset by its time-consuming nature. Employees at this site commented also that committee memberships were often large (with members from each interested department) and subject to turnover, which further contributed to delay. Nevertheless, ensuring appropriate representation of interests is key to developing sound policy.
Structures for Implementing Policy
Once policies have been developed and approved, procedures are needed to translate their intent and goals into everyday practices, which may vary somewhat across departments. Whether or not the same individuals or committees that developed the overarching policy take on or delegate the task of developing procedures is not as important as ensuring that authority and responsibility for implementation are clearly assigned. Responsibility derives from accountability: unless management makes it clear that responsibility has been delegated, no one may assume responsibility, and employees may not know where to go with questions or problems. Accountability is particularly problematic in organizations in which committees formulate policies but individuals or departments are charged with policy implementation.
Several of the sites visited by committee members had designated an information security officer to handle the design, implementation, and evaluation of confidentiality and security policies; this person also was the single point of contact for patients or employees to report incidents or concerns related to inappropriate disclosure of health information. In these organizations, the information security officer was a technically knowledgeable manager who reported directly to the chief information officer and served on relevant policy-making committees. For example, one information systems committee developed policy that said protecting patient privacy required the use of audit trails. That organization's information security officer then developed procedures that included a description of how often an audit trail should run, what information should be recorded, and what actions a patient should take in order to review audit trail data. Some organizations may add the duties of an information security officer to those of an existing employee; larger organizations may establish a new position or even a department.
Another role for which an information security officer may be held responsible—and one that requires a strong technical background—is risk assessment. Of the sites visited by committee members, few had formal programs for evaluating the presence and magnitude of various threats to the organization's health information. This is an ongoing activity that, at a strategic level, informs the policy development process, as well as the allocation of financial resources.
An information security officer needs a clear charter of authority from management to avoid conflicts with other departments. For example, an investigation into a breach of policy committed by an employee may become derailed if personnel from human resources believe employee discipline falls solely under their aegis. Although authority should clearly fall in one place or another, cooperation among departments with similar charters supports the overall goal.
Structures for Granting Access Privileges
The process by which users are granted or denied access privileges to an information system is key to maintaining the security of that system. Procedures are necessary for granting access to new users, changing access privileges for users who take on new responsibilities or transfer to different departments, and terminating access privileges for users who resign or whose employment is terminated. New users need privileges granted quickly in order to perform their jobs; transferring or temporary employees need access privileges updated to reflect their changing responsibilities; users who lose or forget their log-on IDs or passwords need a rapid response from the granter of privileges; employees who are terminated should have access privileges revoked promptly. Typically, responsibility for granting or denying access privileges is assigned to information systems personnel, human resources personnel, supervisors, others appointed by management, or some combination of the above.
The structure for granting access privileges may be centralized or distributed. In a centralized model, information systems personnel usually grant the privileges approved by others. The advantage of this approach is that workers in the information systems department understand system requirements and the levels of access defined for various user roles; they are centrally located and easily contacted. The disadvantage is that they may not understand requests that stray from standard guidelines. Similarly, human resources personnel are responsible for administering new hires, transfers, and terminations and need to be closely involved in granting access privileges, but they are not close enough to the practical needs of health care providers to appraise unusual, but legitimate, requests for access.
Several sites used a more distributed model. In one instance, corporate vice presidents assigned authority to supervisors or department heads in various areas to grant access to particular databases or applications. Employees requested access privileges from the relevant authority and demonstrated their need to know. Supervisors understood job responsibilities (and, in fact, assigned them) that crossed standard role-based access privileges and, thus, were able to evaluate the request. In emergency situations, workers could be granted access to clinical systems by a head nurse. This model has the advantage of assigning responsibility for certain sets of data to the employees most likely to understand legitimate requests for access. Having a variety of access granters helps ensure that someone will be readily available in all but the most unusual circumstances. One disadvantage is a lack of coordination among access granters, which can leave the system vulnerable to nontechnical deception by individuals who intend to abuse it: unless each access granter is scrupulous about checking the legitimacy of requests, someone may claim to need access when, in fact, no real need exists.
Another site used a decentralized system of data stewards and custodians. Data stewards are responsible for particular data sets. They are typically department heads, division chairs, or principal investigators on research projects who are knowledgeable about the content of the data sets and can make appropriate decisions about their protection. Data stewards are formally charged to (1) recommend mechanisms and practices for protecting the data; (2) communicate control and protection requirements to data custodians (see description below) and system users; (3) coordinate with the information systems department to authorize access to particular sets of data (e.g., laboratory results or surgical notes); (4) monitor compliance and periodically review control decisions;15 and (5) review security violations and report them to the appropriate manager.
Data custodians are information systems personnel responsible for implementing security procedures established by the data steward, including audit trail, system backup, and disaster recovery tasks, as well as granting access privileges to system users (e.g., a data steward authorizes a request for access and passes the operational task on to a data custodian). Custodians supply the stewards with audit trail data or other system warnings about unusual or inappropriate activity. Finally, data custodians generally detect and respond to violations of policy and procedure and weaknesses in security measures. They coordinate with data stewards to propose changes to policies and technical mechanisms to enhance security.
A system of data stewards and custodians divides the management of information into pieces that can be handled easily and assigns responsibility for its security to the managers and technical personnel most likely to recognize unusual or inappropriate activity. It distributes decision-making authority to those who best understand the confidentiality concerns associated with the data and can best identify those with a need to access the data. Decentralization also encourages a greater number of system users to value the security of electronic health information by holding them responsible for it. On the other hand, decentralization requires an effective coordination strategy to avoid inconsistent implementation of policy. A clear process must be in place to ensure that data stewards are identified, notified of their responsibilities, and given proper training. In one site that used this approach, many people were unaware that they were data stewards, and other employees did not know to whom to go with questions about particular data sets. Mechanisms are also needed to allow data stewards to share information on good practices.
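The access-granting procedures (new users, transfers, terminations, emergency access) and the steward/custodian division of duties described above can be expressed as checks a provisioning system enforces. The following Python model is an added example written for this page; it is not code from the report or from any site the committee visited, and the data sets, account names, and the 12-hour emergency window it uses are constructed assumptions. It enforces the controls the text calls for: only the steward of a data set may approve access to it (and never for themselves), a custodian executes a grant only against a recorded approval, emergency access issued by a head nurse is time-limited and flagged for the steward's review, and termination revokes every grant in one step, with each decision written to an audit trail the custodian can hand back to the steward.

```python
"""Steward/custodian access provisioning: an added illustration, not code from the report."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample directory (assumed, not from the report): steward per data set,
# custodian accounts, emergency granters, and how long break-glass access lasts.
STEWARDS = {"lab_results": "dr_lee", "surgical_notes": "dr_patel"}
CUSTODIANS = {"isd_ops"}
EMERGENCY_GRANTERS = {"head_nurse_kim"}
EMERGENCY_TTL = timedelta(hours=12)


@dataclass
class AccessStore:
    grants: dict = field(default_factory=dict)    # user -> {data set: expiry or None}
    approvals: set = field(default_factory=set)   # (user, data set) approved by a steward
    audit: list = field(default_factory=list)     # append-only record of every decision

    def _log(self, actor: str, action: str, **detail) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc), "actor": actor,
                           "action": action, **detail})

    def approve(self, steward: str, user: str, dataset: str, need: str) -> None:
        """Only the steward of this data set may approve, and never for themselves."""
        if STEWARDS.get(dataset) != steward:
            raise PermissionError(f"{steward} is not the steward of {dataset}")
        if steward == user:
            raise PermissionError("a steward cannot approve their own access")
        self.approvals.add((user, dataset))
        self._log(steward, "approve", user=user, dataset=dataset, need=need)

    def grant(self, custodian: str, user: str, dataset: str) -> None:
        """A custodian executes a grant only against a recorded steward approval."""
        if custodian not in CUSTODIANS:
            raise PermissionError(f"{custodian} is not a custodian")
        if (user, dataset) not in self.approvals:
            raise PermissionError(f"no steward approval on file for {user}/{dataset}")
        self.approvals.discard((user, dataset))           # one approval buys one grant
        self.grants.setdefault(user, {})[dataset] = None  # None = standing access
        self._log(custodian, "grant", user=user, dataset=dataset)

    def emergency_grant(self, granter: str, user: str, dataset: str,
                        now: Optional[datetime] = None) -> datetime:
        """Break-glass path: time-limited, no steward approval, flagged for steward review."""
        if granter not in EMERGENCY_GRANTERS:
            raise PermissionError(f"{granter} may not grant emergency access")
        expiry = (now or datetime.now(timezone.utc)) + EMERGENCY_TTL
        self.grants.setdefault(user, {})[dataset] = expiry
        self._log(granter, "emergency_grant", user=user, dataset=dataset,
                  expires=expiry, review_by=STEWARDS.get(dataset))
        return expiry

    def terminate(self, custodian: str, user: str) -> list:
        """Leaver: revoke every grant and pending approval for the user in one step."""
        if custodian not in CUSTODIANS:
            raise PermissionError(f"{custodian} is not a custodian")
        revoked = sorted(self.grants.pop(user, {}))
        self.approvals = {a for a in self.approvals if a[0] != user}
        self._log(custodian, "terminate", user=user, revoked=revoked)
        return revoked

    def has_access(self, user: str, dataset: str, now: Optional[datetime] = None) -> bool:
        """Standing grants persist until revoked; emergency grants lapse at their expiry."""
        if dataset not in self.grants.get(user, {}):
            return False
        expiry = self.grants[user][dataset]
        return expiry is None or (now or datetime.now(timezone.utc)) < expiry

    def steward_report(self, steward: str) -> list:
        """What the custodian hands back: every audit entry touching the steward's data."""
        mine = {d for d, s in STEWARDS.items() if s == steward}
        return [e for e in self.audit if e.get("dataset") in mine]


def refused(fn, *args, **kwargs) -> bool:
    """True when the store rejects the call, which is the desired outcome for a bad request."""
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True


def run_scenario() -> dict:
    """One joiner / emergency / leaver cycle; returns the facts worth checking."""
    s = AccessStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    s.approve("dr_lee", "tech_ana", "lab_results", need="staffs the hematology bench")
    s.grant("isd_ops", "tech_ana", "lab_results")
    s.emergency_grant("head_nurse_kim", "rn_cruz", "surgical_notes", now=t0)
    return {
        "wrong_steward_refused": refused(s.approve, "dr_lee", "clerk_bo", "surgical_notes", need="curious"),
        "unapproved_refused": refused(s.grant, "isd_ops", "clerk_bo", "surgical_notes"),
        "emergency_open_1h": s.has_access("rn_cruz", "surgical_notes", t0 + timedelta(hours=1)),
        "emergency_open_13h": s.has_access("rn_cruz", "surgical_notes", t0 + timedelta(hours=13)),
        "revoked_on_leaving": s.terminate("isd_ops", "tech_ana"),
        "leaver_still_has_access": s.has_access("tech_ana", "lab_results"),
        "patel_report": [e["action"] for e in s.steward_report("dr_patel")],
    }
```

Calling run_scenario() walks one cycle: a steward-approved grant, two refused shortcuts (a steward approving access to a data set that is not theirs, and a custodian asked to grant with no approval on file), a break-glass grant that lapses on its own after 12 hours, and a termination that clears everything the leaver held. The two refusals are the point of the model: the nontechnical deception described above, an access granter waving through a claimed need, is narrowed when approval and execution sit with different people and the approver is bound to the data they are accountable for. The steward_report method is the custodian-to-steward feedback loop: a steward reviewing it would see the emergency grant on their data set and could decide whether it was justified.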
Education And Training
Education and training programs are critical to an organization's attempt to protect patient privacy and information security. Formal training programs seek to educate system users about existing policies and proper procedures so that they can incorporate them into everyday behaviors. They can also help employees internalize the value of patient privacy. Training users before allowing them access to health information reinforces management's commitment to protecting patient privacy. Both formal and nonformal training programs can help workers understand their responsibilities for protecting information and learn the procedures they must follow to do so. A variety of education tools and policy instruments, such as confidentiality agreements, can serve this role.
Most health care organizations have formal classes or programs to educate employees about patient privacy and system security. Many provide such training in an orientation session before employees are given access to patient information. Similarly, refresher courses serve to remind long-time users about existing policies, update them on changes, and discuss strategies for real-life situations that they may encounter on the job. Transferring employees also need training to help them understand how their new position changes their responsibilities with regard to privacy and security.
Several of the sites visited by committee members provided training on a regular basis at both the organizational and the departmental levels in order to convey general policies as well as the particular requirements of a user's department.16 To make the abstract message more concrete, a special effort was made to discuss specific circumstances encountered in particular departments that might involve or threaten patient privacy. Some sites also held interdepartmental workshops or in-service sessions to discuss practical applications of confidentiality policy. Because some participants may have scheduling limitations, training options often include flexible delivery formats, widely varying schedule choices, and contingency plans that may include one-on-one sessions for extreme cases.
Training medical staff to use the information system and to safeguard data privacy or security poses special challenges for a number of reasons. In addition to their busy schedules, physicians often have a variety of relationships with health care organizations: they may be employees, they may be under contract, or they may simply admit or refer patients to a health care facility. Several of the sites visited by the committee noted that the historical role of physicians made it difficult to require them to attend training; at least one site proposed requiring even nonemployee physicians to participate in training activities in exchange for access to the facility's computer system. Physicians often view training as a disruptive and unnecessary intrusion into an already busy schedule with competing demands, but organizations that tie training tightly to policy on privacy and security can both emphasize its value and accommodate cultural and scheduling conflicts (Box 5.3).
Most sites using a standard training module for new employees (lecture, handouts, film) reported that such modules are not at all effective in either capturing physician interest or imparting lasting information. To help spark physician interest in the importance of data security, a different form of system training is needed. Innovative training methods have been evaluated in studies on changing clinical practice behaviors and may be of use for training in confidentiality and security as well.17 Among the types of techniques that might be incorporated in confidentiality and security training is the use of grand rounds in health provider organizations in which cases or vignettes involving inappropriate disclosure of health information are examined in detail and adjudicated by medical staff. Physicians could also be encouraged to enroll in continuing medical education courses focused on confidentiality and security issues. Another possible technique used effectively by drug companies—detailing—might be customized to present one-on-one training to individual physicians or small groups of physicians. No matter which training techniques are developed for physicians, it is imperative that the leadership of the medical staff, both chairs of clinical departments and the chief of staff, be involved in their development and act as champions of and models for patient privacy.
Often, the most effective training occurs in spontaneous or unintended ways. One of the sites visited by committee members relied more on socializing new employees into an organizational culture that stressed the "highest moral, ethical, and legal standards" than it did on orientation and training programs. Nevertheless, this practice can backfire unless the organization has taken care to develop a culture that values privacy and security as much in practice as on paper. New employees seeking to fit in emulate their coworkers, but senior employees who have fallen into bad habits may pass their habits along to others. Similarly, if physicians routinely discuss patients over lunch in the cafeteria, ward clerks may soon come to understand that privacy is just another word in the policy manual.
In addition to the training and education employees receive about their day-to-day responsibilities, they need to participate in activities that support and encourage organizational learning. Organizational learning refers to the willingness of employees both individually and collectively to examine policies, procedures, and resulting behaviors and their effect on patient privacy. This happens only in organizations where the dominant culture stresses the importance of employee involvement in policy development and procedural evaluation. Similar to efforts toward total quality management, organizational learning involves a constant process of questioning the underlying goals of a policy, the effectiveness of procedures in appropriately guiding policy into practice, and the degree to which actual behavior reflects procedures. Managers and employees individually and collectively take responsibility for asking whether patient needs (both in terms of health care delivery and in terms of privacy) are being met and what changes would more effectively support that goal.
The cultural environment supports organizational learning by either valuing questions or discouraging them. One site visited by committee members denied the probability of breaches of patient privacy on the grounds that "nobody here would do that." By failing to acknowledge that individuals can (either through accident or malice) fail to protect patient privacy, the organizational culture ensured that changes in policy and practice were unlikely to occur. These "organizational defensive routines"18 are patterns of behavior that prevent employees from having to experience embarrassment or threat (e.g., confrontation over behavior that led to breaches of patient privacy) and, at the same time, prevent them from examining the nature and causes of that embarrassment or threat. In the absence of mechanisms to the contrary, new employees are likely to emulate the conduct of experienced personnel, whether or not that conduct is in compliance with established organizational policy.
BOX 5.3 Training Physicians in Privacy and Security
The difficulty of involving physicians in effective information system training is symptomatic of the changing basic professional norms and values in the practice of medicine. Most models of the medical profession are careful to distinguish between the content of medical work (the actual practice of medicine) and the terms and conditions of medical work—the organizational, employment, and contractual arrangements defining the relationship between the physician and the clinic, group, hospital, health maintenance organization, preferred provider organization, or health system where medical care is delivered.1 Although physicians continue to exert considerable control over the content of their work, there has been a marked erosion of physician control over the terms and conditions of that work. Most physicians who work within managed care settings are familiar with this development; however, they are still somewhat uncomfortable with the reality of modern medical work defined as both the process of delivering care and the process of creating, maintaining, and transmitting information about that care. Medical notes and patient charts traditionally have been someone else's responsibility; now physicians must encounter the information system directly and must be responsible for how information is created, used, and safeguarded. Physician resistance to accepting this responsibility may stem from the fact that such charting tasks historically have been associated with clerical staff. Physicians are likely to define information processing tasks as part of the terms and conditions of medical work, rather than as part of the core of medical work. Once that historical association is weakened and the core of medical work is redefined as both care process and information process, resistance may also weaken.
The first and most obvious way to help overcome such resistance is to work toward revision of the medical school curriculum so that training in information systems and the importance of data security is more than cursory. Medical school curriculum changes are slow to develop and spread; thus, this type of solution can be expected only in the long term. Currently, many managed care organizations complain that primary care physicians hired at the postresidency level often lack experience with information systems and must be given extensive in-house retraining.2
Within managed care organizations and health maintenance organizations it is possible to directly impose information system training and responsibility for data security as part of a physician's performance review. Management within such settings usually has more direct control (either employment or financial) over physician practice behavior. It has also become more common in these settings for physician performance reviews to include statistical profile information on practice behavior,3 thus more closely aligning the observable outcomes of health information systems with the practice of medicine.
A somewhat less coercive strategy that could be used in any medical care organization (whether managed care or traditional, freestanding or system affiliated) has to do with linking the credentialed status of physicians to the need for an internal role model on information system security. Of the hundreds or thousands of employees in modern health care organizations, only physicians still possess the status associated with the medical credential and the Hippocratic oath, especially its entreaty "to do no harm." Physicians could use their status within health care settings to set an example regarding the importance of health information privacy and security that should be mirrored by all other employees with access to the information system. Physician training that taps into this role may be found more acceptable and more meaningful, both to physician members and to the organization as a whole.
A variety of tools may be developed to support or enhance formal training programs. These include attractive pamphlets, enhancements to computer systems, self-study modules available for use in the computer training center or to take home, and posted reminders in elevators and cafeterias.
An organization's information system may be designed to educate users as to possible breaches of confidentiality. Described earlier was a screen used at one site that appeared whenever users accessed sensitive information. The screen contained text reminding users that they were accessing sensitive information and asked the user if the action was justified. Another common option is to display an abbreviated version of the confidentiality policy every time a user signs onto the information system. Unless organizations change the appearance of these screens on a regular basis, however, they are unlikely to be effective: a screen that never changes is soon ignored, whereas changing the presentation or the content will catch a user's eye.
Self-study computerized modules may offer additional opportunities for nonformal training. These could be offered across departmental desktop machines or at a central location such as the human resources department.
At least one of the sites visited by committee members developed a special pamphlet to present the organization's confidentiality and security policies. Because it was short and visually attractive, this pamphlet captured users' attention in a way that a chapter in a larger policy manual could not. With the word "confidentiality" prominently displayed on the cover, it included the following information:
- A summary of the organization's confidentiality philosophy and reference to the policy. Users were referred to specific sections of the main policy manual for further information related to what information was to be considered confidential, procedures to follow for ensuring confidentiality, and disciplinary actions that would follow breaches of policy.
- References to relevant statutory and regulatory requirements. A synopsis of relevant law reinforced the organization's policy and emphasized that confidentiality was not simply an organizational requirement.
- References to specific functions of the information system designed to reinforce policy. The pamphlet described how (in that state) users' ID and password combinations constituted their legal signature, informed users of the existence of audit records, reminded them they would be held accountable for the files they accessed, and described a function that allowed users to look up accesses to their own record compiled when they themselves were patients of the organization.
- A reminder to users about patients' rights and users' responsibilities.
The pamphlet was distributed to new users during orientation and was readily visible in work areas. The organization stressed that a "person's medical record exists in several formats, including the electronic one."
Additional measures can be implemented to reinforce policy manuals. Of the sites visited by the committee, at least one had developed a video to reinforce key concepts of the organization's policies on patient privacy and security and help make them stand out from information on benefits, recycling, and cafeteria hours. New employees watched the video during orientation before a system ID and password were issued. Unlike a commercial product with anonymous actors, senior executives in the organization introduced policy concepts, demonstrating management's commitment to maintaining the confidentiality of health information. The video included examples that helped personalize violations to employees. Actor-employees in the video re-created instances where patient privacy had been breached; many of them seemed initially innocent, reinforcing the message that even good intentions can lead to unintended consequences. In one example, an employee was disciplined for accessing another employee's electronic health record to obtain a mailing address for a get-well card. The organization was successful in delivering the message because it presented examples to which employees could relate.
A key factor in reinforcing organization policy is the practice of retraining every year. Annual installments remind employees that policy is in place to guide their behavior; they also allow an organization to educate employees about changes that have resulted from statutory or regulatory changes, procedural changes, and changes in the threat environment. At least one site visited by committee members had sections to be marked off on the employee performance review form that verified the employee's attendance at training and his or her viewing of the confidentiality video.
In addition to a formal policy guide, periodic memos and newsletters were circulated to employees by some sites in order to provide regular reinforcement and to make a tangible addition to the employees' knowledge base. Information on changes in the data system was distributed routinely, and the ongoing policies were regularly reinforced.
User Confidentiality Agreements
In addition to informing employees of the organization's expectations with regard to keeping health information confidential, organizations need to hold them responsible for their behavior. Of the sites visited by committee members, several required any individual accessing the information system to sign a form verifying that he or she had read, had understood, and was committed to the organization's confidentiality policies.19 In keeping with other ongoing efforts, employees were required to sign this agreement during the initial orientation session and annually thereafter at the time of their performance review. Confidentiality agreements may also be used for nonemployees who have access to health information; these can include contract workers, vendors, physician's office staff, students, temporary workers, and volunteers. See Box 5.4 for a sample confidentiality agreement developed by the Computer-based Patient Record Institute (CPRI).
BOX 5.4 A Sample Access and Confidentiality Agreement (Physician)
As a physician with privileges at (HEALTHCARE ENTITY) (hereinafter referred to as "Physician"), you may have access to what this agreement refers to as "confidential information." The purpose of this agreement is to help you understand your duty regarding confidential information.
Confidential information includes patient/member information, employee information, financial information, other information relating to (HEALTHCARE ENTITY) and information proprietary to other companies or persons. You may learn of or have access to some or all of this confidential information through a computer system or through your professional care to patient/members.
Confidential information is valuable and sensitive and is protected by law and by strict (HEALTHCARE ENTITY) policies. The intent of these laws and policies is to assure that confidential information will remain confidential—that is, that it will be used only as necessary to accomplish the organization's mission.
As a physician with access to confidential information, you are required to conduct yourself in strict conformance to applicable laws and (HEALTHCARE ENTITY) policies governing confidential information. Your principal obligations in this area are explained below. You are required to read and to abide by these duties. The violation of any of these duties will subject you to discipline, which might include, but is not limited to, loss of privileges to access confidential information, loss of privileges at (HEALTHCARE ENTITY), and legal liability.
As a physician, you must understand that you will have access to confidential information which may include, but is not limited to, information relating to:
Accordingly, as a condition of and in consideration of your access to confidential information, you promise that:
Sanctions For Breaches Of Confidentiality
The most effective response to either internal or external violations of confidentiality policies follows from disciplinary sanctions described in formal policy statements. Sanctions complement confidentiality and security policies by establishing penalties for violating them. If a policy is violated and no response follows, the validity of the structure to protect patient privacy is nullified. If appropriate sanctions are applied, but only irregularly, after a long delay, or with little impact on perpetrators, the structure is severely undermined, and its legitimacy is suspect.
Breaches of confidentiality and security policies originating from external sources may require assistance from local or federal law enforcement personnel, and organizations may seek redress through the courts. Breaches originating from internal sources may be dealt with in a variety of ways.
Although both types of breaches are potentially disastrous, internal breaches are more amenable to organizational sanctions. In fact, many industry leaders believe that the internal threat is far more dangerous and prevalent than the external threat. The chief executive officer of the firm that markets one of the leading Internet firewalls was quoted recently as saying: "It's ironic, because 80 percent of security breaches are internal—internal security is more important than perimeter defense. The outside world seems scarier, but the inside world is more dangerous."20 The existence of clearly specified sanctions and well-understood procedures for their implementation is an important signal to employees. Several practices appear to preserve the effectiveness of the structure as it relates to internal breaches of confidentiality.
Clear policies are needed for disciplining employees who violate confidentiality and security policies. Many organizations distinguish between intentional and unintentional violations by defining a policy of incremental discipline. Such a policy acknowledges the difference between intentional or malicious behavior and violations that result from carelessness or unintentional actions (e.g., leaving a computer terminal logged on). Organizations might provide an oral or written warning to an employee for a first or minor offense, suspend an employee for a second or greater offense, and terminate employment for major or repeated violations. A policy of "zero tolerance" that is used by some organizations states that all breaches will have swift and appropriate consequences, no matter by whom or for what reason the breach occurred. If evidence shows that a breach has occurred and a guilty party can be identified, disciplinary action follows quickly and in accordance with the signed confidentiality agreement.
The committee observed a range of established sanctions and disciplinary actions at the sites it visited. At least one site had no written sanctions and dealt with violations on a case-by-case basis. Other sites described sanctions in policy documents but were uneven in applying them; for example, clerical employees may have been fired, but physicians were "cautioned" behind closed doors. Another site had a clearly stated and observed zero-tolerance policy; employees were treated similarly throughout the hierarchy, and the organization publicly announced the results of its investigations and disciplinary actions.
Effective policies depend on consistent and evenhanded implementation. Inconsistently applied penalties encourage employees to believe that they can avoid them. Unevenly applied penalties can cause friction among staff and undermine confidentiality and security policies.
For sanctions to act as an effective deterrent, employees must know that they exist and will be implemented. Descriptions of sanctions should be included in confidentiality and security policies. Organizations that make disciplinary actions public can find that this serves as a strong example of management's willingness to enforce policy; one site visited by committee members, however, cautioned that such an approach can create an atmosphere of mutual suspicion and violate employees' own rights to privacy.
Organizational culture is an important source of the norms regarding appropriate information access and use, and is one source of guidance for the definition of appropriate sanctions for violations of accepted norms in these local situations. Most of the organizations visited by committee members had spent little time on the delineation of appropriate sanctions for the abuse or inappropriate use of health care information; it appears that industry standards in this area have yet to be developed. Given the high level of mutual suspicion among health care providers, their employing organizations, and associated financial organizations, it is not yet clear how useful it would be to publicize widely the ways infractions of information rules and policies are handled.
Improving Organizational Management: Closing The Gap Between Theory And Practice
Each of the sites visited by committee members indicated a strong interest in and concern for patient privacy but often failed to have adequate written policies or to demonstrate behavioral compliance with existing policies. Typical of inadequate or incomplete policies was the lack of clear definition of what was meant by a lapse in security or a breach of patient privacy—or of what these meant in the context of the health information systems maintained by the organization. Employees disagreed over whether problems referred to mere episodic technological breakdowns or to truly malicious incidents. Moreover, there was a lack of specificity as to who was responsible for these events when they did occur and what constituted an appropriate disciplinary response.
Further, few organizations had formal mechanisms for modifying confidentiality and security policies. Committee members observed several well-documented policy statements and some excellent protocols for the training of organizational employees. Not only do these concrete and clearly specified policies make it easier to interpret and enforce confidentiality and security rules and procedures, but they also serve as reinforcements to existing cultural values and perceptions. The organizations that appear to have moved toward stronger cultural supports for confidentiality and security controls are those in which the values, policies, and procedures have come from the very top of the organization. Yet, without scheduled, annual reviews of these policies and procedures and their continued reinforcement by management, there is risk that these policies will no longer have relevance or impact within the organization.
Implementing an Integrated Security and Confidentiality Management Model
Although each of the organizational strategies described in this chapter was observed in at least one site visited by committee members, no site had implemented all and some had implemented very few. Sites often demonstrated a lack of clear leadership on the part of management; thus, employees were uncertain of what to do or where responsibility lay. The committee observed instances in which employees had made isolated efforts to improve practice within their departments, but without sufficient authority and management support, these efforts remained limited in scope and had little impact on the overall organization.
As organizations expand their boundaries, they need to develop a comprehensive program to ensure that the message of commitment to patient privacy is pervasive and implemented in policies, procedures, and everyday behavior. Such a program includes an overall vision and goal statement, specific policy development, training, and provisions for disciplinary action.21 It enables employees involved in developing policies and procedures to understand the ultimate goal of their efforts, as well as how those efforts complement parallel efforts elsewhere within the organization. Through early, careful, and explicit planning, management serves as a coordinator and helps ensure that policies are not in conflict, lines of authority are clear, and gaps in security are avoided.
A model system would operate both top-down, with management outlining broad policy goals, and bottom-up, with employees developing local solutions, to form a matrix of communication, participation, and cooperation. The committee believes that the practices described in this chapter represent mechanisms by which patient privacy can be better protected; implemented together they may be described as an integrated management model for protecting patient privacy.
Overcoming Obstacles to Effective Organizational Practices
Organizations face a number of obstacles in developing an integrated approach to confidentiality and security. These obstacles derive from a lack of internal and external incentives that can motivate an organization to dedicate the resources necessary to establish the full range of policies, practices, and structures necessary to ensure stronger protection of electronic health information. These obstacles include resource constraints, competing demands, a lack of focus on information technology, and cultural constraints.
Lack of Public or External Incentives
As discussed in Chapter 2, there are few legislative or regulatory requirements that address patient privacy directly. Few existing controls provide adequate recourse for patients whose privacy has been breached. In addition, there have been relatively few broadly publicized events that have rallied public interest in privacy issues. In many cases, events have focused on a celebrity or public official, reinforcing the belief that the broad population of patients is unlikely to be harmed. At least one of the sites visited by committee members believed little would happen if its entire database of patient information were made public.22
As the committee conducted its study, it became apparent that although most health care organizations express a commitment to patient privacy, their actual practice is somewhat different. This does not vary remarkably from other commercial and industrial organizations. Policy making in business organizations with regard to the confidentiality and security of information may generally be characterized as "drifting" on a path of incremental "policy by least steps" until these organizations experience a direct threat and an effort is made to respond to or repair the damage.23 Although business organizations may have written policies on confidentiality and security, these policies may no longer be relevant to current business practices and activities.
At the same time, changes to policies made in reaction to events in the external environment can result in policies being too narrowly focused.
External catalysts include state and federal legislation, but more often they are business concerns, regulatory problems, lawsuits, or—most important—poor public relations. Business concerns grow out of heightened interest in keeping information from falling into the hands of competitors. They may also be the result of industry pressure to adopt a more stringent code of ethical conduct. Decisions to release or withhold information can leave organizations open to suits by disgruntled patients, employees, employers, and nonaffiliated health care providers. Several sites reported increased impetus in their policy-making process after a lawsuit had been filed or a breach reported in the media. Many sites also reported an increasing number of concerns expressed by individual patients that led to review (and sometimes revision) of existing policies.
Maintaining patient privacy is an important objective for health organizations, but it must compete with numerous other budgetary demands. As employees at sites visited by committee members indicated, health care organizations spend about 2 percent of their annual budget on information systems and about 2 percent of that on information security. Information security is often among the first items to be cut in the face of budgetary pressures. As in other industries, health care organizations do not act until a gross breach of patient privacy has occurred. According to one expert, sales of security products in the financial industry rise sharply after a breach is reported in the media, but drop off just as sharply after about 10 days. Several sites visited by committee members indicated that protection of health information does not serve as a market differentiator, and managers were therefore unwilling to allocate funds to support it.
Many health care organizations are deep in the throes of developing integrated delivery systems (IDSs) by acquiring clinics, other hospital sites, and specialty practice groups, as well as retail pharmacy sites, long-term care facilities, and related organizations.24 Merging multiple organizations is a highly complex and often confusing process that stretches the resources of organizational members.25 As management focuses on high-level negotiations and financial agreements, it is often unable to focus also on the details of how the resulting organization will function. Establishing IDS management processes for confidentiality is secondary or tertiary to formalizing the merger or acquisition, negotiating the make-up of a management team, cutting redundancy and positioning for market share, and developing a single health information system. From observations made during the committee's site visits, it is clear that the integration of systems, policies, cultures, and procedures is usually left to be worked out after the merger discussions have been completed. Organizations often keep separate information systems functional until more comprehensive business integration takes place; issues concerning systemwide information security are considered later on a catch-up, patch-up basis.
As IDSs form, they begin to wrestle with the problem of redesigning their information systems around multiple system platforms, homegrown technologies or software, legacy systems, and multiple distributed systems across multiple sites. Managers of IDSs must define the boundaries and relationships of the new organization. Among the questions to be resolved are the following: Who should have access to which parts of the data system? What is the relationship between employee users and nonemployee users? What are the philosophy and goals with regard to confidentiality and security for the new organization? Who decides these? What is the architecture of the merged information system? Who controls it? This is a process rather than an event, and beginning to work on it during negotiation of the merger or affiliation will ease the transition to a new organization. Employees who are presented with a fait accompli often resist change, and the resulting clash of cultures can seriously jeopardize the future of an organization.
Lack of Focus on Information Technology
Information management has become an essential component of the financial and managerial aspects of health care organizations, as well as of the provision of clinical care. Health care organizations are no different from any other business enterprise in this regard, except that many are pressed to catch up with the state of the art and science of computer-based information systems.
Providers of clinical medicine have had mixed reactions to the information revolution. On the one hand, some lament the passing of an era of personal ties between patient and physician—one usually carefully documented in the handwritten paper chart of the provider. On the other, many recognize the advantages of standardized health records as continuity of care becomes more difficult and physicians increasingly practice in groups and often substitute for one another in caring for patients enrolled in health care plans. Health information databases have become the professional memories through which the continuity and quality of patient care can be ensured for individual patients over time. As organizations become larger and more complex, electronic health information systems become more important as a means of monitoring and controlling both the quantity and the quality of care. The purposes for which health information is collected and the ways in which it is used have much to do with the way information systems are viewed by users.
Organizational culture can either enhance or impede the intended effect of information confidentiality and security policies because it reflects the values, norms, understandings, and experiences of organizational participants. Some health care organizations have never really accepted the idea of patients as organizational participants; hence, when matters of privacy and security are raised, discussion centers on the proprietary value of such information, not on the threats to individual patients' rights to privacy. Health care organizations are focused on providing care, not on providing security.26 Accordingly, technology is valued inasmuch as it supports that goal and does so in a way that is convenient to caregivers. To the extent that mechanisms to support privacy and security are introduced, they are tolerated only if they are relatively transparent to the main goal. Health care providers often believe that security mechanisms are redundant, that members of the profession are well intentioned, and that they would never violate a patient's privacy.
With the advent of modern telecommunications and computing technology, almost any business enterprise draws upon a vastly expanded, even global, spectrum of information and personal contacts, which help to shape the culture of the organization itself. Most health care organizations have increasingly permeable boundaries, and it cannot be assumed that once the culture of privacy and security is established within the organization's walls, there are no other risks. As health care organizations form alliances and other vertical or horizontal linkages and as communications by these component entities increasingly use modalities such as the Internet, not only are the proprietary interests of these organizations put at risk, but patient-specific data are also more widely exposed. The awareness and concern that health care organizations exhibit with regard to these matters are, to a large extent, products of the organizational culture within which these issues are addressed.
Individual organizations take on a distinctive pattern of dealing with issues such as privacy and security. To some extent, the way these issues are addressed can reflect an organization's response to issues involving all aspects of technology. For example, an organization whose leaders have thought of computers and information technology as beyond human capacity to control may accept on blind faith the claim that, once programmed and made operational, computer-based information systems require little human monitoring or oversight. The more that global cultural influences are felt in contemporary organizations of all types, the less likely it is that any individual organization will be dominated by the influence of one or a few leaders who exert their personal stamp on everyday business dealings.
Organizations whose leaders and participants generally deny the possibility of violations of patient privacy (e.g., "It can't happen here," or "We've never had a serious incident before") may engender a culture that essentially acts as a blinder to these issues. This represents one of the most important, and frequently observed, impediments to the adoption and effective implementation of risk reduction policies and structures. Yet, the cultural supports for an initiative involving privacy and security may constitute an essential ingredient for its success. Unless organizational leaders actively foster and nurture a security-enhancing culture, such policies and structures may be imposed but will have little influence on health care organizations.