1 Introduction, Summary, and Options

Computerization of health care information, while offering new opportunities to improve and streamline the health care delivery system, also presents new challenges to individual privacy interests in personal health care data. Technical capabilities to secure and maintain confidentiality in data must work in tandem with legislation to preserve those privacy interests while making appropriate information available for approved uses.

BACKGROUND AND STUDY APPROACH

Previously, the Office of Technology Assessment has explored the need to protect the confidentiality and integrity of data and information that is processed and transmitted using communications and computer technology.[1] OTA's objectives for this study were to:

o examine the technology enabling the computerization and networking of medical information,
o identify privacy issues arising from computerization,
o examine the law dealing with privacy in medical information, and
o examine models and rules to protect privacy, and determine whether new technologies can ensure privacy in the area of medical records.

To accomplish these objectives, OTA sought the opinions, attitudes, and perceptions of the stakeholders in academia, medicine, and the legal profession; researchers in computer and information system security; government agencies; and public interest groups. This was accomplished through interviews, correspondence, and public participation in two workshops.[2]

OTA explored the issue of privacy in computerized medical information by addressing questions such as:

o What are the issues with respect to privacy in paper systems for health information? How will these issues change with computerization? What new issues will arise?
o To what extent can technology address the confidentiality and privacy of computerized health care information? What are the limitations of the technologies?
Are the most serious threats to privacy internal to the computer systems designed for this information, external to them, or both?
o What is the impact of creating a large databank of easily accessible health care information? What kind of uses will there be for the information? Will additional demands for information be spurred by its ready availability? How must these demands for information be dealt with?
o How must underlying issues, such as the perceived need for a unique patient identifier, the content of the patient record, and patient consent to disclosure of information, be addressed?
o How has the law traditionally dealt with concerns about privacy in medical information? What role might new legislation play in addressing these concerns?

What Is Health Care Information?

The Institute of Medicine report, The Computer-Based Patient Record: An Essential Technology for Health Care[3] (hereinafter referred to as the "IOM report") recommends that health care professionals and organizations should adopt the computer-based patient record for use in online systems as the standard for medical and all other records related to patient care. Computer-based patient records would replace the present system of paper records. Whether on paper or in electronic form, the information contained in patient records is the core of what is often understood to be "health care information," information about patients generated and maintained throughout the health care industry in providing health care services (see figure 1-1). But the patient record, generated and maintained by the health care provider and the patient in the course of the patient's health care, is only a part of the health information collected and maintained on individuals.[4] Parties who are not directly involved in patient care also gather and maintain health care information, and are often referred to as secondary users of the information.
(For further discussion of secondary users of health care information, see box 2-F, and ch. 2.) Among these are educational institutions, the civil and criminal justice systems, pharmacies, life and health insurers,[5] rehabilitation and social welfare programs, credit agencies and banking centers, public health agencies, and medical and social researchers (see figure 1-2). As a result, in exploring appropriate ways to protect privacy, proposed definitions of what constitutes "health information" or "health care information" vary, but tend to consider health care information to be inclusive of more than the patient record itself.

The American Medical Association's (AMA's) Proposed Revisions to its Model State Bill on Confidentiality of Health Care Information defines the term "confidential health care information" as:

    . . . information relating to a person's health care history, diagnosis, condition, treatment, or evaluation, regardless of whether such information is in the form of paper, preserved on microfilm or stored in computer-retrievable form.

The American Health Information Management Association's Health Information Model Legislation Language refers to "health care information" even more broadly as:

    . . . any data or information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient or other record subject; and 1) relates to a patient's health care; or 2) is obtained in the course of a patient's health care from a health care provider, from the patient, from a member of the patient's family or an individual with whom the patient has a close personal relationship, or from the patient's legal representative.

This report will refer to health care information as defined in this manner. This definition includes a range of medical information generated, gathered, and stored about individuals. It recognizes that the full range of health care information must be protected.
THE NEED FOR PRIVACY IN HEALTH CARE INFORMATION

Health information and the medical record include sensitive personal information that reveals some of the most intimate aspects of an individual's life. In addition to diagnostic and testing information, the medical record includes the details of a person's family history, genetic testing, history of diseases and treatments, history of drug use, sexual orientation and practices, and testing for sexually transmitted disease. Subjective remarks about a patient's demeanor, character, and mental state are sometimes a part of the record. The medical record is the primary source for much of the health care information sought by parties outside the direct health care delivery relationship, such as prescription drug use, treatment outcomes, and reason for and length of hospital stay.

These data are important because health care information can influence decisions about an individual's access to credit, admission to educational institutions, and his or her ability to secure employment and obtain insurance. Inaccuracies in the information, or its improper disclosure, can deny an individual access to these basic necessities of life, and can threaten an individual's personal and financial well-being.

Yet at the same time, accurate and comprehensive health care information is critical to the quality of health care delivery, and to the physician-patient relationship. Many believe that the efficacy of the healthcare relationship depends on the patient's understanding that the information recorded by a physician will not be disclosed.
Many patients might refuse to provide physicians with certain types of information needed to render appropriate care if patients do not believe that information would remain confidential.[6] (For a discussion of the distinction between the terms "privacy" and "confidentiality" and for definitions of these terms for purposes of this report, see box 1-A.) In addition to serving the physician-patient relationship and the delivery of personal health care, this information is a source of important data for insurance reimbursement. When aggregated, it can assist in monitoring quality control of health care delivery by providing resources for medical research.

The lack of proper protections for privacy could lead to (and has, in some cases) the physician's withholding information from a record, maintaining a second complete record outside of the computerized system, or at the extreme, creating a market for health care delivered without computer documentation.[7] Safeguards to privacy in individual health care information are imperative to preserve the health care delivery relationship and the integrity of the patient record.

Many interests compete in the collection, use, and dissemination of medical records. In the case of United States of America v. Westinghouse Electric, the Court of Appeals for the Third Circuit set guidelines to be used by a court in weighing the individual's privacy interest in medical records against the need for public agency access to information:

    Thus, as in most other areas of the law, we must engage in the delicate task of weighing competing interests.
    The factors which should be considered in deciding whether an intrusion into an individual's privacy is justified are the type of record requested, the information it does or might contain, the potential for harm in any subsequent nonconsensual disclosure, the injury from disclosure to the relationship in which the record is generated, the adequacy of safeguards to prevent unauthorized disclosure, the degree of need for access, and whether there is an express statutory mandate, articulated public policy or other recognizable public interest militating toward access.[8]

Similarly, whatever the technology employed to computerize medical information, decisions about data privacy also involve striking a balance, in this case between the individual's right to privacy and the cost of security, the inherent impediment security measures present to the ready accessibility of data, and the societal benefits of access to information. On the basis of the Institute of Medicine's report and the consensus among stakeholders that computerization will go forward, OTA did not analyze the question of whether computerization of patient information is appropriate to the interests of individual privacy.

THE COMPUTERIZATION OF MEDICAL RECORDS

While some aspects of the health care industry continue to rely on a paper record system, in recent years, individual medical practices and institutions have computerized parts of their recordkeeping. Computer software vendors have developed systems to streamline record-keeping and administrative functions. Traditionally, however, computer systems for patient information have been largely associated with medical centers, hospitals, or offices. Departments within these facilities have been linked to provide for access and exchange of information among practitioners and administrators within an institution.
Currently, however, the health care industry is moving toward linking these institutions through a proposed information infrastructure (computers and information systems) and communications networks.

The IOM report advocates computerization of patient records and health care information in online systems to improve the quality of patient care, advance medical science, lower health care costs, and enhance the education of health care professionals. It envisions that the computerized patient record will "provide new dimensions of record functionality through links to other databases, decision support tools and reliable transmission of detailed information across substantial distances."[9] Linkages would allow transfer of patient data from one care facility to another (e.g., from physician office to hospital) to coordinate services, and would allow collation of clinical records of each patient over a period of time among providers and at various health care sites.[10] This would provide a longitudinal record, one that forms a cradle-to-grave view of a patient's health care history.[11] The IOM report further envisions extraction of data by secondary users (policymakers and clinical researchers) from data in the computer-based patient record.

The Report of the Workgroup for Electronic Data Interchange[12] similarly envisions electronically connecting the health care industry by an integrated system of electronic communication networks that would allow any entity within the health care system to exchange information and process transactions with any other entity in the industry. This capability, the workgroup asserts, could lead to a reduction of administrative and health care delivery costs.

As a result of the linkage of computers, patient information will no longer be maintained, be accessed, or even necessarily originate with a single institution, but will instead travel among a myriad of facilities.
As a result, the limited protection to privacy of health care information now in place will be further strained. Existing models for data protection, which place responsibility for privacy on individual institutions, will no longer be workable for new systems of computer linkage and exchange of information across high-performance, interactive networks. New approaches to data protection must track the flow of the data itself.

Smart cards have been proposed as a means to computerize and maintain health care information. A smart card is a credit card-sized device containing one or more integrated circuit chips that can store, process and exchange information with a computer (see figure 1-3). Smart card systems are used on a limited basis in some areas of the United States for medical purposes. They are used on a wide scale in France, and are being tested in other European countries to facilitate delivery of health care services. Smart cards can function in two ways: 1) to store information, which can be accessed when a patient presents the card to a health care practitioner, and/or 2) as an access control device, carrying out security functions to maintain a more secure and efficient access control system for health care information computer systems.

Some describe smart cards as the ultimate in a distributed database that can meet the needs for access control and consent to disclosure, but critics cite shortcomings of the cards with respect to patient privacy. Among these is the proposal that such a system involve a backup database of information that is contained on each card, which would arguably present many of the same privacy problems that an online system would have.[13] (For a discussion of the privacy challenges presented by online systems and smart card systems, see box 1-B.)
Some are concerned that individuals may not even know the content of the information they are carrying on the card.[14] Others worry that the card marks a step in a move toward a national identification card, and that individuals will at some point be asked to present a card for identification purposes that contains a tremendous amount of highly personal information.[15]

Computerization of Health Care Information by Private Companies

In addition to efforts by the health care industry to establish an online computer network of patient records, private companies have begun to act on the commercial incentive to collect health care data. Information is, in some cases, gathered on specific individuals to assist the insurance underwriting industry; in other cases, companies offer such computer services as health insurance claims-processing, office management, or patient billing. (See box 2-F.) These companies use the medical information made available to them by gathering and selling aggregate information, usually without patient knowledge or consent (although with the knowledge of a participating physician). These practices, for the most part, are currently legal, although the businesses in question operate under no regulatory guidelines regarding security measures, use of patient identifiers, requirements for training of personnel about privacy concerns, company confidentiality policies, or protocols for gathering, selling, or transferring data. Aware of public concerns about privacy, these companies have taken steps to address the issue of confidentiality in the data through security and confidentiality measures, employee education, and personnel and confidentiality policies.
Security and Confidentiality Measures

For online computer systems, security is generally provided by use of user identification names and passwords, and by user-specific menus to control access to functions and to limit access of the user to the information he or she legitimately needs. In addition to these measures, some systems use audit trails to record significant events on a system, so that they may be inspected and traced when a suspicious event occurs. Supplementing these technological measures, organizational education, policies, and disciplinary actions attempt to ensure that confidentiality is maintained within the system. Smart cards can also play a role in system security, functioning as an access control device, serving the security functions that are normally carried out by the user, including entering passwords and PINs (personal identification numbers). A more extensive discussion of the use of smart cards for access control is in chapter 3, and a further discussion of computer security measures is in appendix A.

A major focus of security and confidentiality measures is preventing privacy invasion by trusted insiders. Prosecutions of U.S. Federal Government employees for unlawful disclosure of personal information indicate the risk of invasion of privacy perpetrated by trusted insiders, who, motivated by financial incentives to supplement their income, sell personal information. While resources can be directed toward minimizing risk of abuse of information by insiders, no system can be made totally secure through technology, and the greatest perceived threat to privacy in medical information exists in the potential for abuse of authorized internal access to information by persons within the system, whether paper or computer based.
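The measures just described (user identification, user-specific function menus, limiting a user to the information he or she legitimately needs, and an audit trail reviewed for insider misuse) combined in one small model, as an added illustration written for this summary rather than code from the OTA report or any vendor system; the roles, patients, users and review thresholds are constructed assumptions.

```python
"""Toy access-control and audit-trail model for a computerized patient record.

Constructed for illustration; roles, functions, users, patients and the review
thresholds are assumptions, not taken from any real system.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Assumed role-to-function mapping: the "user-specific menu" that limits
# which functions a user can invoke at all.
MENUS = {
    "physician": {"view_clinical", "update_clinical", "view_billing"},
    "billing_clerk": {"view_billing"},
}
# Functions that additionally require a treatment relationship (need to know).
NEED_TO_KNOW = {"view_clinical", "update_clinical"}


@dataclass
class AuditEvent:
    user: str
    function: str
    patient: str | None
    allowed: bool
    reason: str


@dataclass
class RecordSystem:
    roles: dict[str, str]                 # user id -> role
    care_team: dict[str, set[str]]        # patient id -> users treating that patient
    audit_trail: list[AuditEvent] = field(default_factory=list)

    def request(self, user: str, function: str, patient: str | None = None) -> bool:
        """Authorize one request and record the decision, allowed or denied."""
        role = self.roles.get(user)
        if role is None:
            return self._log(user, function, patient, False, "unknown user")
        if function not in MENUS[role]:
            return self._log(user, function, patient, False, "function not on menu")
        if function in NEED_TO_KNOW and user not in self.care_team.get(patient, set()):
            # The function is on the menu, but this user has no legitimate
            # need for this particular patient's clinical data.
            return self._log(user, function, patient, False, "no treatment relationship")
        return self._log(user, function, patient, True, "ok")

    def _log(self, user, function, patient, allowed, reason) -> bool:
        self.audit_trail.append(AuditEvent(user, function, patient, allowed, reason))
        return allowed


def review_audit_trail(trail: list[AuditEvent], max_denied: int = 3,
                       max_patients: int = 5) -> dict[str, str]:
    """Flag users whose recorded activity fits insider-misuse patterns:
    repeated denials (probing for data) or clinical access spread across
    many distinct patients. Thresholds are assumptions for the example."""
    denied = Counter(e.user for e in trail if not e.allowed)
    patients: dict[str, set[str]] = {}
    for e in trail:
        if e.allowed and e.function in NEED_TO_KNOW and e.patient:
            patients.setdefault(e.user, set()).add(e.patient)
    flagged = {}
    for user, n in denied.items():
        if n >= max_denied:
            flagged[user] = f"{n} denied requests"
    for user, pts in patients.items():
        if len(pts) >= max_patients:
            flagged[user] = f"clinical access to {len(pts)} patients"
    return flagged


def build_sample_system() -> RecordSystem:
    """Constructed sample: three users and five patients (not real data)."""
    roles = {"dr_lee": "physician", "dr_kim": "physician", "clerk_ann": "billing_clerk"}
    care_team = {"P1": {"dr_lee", "dr_kim"}, "P2": {"dr_lee", "dr_kim"},
                 "P3": {"dr_kim"}, "P4": {"dr_kim"}, "P5": {"dr_kim"}}
    return RecordSystem(roles, care_team)


def demo() -> dict[str, str]:
    """Replay a constructed day of activity and return the users flagged on review."""
    system = build_sample_system()
    system.request("dr_lee", "view_clinical", "P1")       # allowed: treating physician
    system.request("dr_lee", "view_clinical", "P3")       # denied: not on P3's care team
    system.request("clerk_ann", "view_billing", "P1")     # allowed: on the clerk's menu
    for pid in ("P1", "P2", "P3"):                        # denied three times: probing
        system.request("clerk_ann", "view_clinical", pid)
    for pid in ("P1", "P2", "P3", "P4", "P5"):            # allowed, but unusually broad
        system.request("dr_kim", "view_clinical", pid)
    system.request("nobody", "view_billing", "P1")        # denied: unknown user
    return review_audit_trail(system.audit_trail)


if __name__ == "__main__":
    for user, why in demo().items():
        print(f"review {user}: {why}")
```

Note that the audit trail records denied requests as well as allowed ones: the clerk's probing is only visible because failures are logged, and the physician's broad but authorized access is caught by review rather than by the access check itself.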
PROTECTION FOR PRIVACY IN HEALTH CARE INFORMATION

Privacy in health care information has been protected through primarily two sources: 1) in the historical ethical obligations of the health care provider to maintain the confidentiality of medical information; and 2) in a legal right to privacy, both generally and specifically, in health care information. The present system of protection for health care information offers a patchwork of codes; State laws of varying scope; and Federal laws applicable to only limited kinds of information, or information maintained specifically by the Federal Government. The present legal scheme does not provide consistent, comprehensive protection for privacy in health care information, whether it exists in a paper or computerized environment.

Ethical Sources

The physician's[16] confidentiality obligation can be found in the Oath of Hippocrates, written between the Sixth Century B.C.E. and the First Century B.C.E. The Hippocratic Oath provided that what the physician saw or heard in the course of treatment "which should not be published abroad" would be kept in confidence. Later codes of medical ethics included language addressing the issue of confidentiality of information. The American Medical Association's Code of Ethics has evolved since its adoption; the obligation to preserve patient confidentiality remained in the 1980 code, but without guidelines about how to respond to requests for information from secondary users of medical information, such as researchers, police, and Federal agencies. Recent AMA policy statements set forth in more detail the responsibilities of physicians with regard to confidentiality of patient information and issues surrounding the medical record.
In its Code of Medical Ethics, Current Opinion, 1992, the AMA states its belief that the information disclosed to a physician during the course of the relationship between the doctor and patient is confidential to the greatest possible degree, and outlines particular instances when the obligation to safeguard patient confidences is subject to exceptions for legal and ethical reasons. Professional ethical codes do not possess the force of law, but may be enforced through bodies such as the disciplinary board of the professional organization, or may serve as evidence of a provider's breach of his or her legal duty to maintain confidentiality.

Legal Origins

Although the Bill of Rights does not specifically set forth a right to privacy, a right to privacy in information has been upheld by the Supreme Court in a series of cases beginning in the 1950s. The Court looked to the first amendment and due process clause, the fourth amendment protection against unreasonable searches and seizures and the fifth amendment protection against self-incrimination as sources of the right. A later case, Griswold v. Connecticut,[17] talked of the zone of privacy created by the first, third, fourth, fifth and ninth amendments. However, in two cases decided in 1976, the court did not recognize a constitutional right to privacy that protected erroneous information in a flyer listing active shoplifters, or one that protected the individual's interest with respect to bank records. (For further discussion of the Supreme Court's analysis of a right to privacy, see box 2-B.)

FEDERAL LAW

While some Federal laws address the question of privacy in certain information collected and maintained by the Federal Government, no Federal statute defines an individual's specific right to privacy in his or her personal health care information held in the private sector and by State or local governments.
At the Federal Government level, the Privacy Act of 1974[18] specifically endorses the finding that privacy is a fundamental constitutional right. Designed to protect individuals from Federal Government disclosure of confidential information, the Privacy Act prohibits Federal agencies (including Federal hospitals) from disclosing information contained in a system of records to any person or agency without the written consent of the individual to whom the information pertains, and stipulates that Federal agencies meet certain requirements for the handling of confidential information.

In addition to the requirements of the Privacy Act, Federal law, by statute and implementing regulations, prescribes confidentiality requirements for records of patients who seek drug or alcohol treatment at federally funded facilities. As these regulations have the full force and effect of Federal law, they supersede State laws on confidentiality in the area of drug or alcohol treatment. Provisions of the Social Security Act also prohibit disclosure of information obtained by officers or employees of the Department of Health and Human Services, except as prescribed by regulation.

STATE LAWS AND REGULATIONS

At common law, States have recognized an action for invasion of privacy in the tort law. Individuals may bring an action for defamation when medical records containing inaccurate information are disclosed to an unauthorized person, when that information would tend to affect a person's reputation in the community adversely. Courts have also demonstrated a willingness to apply the ethical standards of the medical profession to compel physicians to maintain the confidentiality of information they obtain in the course of treating their patients, by enforcing those standards as part of the contractual relationship between physicians and their patients.

There is significant variation in the nature and quality of State laws regarding privacy in health care information.
Even among the States that have regulations, statutes, or case law recognizing medical records as confidential and limiting access to them, those laws are not consistent in recognizing computerized medical records as legitimate documents under the law, and generally do not address the questions raised by such computerization. The range of medical privacy laws does not address the practice of compiling medical information about patients (with or without their consent or the identification of personal information) for sale to businesses with a financial interest in the data.

This patchwork of State and Federal laws addressing the question of privacy in personal medical data is inadequate to guide the health care industry with respect to obligations to protect the privacy of medical information in a computerized environment. It fails to confront the reality that, in a computerized system, information will regularly cross State lines, and will therefore be subject to inconsistent legal standards with respect to privacy. The law allows development of private sector businesses dealing in computer databases and data exchanges of patient information without regulation, statutory guidance, or recourse for persons who believe they have been wronged by abuse of data. These laws do not address the questions presented by new demands for data prompted by computerization, and the obligations of secondary users in accessing and maintaining data. Lack of legislation in this area will leave the health care industry with an uneven sense of its responsibilities for maintaining privacy.

The Effect of Computers on the Question of Privacy

All health care information systems, whether paper or computer, present confidentiality and privacy problems.
Among these problems are administrative errors that release, misclassify, or lose information; compromised accuracy of information; misuse of data by legitimate users; malicious use of medical information; unauthorized break-ins to medical information systems; and uncontrolled access to patient data. Computerization can reduce some concerns about privacy in patient data and worsen others; but it also raises new problems. While computers offer security measures that are not available to paper systems, computerization also presents concerns about privacy and confidentiality that fall into the following categories:

o Computerization enables the storage of a very large amount of data in a small physical space, so that an intruder can systematically obtain large amounts of data (more than could likely be stolen on paper records) once access to the electronic records is gained.
o Networking of computer information systems makes information accessible anywhere at any time to anyone who has access. Computers and computer networks enable a large number of people to handle or have access to information and allow for surreptitious modification, deletion, copying, or addition of data.
o New databases can be created, maintained, and expanded with ease, and computers make it possible to link data sets in ways that produce new information that was not originally intended.[19]
o The computer's ability to transmit large volumes of data instantaneously makes the potential dissemination of medical information limitless, so that the distribution of private information will be easy and inexpensive.

The increased quantity and availability of data and the enhanced ability that computerization provides to link these data raise privacy concerns about new demands for information for purposes beyond providing health care, paying for it, or assuring its proper delivery.
Among these concerns is that information more easily gathered, exchanged, and transmitted will be sought and acquired by more parties for uses not connected to health care delivery--parties that may have little concern about the confidentiality of the data in their possession and individual privacy.

SPECIAL POLICY PROBLEMS RAISED BY COMPUTERIZATION

A computer-based patient record of the type recommended by the Institute of Medicine study--in which the record is linked among records or record systems of different provider institutions and to other databases and sources of information, including medical practice guidelines, insurance claims, and disease registries, and databases that contain scientific literature, bibliographic and administrative information[20]--requires resolution of policy issues, such as the use of a unique patient identifier, informed patient consent to information disclosure, standardization, and new demands for access by secondary users. It is important to resolve these issues at the outset of the computerization process, so that system designers can build into software the appropriate mechanisms to implement privacy policy.

The Unique Patient Identifier

Proponents of computerized medical information recommend the use of a unique patient identifier to be assigned to a patient at birth and remain permanently throughout the patient's lifetime. A unique patient identifier, it is believed, would assure appropriate, accurate information exchange among approved parties, prevent fraud and forgery in reimbursement, and ensure accurate linkage of information. While a variety of approaches to establishing such an identifier have been proposed, the one most often mentioned is the use of the Social Security number as the most efficient and cost-effective way of identifying patients. Privacy advocates strongly object to this proposal.
They cite the increasing use of the number in the private sector, and the power of the number to act as a key to a variety of information in both the public and private sector and to facilitate linkage of information.[21] Proponents of its use believe that, with appropriate precautions, the integrity of the Social Security number can be maintained. Although there is a belief that the Social Security number is now a de facto national identifier (even though this is prohibited by law), use of the number as a unique patient identifier still requires close examination. The use of the Social Security number as a unique patient identifier has far-reaching ramifications for individual health care information privacy that should be carefully considered before it is used for that purpose.

Informed Patient Consent to Information Disclosure

Because computerization of medical information creates the potential for increased demands for data for purposes beyond providing health care, paying for it, or assuring its proper delivery, computerized medical information challenges present practices for providing informed consent to disclosure. Informed consent to disclosure of information generally involves four main elements:

1. information about what data is to be disclosed must be given to the patient,
2. the patient must understand what is being disclosed,
3. the patient must be competent to provide consent, and
4. the patient's consent must be voluntary.

The present approach to providing "informed consent" challenges the concept with respect to disclosure to the patient, patient competence, and patient comprehension about what is being disclosed. In spite of the requests made of them to authorize disclosure of medical information for medical and nonmedical purposes, patients traditionally have difficulty gaining access to inspect their own medical records, and laws governing patient access to records are neither universal nor uniform.
It is argued by some that without knowledge of what is contained in the record, patients' consent to disclosure cannot be said to be informed per se. In taking responsibility for the care of a patient, physicians have been granted broad discretion to withhold information from the patient that he or she deems to be potentially harmful. Recent articles indicate a change in thinking about this approach, and the position of the American Health Information Management Association (AHIMA) reflects the balance of opinion as reflected by the literature. AHIMA's position is that the computerized health care record, and its potential for increased use both within and beyond the health care relationship, requires that patients have greater access to their medical record, coupled with a general atmosphere of increased patient education and involvement in his or her own health care. Resolution of the question of patient access to one's record so that consent to disclosure is, in fact, informed, is critical to confronting privacy concerns about the computerized health record.

The element of voluntariness is also challenged by the present scheme of providing informed consent. Medical information is usually required to provide health care reimbursers with sufficient information to process claims. Since individuals are, for the most part, not able to forego health care reimbursement benefits, they really cannot make a meaningful choice whether or not to consent to disclosure of their health care information. Some commentators suggest that alternative schemes to deal with the need to disclose patient information might be adopted.

Standards

Industry organizations are developing standards for patient-record content, data exchange formats, vocabulary, patient-data confidentiality, and data systems security. Standardization of medical information in both content and format is believed to be important to the computerization effort.
Content uniformity would assure data completeness for medical practitioners. In addition, third-party payers could process claims readily on the basis of the medical, financial, and administrative information at their disposal; and secondary users of the information, such as researchers, utilization review committees, and public health workers, could anticipate the nature of the information available to them. Format standards would assure uniform and predictable electronic transmission of data.

Standards for patient-data confidentiality and data systems security would ensure that patient data are protected from unauthorized or inadvertent disclosure, modification, or destruction. Primary and secondary users of health care data are working to agree on common levels of data protection so they can benefit from use of automated patient information.

Outbound Linkages to Secondary Users and the Problem of Increased Demand

The Institute of Medicine report foresees broad connectivity in a computerized records system, meaning that the record or record system will establish links or interact effectively with providers' systems and databases. In addition to linkages that will connect clinical records of a single patient to create a longitudinal patient record, the report foresees external linkages to other databases and other sources of information. These linkages might include databases that contain scientific literature and bibliographic information, administrative information, medical practice guidelines, insurance claims, and disease registries. The IOM report acknowledges that outbound linkages create additional concerns about maintaining privacy and require tight security measures. In addition to the question of security and privacy in the linked information, the larger question arises as to the appropriateness of access to information by certain parties.
Policy decisions at the Federal and State levels have, over time, made medical records and health care information, as it exists in paper record form, available to utilization review agencies, medical researchers, judicial proceedings, public health agencies, licensing agencies and, in some cases, employers. The power of computers to allow gathering, storage, exchange, and transmission of data could prompt increased demands for use of medical information beyond the traditional uses.

MODELS FOR PROTECTION OF COMPUTERIZED MEDICAL INFORMATION

Health professional organizations, privacy advocates, and academics specializing in health information privacy have proposed legislative schemes and practice guidelines to protect privacy in medical information. These initiatives are generally based on fundamental principles of fair information practices. These principles, which have been implemented in the Privacy Act for the protection of federally maintained information, are as follows:

1. No personal data recordkeeping system may be maintained in secret.
2. Individuals must have a means of determining what information about them is in a record and how it is used.
3. Individuals must have a means of preventing information about them obtained for one purpose from being used or made available for other purposes without their consent.
4. Individuals must have a means to correct or amend a record of identifiable information about themselves.
5. Organizations creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuses of the data.

Health care information protection schemes usually provide individuals with certain rights:

1. The proposals address concerns about privacy in personal medical information on individuals.
2. Individuals are given the right to access much of the personal information kept on them.
3. Limits are placed on the disclosure of certain personal information to third parties.
4. Health care personnel are required to request information directly from the individual to whom it pertains, whenever possible.
5. When health care personnel request personal information from an individual, the individual must be given notice as to the authority for the collection of data, whether the disclosure is mandatory or voluntary.
6. The individual may contest the accuracy, completeness, and timeliness of his or her personal information and request an amendment.
7. The health care personnel must decide whether to amend the information within a fixed time, usually 30 days after receiving a request.
8. The individual whose request for change is denied may file a statement of disagreement, which must be included in the record and disclosed along with it thereafter.
9. The individual is given a means of seeking review of a denied request.

Chapter 4 discusses the provisions of the Massachusetts State Code on Insurance Information and Privacy Protection, Ethical Tenets for Protection of Confidential Clinical Data, the Uniform Health Care Information Act (implemented in Montana and Washington), and Model Legislation Language of the American Health Information Management Association, and their applicability to new health care information privacy legislation. While these principles form the foundation for information privacy protection, any new legislation must also reflect the development of distributed processing, sophisticated database management systems, and computer networks; and the wholesale use of microcomputers that characterize the kind of system envisioned for health care information. New legislation must also take into account access to records and security of information flows.
Current legislation at the State and Federal level for protection of privacy in medical information is limited in its application to individual institutions; the ease with which information will be transmitted between institutions requires that the law track the information, wherever it may reside. Technology may facilitate the policy goals of such a protection system. A system of audit trails and user identification codes can assist in the identification of points of unauthorized access.

CONGRESSIONAL OPTIONS

As computerization of patient records goes forward, Federal legislation is necessary to address issues of patient confidentiality and privacy.22 The present system of protection is a patchwork of State laws, which do not take into account a computerized system in which information will be frequently and easily transferred across State borders.

Option 1a. Congress may wish to allow computerization to go forward under the present State and Federal systems of protection.

No computer system can be made entirely secure. Privacy in health care information, whether electronic or paper, is protected by a range of various Federal23 and State laws. These laws are often inadequate, and in some States do not exist. The introduction of computerized medical records entails transfer of that information among participants in the health care delivery system located in different States and operating under different State laws.

If not modified, the present patchwork of laws regarding patient health care information will likely require that resolution of issues of individual privacy and improper use of medical information be left to State legislatures and State courts. They would also require that the health care industry educate itself, on a State-by-State basis, about its obligations to secure and keep confidential medical records.
After a period of allowing the system to work in this way, Congress may find itself re-evaluating the question of State versus Federal legislation.

Option 1b. Enact a comprehensive health care information privacy law.

As the greatest concerns about privacy lie in the potential for abuse of information by authorized parties with appropriate access to a computer system, legislation providing criminal and civil recourse for illegally obtaining or disclosing records containing individually identifiable information to persons not entitled to receive it could address the problem of information brokering and illegal trafficking of health care information. The law would provide appropriate sanctions to deter such activities. Such legislation would:

1. Define the subject matter of the legislation, "health care information," broadly, including the range of information generated, collected and maintained about individual patients;
2. Provide criminal and civil sanctions for improper possession, brokering, disclosure, or sale of health care information with penalties sufficient to deter perpetrators;
3. Establish rules for patient education about information practices as applied to health care information, including access to information, amendment, correction and deletion of information, and creation of databases;
4. Establish requirements for informed consent by patients to disclosure of health care information;
5. Structure the law to track the flow of health care information, incorporating the ability of computer security systems to alert supervisors to leaks and improper access to information so that the law can be applied to the information at the point of abuse, not simply to one "home" institution; and
6. Establish protocols for access to health care information by secondary users, and determine their rights and responsibilities in the information they access.
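The audit trails and user identification codes mentioned above, and the alerting of supervisors to improper access that item 5 calls for, come down to reviewing each recorded access against who was entitled to it. The following is an added example, not from the OTA report: the care-team table, the role rules, the consent table, the three checks and the audit records are all constructed assumptions about what one records system's review policy might look like.

```python
"""Audit-trail review for access to computerized patient records (added example).

Every field name, role, rule and audit record here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditRecord:
    """One audit-trail entry: who (user identification code) did what to which record."""
    when: datetime
    user: str
    role: str      # "physician", "nurse", "billing", "researcher" (assumed role names)
    patient: str   # patient record identifier (constructed)
    action: str    # "read", "update" or "export"


# Assumed treatment relationships: the users on each patient's care team.
CARE_TEAM = {
    "P-1001": {"u-smith"},
    "P-1002": {"u-lee"},
}

# Assumed actions each role may perform at all. Secondary users (billing, research)
# may read but never export identifiable records.
ROLE_ACTIONS = {
    "physician": {"read", "update", "export"},
    "nurse": {"read", "update"},
    "billing": {"read"},
    "researcher": {"read"},
}


def review(records, consents, burst_limit=20, window=timedelta(minutes=10)):
    """Return [(record, reason)] for accesses a supervisor should be alerted to.

    consents maps (patient, user) -> True when the patient has consented to
    disclosure to that user (a secondary user, or a provider outside the care team).
    """
    findings = []
    recent = {}  # user -> [(time, patient)] inside the window, for the volume check
    for rec in sorted(records, key=lambda r: r.when):
        # 1. Role check: consent cannot expand what a role may do at all.
        if rec.action not in ROLE_ACTIONS.get(rec.role, set()):
            findings.append((rec, f"role {rec.role} may not {rec.action}"))
        # 2. Relationship check: access outside the care team needs recorded consent.
        on_team = rec.user in CARE_TEAM.get(rec.patient, set())
        if not on_team and not consents.get((rec.patient, rec.user), False):
            findings.append((rec, "no treatment relationship and no patient consent"))
        # 3. Volume check: many distinct patients in a short window looks like data
        #    gathering rather than care, even when each access is individually allowed.
        hits = recent.setdefault(rec.user, [])
        hits.append((rec.when, rec.patient))
        hits[:] = [(t, p) for t, p in hits if rec.when - t <= window]
        distinct = {p for _, p in hits}
        if len(distinct) >= burst_limit:
            minutes = int(window.total_seconds() // 60)
            findings.append((rec, f"{len(distinct)} distinct patients within {minutes} min"))
            hits.clear()  # report the burst once, then start counting again
    return findings


BASE = datetime(1993, 7, 1, 9, 0)  # constructed timestamps


def _t(minutes):
    return BASE + timedelta(minutes=minutes)


# Constructed audit trail for one morning.
SAMPLE_RECORDS = [
    AuditRecord(_t(0), "u-smith", "physician", "P-1001", "read"),     # care team: fine
    AuditRecord(_t(3), "u-smith", "physician", "P-1002", "read"),     # consent on file: fine
    AuditRecord(_t(4), "u-smith", "physician", "P-1003", "read"),     # consent, but 3rd patient in 4 min
    AuditRecord(_t(5), "u-lee", "nurse", "P-1002", "update"),         # care team: fine
    AuditRecord(_t(10), "u-lee", "nurse", "P-1001", "read"),          # not on P-1001's team, no consent
    AuditRecord(_t(12), "u-jones", "billing", "P-1002", "read"),      # consented secondary use: fine
    AuditRecord(_t(13), "u-jones", "billing", "P-1002", "export"),    # billing may never export
    AuditRecord(_t(15), "u-gray", "researcher", "P-1001", "read"),    # identifiable read, no consent
]

SAMPLE_CONSENTS = {
    ("P-1002", "u-smith"): True,
    ("P-1003", "u-smith"): True,
    ("P-1002", "u-jones"): True,
}


def sample_findings():
    """Run the review with a low burst limit so the constructed data triggers it."""
    return review(SAMPLE_RECORDS, SAMPLE_CONSENTS, burst_limit=3)


if __name__ == "__main__":
    for rec, reason in sample_findings():
        print(f"{rec.when:%H:%M} {rec.user:8} {rec.patient} {rec.action:6} -> {reason}")
```

Because every finding carries the user identification code and the record touched, the same output also serves the "point of abuse" idea in item 5: the alert names where in the information flow the improper access occurred, not just the institution that holds the record.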
As part of this legislative effort, Congress may want to commission an investigation of abuses of medical information to pinpoint the nature and scope of abuses in this area, and to provide empirical evidence of the problem in the United States.

Option 2. Monitor standard setting.

Congress may wish to monitor and/or participate in efforts to set standards for the content of the medical record and the minimum level of security and confidentiality in computerized medical record systems, to assure that technological standards will facilitate privacy policy goals. This task could be delegated to a special task force made up of technology, privacy, and health information experts. Or it could be delegated to a committee charged with ongoing review of medical information privacy issues.

Option 3. Establish a special committee or commission to oversee the protection of health care data; to provide ongoing review of privacy issues arising in the area of health care information; to keep abreast of developments in technology, security measures, and information flow; and to advise the Congress about privacy matters in the area of health care information.

Computer systems for medical information and the security measures available for those systems are in constant development, and legislation is challenged by a technology that changes quickly. Demands for data change with "need" and tend to increase over time; simply relying on each individual's efforts to monitor and protect his or her privacy is useless because, in most cases, individuals can act only after damage has occurred. A committee or commission to oversee data protection in medical data could be modeled on proposals for a broader Data Protection Board,24 but with a focus on health care information.
A committee or commission could monitor and evaluate implementation of statutes and regulations enacted to protect privacy in health care information; it could continue research into areas of concern about privacy in health care information to supplement mechanisms by which citizens could question propriety of information collected and used by the health care industry. In this way, it would provide a measure of protection prior to the establishment and development of new databases and new uses for medical data. Such an entity would add a layer of protection to a legislative scheme by serving as a watchdog for potential encroachment on individual privacy in medical information, and serve as an early warning system to ensure that the legislative process is dynamic enough to deal with emerging problems.25

One function of such a committee or commission might be to formulate guidelines for parties involved in computerization of medical information, whether for purposes of health care delivery or for commercial use of data, including an outline of the responsibilities of secondary users of information in maintaining security and confidentiality of the data.

Computer security measures can only provide a certain level of protection for data in a computer system. Technology alone cannot completely secure a system, but appropriate operation standards and data security policies can further improve the protection of data. A regulatory scheme mandating such measures could establish a threshold of protection for computerized medical data. Such a scheme could include procedures for informing the patient about record keeping practices, disclosure of patient information, release of data to secondary users, examination, correction and amendment of the patient record by the patient, as well as provisions for internal and external review.
Secondary users of information, such as medical researchers and public health agencies, would be required to meet certain criteria in handling the information they receive. Criminal sanctions could exist for failing to maintain the system according to the regulations.

Various efforts have been made in the private sector to gather and aggregate medical data. As such compilation of data is largely invisible and done without the knowledge or permission of the patient, a committee or commission could examine the propriety of the activity in terms of individual privacy. If the activity is considered appropriate, a regulatory scheme would be necessary to protect individual privacy.

1. In 1986, the Senate Committee on Governmental Affairs and the House Committee on the Judiciary, Subcommittee on Courts, Civil Liberties and the Administration of Justice, requested that OTA examine the impact of new technological applications, such as the computerized matching of two or more sets of records, networking of computerized record systems, and computer-based profiles on individuals for balancing the privacy of citizens with management efficiency and law enforcement. In response to that request, OTA prepared the report Electronic Record Systems and Individual Privacy, OTA-CIT-296 (Washington, DC: U.S. Government Printing Office, June 1986). That report found that privacy is a significant and enduring value held by Americans, and that the courts have not determined adequate constitutional principles of information privacy. It concluded that the advances in information technology enable Federal agencies to process and manipulate information with great speed. A 1987 Office of Technology Assessment report, Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, OTA-CIT-310 (Washington, DC: U.S. Government Printing Office, October 1987), examined the vulnerability of communications and computer systems, and technology for safeguarding information. The report recognized that government agencies, the private sector, and individuals are using sophisticated communications and computer technology to store, process, and transmit information that needs to be protected.
2. OTA workshops, "Emerging Privacy Issues in the Computerization of Medical Information," July 31, 1992; and "Designing Privacy in Computerized Health Care Information," Dec. 7, 1992.
3. Institute of Medicine, The Computer-Based Patient Record: An Essential Technology for Health Care, Richard S. Dick and Elaine B. Steen, eds., (Washington, DC: National Academy Press, 1991), p. 51. This is a publication of the Committee on Improving the Patient Record, Division of Health Care Services.
4. Joan Turek-Brezina, Chair, Department of Health & Human Services Task Force on the Privacy of Private Sector Health Records, personal communication, April 1993.
5. Some commentators contend that health care claim reimbursement processing has become such a major and integral part of the delivery of health care that health care insurers are among the primary users of patient information. In figure 1-1, the American Health Information Management Association shows billing and reimbursement as a primary use of patient records.
6. U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington, DC: U.S. Government Printing Office, 1977), p. 28.
7. OTA Workshop, July 31, 1992, op. cit., footnote 2.
8. 638 F.2d 570 (3rd Cir. 1980).
9. Institute of Medicine, op. cit., footnote 3, p. 51.
10. Ibid.
11. Ibid., p. 45.
12. U.S. Department of Health and Human Services, Workgroup for Electronic Data Interchange, Report to the Secretary, July 1992.
13. Criticism of the smart card approach stems largely from the proposal that such a system involve a backup database of information that is already contained on the card. In and of themselves, smart cards may well offer some solutions to protecting privacy if information contained on them is properly segmented. Sheri Alpert, "Medical Records, Privacy and Health Care Reform," prepublication draft, June 29, 1993. A version of this paper will appear in the November/December issue of The Hastings Center Report. For further discussion of smart cards, see ch. 3.
14. Marc Rotenberg, Director, Washington Office, Computer Professionals for Social Responsibility, personal communication, December 1992.
15. David Flaherty, "Privacy, Confidentiality and the Use of Canadians Health Information for Research and Statistics," Canadian Public Health Administration, vol. 35, No. 1, p. 80, 1992.
16. The Oath of Hippocrates applies to physicians. Psychologists, nurses, and others referred to as "health care providers" operate under different, perhaps less comprehensive, strictures. Steven Brooks, Manager, Medical Information Management, Aetna Health Plans, personal communication, April 1993.
17. 381 U.S. 479, 85 S. Ct. 1678 (1965).
18. The Federal Privacy Act of 1974, 5 U.S.C. Sec. 552a (1988).
19. Ontario Commission of Inquiry into the Confidentiality of Health Information, Report of the Commission, Ontario, Canada, September 1980, vol. 2, pp. 160-166.
20. Institute of Medicine, op. cit., footnote 3, p. 44.
21. William M. Bulkeley, "Get Ready for Smart Cards in Health Care," The Wall Street Journal, May 3, 1993, p. B11.
22. OTA Workshop, Dec. 7, 1993, op. cit., footnote 2.
23. Federal law protects privacy in only those medical records maintained by the Federal Government, e.g., records maintained on Medicare and Medicaid patients. Those Federal laws do not protect the records of the same patients maintained by their private physician or held by their hospital.
24. Hearing before the Subcommittee on Social Security and Family Policy of the Committee on Finance, U.S. Senate, on Privacy of Social Security Records, Feb. 28, 1993, U.S. Government Printing Office, Washington, DC: 1992, testimony of Marc Rotenberg, Director, Washington Office, Computer Professionals for Social Responsibility. See also, David H. Flaherty, "Ensuring Privacy and Data Protection in Health and Medical Care," prepublication draft, Apr. 5, 1993. Such a board has been established in several foreign countries, including Sweden, Germany, Luxembourg, France, Norway, Israel, Austria, Ireland, United Kingdom, Finland, the Netherlands, Canada, and Australia. For an analysis of data protection in certain of these countries, see David A. Flaherty, Protecting Privacy in Surveillance Societies (Chapel Hill, NC: The University of North Carolina Press, 1989).
25. Discussion of a larger scale Data Protection Board reviewing data privacy issues generally is beyond the scope of this inquiry. However, literature discussing proposals for a Data Protection Board is illustrative of the nature and function of oversight bodies for privacy in personal data.

The Right to Privacy in Health Care Information 2

The report of the Institute of Medicine (hereafter referred to as "the IOM report") claims that computers, high-performance networks, and technologies that allow electronic storage, transmission, and display of medical images will improve the quality of patient care, advance the science of medicine, lower health care costs, and enhance the education of health care professionals. The IOM study cites ways in which computerization of patient records could improve the quality of patient care by offering a way to improve the ease of access to patient care data. Computerized patient records could facilitate integration of patient information over time and from one care provider to another.
They could make medical knowledge more accessible to practitioners, and they could support decision making by practitioners.1 With respect to medical research, the IOM report states that computerization could improve data and access to data by researchers, and research findings could be provided to practitioners over medical information computer systems.2

Computerization is seen also as a way to assist in lowering health care costs. The IOM report argues that improved information could reduce redundant tests and services carried out when test results are not available to the practitioner. Administrative costs could be reduced by electronic submission of claims and the ability to generate reports automatically. Practitioner productivity could be improved in three ways:

o reduce the time required to find missing records or to wait for records already in use,
o reduce the need for redundant data entry, and
o reduce the time needed to enter or review data in records.3

The Computer-based Patient Record Institute (CPRI), an organization of public and private sector entities concerned with the computerization of patient records, was established in response to a recommendation of the IOM report.4 Its purpose is to facilitate development, implementation, and dissemination of the computer-based patient record, and its vision is the use of a comprehensive, longitudinal patient record to provide all clinical, financial, and research data. The computer-based patient record would contribute to more effective and efficient care through:

o access to lifetime health data collected and contained across the continuum of care;
o support for quality of health care delivery;
o ready access to knowledge bases to support clinical practice, administration, education, and research;
o patient participation in health status determination; and
o wellness and disease prevention.
The Workgroup for Electronic Data Interchange (hereafter referred to as "WEDI") envisions electronically connecting the health care industry by an integrated system of electronic communication networks that would allow any entity within the health care system to exchange information and process transactions with any other entity in the industry. According to its report, such a system could reduce administrative and health care delivery costs. Electronic processing of insurance and managed-care administrative transactions, such as claims, eligibility checks, and coordinating benefits, could streamline payers' operations and reduce the administrative tasks of providers. Clinical applications, such as computerized patient records, test results, and outcome studies, might assist providers in ensuring high-quality care without unnecessary or duplicate procedures.5

While endorsing the adoption of the computer-based patient record and electronic data interchange for health care, these reports acknowledge the concerns about privacy that such systems raise. The IOM study notes that, "the computerization of most types of record keeping, as well as the recent well-publicized cases of inappropriate access by computer hackers, has increased concerns about the misuse of personal information."6 Among the concerns cited by the IOM study are security features of computer-based patient record systems, the lack of generally accepted standards for protection of computer-based medical data across States, and the potential for invasion of patient privacy presented by a personal identification number for all patient records.

The Report of the Work Group on Computerization of Patient Records to the Secretary of the U.S. Department of Health & Human Services7 echoes the concerns of the IOM study.
The Work Group on Computerization Report asserts that linkages between systems will significantly enhance access to patient information, thereby offering tremendous potential for improving the quality and efficiency of health care delivery. With enhanced access, however, come concerns about confidentiality and the protection of patient privacy. While patient data is already shared among those who deliver and pay for care, the health information infrastructure envisioned by the Work Group on Computerization Report would make patient information accessible to care givers, payers, and others, and would create new opportunities for abuse unless protection for patient privacy is built into its design and use.

The WEDI Report discusses in depth the serious implications for privacy raised by the use of computer databases linked electronically for information exchange. The report clearly states that:

    [t]he electronic technology itself holds intrinsic threats to maintenance of personal privacy. The same technology that made it possible to transmit data from one computer to another, whether those computers are in the same room or on opposite sides of the globe, also permits violations of data integrity and data security.

It goes on to assert that:

    [t]he establishment of the types of data repositories envisioned for health care claims processing to effect administrative savings should be accompanied by promulgation of significant patient rights regarding the accuracy of personal information maintained and the extent to which it is shared with others. The need for security and confidentiality of patient information should not be subject to individual organizational determination of need. Security and confidentiality must be preserved and protected. They must not be compromised for expedience or the "bottom line."
The WEDI Report examines the complex state of the law regarding privacy and confidentiality in such information, and cites the need to streamline the protection of patient information as one of the key steps the industry must take to implement electronic data interchange efficiently.

Recent surveys demonstrate that the concerns voiced in these reports reflect a broad concern among the American public about privacy in their personal information. A joint Lou Harris/Equifax survey indicated that 79 percent of Americans feel their personal privacy is threatened, and some segments of the population fear that consumer information will be more vulnerable by the year 2000. Most Americans also specifically acknowledge the dangers to privacy of present computer uses. According to the survey, two-thirds of the public believes that personal information in computers is not adequately safeguarded, and a significant portion of the American public no longer has confidence in the way industry treats personal information. Almost 9 of 10 Americans surveyed believe that computers have made it much easier for someone to improperly obtain confidential personal information about individuals.8 In an earlier poll, conducted by Time and CNN in 1991, 93 percent of respondents asserted that companies that sell personal data should be required to ask permission from individuals in advance. California's Privacy Rights Clearinghouse, the first privacy hotline in the Nation, logged more than 5,400 calls within 3 months of its inception in November 1992.9

These concerns are well founded. A market exists for the sale of personal information from both public and private sources, encouraged by financial incentives for staff to supplement their income through unauthorized disclosures of personal information. Prosecutions of U.S. Federal Government employees for unlawful disclosure of personal information indicate the risk of invasion of privacy perpetrated by trusted insiders.
Those indicted include current or former employees of the Social Security Administration, the Internal Revenue Service, local police officers accessing the FBI's National Crime Information Center, and a number of information brokers. In most of these instances, employees were bribed by information brokers and private investigators representing private clients.10 Anecdotal evidence in this country, and formal investigative work overseas, indicates that abuse of information, and specifically medical information, is widespread. (See boxes 2-A, 2-B, and 2-C.)

In addition, increasingly interconnected, affordable, fast, online systems enable the building of electronic dossiers. Macworld magazine reported that it investigated 18 business leaders, politicians, Hollywood celebrities, and sports figures, primarily in the State of California where most public records are online. The investigation sought all legally accessible data available from four commercial and two governmental data suppliers. Investigators were able to obtain the following kinds of information: birth dates, home addresses, home phone numbers, social security numbers, neighbors' addresses and phone numbers, driving records, marriage records, voter registration, biography, records of tax liens, campaign contributions, vehicles owned, real estate owned, commercial loans and debts, civil court filings, corporate affiliations, public records for criminal court filings, fictitious business names, records of bankruptcies, insider trading transactions, trusts, deeds, and powers of attorney. To obtain this information, investigators spent an average of only $112 and 75 minutes per subject.11

WHY IS PRIVACY IN HEALTH CARE INFORMATION IMPORTANT?

Health care information relates to profoundly personal aspects of an individual's life.
The medical records kept by physicians and hospitals about patients may include identifying information, x-ray films, EKG and lab test results, daily observations by nurses, physical examination results, diagnoses, drug and treatment orders, progress notes and post-operative reports from physicians, medical history secured from the patient, consent forms authorizing treatment or the release of information, summaries from the medical records of other institutions, and copies of forms shared with outside institutions for insurance purposes. But in addition to objective observations, diagnoses, and test results, medical records may also contain subjective information based on impressions and assessments by the health care worker. Medical records may also include impressions of mental abilities and psychological stability and status; lifestyle information or suppositions (including sexual practices and functioning); dietary habits, exercise and recreational activities (including dangerous ones life insurers would want to know about); religious observances and their impact on treatment decisions; alcohol and drug use; and comments on attitudes toward illness, physicians, treatments, compliance with therapy and advice, etc.12 Staff comments about the patient's character or demeanor are sometimes included in the record. Increasingly sophisticated diagnostic tools yield more and more detailed, and potentially sensitive, information about a person's body: genetic research and testing results in information that not only indicates a patient's present condition but also enables prediction of his or her future medical condition and the prospect of developing specific medical problems.
Medical information can affect such basic life activities as getting married, securing employment, obtaining insurance, or driving a car.13 Medical conditions have served as the basis for discriminatory practices, making it difficult to participate in these activities.14 Because of its highly sensitive nature, improper disclosure of medical information can result in loss of business opportunities, compromise to financial status, damage to reputation, harassment, and personal humiliation. However, defining what is "sensitive" in a record may be difficult, since the definition may depend on the intended use of a record.15

Yet at the same time, the integrity of the patient record and the disclosure by the patient to the physician of information necessary to establish an accurate diagnosis is desirable to attain the best clinical outcome. Simply stated, disclosure of medical information by the patient, free of the fear of improper disclosure, is necessary to obtaining good quality medical care. An environment must be maintained in which this kind of disclosure is possible. In its testimony to the U.S. Privacy Commission, the American Medical Association stated, "Patients would be reluctant to tell their physicians certain types of information, which they need to know in order to render appropriate care, if patients did not feel that such information would remain confidential."16 More recently, the AMA Code of Medical Ethics stated:

    The confidentiality of physician-patient communications is desirable to assure free and open disclosure by the patient to the physician of all information needed to establish a proper diagnosis and attain the most desirable clinical outcome possible. Protecting the confidentiality of the personal and medical information in such medical records is also necessary to prevent humiliation, embarrassment, or discomfort of patients.
At the same time, patients may have legitimate desires to have medical information concerning their care and treatment forwarded to others.17

UNREGULATED COMPUTERIZATION AND MARKETING OF HEALTH CARE INFORMATION

In addition to the widespread problem of information brokering and abuse of authorized access to computerized information within a large public sector database of sensitive information, the private sector has now begun to respond to a strong commercial incentive to aggregate medical information. In some instances, such as that of the Medical Information Bureau,18 information is gathered and banked solely for the purpose of assisting the insurance industry in making coverage exclusions in their policies. In other cases, companies offering such computer services as health insurance claims processing, office management, or patient billing take advantage of their access to medical information (see box 2-D). In these instances, aggregate information is gathered and sold, usually without patient knowledge or consent. At this time, there is no law prohibiting these practices.19 The businesses involved in these ventures operate under no regulatory guidelines regarding security measures, employee practices, or licensing requirements.

POTENTIAL FOR INCREASED DEMANDS FOR COMPUTERIZED INFORMATION

The IOM study discusses in some detail the increasing demand by multiple users for access to patient care data.20 According to the report, information must be shared among many professionals who are involved in delivery of health care. In addition to these persons, administrators and managers of health care institutions require information to monitor quality of care and allocate resources. To develop budgets, measure productivity and costs, and assess market position, managers of institutions seek to link financial and patient care information. Quality assurance activities also involve access to information.
Among the organizations involved in such activities is the Joint Commission on Accreditation of Healthcare Organizations (JCAHO). Third-party payers carry out quality monitoring and evaluations. The best known is perhaps the Medicare peer review organization program administered by the Health Care Financing Administration. Increased Federal involvement in health care has resulted in greater need by the government for medical information. Programs that pay for health services legitimately require review of individual medical information as part of the payment process. In 1992, Medicare alone paid over $126 billion for health services.21 Related programs for quality control and to limit fraud, abuse, and waste have needs for medical records. In addition, records are maintained by agencies that operate health programs such as the Department of Veterans Affairs, the Department of Defense, the Indian Health Service, and the Public Health Service.22

Demands for information come not only from review bodies, third-party payers, outside billing and computer services, and government, but also from employers, insurers, and others who use health care information for nonhealth purposes. Some suggest that, as the supply of computerized personal medical information increases, there may be a demand for access to information that is not currently authorized. Will investors seek "medical reports" on the chief executive officers of companies in which they are considering investing? Will the media seek to determine what prescription drugs celebrities are taking? Will direct marketers, or market researchers, have access to information about patients' prescription and nonprescription drug use, either from medical records or from pharmacies? To what extent might employers demand medical information?23

The Report of the Work Group on Computerization of Patient Records recognizes that:

as capability for storage and analysis of personal records increases and the cost of collection decreases, the demand for such information by providers, payers, policymakers, and researchers will likely multiply. There may be pressure to collect more data than is strictly necessary for a given purpose--collected data may then be maintained in a large database where it may be vulnerable to misuse.24

Others are concerned that extensive access to medical records and health care information may pose a threat to privacy, and that safeguards against unauthorized access are meaningless if authorized access is so broad.25 Still others point out that, once any kind of information is compiled for whatever legitimate goal, the impulse to access that information for another well-meaning purpose is strong.26 The technology of computerization and security makes it possible to monitor information flow in computer systems, and enables society to enforce clear value choices as to whom information should properly be made available.27 Some suggest that this presents an opportunity for a reassessment of the question of authorized access: who should have it, and under what circumstances.28 Resolution of these issues would allow software developers to design systems in which access and security provisions for appropriate secondary users become a part of the computer system.29

ISSUES RAISED BY COMPUTERIZATION

In view of the report by the Krever Commission, discussed in box 2-B, and from anecdotes of the kind presented in box 2-A, it is clear that it is easy to gain access to, copy, remove, and destroy paper patient records. However, computers create new and more clearly defined problems about confidentiality and privacy than exist in paper record systems, and also bring longstanding confidentiality and privacy issues into sharper focus.
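The preceding section suggests that computerization lets access and security provisions for secondary users be built into the system itself, and lets information flow be monitored rather than assumed. The following Python program illustrates both ideas in simplified form: a release function that discloses only the fields a stated purpose needs, and an access log whose entries are chained by hash so that a later alteration or deletion of an entry is detectable. It is an example added to this edition, not code from the OTA report or from any system the report describes. The record fields, the stated purposes and the fields each purpose may receive, the requester names and the patient values are all constructed for illustration; the release policy is hypothetical, not one the report endorses.

```python
# Added illustration for this edition, not code from the OTA report.
# (1) A purpose-bound, need-to-know release policy built into the system
#     rather than left to whoever copies the file.
# (2) A hash-chained access log, so that after-the-fact alteration or
#     deletion of log entries is detectable rather than invisible.
# All field names, purposes, requesters and sample values are constructed.

import hashlib
import json

# Constructed sample record (fictitious patient, fictitious values).
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Doe",
    "date_of_birth": "1950-03-14",
    "diagnoses": ["essential hypertension"],
    "procedures": [{"code": "99213", "date": "1993-04-02"}],
    "charges": 85.00,
    "psychiatric_notes": "constructed sensitive note",
    "lifestyle_notes": "constructed sensitive note",
    "staff_comments": "constructed sensitive note",
}

# Hypothetical policy: which fields each stated purpose may receive.
# A field not listed for a purpose is never released for that purpose.
RELEASE_POLICY = {
    "treatment": frozenset(SAMPLE_RECORD),  # treating clinician: full record
    "claims_processing": frozenset({"patient_id", "diagnoses", "procedures", "charges"}),
    "quality_review": frozenset({"patient_id", "diagnoses", "procedures"}),
}

GENESIS = "0" * 64  # hash value that precedes the first log entry


class AuditLog:
    """Append-only access log. Each entry's hash covers the previous entry's
    hash, so changing, removing or inserting an earlier entry breaks every
    hash after it. A real deployment would also anchor the latest hash
    somewhere the log's own administrators cannot rewrite."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, event):
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

    def append(self, event):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"event": event, "prev": prev_hash,
                 "hash": self._digest(prev_hash, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, entry_count) if the chain is intact, otherwise
        (False, index) for the first entry whose link or hash fails."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["prev"] != prev_hash
                    or entry["hash"] != self._digest(prev_hash, entry["event"])):
                return False, i
            prev_hash = entry["hash"]
        return True, len(self.entries)


def release(record, purpose, requester, log):
    """Release only the fields the policy allows for `purpose`, logging the
    decision either way. An unknown purpose is refused, not given everything."""
    allowed = RELEASE_POLICY.get(purpose)
    if allowed is None:
        log.append({"requester": requester, "purpose": purpose,
                    "patient_id": record["patient_id"], "outcome": "denied"})
        raise PermissionError(f"no release policy for purpose {purpose!r}")
    disclosed = {k: v for k, v in record.items() if k in allowed}
    log.append({"requester": requester, "purpose": purpose,
                "patient_id": record["patient_id"],
                "fields": sorted(disclosed), "outcome": "released"})
    return disclosed


if __name__ == "__main__":
    log = AuditLog()
    claim = release(SAMPLE_RECORD, "claims_processing", "insurer-A", log)
    print("released for claim:", sorted(claim))
    print("log intact:", log.verify())
    log.entries[0]["event"]["fields"] = []  # simulate a silent edit of the log
    print("after tampering:", log.verify())
```

Run as a script, the program releases the constructed record for claims processing, shows that the psychiatric, lifestyle and staff-comment fields are withheld, verifies the log, then alters an earlier log entry and shows that verification fails at that entry. The chain makes tampering detectable, not impossible; the design choice that matters in practice is where the latest hash is kept, since an administrator who can rewrite both the entries and the anchor can still recompute the chain.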
Computerization of data with appropriate security measures can address the problem of confidentiality in sensitive medical information. Security alone, however, cannot solve the problem of patient privacy. The maintenance of medical information on computers also worsens some problems and raises new and complex issues not confronted in a paper environment. Legislation to address concerns about privacy in this information must apply to paper records, to computerized ones, and to the period of transition between paper and computers.

As discussed earlier, electronic storage and management of medical information is believed to provide certain advantages in the delivery of health care:

o It could allow for greater mobility of patient treatment within the health care system, which could foster competition for patients among health care providers.

o Use of an electronic system could potentially increase the speed with which patient medical histories could be accessed, thereby speeding treatment, particularly in medical emergencies.

o It has been suggested that computer records are better protected through computer security measures, thus eliminating the potential for abuse presented by paper records.

o Some suggest that the computer record allows greater control on the part of record-keepers over patient information, so that information based on need-to-know can be released to third-party payers, utilization review boards, and other appropriate parties, replacing the current practice of releasing the entire patient record to process one insurance claim.30

However, computerization of health care information raises other concerns:

o Computer technology makes the creation of new databases and data entry easy, so that databases can be created and maintained readily. This could result in a proliferation of data and information that is easily searchable.

o Computerization allows for storage of large amounts of data in a very small physical medium. An intruder into a database can retrieve large amounts of data (most likely far more than could be stolen on voluminous paper records) once access is gained.

o Computers provide for the possibility of "invisible theft"--stealing data without taking anything physical--so that patients and providers remain unaware that the data has been stolen, altered, or abused.

o Computers allow for the possibility of "invisible" modification, deletion, or addition of data.31

o Computers create the potential for the easy linking of data that were not intended to be collated.32

o Computers allow a large number of people to handle or access data; the potential vulnerability of the data to large-scale intrusion is significantly increased in a computerized environment.33

In sum, computer systems create easy opportunities to compile and maintain large amounts of information and to use it in ways that were never intended by the person who provided it.34 The compilation of data and the ease with which the information contained in the databank can be transferred by computer make access to that information easier and more attractive to a wider group of people.35

RIGHT TO PRIVACY IN HEALTH CARE INFORMATION

Privacy in health care information has traditionally been protected through ethical codes and through State and Federal laws. In addition, the Supreme Court has found sources for a right to privacy in health care information in the Constitution (see box 2-E).

Ethical Origins

The historical origin of the health care provider's obligation to protect the confidentiality of patient information is traced to the Oath of Hippocrates, written between the Sixth Century B.C.E. and the First Century A.C.E., which states:

What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself. . .
Confidentiality requirements for physicians were formulated differently in later ethical codes. Thomas Percival's code of medical ethics, published in 1803, included the language:

Secrecy and delicacy, when required by peculiar circumstances, should be strictly observed. And the familiar and confidential intercourse, to which the faculty are admitted in their professional visits, should be used with discretion and with the most scrupulous regard to fidelity and honor.

The first Code of Ethics of the American Medical Association, adopted in 1847, was based on Percival's Code. The Code's provisions on confidentiality repeated the language of Percival's Code without substantive change, and continued:

The obligation of secrecy extends beyond the period of professional services--none of the privacies of personal and domestic life, no infirmity of disposition or flaw of character observed during professional attendance, should ever be divulged by [the physician] except when he is imperatively required to do so. The force and necessity of this obligation are indeed so great, that professional men have, under certain circumstances, been protected in their observance of secrecy by courts of justice.

The American Medical Association's ("AMA") Principles of Medical Ethics expand on the ethical confidentiality obligation, requiring physicians to "safeguard patient confidences within the constraints of the law."36 In addition, the AMA's Council on Ethical and Judicial Affairs issued guidelines for maintaining confidentiality of health information in the Electronic Data Interchange environment. These guidelines require that the physician and patient consent to release of patient-identifiable clinical and administrative data to any entity outside the medical care environment.
The guidelines also state that the release of confidential health information should be confined to the specific purpose for the release, and that the recipient of the information should be advised that further disclosure is not authorized.

The AMA's Code of Ethics evolved from 1847 until the version drafted in 1980, in which confidentiality is covered in the fourth of eight principles:

A physician shall respect the rights of patients, colleagues, and of other health professionals, and shall safeguard patient confidences within the constraints of the law.

The obligation to preserve patient confidentiality remained in the 1980 code, without any specific guidelines about how to respond to requests for information from researchers, police, Federal agencies, or other potential users of information. Nor is the term "patient confidence" defined. Recent policy statements of the AMA more clearly detail the responsibilities of physicians to protect patient rights to confidentiality and the medical records. In the Code of Medical Ethics (Current Opinions, 1992), the AMA expresses its belief that the information disclosed to a physician during the course of the relationship between physician and patient is confidential to the greatest possible degree:

The patient should feel free to make a full disclosure of information to the physician in order that the physician may most effectively provide needed services. The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication. The physician should not reveal confidential communications or information without the express consent of the patient, unless required to do so by law.
The document sets forth particular instances when the obligation to safeguard patient confidences is subject to exceptions for legal and ethical reasons:

Where a patient threatens to inflict serious bodily harm to another person and there is a reasonable probability that the patient may carry out the threat, the physician should take reasonable precautions for the protection of the intended victim, including notification of law enforcement authorities. Also, communicable diseases, gun shot and knife wounds, should be reported as required by applicable statutes or ordinances.37

Other providers and organizations maintaining records have established standards to protect the confidentiality of health information. The American Hospital Association's Patient's Bill of Rights states that the patient has the right:

. . . to expect that all communications and records pertaining to his/her care will be treated as confidential by the hospital and any other parties entitled to review certain information in these records.

FEDERAL LAW PROTECTING PRIVACY IN MEDICAL RECORDS

The Federal Privacy Act: The Federal Privacy Act of 1974, 5 U.S.C. Section 552a (1988), protects individuals from nonconsensual government disclosure of confidential information. The Act prohibits Federal agencies, including Federal hospitals, from disclosing information contained in a system of records38 to any person or agency "without prior written consent of the individual to whom the record pertains" unless the disclosure or further use is "consistent with" the purpose for which the information was collected.39 The purpose of the Privacy Act is "to provide certain safeguards for an individual against an invasion of privacy."40 The Act contains major requirements concerning collection, maintenance and dissemination of personal information. Agencies must:

1. Permit an individual the right to determine what records pertaining to him are collected, maintained, used, or disseminated by such agencies.

2. Permit an individual to prevent records pertaining to him obtained by such agencies for a particular purpose from being used or made available for another purpose without his consent.

3. Provide a procedure by which an individual may request the correction or amendment of information pertaining to him.

4. Be subject to civil suit for damages that occur as a result of willful or intentional action that violates any individual rights under the Act.

The Privacy Act permits exemptions from the requirements for records provided in the Act only in those cases where there is an important public policy need for such exemption as determined by statutory authority (e.g., law enforcement). Thus, the Privacy Act requires Federal agencies to collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such actions are for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent its misuse.

Hospitals operated by the Federal Government are bound by the Privacy Act's requirements with respect to the disclosure of the medical records of their patients. Also, medical records maintained in a records system operated pursuant to a contract with a Federal agency are subject to the provisions of the Privacy Act.
For example, hospitals that maintain registers of cancer patients pursuant to a Federal contract, or federally funded health maintenance organizations, are subject to the Privacy Act.41

Alcohol and Drug Abuse Laws: Two Federal statutes prescribe special confidentiality rules for the records of patients who seek drug or alcohol treatment at federally funded facilities.42 These statutes and their implementing regulations apply strict confidentiality rules to oral and written communications of "records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any" educational, rehabilitative, research, training, or treatment program relating to drug or alcohol abuse.43 The regulations define a patient's record as "any information, whether or not relating to a patient, received or acquired by a federally assisted alcohol or drug program."44 In essence, these restrictions provide for a higher level of confidentiality and allow limited exceptions for release of patient information. These exceptions, however, allow disclosure with the prior written consent of the patient (if the consent meets certain requirements prescribed by regulation).45 These regulations have the full force and effect of Federal law, so that they supersede State laws on confidentiality.

Section 1106 of the Social Security Act: This statute prohibits disclosure of any file, record, or other information obtained by the officers or employees of the Department of Health and Human Services except as prescribed by regulation. This prohibition also applies to officers and employees of any agency, organization, or institution that contracts with the Secretary (intermediaries and carriers) during the course of carrying out the contract. The regulations that implement section 1106, 42 C.F.R. secs. 401.101-401.152, supplement and are consistent with the regulations that implement the Federal Freedom of Information Act.46

SOURCES OF THE CONFIDENTIALITY OBLIGATION--STATE COMMON LAW

Defamation. Defamation is the false written or oral communication to someone other than the defamed of matters that concern a living person and tend to injure that person's reputation.47 Medical records may contain information that is inaccurate and that, if published, would tend to affect a person's reputation in the community adversely. Thus, conceivably, disclosure by a hospital to an unauthorized person would result in an action for defamation. A qualified privilege may exist where information is transmitted to a third party with a proper motive or purpose and with the exercise of reasonable care that the information was true.48

Breach of Contract. Courts have, of late, demonstrated a willingness to apply the ethical standards of the medical profession to compel physicians to maintain the confidentiality of information they obtain in the course of treating their patients. As discussed above, the ethical standards of the AMA prohibit physicians in most situations from revealing a confidence entrusted to them by a patient during treatment. Further, the Medical Practice Acts of many States require physicians to maintain the confidentiality of their patients' medical information, and the AMA has published standards of hospital conduct that require hospitals to protect their patients' privacy.49 Some courts now appear willing to enforce these standards as part of the contractual relationship between physicians and their patients. In Hammonds v. Aetna Casualty and Surety Co.,50 the court held that a physician breached an implied condition of his physician-patient contract when he disclosed medical information to a hospital's insurer without the patient's consent. The court emphasized the rights of patients to rely on the ethical standards of confidentiality as on an express warranty. Similarly, in Doe v. Roe,51 the court found both breach of a contractual covenant to keep statements in confidence and a tortious invasion of privacy when the defendant published a book including an extensive transcript of statements made by the plaintiff patient during treatment.

SOURCES OF CONFIDENTIALITY OBLIGATION--STATE STATUTES

There is tremendous variation in the number and quality of State laws on medical confidentiality. While it may be difficult to generalize about the adequacy of State medical confidentiality laws, a report of the Committee on Government Operations of the House of Representatives concluded in 1980 that "most States do not have well defined, modern laws on the confidentiality of medical records."52 A survey of State statutes governing privacy in medical records published by Robert Ellis Smith emphasizes this point.53 These statutes, however, do not address the flow of medical information to secondary users outside the treatment process, who are deemed to legitimately have access to the information. They do not address the responsibilities of third-party payers in handling this information, nor do they impose rules about the use of medical information by secondary users of that data: parties that use medical records for nonmedical purposes. This patchwork of law addressing the question of privacy in personal medical data is inadequate to guide the health care industry in carrying out its obligations in a computerized environment. Furthermore, States are not consistent in their acknowledgment of the computerized medical record, and do not confront the problems presented by computerization. Some States continue to require that patient records be maintained in writing.
Moreover, State law does not address the growing segment of the information industry that seeks to compile (whether with or without patient names or identifiers) medical information about patients for sale to interested corporations.54 As the WEDI Report to the U.S. Department of Health and Human Services states:

Myriad laws and regulations require providers to maintain health information in a confidential manner. . . [C]onfidentiality has historically been addressed at the state level, with each state crafting its own unique approach. The state rules are superimposed on a federal regulatory framework. The result: a morass of erratic law, both statutory and judicial, defining the confidentiality of health information.55

INADEQUACY OF EXISTING PROTECTION SCHEME AND THE NEED FOR FEDERAL LEGISLATION

Legal and ethical principles currently available to guide the health care industry with respect to obligations to protect the confidentiality of patient information are inadequate to address privacy issues in a computerized environment that allows for intra- and interstate exchange of information for research, insurance and patient care purposes. Lack of legislation in this area will leave the health care industry with little sense as to its responsibilities for maintaining confidentiality. It also allows for a proliferation of private sector computer databases and data exchanges without regulation, statutory guidance, or recourse for persons wronged by abuse of data.

The scheme, as it exists, does not adequately take into account the tremendous outward flow of information generated in the health care relationship today (see box 2-F and figure 2-1). This problem has always existed, but was not as serious because medical records were only occasionally used outside the medical treatment process. The expanded use of medical records for nontreatment purposes exacerbates the shortcomings of existing legal schemes to protect privacy in patient information.
The law must address the increase in the flow of data outward from the medical care relationship, both by addressing the question of appropriate access to data and by providing redress to those who have been wronged by privacy violations. Lack of such guidelines, and failure to make them enforceable, could affect the quality and integrity of the medical record itself. Further, the reservation of regulation of these matters to the States does not address the growing reality that this information will increasingly be transferred or accessed across State lines. As a result, health care providers, third-party payers, and secondary users of medical information will remain uncertain as to the law under which they are operating. The WEDI Report echoes this concern:

The regulatory framework governing providers' disclosure of patient-identifiable health information is flawed. It dictates different disclosure rules for different types of providers. These rules may conflict within a given state and among different states. The great variance in disclosure rules creates inconsistent standards for providers and offers inconsistent protection to patients. Some states offer little protection for health information, while others offer protection for the initial disclosure of information but ignore the problem of subsequent disclosures.56

This lack of clarity could lead to increased litigation over medical confidentiality issues and the obligations of parties with access to the information.
Patient awareness that records are maintained on computers, absent the assurance of a clear law protecting the confidentiality of those records, could lead to deterioration of the traditionally confidential "physician-patient" relationship.57 Some contend that this breakdown could well lead to patients' withholding information critical to their care, thus jeopardizing their own health as well as denying the health care system (including physicians, nurses, hospitals, third-party payers, and researchers) information they may legitimately want and need, and that society has already deemed appropriate to give them. It could also place physicians in the difficult ethical position of deciding whether or not to enter sensitive information into the record at the patient's request (or of maintaining a separate, noncomputer-based record), or, at the extreme of this situation, lead to the development of a "black market" health care system that does not participate in the computerized exchange of patient information.58

Yet others argue that while patients do express concern about the privacy of their records in general, there is a body of medical literature that has found no significant patient concerns with the privacy of computerized medical records within private medical settings.59 While patient concerns may be lessened when their medical records are stored in the computers of their personal physicians, patients may be more concerned with records stored in the large, national databases that are proposed as a part of recent health care initiatives.60

1. Institute of Medicine, The Computer-Based Patient Record: An Essential Technology for Health Care, Richard S. Dick and Elaine B. Steen, eds. (Washington, DC: National Academy Press, 1991), p. 24. This is a publication of the Committee on Improving the Patient Record, Division of Health Care Services Institute.

2. Ibid.

3. The Institute of Medicine study cites a 1991 report of the U.S. General Accounting Office (GAO) on automated medical records. That report identified three ways that such records could benefit health care. GAO stated that automated records could improve delivery of health care by providing medical personnel with better data access, faster data retrieval, higher quality data, and more versatility in data display. Automated records could also support decision making and quality assurance activities and provide clinical reminders to assist in patient care. According to GAO, automated records could enhance outcomes research by electronically capturing clinical information for evaluation and could increase hospital efficiency by reducing costs and improving productivity.

4. Membership of CPRI includes representatives of health profession organizations such as the American Medical Association, the American Hospital Association, the American Medical Informatics Association, the American Nurses Association, the American Health Information Management Association, the American Association for Medical Transcription, computer and telecommunications companies, and health maintenance organizations.

5. U.S. Department of Health and Human Services, Workgroup for Electronic Data Interchange, Report to the Secretary, July 1992, Executive Summary, p. iii.

6. Institute of Medicine, op. cit., footnote 1, p. 103.

7. U.S. Department of Health and Human Services, Work Group on Computerization of Patient Records, Report to the Secretary, "Toward a National Health Information Infrastructure," April 1993.

8. Harris-Equifax Consumer Privacy Survey 1992, conducted for Equifax by Louis Harris and Associates in association with Alan F. Westin, Columbia University.
See also Joel Reidenberg, Associate Professor of Law, Fordham University School of Law, testimony before the House Committee on Energy and Commerce, Subcommittee on Telecommunications and Finance, Oversight Hearings on Issues Related to the Integrity of Telecommunications Networks and Transmissions, Apr. 29, 1993.

9. Charles Piller, "Privacy in Peril," Macworld Special Report on Electronic Privacy: Workplace and Consumer Privacy Under Siege, July 1993, p. 8.

10. David Flaherty, "Ensuring Privacy and Data Protection in Health and Medical Care," prepublication draft, Apr. 5, 1993, p. 8 (citing Michael Isikoff, "Theft of U.S. Data Seen as Growing Threat to Privacy," The Washington Post, Dec. 28, 1991, and "Dealing Federal Information to Private Resellers," Privacy Journal, vol. 17, No. 3, January 1992, pp. 1, 4).

11. Charles Piller, op. cit., footnote 9, pp. 11-12.

12. Madison Powers, Joseph and Rose Kennedy Institute of Ethics, Georgetown University, personal communication, May 1993.

13. Alan Westin, Computers, Health Records, and Citizen Rights (Washington, DC: U.S. Government Printing Office, 1976), p. 9.

14. S. Rept. 101-116, on the Americans With Disabilities Act of 1989, 42 U.S.C. Sec. 12101, P.L. 101-336, sets forth in detail the kinds and extent of discrimination that can result on the basis of a medical condition. The report cites specifically the testimony of a woman who was fired from the job she had held for a number of years because the employer found out that her son, who had become ill with AIDS, had moved into her house so she could care for him. It also cited testimony of former cancer patients and persons with epilepsy, among others, who had been subjected to similar types of discrimination. Among the report's conclusions is that "[h]istorically, individuals with disabilities have been isolated and subjected to discrimination and such isolation and discrimination is still pervasive in our society."
While the Americans With Disabilities Act can address the problem legally, it does not solve the problem of social stigma and social ostracism that can result when a person's medical condition becomes known.

15. For example, is information on chronic health conditions, when used to determine whether or not to employ specific individuals, sensitive? Different persons will also vary in their perceptions of what is sensitive, and thus what constitutes an invasion of privacy may vary from person to person. Joan Turek-Brezina, Chair, Department of Health and Human Services Task Force on the Privacy of Private Sector Health Records, personal communication, April 1993. Some commentators suggest that medical information is so sensitive that it deserves a special standard for protection under the law, one higher than that provided for, say, financial or consumer information. Jeff Neuberger, Brown, Raysman and Millstein, New York, NY, personal communication, April 1993.

16. U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington, DC: U.S. Government Printing Office, 1977), p. 28.

17. American Medical Association, Code of Medical Ethics, Current Opinions, prepared by the Council on Ethical and Judicial Affairs, 1992, sec. 5.07.

18. For further discussion of the Medical Information Bureau, its purpose and activities, see box 2-E.

19. Commentators note that this practice contributes to inadequate health care coverage for many Americans. Margaret Amatayakul, Associate Executive Director, Computer-based Patient Record Institute, Inc., personal communication, April 1993.

20. Institute of Medicine, op. cit., footnote 1, p. 21.

21. HCFA Data Compendium, Health Care Financing Administration, Fiscal Year 1992, U.S. Department of Health and Human Services, Bureau of Data Management and Strategy, Office of Statistics and Data Management, p. 28.

22. Federal Privacy of Medical Information Act, Report 96-832, Part 1, Mar. 19, 1980, p. 30.

23. Gerry D. Lore, Associate Vice President and Director, Government Affairs, Hoffmann-LaRoche Inc., personal communication, April 1993.

24. Report of the Work Group on Computerization of Patient Records, op. cit., footnote 7, p. 14.

25. If individuals perceive that personal medical information is at risk of broad authorized access, individuals may forgo medical treatment. Gerry D. Lore, op. cit., footnote 23.

26. OTA workshop, July 1992. One example of this phenomenon is the use of taxpayer information to track parents whose child support payments are delinquent.

27. Alan Westin, Professor of Public Law and Government, Columbia University, personal communication, February 1993.

28. Gerry D. Lore, op. cit., footnote 23.

29. It is well established that computer security systems are best integrated into systems as the software is developed. Kevin McCurley, Senior Member of Technical Staff, Algorithms and Discrete Mathematics Department, Sandia National Laboratories, personal communication, November 1992.

30. OTA Workshop, July 31, 1992. Insurers' requests may be specific while the response to the request may be much broader than the request would require. Steven Brooks, Manager, Medical Information Management, Aetna Health Plans, personal communication, April 1993.

31. Ontario Commission of Inquiry Into the Confidentiality of Health Information, "Report of the Commission," 1980, vol. II, pp. 160-166.

32. This linkage of data is further facilitated by identification of data by Social Security Number, if it is used.

33. Steven Brooks, op. cit., footnote 30.

34. Ontario Commission of Inquiry Into the Confidentiality of Health Information, op. cit., footnote 31.

35. OTA Workshop, July 31, 1992. Some argue that once data is compiled for a particular purpose, the desire to use it for some other "laudable goal" becomes irresistible. Janlori Goldman, Director, Privacy and Technology Project, American Civil Liberties Union, personal communication, July 1992.
36. AMA Principles of Medical Ethics, Principle IV. 37. Code of Medical Ethics, Current Opinions, The American Medical Association, 1992. The AMA addresses these concerns again in its Policy Compendium: Current Policies of the American Medical Association, House of Delegates through the 1991 Interim Meeting. In its Policy Compendium of 1991 the AMA Council on Long Range Planning and Development discusses "Fundamental Elements of the Patient-Physician Relationship." Among these are the patient's right to confidentiality ("The physician should not reveal confidential communications or information without the consent of the patient, unless provided for by law or by the need to protect the welfare of the individual or the public interest."), and the patient's right to obtain copies or summaries of their medical records. (Section 140.975,Fundamental Elements of the Patient-Physician Relationship, subsections [4] and [1], respectively.) Special sections of the document state specifically the AMA's support for continued efforts to ensure the confidentiality of information on medical records, and encourages consideration of AMA drafted model state legislation, as well as its support for appropriate efforts to protect the confidentiality and privacy of information contained in electronic medical records.(Section 315.993, 998). It also addresses concerns about confidentiality of information requested by third party payors and utilization review groups. (Section 320.979 and 320.986). 38. Section 552a(a)(4) of the Privacy Act defines, for purposes of the Act, the term "record" as "any item, collection or grouping of information about an individual that is maintained by an agency, including but not limited to his education, financial transactions, medical history and criminal or employment history and that contains his name, or the identifying number, symbol or other identifying particular assigned to the individual such as a finger or voice print or a photograph." 
The Act defines the term "system of records" as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 39. Ibid. Section 552a(b). Agencies have expanded upon the notion of "consistent with" to justify further uses of personally identifiable information. 40. Public Law 93-579, sec. 2(b). 41. Medical Records and the Law, William H. Roach, Jr., Susan N. Chernoff, Carole Lange Esley, eds., (Rockville, MD: Aspen Systems Corp., 1985) p. 78. 42. 42 U.S.C. secs. 290dd-3, 290ee-3 (1988). 43. 42 C.F.R. secs. 2.1 et seq., (1990). 44. 42 C.F.R. sec. 2.12(e)(4), (1990). 45. See 42 C.F.R. sec. 2.31 (1990). 46. 5 U.S.C. sec. 5552 (1988). 47. W. Prosser, Law of Torts secs. 111, 116 (1984). 48. In Gilson v. Knickerbocker Hospital 280 App. Div. 690, 116 N.Y.S. 2d 745 (1952), plaintiff sued the hospital for libel, claiming that, by complying with a subpoena, the hospital had maliciously allowed the publication of false and defamatory matter contained in the medical record. The record contained an observation that the plaintiff was under the influence of alcohol. The court granted the hospital's motion for summary judgment, stating that the defendant's act was absolutely privileged in that it was acting pursuant to lawful judicial process. 49. American Medical Association, A Patient's Bill of Rights (1972). 50. 237 F.Supp. 96 (N.D. Ohio 1965) and 243 F. Supp. 793 (N.D. Ohio 1965). Applying Ohio law, the court held that a physician breached an implied condition of his physician-patient contract when he disclosed medical information to a hospital's insurer without patient's consent. 51. 193 Misc. 2d 201, 400 N.Y.S. 2d 68 (Sup. Ct. 1977). 52. H.R. Rep. No. 832 pt. I, 96th Cong., 2d Sess. 30-31 (1980). 53. Compilation of State and Federal Privacy Laws, published by the Privacy Journal, Providence Rhode Island, 1992. 
For another review of the State law governing this issue see Medical Records and the Law, op. cit., footnote 4 app. B, State-by-State Analysis of Medical Records Statutes and Regulations. 54. Two such enterprises, PCN Inc. and PCS Health Services, Inc., are discussed in box 2-E. 55. Workgroup for Electronic Data Interchange, op. cit., footnote 5, app. 4, p. 5. 56. Ibid., p. 17. 57. OTA Workshop, July 31, 1992. 58. Ibid., Robert M. Gellman, "Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy," North Carolina Law Review, vol. 62, 1984. 59. See, A. Potter, "Computers in General Practice: The Patient's Voice," Journal of the Royal College of General Practice, vol. 31, 1981, pp. 83 to 85; M. Pringle, S. Robins, and G. Brown, "Computers in the Surgery: The Patient's View." British Medical Journal, 1984, vol. 288, pp. 289-291. G. Brownbridge, G. Hermark, and T. Wall, "Patient reactions to doctors' computer use in general practice consultations." Social Science Medicine, 1985, vol. 20, pp. 47-52. J. Rethans, P. Hoppener, G. Wolfs, J. Diederiks, "Do personal computers make doctors less personal?" British Medical Journal, 1988, vol. 296, pp. 1446- 1448. Because medical computerization is further advanced in England than in the United States, these studies are predominantly surveys of patient opinion within the British working class. Similar findings have been reported in American work. See, J. Legler, R. Oates. "Patient Reactions to Physician Use of Computers During Clinical Encounters." Prepublication draft. 60. James D. Legler, M.D. Assistant Professor, Department of Family Practice, University of Texas, Health Science Center at San Antonio, personal communication, April 1993. -----------------------------------------Systems for Computerized Health Care Information 3 Implementation of a system for computerized medical information involves technological and nontechnological elements. 
Among the technological aspects of such a system are the online or off-line approaches to maintaining and processing information, computer security systems, and standards for computerization of medical information and the content of the medical record. From an administrative and policy standpoint, computerization of health care information requires foolproof identification of patients and patient information, policies to clarify questions of ownership and access to patient records, and practices for obtaining informed consent from patients for release and use of their personal data.

TECHNOLOGY OF COMPUTERIZED HEALTH CARE INFORMATION

Early research into computerization of medical information focused on administrative record keeping, laboratory management, and electrocardiographic analysis. In addition to these uses, one of the goals of this research has been the creation of an electronic, computer-based patient record. Computer systems for health care information records consist of four essential elements:

o Hardware, including a central processing unit, mass storage devices, communication channels and lines, and remotely located devices (e.g., terminals or microcomputers with or without local area networks) serving as human/computer interfaces;
o Software, including operating systems, database management systems, communication and application programs;
o Data, including databases containing patient information; and
o Personnel, to act as originators and/or users of the data: health care professionals, paramedical personnel, clerical staff, administrative personnel, and computer staff.1

These elements have traditionally been contained within each medical institution, and each department within the medical facility has been linked to provide access to information by health care practitioners and administrators working at the facility. Privacy and security concerns have been addressed by the individual institution.
Recently, however, faced with rising costs and increasing demands for more cost-effective delivery of services, the medical community is considering a system that links computers among institutions. Such an approach, an online system, would tie together computer systems in hospitals, private practitioners' offices, health maintenance organizations, health libraries and research resources, and third-party payers. Information about the individual patient could be transferred among these facilities, with the intent of eliminating paperwork and lowering administrative costs, while raising the level of patient care.2 Linkage of these computer systems would expand access and broaden security and privacy concerns.

A smart card system has also been considered as the primary means of storing and maintaining the patient record, or for use as an access control device to assure confidentiality in an online system, or some combination of the two.3 Smart card systems for health care have been implemented extensively in France. Other European countries have pilot projects to test this technology for maintenance of health care data. Smart cards can be used in two ways: for storage of medical information, and for enhancing security of online computer systems. Smart cards are considered by some as a way of giving the patient maximum control over the confidentiality of his or her health care information. However, depending on how smart cards are used, they too raise concerns about privacy.

Whatever the technology employed to maintain medical information, decisions about privacy in data involve balancing the individual's right to privacy against the cost of security, and the impediment that security measures impose on the accessibility of data.
Individual rights must also be balanced against public interests in information such as those for medical research.4 Technology controls improper access from outside the system, but the greater concern for abuse is improper actions by persons authorized to access the computer system from within an institution.5 No system can be made totally secure through technology.

Online Systems

The Institute of Medicine (IOM) report discusses the potential for linking data in terms of "connectivity"--a term denoting the potential to establish links or to interact with any source or database that may improve the care of the patient. The report identifies three interfaces important for such interactions: 1) the interface between the record and other repositories or potential repositories of information that may be useful in providing patient care, 2) the interface between the record systems of different provider institutions, and 3) the interface between the record and a practitioner.

The ability to link these kinds of data depends on new network technologies that are built on communications, computing, information and human resource capabilities, and integration of computing and communications technologies to enable transmission of text, images, audio and video. The information infrastructure enabling these developments includes communications networks, computers, information and the people who use these resources and create information.

Communications networks are interconnected and interoperable public and private communications networks ("public" networks refer to those networks, such as the public switched telephone network, that are open to use by anyone (common carriers); "private" networks refer to those that are limited to use by a specific group of people meeting certain criteria, such as corporate networks or "value added networks") providing services ranging from high to low speed, allowing a range of uses anytime, anywhere.
They also involve agreed-upon technical standards for piecing together the network and having all the elements work together; the capacity to transmit information at both low and high speeds, in a variety of data formats, including image, voice, and video; and multiple mechanisms to support the electronic transfer of funds in exchange for services received.

Computers include specialized computers resident on the communications networks to provide intelligent switching and enhanced network services, personal computers and workstations, including machines that respond to handwritten or spoken commands and portable wireless devices that are easy to use and that can be easily accessed by users, and distributed computer applications that are widely accessible over the network.

Information includes public and private databases and digital libraries that store material in video, image, and audio formats, and information services and network directories that assist users in locating, synthesizing and updating information.

From a health care perspective, a high-performance computing network is believed to allow linkage of hospitals, doctors' offices, and community clinics through high-speed networks. Patient records, including medical and biological data, would be available to authorized health care professionals anytime, anywhere over these networks, allowing health care providers to access immediately, from any location, the most up-to-date patient data. This data would in the future include not only textual records but would also incorporate medical images (e.g., x-ray and magnetic resonance imaging) from clinical or laboratory tests. From an administrative standpoint, such a system could enable efficiency gains and cost savings. Most often cited is the projected savings in administrative costs involved in processing an estimated five million health care claims per day.
It is believed that a network would allow improved management of and access to health care-related information and reduce costs for processing insurance claims through electronic payment and reimbursement. High-speed networks would also enable medical collaboration through use of interactive, multimedia telemedicine technologies over distances.6

The extensive linking of computers through high performance, interactive networks that enable instantaneous exchange of information challenges existing schemes for data protection, which place responsibility for confidentiality on each institution. Information will no longer be maintained, accessed, or even necessarily originate from a single institution, but will instead travel among a myriad of institutions, so that new systems for data protection must track the flow of the data itself.

SECURITY IN ONLINE SYSTEMS

In online systems, security is generally provided through the use of user identification names and passwords. User identification names can be defined in a variety of ways, including different combinations of segments of the patient's name and number sequences. Passwords are, theoretically, known only to the user and are periodically changed. More advanced technological solutions to the problem of access control include use of smart cards, or biometric control devices such as scanners that read fingerprints, retinas, or speech patterns. These devices provide heightened security, but at higher cost.7

In addition to user identification names and passwords, systems may also be equipped with user-specific menus to control access to functions and thereby limit user access only to particular parts of the patient record that the user legitimately needs to carry out his or her job. Thus, an administrator may have the ability to view only accounting and demographic data and have no access to medical data.
Indicators, or flags, can be used to define the level of interaction in a particular functional or domain area. For example, flags can control whether data can be accessed to be read or updated only; whether data can be corrected only on the same date of entry; whether data can be updated at a later date; and whether data can be validated or a process activated. Policy decisions may be made that certain kinds of information need not be accessible to all health care personnel. Thus, software can be implemented that suppresses and restricts access to certain categories of data.8

Because a networked system allows access to data from a number of terminals, terminals may be left by the operator during a data entry session after the password has been entered and at a sensitive point in a query of the data entry process. This problem may be addressed by a mechanism for quick storage of information, and time-out features so that any idle terminal unused for input for a fixed period of time will automatically revert to the password entry screen.9

Some systems make use of audit trails, records of significant events (login, user authentication, and authorization, activities of specific users) that may be checked when something of a suspicious nature occurs. Audit trails can reveal irregular patterns of access and allow detection of improper behavior by legitimate or nonlegitimate users.10

Equally important in supplementing the technological measures taken to address the problem of maintaining a secure networked system are organizational education efforts, policies, and disciplinary "actions" to ensure the ethical behavior of persons inside the computer system who have authorized access to the information. In addition, organizational committees are often established to oversee and make decisions about compliance with regulations about data, legal concerns, and ethical considerations regarding the transfer and release of information.
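The controls described in this section (user-specific menus, per-category flags, idle time-outs and an audit trail that is checked for irregular patterns) can be put together in a few dozen lines. The following is an added example and not code from the report or from any system it describes; the role names, record categories, time limits and the activity in demo() are all constructed for illustration.

```python
"""Added example, not from the OTA report: a small model of the access
controls the section describes for online systems (user-specific menus,
per-category flags, idle time-outs, and an audit trail scanned for
irregular access).  Role names, record categories, limits and the sample
activity in demo() are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Flag, auto


class Access(Flag):
    NONE = 0
    READ = auto()          # data may be viewed
    UPDATE = auto()        # data may be corrected on the date it was entered
    UPDATE_LATER = auto()  # data may be changed on a later date
    VALIDATE = auto()      # data may be validated or a process activated


FULL = Access.READ | Access.UPDATE | Access.UPDATE_LATER
# Constructed role menus: the administrator sees only accounting and
# demographic data and never clinical data, as in the section's example.
ROLE_MENU = {
    "administrator": {"demographic": FULL, "accounting": FULL},
    "physician": {"demographic": Access.READ, "clinical": FULL | Access.VALIDATE},
    "lab_technician": {"clinical": Access.READ | Access.UPDATE},  # same-day corrections only
}

IDLE_LIMIT = timedelta(minutes=5)   # idle terminals revert to the password screen


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    audit: list = field(default_factory=list)   # audit trail shared by all sessions


def request(session, now, patient_id, category, action, entered_on=None):
    """Decide one request against the role menu and record it in the audit
    trail.  Returns True if allowed.  A session idle longer than IDLE_LIMIT
    is denied and logged as a time-out."""
    if now - session.last_activity > IDLE_LIMIT:
        session.audit.append((now, session.user, "timeout", patient_id, category, False))
        return False
    session.last_activity = now
    flags = ROLE_MENU.get(session.role, {}).get(category, Access.NONE)
    if action == "read":
        allowed = Access.READ in flags
    elif action == "update":
        same_day = entered_on is not None and entered_on == now.date()
        allowed = Access.UPDATE in flags and (same_day or Access.UPDATE_LATER in flags)
    elif action == "validate":
        allowed = Access.VALIDATE in flags
    else:
        allowed = False
    session.audit.append((now, session.user, action, patient_id, category, allowed))
    return allowed


def irregular_access(audit, window=timedelta(minutes=10), max_patients=5):
    """Scan the audit trail for users who touch more than max_patients distinct
    records within window, or who collect three or more denials.  Returns
    {user: reason}."""
    findings = {}
    recent = defaultdict(deque)   # user -> (time, patient) events inside the window
    denials = defaultdict(int)
    for when, user, _action, patient_id, _category, allowed in sorted(audit):
        if not allowed:
            denials[user] += 1
            if denials[user] >= 3:
                findings.setdefault(user, "repeated denied requests")
            continue
        q = recent[user]
        q.append((when, patient_id))
        while when - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) > max_patients:
            findings.setdefault(user, "many distinct records in a short period")
    return findings


def demo():
    """Constructed activity: a clerk, a physician, a lab technician, and one
    account that reads far more records than a consultation would need."""
    t0 = datetime(1993, 7, 31, 9, 0)
    audit = []
    clerk = Session("a.clerk", "administrator", t0, audit)
    doctor = Session("dr.lee", "physician", t0, audit)
    tech = Session("t.ray", "lab_technician", t0, audit)
    m = timedelta(minutes=1)
    old = t0.date() - timedelta(days=3)
    out = {
        "clerk_reads_accounting": request(clerk, t0, "P001", "accounting", "read"),
        "clerk_reads_clinical": request(clerk, t0 + m, "P001", "clinical", "read"),
        "doctor_updates_old_note": request(doctor, t0 + m, "P001", "clinical", "update", old),
        "tech_corrects_same_day": request(tech, t0 + m, "P002", "clinical", "update", t0.date()),
        "tech_updates_later": request(tech, t0 + 2 * m, "P002", "clinical", "update", old),
        "doctor_after_idle": request(doctor, t0 + 20 * m, "P001", "clinical", "read"),
    }
    browser = Session("n.curious", "physician", t0, audit)
    for i in range(8):
        request(browser, t0 + timedelta(seconds=30 * i), f"P{100 + i}", "clinical", "read")
    out["flagged"] = irregular_access(audit)
    return out
```

The audit scan is deliberately simple: a browsing pattern (many distinct patients in a short window) and repeated denials are the two signals the section mentions for detecting improper behaviour by legitimate as well as nonlegitimate users. A production system would add the login and authentication events to the same trail and tune the window and thresholds per role.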
Smart Cards

A smart card is a credit card-sized device containing one or more integrated circuit chips, which perform the functions of a microprocessor,11 memory, and an input/output interface. Smart cards can perform two major roles:

1. they can provide a medium for storing and carrying personal information; and
2. they can process information that enhances the security of many online computer systems, thus acting as a means for accessing information in a network of computers.12

Definitions of what constitutes a smart card differ. Generally, a smart card encompasses off-line technology that is able to activate devices at the point of use. The traditional smart card, invented in 1974, is embedded with a microchip, which allows it to exchange information with a computer. The super smart card is battery-powered, contains a keyboard and display, and has a 64K EEPROM (Electrically Erasable Programmable Read Only Memory)13 reprogrammable memory chip and microprocessor for internal power.14

The smart card reader/writer device is also a major component of the smart card system. The main purpose of the reader/writer device is to provide a means for passing information from the smart card to a larger computer and for writing information from the larger computer into the smart card. The reader/writer device provides power to the smart card and physically links the card's hardware interface to the larger computer. Since the smart card's microprocessor can control the actual flow of information into and out of the card's memories, the reader/writer device's role may be minimal. Some smart card systems incorporate reader/writer devices that perform calculations and other functions. It is generally the smart card itself that determines if and when data will be transferred into and out of the smart card's memories.

SMART CARDS AS A MEANS OF INFORMATION STORAGE.15

The capacity of smart cards to store information has increased to 800 printed pages.
In addition to this expansive memory, the smart card can ensure that the information stored in its memory is secure. The memory of a smart card can be divided into several zones, each with different levels of security and requirements for access, as required for a specific application. The smart card microprocessor and its associated operating system can keep track of which memory addresses belong to which zones and the conditions under which each zone can be accessed (see figures 3-1 and 3-2).

A confidential zone could be used to store an audit trail listing all transactions, or attempted transactions, made with the card. The confidential zone could have a password known only to the card issuer, who could examine the history of the card for evidence of misuses of the system. To prevent any attempts to modify the card's audit trail, the confidential zone could have a read-only access restriction, so that the system could write to the zone, but information could not be changed from the outside.

A usage zone could be used for storage of information that is specific to the smart card application and that requires periodic updates and modification. For example, the date of the card bearer's last access to the host computer or the amount of computer time used could be stored in the usage zone. Depending on the sensitivity of the data, a password could be required for this zone. The usage zone could have both read and write access protected by a password.

A public zone could hold nonsensitive information, such as the card issuer's name and address. The public zone could have read-only access, without a password.

Crucial secret information can be maintained in separate protected memory locations through the use of the smart card's memory zones.
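The zone model above, with the access condition the chapter gives for each zone, and the card-side authentication use discussed later in this chapter (a key in the secret zone that only the card's own processor ever uses) can be shown together in one small simulation. This is an added example, not code from the report or from any card system it describes. HMAC-SHA256 stands in for the card's cipher (the chapter mentions DES implementations on cards); the zone contents, PIN, issuer password and key are constructed, and the three-failure PIN block is an assumption typical of such cards rather than something the report specifies.

```python
"""Added example, not from the OTA report: a model of the smart card memory
zones described in the chapter (public, usage, confidential, secret) with the
access condition given for each, plus the challenge-response use of a key
that never leaves the secret zone.  HMAC-SHA256 stands in for the card's
cipher; zone contents, PIN, issuer password and the PIN retry limit are
constructed assumptions."""
import hashlib
import hmac
import secrets


class AccessDenied(Exception):
    pass


class SmartCard:
    """The card decides every access; the reader/writer only relays requests."""

    def __init__(self, issuer_password, bearer_pin, auth_key):
        self._issuer_password = issuer_password
        self._bearer_pin = bearer_pin
        self._pin_ok = False
        self._pin_failures = 0
        self._zones = {
            "public": {"issuer": "Constructed Health Plan, 1 Example St."},
            "usage": {"last_host_access": None, "cpu_seconds": 0},
            "confidential": [],                 # audit trail, append-only from outside
            "secret": {"auth_key": auth_key},   # usable only by the card itself
        }

    def _log(self, event, outcome):
        self._zones["confidential"].append((event, outcome))

    def present_pin(self, pin):
        """Bearer authentication; three consecutive failures block the card."""
        if self._pin_failures >= 3:
            self._log("pin", "blocked")
            return False
        ok = hmac.compare_digest(pin, self._bearer_pin)
        self._pin_failures = 0 if ok else self._pin_failures + 1
        self._pin_ok = ok
        self._log("pin", "ok" if ok else "fail")
        return ok

    def read(self, zone, password=None):
        if zone == "public":                      # read-only, no password
            return dict(self._zones["public"])
        if zone == "usage" and self._pin_ok:      # bearer PIN required
            return dict(self._zones["usage"])
        if zone == "confidential" and password is not None \
                and hmac.compare_digest(password, self._issuer_password):
            return list(self._zones["confidential"])   # issuer password required
        self._log(f"read {zone}", "denied")       # every attempt on the secret zone lands here
        raise AccessDenied(zone)

    def write(self, zone, key, value):
        """Only the usage zone is externally writable, and only after the PIN."""
        if zone != "usage" or not self._pin_ok:
            self._log(f"write {zone}", "denied")
            raise AccessDenied(zone)
        self._zones["usage"][key] = value
        self._log("write usage", "ok")

    def respond(self, challenge):
        """Prove possession of the secret key without revealing it."""
        if not self._pin_ok:
            self._log("auth", "denied")
            raise AccessDenied("secret")
        self._log("auth", "ok")
        return hmac.new(self._zones["secret"]["auth_key"], challenge, hashlib.sha256).digest()


def host_authenticate(card, host_key_copy):
    """Host side: a fresh random challenge, checked against its own key copy."""
    challenge = secrets.token_bytes(16)
    expected = hmac.new(host_key_copy, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(challenge), expected)


def _attempt(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except AccessDenied:
        return "denied"


def demo():
    key = secrets.token_bytes(32)
    card = SmartCard("issuer-secret", "1234", key)
    out = {"public_issuer": card.read("public")["issuer"]}
    out["usage_before_pin"] = _attempt(card.read, "usage")
    out["wrong_pin"] = card.present_pin("0000")
    out["right_pin"] = card.present_pin("1234")
    card.write("usage", "last_host_access", "1993-07-31")
    out["usage_after_pin"] = card.read("usage")["last_host_access"]
    out["authenticated"] = host_authenticate(card, key)
    out["secret_read"] = _attempt(card.read, "secret")
    out["audit_tamper"] = _attempt(card.write, "confidential", "entry", "forged")
    trail = card.read("confidential", "issuer-secret")
    out["denials_logged"] = sum(1 for _, outcome in trail if outcome == "denied")
    return out
```

The point of the secret zone is visible in respond(): the host learns only a MAC over its own random challenge, so the key is never transmitted, and a terminal that has been tampered with gains nothing it can replay. Every refused attempt, including the attempt to read the secret zone and the attempt to overwrite the audit trail, ends up in the confidential zone for the issuer to review.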
It may also be possible to produce a smart card that would ensure that the entire secret zone will be destroyed if any attempt is made to access the data in that zone; information located in that zone could be used only by the microprocessor itself. Information such as passwords, cryptographic keys, and other information which should never be readable outside of the smart card could be located here. The smart card's capacity for distinct memory zones also allows for the allocation of separate memory zones for individuals so that, for example, only the card bearer could access the usage zone, and only the card issuer could access the confidential zone.

Care providers would be equipped with a reader, microcomputer, and necessary software. Each provider would be given an accreditation card to gain access to the smart card of patients. This card defines the zones to which access is allowed. A Personal Identification Number (PIN) would also have to be entered before the smart card could be accessed (like those used by bank automatic teller machines and credit cards).

SMART CARDS AS A MEANS OF ACCESS CONTROL

A smart card can be used as part of an access control system to protect sensitive data. Appendix A discusses generally the basic access control concepts of cryptography, user authentication, and device authentication. A smart card can be used to perform the encryption operations needed for authentication rather than a cryptographic device attached to (or inside of) a terminal (see figure 3-3). A smart card is intended to remain in the possession of its sole user, who is responsible for its protection, as opposed to a cryptographic device kept at the site of the terminal, which may be vulnerable to tampering. The cryptographic operations performed by a smart card are believed to possess the potential to improve security. In addition, the smart card is capable of encrypting short strings of data used in authentication procedures.
Several encryption algorithms are currently available in smart cards and implementations of the Data Encryption Standard have been developed for smart cards.

SMART CARD AS A CARRIER OF MEDICAL DATA

The concept of a patient card and the portable medical record was originally born in the 1970s, but it took several years, until the mid 1980s, to implement the operation.16 The frequently used definition of a patient card is:

. . . a plastic card of credit-card size upon which is printed legible information; it may also carry part or all of the patient's medical record in micro or digital form. A card that carries only medical information is referred to as a "dedicated" patient card. Non-dedicated cards may carry insurance information, financial or credit data, educational data, etc., in combination with medical information.17

Several countries are currently attempting to implement such a health care card (see box 3-A on the French Smart Card System for Health Care). In Australia, proposals for implementation of such a system provide that:

Patients will be able to elect to have a life-long health care record in electronic form, which will contain a summary of all relevant health care information from the date of birth until death. Included will be entries from general practitioners, specialists and consultants, radiologists, laboratories, nursing care, hospitals, physiotherapists, psychologists, occupational therapists, dental care etc. The total record will be carried by the patient on a "Health Card" the size of a plastic credit card. Copies will also be kept by the last doctor seen and by a "national back-up service" (a non government organization) which will maintain a network of back-up centers throughout the country.
This electronic record will have several levels of security restriction which will control who will have access to what part of each encounter.18

In the Australian approach, the smart card will collate all patient information--administrative, hospital, and doctor related records. Pilot projects have been implemented in France, Great Britain,19 Sweden, and Italy, which use the smart card in a different manner, storing limited kinds and amounts of information (see box 3-B). In the United States, card systems are proposed as one solution to the need to contain costs, streamline paperwork, and increase availability of health care services.20

Smart card technology is often cited as a possible solution to the problem of privacy in computerized medical data. In lieu of a computerized, central database, or a linked network of information, smart cards would allow individual patients to maintain their own medical records, and would empower the patient with the ability to consent to any access to the data by authorization of access to the card. The smart card, as a patient-borne record, would represent a distributed database with the advantage that real-time access to information is available only with the informed consent of the patient (with the exception, probably, of emergency information).21 This is contrasted with the acknowledged risk of computer network penetration by the determined "hacker" who, if successful, could have access to thousands, even millions, of clinical records. The restriction of access to different kinds of data of different levels of sensitivity enabled through use of security codes arguably heightens the patient's personal control over the data.22

However, critics of such a system cite shortcomings of the card's ability to protect patient privacy in medical information.
Concerns have been raised about patient compliance with carrying the card.23 The proposed solution to such compliance problems is the creation of a back-up database containing the patient information, such as that proposed in the Australian plan (see discussion on pages 58-61).24 Such a database would, arguably, present many of the same problems as an online computerized system. Others have noted that while the smart card allows for control over the information while it is in the patient's possession, it is entirely possible that the patient will not know the nature of the information he or she is carrying.25 In addition, without further laws to the contrary, the carrier of the patient card could be completely dependent on the judgment of health care administrators to determine what information should be accessed by which health care provider, insurer or other third party.26 Concerns remain, also, about security of information at the host.27 Yet another concern is that patients will not want information about psychic and mental diseases, AIDS tests, abortions, venereal diseases, or genetic anomalies recorded on the card. As a result, there is concern about whether a smart card will contain a comprehensive medical record, or an abbreviated version of the record with its attendant limitations.

Some also contend that, while the patient data serves to document the process of patient care, it would be inappropriate to eliminate the hospital or office-based record of care because that record is also part of the process information of the health care provider. The proposed 1994 Accreditation Manual for Hospitals released by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) emphasizes the ever-increasing role of information in patient care processes as a way of measuring the quality and efficiency of health care delivery.
Given this scenario, the card would more likely serve as the patient's personal copy, or would serve as an access control tool, but would not be the sole source of patient information.28 From the standpoint of health care research, questions remain as to what extent this system would hinder epidemiologists' efforts to examine the course of diseases through access to medical records.29 Still others indicate their uneasiness with a system of identification cards containing large amounts of personal information to be carried by individuals, and the implications such a system may have for a large scale national identification card system.30

UNIQUE PATIENT IDENTIFIER

Proposals for establishing a unique patient identifier have been the subject of much discussion. Proponents of the computerized patient record recommend the use of a unique patient identifier that is assigned to the patient at birth and remains permanently throughout the patient's lifetime. Theoretically, an identifier might allow appropriate information exchange between approved parties in the course of delivery of health care, and may ensure that accessed, entered or altered records correspond to the proper patient. The assignment of such a unique number might also prevent problems of fraud and forgery in the reimbursement process. It could also facilitate linkage of information for administrative, statistical, and research purposes.
A variety of systems for assigning such a number have been proposed, including some combination of parts of the Social Security number, segments of the patient's name, digits from the patient's date of birth, and the latitude and longitude coordinates of the patient's place of birth, or place of issuance of the number.31 The most often mentioned, and what is often argued to be the most expeditious solution, is the use of the Social Security number itself.32 While recogniz- ing that problems exist in the assignment of the Social Security number while avoiding duplica- tion and preventing forgery, many see this estab- lished system of a unique number for individuals to be the most efficient and cost effective way of dealing with the problem of the unique patient identifier.33 In spite of the ease with which proponents believe that such a system might be put in place, and the advantages of such a system to facilitate record linkages that might permit improved delivery of health care and reimbursement, pri- vacy advocates strongly criticize the proposal.34 Concerns about the proliferation of the use of the Social Security number for purposes unrelated to the administration of the Social Security system, and the power of the number to act as a key to uncovering and linking a vast amount of informa- tion held both by the government and private companies,35 have been voiced by many in a variety of contexts. Following passage of the Social Security Act in 1935, the narrowly drawn purpose of the Social Security number was to provide the Federal government with means of tracking earnings to determine the amount of social security taxes to credit to each worker's account. 
Over the years, however, the use of the number as a convenient means of identifying people has grown, so that the Social Security number has been used by government agencies and the private sector for other purposes.36 As a result of this expanded use of the Social Security number, the number now facilitates the ability of large institutions to compare databases. It allows outsiders (including private detectives, computer hackers, or other strangers) to move from database to database, from credit bureau to insurance company to grocery store to publisher, to find out detailed marketing, financial, and medical information about an individual, so that a very detailed dossier on the individual can be created. The Court of Appeals for the Fourth Circuit in Greidinger v. Davis37 noted that since the passage of the Privacy Act, an individual's concern about his Social Security number's confidentiality and misuse has become more compelling. The court discussed at some length the potential financial harm that can result from the number falling into the hands of an unscrupulous individual. At least as important, however, is the court's recognition that other illegal uses of the number include "unlocking the door to another's financial re- cords, investment portfolios, school records, fi- nancial aid records, and medical records."38 While the adoption of any patient identification number should be carefully considered, use of the Social Security number as a unique patient identifier presents special privacy problems. Proposals to adopt the Social Security number, as opposed to some other unique patient identifier, should be closely scrutinized and alternative proposals considered as decisions are made about computerization of medical information. Proponents of the use of such an identifier believe that, if appropriate safeguards are used, the integrity of the Social Security number can be maintained. 
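The linkage risk described above, and the "health purposes only" restriction that the Ontario legislation discussed next aims at, can be shown concretely. The following Python program is an added illustration written for this page, not code from the OTA report or from any of the proposals it cites. It builds three constructed record sets (a credit bureau, an insurer and a hospital, with made-up numbers), joins them on the shared Social Security number, and then replaces that number with a per-sector pseudonym derived with a keyed hash (HMAC-SHA256). The sector keys, record fields and function names are this example's own assumptions, and the keyed-hash construction is one simple way to obtain an identifier usable within one sector only; it is not the encryption scheme that any cited proposal specifies.

```python
import hashlib
import hmac

# Constructed sample records, keyed by Social Security number (SSN) as the
# chapter describes. None of these values belong to real people.
CREDIT_BUREAU = [
    {"ssn": "123-45-6789", "name": "A. Example", "credit_score": 710},
    {"ssn": "987-65-4321", "name": "B. Sample", "credit_score": 640},
]
INSURER = [
    {"ssn": "123-45-6789", "diagnosis": "hypertension"},
    {"ssn": "555-00-1111", "diagnosis": "asthma"},
]
HOSPITAL = [
    {"ssn": "123-45-6789", "admission": "1993-04-02"},
]


def link_on_shared_key(left, right, key="ssn"):
    """Join two holders' records on a common identifier.

    With a universal key such as the SSN this is the database-to-database
    linkage the chapter warns about: one lookup joins financial and
    medical facts about the same person.
    """
    index = {rec[key]: rec for rec in right}
    return [dict(rec, **index[rec[key]]) for rec in left if rec[key] in index]


def sector_pseudonym(ssn, sector_key):
    """Derive a sector-specific identifier from the SSN with HMAC-SHA256.

    sector_key is a secret held by one sector (e.g. health) only. A keyed
    MAC, not a plain hash, is required: the SSN space is only about 10^9
    values, so an unkeyed digest could be reversed by exhaustive search.
    Assumed construction for illustration, not the AHIMA or Ontario scheme.
    """
    return hmac.new(sector_key, ssn.encode(), hashlib.sha256).hexdigest()[:20]


def pseudonymize(records, sector_key):
    """Return copies of the records with the SSN replaced by a sector pseudonym."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["id"] = sector_pseudonym(rec.pop("ssn"), sector_key)
        out.append(rec)
    return out


def demo():
    """Return (cross-sector links on SSN, cross-sector links on pseudonyms,
    within-health links on pseudonyms) for the constructed data."""
    # 1. Shared SSN: the credit bureau and the insurer join trivially.
    cross_sector = link_on_shared_key(CREDIT_BUREAU, INSURER)

    # 2. Sector-specific keys (constructed; real keys would be random and
    #    kept under strict control): the same join now finds nothing ...
    health_key, credit_key = b"health-sector-secret", b"credit-sector-secret"
    blocked = link_on_shared_key(
        pseudonymize(CREDIT_BUREAU, credit_key),
        pseudonymize(INSURER, health_key),
        key="id",
    )

    # 3. ... while two health-sector holders sharing one key still link
    #    records for treatment, reimbursement and epidemiology.
    within_health = link_on_shared_key(
        pseudonymize(HOSPITAL, health_key),
        pseudonymize(INSURER, health_key),
        key="id",
    )
    return len(cross_sector), len(blocked), len(within_health)


if __name__ == "__main__":
    print(demo())  # (1, 0, 1)
```

The secrecy of the sector key is what stops an outsider from regenerating the identifier from a Social Security number they already hold; the same property means that whoever holds the key can link every record in that sector, so the key needs the kind of controls the chapter asks of the host system itself.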
One suggestion is use of encryption to protect the number.39 Others argue that the solution to the problems presented by use of the Social Security number is not to devise an alternative system, but to create and enforce a policy that addresses the abuses to which the number may be subject.40

The experience of Ontario, Canada with unique patient identifiers in delivering health care benefits is useful.41 All Canadian provinces have some type of health identification number. While some are permanent numbers, some change in the course of an individual's lifetime. Only the province of Prince Edward Island uses the Federal social insurance number, a number akin to the Social Security number in the United States, for health purposes. Ontario introduced a system of unique, lifetime, 10-digit health numbers for all individuals in 1990. Privacy advocates in Ontario wanted to ensure the use of the new numbers for health-related purposes only, and to prevent their emergence as a universal unique identifier for residents of the province, as they believed had been the case with the social insurance number.42 In response to these concerns, the Ontario legislature enacted the Health Cards and Numbers Control Act, which specifies that "no person shall require the production of another person's health card or collect or use another person's health number." The numbers can be used to provide health resources funded by the province and for "purposes related to health administration or planning or health research or epidemiologic studies."43

STANDARDS FOR COMPUTERIZED MEDICAL INFORMATION

According to the IOM, in order to implement a computerized system for health care information, three kinds of standards must be developed: content, data-exchange, and vocabulary; patient data confidentiality; and data and system security.44 It is believed that these are necessary for transmitting complete or partial patient records, and that they are essential to the aggregation of information from many sources, either for longitudinal records for individual patients or for databases of secondary records to be used for research or epidemiologic purposes.

Content standards are to provide a description of the data elements that will be included in automated medical records, with the intent that uniform records will be produced no matter where or in what type of health care setting the patient is treated. Data-exchange standards are formats for uniform and predictable electronic transmission of data, establishing the order and sequence of data during transmission. Vocabulary standards establish common definitions for medical terms and determine how information will be represented in medical records. These standards are intended to lead to consistent descriptions of a patient's medical condition by all practitioners.45 Currently, the terms used to describe the same diagnosis and procedures sometimes vary. Data and system security standards are to ensure that patient data are protected from unauthorized or inadvertent disclosure, modification, or destruction. Health care providers, hospital administrators, researchers, policymakers, and insurers must agree on common levels of data protection before they can benefit from the widespread use of automated patient information.46

Two kinds of standards must be developed for the content of computer patient records. One is a minimum data set that applies to all computer patient records; the second is content standards for specific kinds of computer patient records. Establishment of these standards would allow effective use of the patient record data by clinical and nonclinical users because record content would be consistent among various institutions and practitioners. There is also an effort to establish a specific meaning for data elements; data elements would be used to collect the same pieces of information in all record systems. Composite clinical data dictionaries would enable users to translate data from different systems to equivalent meanings.

Standardization of medical information in both content and format is believed to be of utmost importance in establishing a computerized system. (For discussion of standard development efforts, see box 3-C.) The completeness of patients' records for subsequent users depends in part on agreement among users about uniform core data elements. Without such uniformity, what one patient-record user views as complete data may be considered incomplete by another. Data completeness implies that systems will accommodate the currently expected range and complexity of clinical data and that they will permit new data fields to be added and obsolete data to be identified. Standardization of medical information facilitates gathering, exchanging, and transmitting data. The combined effect of data compatibility provided by standards, coupled with networked computer information systems and the capacity to maintain enormous databases of personally identifiable information, presents tremendous challenges to privacy.

While progress in development of standards in any of these categories is limited, efforts to develop security and confidentiality standards are in their early stages.47 Although there is general agreement that this issue is critical, only one of the four standard-setting organizations is addressing this topic. Work began in November 1991, and an early draft of the standards is being developed. The progress and decisions of standard-setting organizations that are establishing minimum standards for confidentiality deserve careful examination, so that technology can best serve the protection of privacy.

The discussion of standardization of computerized medical information includes the issue of patient record content, i.e., what information constitutes the patient's record. Standardization of the patient record content would allow health care practitioners, third-party payers, and secondary users of medical data to know what information would be available for patients under their care. Physicians and other medical personnel would know what personal identification, clinical and other data would be available for making medical decisions, even on a patient's first visit, or if an emergency situation arose. Third-party payers could process claims faster on the basis of standard and readily available medical, financial and administrative forms and information. Secondary users of medical data, such as researchers, utilization review committees, and public health workers, could anticipate the nature of the information available for research and policy decisions.

The nature and scope of the medical record highlight the question "what is medical information."48 The paper record is currently a repository for a wide array of information, including:

o the patient's name, address, age, and next of kin; names of parents;
o date and place of birth;
o marital status;
o religion;
o history of military service;
o Social Security number;
o name of insurer;
o complaints and diagnosis;
o medical, social and family history;
o previous and current treatments;
o inventory of the condition of each body system;
o medications taken now and in the past;
o use of alcohol and tobacco;
o diagnostic tests administered; and
o findings, reactions, and incidents.49

Some argue that the record should include a tremendously broad range of information: demographic, environmental, clinical, financial, employment, family history, health history. Such an inclusive record would ensure the ready availability of information to health care workers and researchers. It would also, they argue, place all such information under the umbrella of whatever legal protections are afforded to medical records and information.50 The response to this argument is that accumulation and storage of so much personal information would lead only to a greater chance for abuse as well as access to information by persons who do not really have a legitimate need to know.51 While plans exist to compile a "womb to tomb" longitudinal record, including all information from pre-birth to death, some advocate data destruction after an appropriate period of time. Medical information necessary to treat certain conditions can be reconstructed adequately to assure good quality medical care, they believe, so that massive amounts of highly personal and sensitive information need not be warehoused throughout the patient's lifetime. This approach, they believe, balances the medical "need-to-know" with the privacy interests of the patient.52 The decisions of organizations charged with establishing standards for patient record content deserve special scrutiny, as the medical record would be a significant subject for any legal protection of medical information.

INFORMED CONSENT TO DISCLOSURE OF INFORMATION

Because of the sensitive nature of health care information, physicians generally must obtain patient consent before disclosing patient records to third parties.53 The theory of informed consent to release of information originates in the concept of informed consent to medical treatment. Medical and research codes, as well as Federal regulations, have traditionally emphasized the elements of disclosure, voluntariness, comprehension, and competence to consent.54 For there to be informed consent to medical treatment, the act of consent must be genuinely voluntary, and there must be adequate disclosure of information to the patient about what is to be done. Patients must comprehend what they are being told about the procedure or treatment, and be competent to consent to the procedure.55

On the basis of this model, if informed consent requires communication of information and comprehension by the patient of what he or she is being told, informed consent to disclosure of medical information is arguably possible only when patients are familiar with the data contained in their records, so that they understand what they are consenting to disclose. Because many patients are neither granted access to their medical records, nor apprised of which portions of the record are accessible to others, most patients are ill-equipped to make intelligent choices about authorizing disclosures.56

The general rule is that the owner of the paper on which the medical record is maintained is the "owner" of the record.57 Some States have statutes that specify that health care facilities own the medical records in their custody. At the same time, physicians, even if not covered by statute, are considered the owners of the medical records generated by them in their private offices. However, ownership of a medical record is a limited right that is primarily custodial in nature. Licensing statutes and statutes governing contracts (e.g., health insurance contracts) place limits on the right of ownership in the record. Moreover, the information contained in the record is often characterized as the patient's property.58

Early in the twentieth century, when sole practitioners dominated the medical profession, the typical medical record consisted of a ledger card noting the date of visit, the course of treatment, and the fees charged. The specialization of health care, the rise in clinical and outpatient care, and increased patient mobility have fostered greater interaction between the average individual and the health care system. In addition, the decline of the long-term, one-on-one physician-patient relationship made necessary more comprehensive medical records to provide continuity and communication within the medical community. The use of the medical record as a general source of information for decisions and control in nontreatment contexts also has proliferated. Access to the medical record has become vital to institutions which once had a marginal interest--but no legitimate need--for such personal information. Further, the medical record has assumed primary importance in Federal Government-mandated medical community audits of physician competency and performance and in insurance company assessments of an applicant's eligibility for health and life insurance. The medical record plays a role in insurance claims processing and in public and private efforts to detect medical fraud. Private employers, educational institutions, credit investigators, and law enforcement agencies also use personal medical information. Advances in information technology have matched this rising demand for medical records. It is this pervasiveness of disclosure and the potential for new demands for information that increase the patient's need to ensure the accuracy of the information contained in his or her medical record. With a right of access to the record, patients would have an opportunity to refuse consent to the release of information, challenge the accuracy of information, or request deletion of information irrelevant to the concerns of the party requesting disclosure.59

In spite of the requests made of them to authorize disclosure of medical information for medical and nonmedical purposes, patients traditionally have been unable to inspect their own records, and laws governing patients' access to records are not universal or uniform.60 Because of the absence or limitations of these regulations, individuals are routinely denied access to their health information. This traditional lack of patient access to health records is based on the rationale that the physician, in accepting responsibility for the patient's health, needs broad discretion to withhold medical information that the physician deems harmful to the patient.61 The justification for this right on the part of the physician has been to protect patients from information that would be detrimental to their health.62 However, this approach to the patient record arguably conflicts with patient rights and autonomy.63

Traditionally, the medical rationale for withholding information in the chart has been patient psychopathology or medical paternalism. Both rationales fail to address the issue of rights. Patients have rights because they are people. If we believe in individual freedom and the concept of self-determination, we must give all citizens the right to make their own decisions and to have access to information that is widely available to those making decisions about them.64

While the majority of States grant individuals a legal right to see and copy their medical records by statute, regulation or judicial decision,65 laws regulating patient access to health records are not uniform or even universal. Federal regulations for substance abuse programs,66 "Confidentiality of Alcohol and Drug Abuse Patient Records," specifically permit individuals access to their own health records. Subpart B, Section 2.23 states: "These regulations do not prohibit a program from giving a patient access to his or her own records, including the opportunity to inspect and copy any records that the program maintains about the patient." Section 483.10(b)(2) of the new regulations for nursing facilities grants residents access to their records within 24 hours, and grants residents the right to obtain photocopies within two working days. Only 27 States have statutes requiring providers to make health records available to patients, and the majority of these statutes fall under hospital licensing acts. On the Federal level, the Privacy Act of 1974 provides for direct access to information under most circumstances.67 Indeed, the Privacy Protection Study Commission, established by the Privacy Act, recommended that, "[u]pon request, an individual who is the subject of a medical record maintained by a medical care provider, or another responsible person designated by the individual, be allowed access to that medical record including an opportunity to see and copy it."68

The American Health Information Management Association (AHIMA) has taken the position that patients should have access to the information contained in their health records. The basis for establishment of this right is so that patients can:

1. be knowledgeable about the nature of their disease or health status and understand the treatment and prognosis;
2. be educated about their health status to enable them to participate actively in their treatment process and in wellness programs;
3. provide a history of their medical care to a new health care provider;
4. ensure the accuracy of documentation in the health record with regard to diagnoses, treatment(s), and their response to treatment(s);
5. verify that the documentation in the health record supports the provider's bill for services; and
6. be informed of the nature of the information being released to third parties such as insurers, when authorizing disclosure of their health information.69

The AHIMA recommends limitations on access where patients are adjudicated incompetent, where the health care provider has determined information would be injurious to the patient or other persons,70 where State law specifically precludes access, and where minors are governed by legal constraints.71

Patient access to their medical record is seen by some as part of a broader effort to expand and regularize regimes for ensuring informed consent from health care recipients to disclosure of medical information. In addition to patient understanding of the contents of his or her medical record, some believe that individuals have a right to learn in considerable detail what will be done with their personal information at the time of initial contact with a health or medical organization or other care giver, even if many of the disclosures are mandatory.72 Some commentators suggest that patient consent forms for disclosure of information should be required to contain a check list detailing what information can be released, to whom it may be sent, for what purpose it may be used, and for what period of time.73

Today, blanket consent forms are commonly used in health care. Patients are generally asked to sign such a form upon entering the health care facility, and the form essentially states that the facility may release medical information concerning the patient to anyone it believes should have it or to certain named agencies or organizations. These agencies include insurance companies and the welfare department, and other cost and quality monitoring organizations. Usually no restriction is placed on the amount of information that may be released, the use to which these parties may put the information, or the length of time for which the consent form is valid.74

Much of the debate about what constitutes informed consent centers on how much information is enough and how much is too much. Some argue that giving persons a long list of information about potential uses of their data would be an unwieldy process, since it would involve setting out all primary and secondary uses of the information. Such a requirement, they believe, would result in administrative confusion, if individuals exercise a right to reject or accept various uses.75 Yet others recommend at minimum "a policy decision not to honor statements of unrestricted scope."76 Resolution of questions of patient access and requirements for informed consent at the outset of establishment of a computer system would enable software developers to incorporate appropriate software and access controls directly into new systems.

Alternatives to Informed Consent

Because informed consent must be voluntary, some argue that in the present health care system, and likely in future health care plans, the concept of informed consent is largely a myth and the mechanism of informed consent has no force. Medical information is most commonly required to provide health care reimbursers with sufficient information to process claims. Individuals for the most part are not in a position to forego such benefits, so that they really have no choice whether or not to consent to disclose their medical information. An alternative approach to informed consent is the notion that an individual gains access to medical benefits in exchange for reasonable use of certain medical information by the system for prescribed purposes. Once that reasonable use is determined, the system must then protect the use and the confidentiality of the information.
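Taking the check-list items discussed earlier (what information, to whom, for what purpose, for what period) as data rather than as text on a form, a system can make each disclosure decision mechanically at the time of the request, which is the kind of access control the text suggests building into new systems from the outset. The Python below is an added example written for this page, not software from any organization the report discusses. It assumes a four-field consent record, a wildcard "*" standing for the blanket form, a constructed set of "prescribed purposes" for the alternative model just described, and constructed sample requests; all names, categories and dates are illustrative.

```python
from dataclasses import dataclass
from datetime import date

# Purposes the system is presumed entitled to without a per-request consent,
# under the "reasonable use for prescribed purposes" alternative (constructed set).
PRESCRIBED_PURPOSES = frozenset({"treatment", "claims processing"})


@dataclass(frozen=True)
class Consent:
    """A signed consent form reduced to the four check-list items."""
    categories: frozenset   # what information may be released
    recipients: frozenset   # to whom it may be sent
    purposes: frozenset     # for what purpose it may be used
    valid_until: date       # for what period the form is valid


@dataclass(frozen=True)
class DisclosureRequest:
    category: str
    recipient: str
    purpose: str
    requested_on: date


# The blanket form in use today: any information, anyone the facility
# believes should have it, any use, no expiry. "*" is this example's wildcard.
BLANKET = Consent(frozenset({"*"}), frozenset({"*"}), frozenset({"*"}), date.max)


def _covers(allowed, value):
    return "*" in allowed or value in allowed


def evaluate(consent, req):
    """Check one disclosure request against a consent form.

    Returns (allowed, reason). Every check-list item must cover the request;
    the reason string is suitable for recording in an audit trail.
    """
    if req.requested_on > consent.valid_until:
        return False, "consent form has expired"
    if not _covers(consent.categories, req.category):
        return False, f"category {req.category!r} not covered by consent"
    if not _covers(consent.recipients, req.recipient):
        return False, f"recipient {req.recipient!r} not named in consent"
    if not _covers(consent.purposes, req.purpose):
        return False, f"purpose {req.purpose!r} not consented"
    return True, "within consented scope"


def evaluate_prescribed_use(consent, req):
    """The alternative model: a prescribed purpose needs no per-request consent;
    anything else is an extraordinary use and falls back to the signed form."""
    if req.purpose in PRESCRIBED_PURPOSES:
        return True, f"prescribed purpose {req.purpose!r}"
    allowed, reason = evaluate(consent, req)
    return allowed, f"extraordinary use: {reason}"


# Constructed scenario: a scoped form signed for one insurer's claims, one year.
SCOPED = Consent(
    categories=frozenset({"diagnosis", "treatment"}),
    recipients=frozenset({"insurer"}),
    purposes=frozenset({"claims processing"}),
    valid_until=date(1994, 6, 30),
)
REQUESTS = {
    "claim": DisclosureRequest("diagnosis", "insurer", "claims processing", date(1993, 9, 1)),
    "employer": DisclosureRequest("diagnosis", "employer", "employment screening", date(1993, 9, 1)),
    "psych": DisclosureRequest("psychiatric notes", "insurer", "claims processing", date(1993, 9, 1)),
    "stale": DisclosureRequest("diagnosis", "insurer", "claims processing", date(1995, 1, 1)),
}


def decisions(consent):
    """Map each constructed request name to its allow/deny decision."""
    return {name: evaluate(consent, req)[0] for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, "scoped:", evaluate(SCOPED, req), "blanket:", evaluate(BLANKET, req))
```

The scoped form permits the insurer's claim and refuses the employer, the psychiatric notes and the out-of-date request, each with a stated reason; the blanket form refuses nothing, which is the concern the text raises about forms of unrestricted scope. Under the prescribed-use alternative the claim needs no consent at all and the form is consulted only for extraordinary uses, so the burden of protecting the information moves from the form onto the system's own controls.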
Informed consent would then be required of individuals only when information about them were to be put to some extraordinary use. 1. Gretchen Murphy, "System and Data Protection," Aspects of the Computer Based Patient Record, Marion J. Ball, Morris F. Collin, eds., (New York, NY: Springer-Verlog, 1992). 2. Wide linkage of computer systems has already been accomplished between financial institutions, allowing for, among other things, electronic funds transfer, and immediate, onsite verification of credit eligibility. 3. Suggestions have been made that the smart card might contain certain critical pieces of information, e.g., patient identification, special conditions or allergies, the name and phone number of the patient's primary physician, as well as act as an access control device. 4. Some commentators suggest that the fundamental question may be whether individual privacy in medical information is an absolute right, one not subject to a utilitarian balancing approach. That perspective suggests the more difficult issue, whether personal medical information should even be entered into a national computer system, regardless of the safeguards put in place. Gerry D. Lore, Associate Vice President and Director, Government Affairs, Hoffman LaRoche Inc., personal communication, April 1993. 5. Robert H. Courtney, "Considerations of Information Security for Large Scale Digital Libraries," contractor paper prepared for the Office of Technology Assessment, Mar. 27, 1993. 6. S. 4, Title VI - Information Infrastructure and Technology, introduced before the 103d Congress, sets forth applications of such a network for health care. 
These include networks for linking hospitals, clinics, doctors' offices, medical schools, medical libraries, and universities; software and visualization technology for visualizing the human anatomy and analyzing x-ray, CAT scan, PET scan imagery; virtual reality technology for simulating surgery and other medical procedures; collaborative technology to allow several health care providers in remote locations to provide real-time treatment to patients; database technology to provide health care providers with access to relevant medical information and literature; database technology for storing, accessing and transmitting patients' medical records while protecting the accuracy and privacy of the records. (Corresponding bill introduced before the House of Representatives, H.R. 1757.) 7. W. Ed. Hammond, "Security, Privacy and Confidentiality: A Perspective," Journal of Health Information Management Research, vol. 1, No. 2, fall/winter 1992, pp. 1-8. 8. Ibid. Harvard Community Health Plan, for example, restricts, among other things, certain kinds of narrative mental health data (notes, dictation, free text) in this manner. 9. Some organizations implement a policy whereby people who have not properly logged out of a system will be held responsible for improper access to data. 10. Audit trails only detect breaches in security "after the fact;" there must be a specific policy in place that such trails are regularly checked in order for them to be effective. 11. The microprocessor is the component which distinguishes a smart card from cards designed to simply store data. The microprocessor and its operating system enables the smart card to "make decisions" about where it will store data in its memories and under what circumstances it will transfer data through its input/output interface. 12. Smart cards and access technologies are only one part of an overall computer security program. For a discussion of computer security measures, see app. A. 13. 
EEPROM is a memory that can be electrically erased and reprogrammed via a reader/writer device at the user's facility. 14. Other cards not generally characterized as smart cards include magnetic stripe cards, which can store about 800 bits (100 bytes) of information. These are largely used as banking cards. High- density magnetic stripe cards are in the development stage. Using new magnetic materials, these cards would be able to carry one megabit or more. Memory cards involve the use of integrated circuits, but do not have a processor. Memory cards are often described as the immediate technological advance over magnetic stripe cards. The optical card or laser smart card is an optical memory card with laser-recorded and laser-read information that can be edited or updated and has a storage capacity of 800 printed pages. See, J.A. Reese, "Smart Cards: Microchip Technology Revolutionizes the Development of Bank Cards,"Telecommunication Journal, vol. 59, No. 3, 1992, p. 134; and "Introduction to Smart Cards" Version 1.0, Reference GGA06U10, a publication of Gemplus Card International, 1990. 15. The sections on smart cards as a means of secure storage of information and as a means of access control are derived from Martha E. Haykin and Robert B.J. Warnar, U.S. Department of Commerce, National Institute of Standards and Technology, "Smart Card Technology: New Methods for Computer Access Control," NIST Special Publication 500-157, September 1988, pp. 13-26. 16. Claudia Wild and Walter Peissl, "Patient Cards: An Assessment of a New Information Technology in Health Care," IT in Medicine, Project Appraisal, vol. 7, No. 2, June 1992, pp. 67-78. 17. Ibid. 18. Walker et al., Health Information Issues in General Practice in Australia, National Centre for Epidemiology and Population Health, Discussion paper No. 2, ANU, Canberra, 1991, cited by Simon Davies, Big Brother: Australia's Growing Web of Surveillance (Australia: Simon & Schuster, 1992), p. 54. 19. 
The Exmouth Project, conducted in Exeter, England, is discussed in Institute of Medicine, The Computer-Based Patient Record: An Essential Technology for Health Care, Richard S. Dick and Elaine B. Steen, eds., (Washington, DC: National Academy Press, 1991), pp. 78-79.
20. Major proposals before the 102d Congress concerning health care reform and involving the use of smart card technology included one by the Bush administration (originally issued as a White Paper in 1992, which discussed the issue of administrative costs and strategies to reduce them) introduced in both Houses as "The Medical and Insurance Information Reform Act of 1992" and three legislative proposals: S. 1227, "Health America: Affordable Health Care for All Americans Act," introduced by Senators Mitchell and Kennedy; H.R. 1300, "The Universal Health Care Act of 1991," introduced by Representative Russo; and H.R. 3205, "The Health Insurance Coverage and Cost Containment Act of 1991," introduced by Representative Rostenkowski. The 103d Congress introduced several new proposals, including H.R. 200, introduced by Congressman Stark, "Health Care Cost Containment & Reform Act of 1993"; H.R. 191, introduced by Congressman Gekas, "American Consumers Health Care Reform Act of 1993"; and S. 223, "Access to Affordable Health Care Act," introduced by Senator Cohen.
21. Some argue, however, that in and of themselves, smart cards could offer the technical capability to give the patient more control over medical information, but only if the medical data is completely and solely resident on the card. Sheri Alpert, "Medical Records, Privacy and Health Care Reform," prepublication draft, June 28, 1993. A version of this paper will appear in the November/December 1993 issue of The Hastings Center Report.
22. Debate continues about who may examine which zones of the card, and who may make entries on the card.
23. The card is useless if lost, forgotten, or damaged. None of the current proposals for use of the cards suggests that the medical data reside solely on the card for that reason. In addition to concerns about compliance, there is also a potential for theft and fraudulent use of the cards.
24. Each of the current proposals for implementation of an electronic card system also calls for one or more databases on the other end of the medical/insurance transaction, keeping track of every claim filed and every medical treatment administered.
25. Marc Rotenberg, Director, Washington Office, Computer Professionals for Social Responsibility, personal communication, December 1992.
26. Sheri Alpert, op. cit., footnote 21.
27. Stuart Katsky, National Institute of Standards and Testing, personal communication, Oct. 26, 1992; OTA workshop, Dec. 7, 1992.
28. Sean McLinden, GFN Healthcare, Inc., personal communication, Mar. 14, 1993.
29. Ibid.
30. David H. Flaherty, "Privacy, Confidentiality, and the Use of Canadian Health Information for Research and Statistics," Canadian Public Administration, vol. 35, No. 1, 1992, p. 80.
31. See, for example, Guide for Unique Healthcare Identifier Model, ASTM document, Apr. 29, 1993. The document is not an ASTM Standard. It is under consideration within an ASTM Technical committee but has not received all approvals required to become an ASTM Standard.
32. The proposal of the Bush administration before the 102d Congress, "The Medical and Insurance Information Reform Act of 1992," required use of the Social Security Number.
33. To change over to another system, it is argued by some, would be extremely costly. However, in testimony before the House Subcommittee on Social Security, Gwendolyn S. King, Commissioner of Social Security, discussed the potential effect on the Social Security Administration of expanded use of the SSN through proposals to make the Social Security card a national personal identifier. She stated that to issue new Social Security cards containing enhancements to make them useful for personal identification would be an "enormous and expensive undertaking. The process of verifying identities and reissuing everyone a new, more secure card would be very costly--in the range of $1.5 to $2.5 billion." (This testimony did not specifically address use of the number as a unique patient identification number.) The exact cost would depend on the security features and issuance procedures used. U.S. Congress, House Committee on Ways and Means, Subcommittee on Social Security, Hearing on the Use of the Social Security Number as a National Identifier, Serial 102-11, Feb. 27, 1991, pp. 24-25. Others suggest that implementation of a medical identification number could be accomplished on a prospective basis. Jeff Neuberger, Raysman & Milstein, New York, NY, personal communication, April 1993.
34. William M. Bulkeley, "Get Ready for Smart Cards and Health Care," The Wall Street Journal, May 3, 1993, p. B11.
35. U.S. Department of Health, Education, and Welfare, The Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens (Washington, DC: U.S. Government Printing Office, 1973), p. 121. The advisory committee warned that the use of the Social Security number as a personal identifier "would enhance the likelihood of arbitrary or uncontrolled linkage of records about people, particularly between government or government-supported automated personal data systems. . ."
36. See A. Westin and M. Baker, Databanks in a Free Society (New York, NY: Quadrangle Books, 1972), p. 399.
37. Greidinger v. Davis, Case No. 92-1571, Decided Mar. 22, 1993, p. 17. In Greidinger, the court found that the plaintiff's fundamental right to vote was substantially burdened to the extent the statutes at issue permitted the public disclosure of his Social Security number.
38. Ibid., p. 18. The court also acknowledges that its review of potential harm is not exhaustive, but highlights some instances to illustrate the egregiousness of the harm.
39. Position statement of the American Health Information Management Association on the Universal Patient Identifier, Draft as of Aug. 8, 1993. AHIMA recommends use of the Social Security Number with the addition of an encrypted confidentiality code for use initially to link a patient's records across the health care system. Access to the patient's records would require use of both the Social Security number and the confidential code. Providers would be free to use their own system of patient identification, but the records of different providers would be linked via use of the Social Security number with an encrypted confidentiality code. For the longer term, AHIMA believes a nationwide system of biometric identifiers must be implemented.
40. This policy would be part of a greater scheme in the protection of rights to privacy in personal information, whether health care information or otherwise. Sean McLinden, op. cit., footnote 28.
41. The Ontario, Canada system provides for universal access to health care benefits.
42. Privacy advocates in the United States voice similar concerns about the Social Security number becoming a de facto national identification number through the proliferation of its use in the private sector.
43. David H. Flaherty, "Privacy, Confidentiality, and the Use of Canadian Health Information for Research and Statistics," Canadian Public Administration, vol. 35, No. 1, 1992, p. 80. Flaherty asserts that, "those seeking to strengthen the health information system need to be sensitive to the risk of unique personal identifiers being used for purposes unrelated to health that may pose serious threats to the privacy of individuals." Speaking of the Canadian system he states that "provinces must be encouraged to enact legislation to restrict the use of such health identifiers to health-related purposes, in both the public and private sectors, in order to reduce public anxieties about abuse of such numbers."
44. Institute of Medicine, op. cit., footnote 19, pp. 144-145. U.S. Congress, General Accounting Office, Automated Medical Records: Leadership Needed to Expedite Standards Development. Report to the Chairman, Committee on Governmental Affairs, U.S. Senate; GAO/IMTEC-93-17 (Gaithersburg, MD: U.S. General Accounting Office, 1993), p. 8. The General Accounting Office characterizes these categories of standards similarly, as vocabulary, structure and content, messaging, and security.
45. Some commentators believe that the responsibility of establishing and maintaining a common electronic data dictionary as well as a system of unique patient identifiers should be delegated to a Privacy Protection Board. Randall Oates, American Academy of Family Practice, personal communication, April 1993.
46. Automated Medical Records: Leadership Needed to Expedite Standards Development, op. cit., footnote 44, p. 10. The report also notes that additional standards will be needed, including those for unique patient record identifiers, access procedures, encryption approaches, identification of invalid or inaccurate data, and verification of user access privileges.
47. Ibid., p. 11. At least 15 different confidentiality committees have been formed and are working on issues related to the protection of computerized records. There appears to be, however, a wide gap in the approach and scope of different groups' efforts due to a lack of consensus on appropriate confidentiality measures and national goals. "Computerization and Confidentiality," Toward an Electronic Patient Record: Updates on Standards and Developments, vol. 1, No. 6, pp. 1-8, January 1993.
48. The American Health Information Management Association defines "medical information" as any data or information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient or other record subject; and is (1) related to a patient's health care; or (2) obtained in the course of a patient's health care from a health care provider, from the patient, from a member of the patient's family or an individual with whom the patient has a close personal relationship, or from the patient's legal representative. This definition may include information beyond the confines of the patient record. In Canada, patient records usually include: all recorded information within an institution relating to the health of individual patients. This would include nurses' notes, medical orders, consultation reports, laboratory reports as well as information that is recorded on other forms such as microfilm, audio and video tape, x-ray, etc. The information relates to the state of health of a patient prior to his admission, at various stages during his stay at the institution, or during the period in which he takes treatment or care, and the opinions of those caring for or treating him relating to his state of health. It also relates to care and treatment provided, and the effect of that care and treatment. Under the Canadian system, the content of the medical record is prescribed by the laws of the province, by regulation and by the bylaws of health care facilities. Federal legislation, including the Narcotic Control Act and the Food and Drug Act, also affects the contents of medical records. Kevin P. Feehan, "Legal Access to Patient Health Records/Protection of Quality Assurance Activities," Health Law in Canada, vol. 12, No. 1, 1991, p. 3.
49. Robert M. Gellman, "Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy," North Carolina Law Review, vol. 62, No. 2, 1984, p. 258.
50. OTA Workshop, July 31, 1993.
51. Ibid.
52. David Flaherty, Professor of History and Law, University of Western Ontario, personal communication, January 1993.
53. According to Alexander Capron, informed consent serves several functions: 1) the promotion of individual autonomy; 2) the protection of patients and subjects; 3) the avoidance of fraud and duress; 4) the encouragement of self-scrutiny by medical professionals; 5) the promotion of rational decisions; 6) the involvement of the public (in promoting autonomy as a general social value and in controlling biomedical research). Principles of Biomedical Ethics, 2d ed., Tom L. Beauchamp, James F. Childress, eds., (New York, NY: Oxford University Press, 1983) pp. 69-70.
54. The Department of Health and Human Services has promulgated regulations for consent by human subjects in medical treatment in 4 CFR Section 46.116.
55. Principles of Biomedical Ethics, 2d ed., op. cit., footnote 53, pp. 69-70.
56. Ellen Klugman, "Toward a Uniform Right to Medical Records: A Proposal for a Model Patient Access and Information Practices Statute," U.C.L.A. Law Review, vol. 30, No. 6, 1983, p. 1362.
57. The American Medical Association has stated that the "notes made in treating a patient are primarily for the physician's own use and constitute his personal property." Bruce Samuels and Sidney M. Wolfe, Medical Records: Getting Yours (A Consumer's Guide to Obtaining and Understanding the Medical Record) (Washington, DC: Public Citizen's Health Research Group, 1992), p. 2.
58. George J. Annas, The Rights of Patients: The Basic ACLU Guide to Patient Rights, 2d ed. (Carbondale and Edwardsville, IL: Southern Illinois University Press, 1989), p. 163. Networking of information would likely challenge these concepts of ownership, as information is transmitted between practitioner, reimburser, clinic and hospital. While patients may control initial release of identifiable information, the property right in the information may become less clear as data is subsequently transmitted between parties. Kathleen A. Frawley, Director, Washington, DC Office, American Health Information Management Association, personal communication, August 1993.
59. Klugman, op. cit., footnote 56, p. 1362.
60. Bruce Samuels and Sidney M. Wolfe, op. cit., footnote 57, p. 32. See ch. 3 of this publication for an analysis of existing rules regarding access to medical records in each of the 50 States and the District of Columbia.
61. See, e.g., Wallace v. University Hospitals of Cleveland, 82 Ohio Law Abs. 257, 164 N.E. 2d 917 (1959), modified and aff'd., 84 Ohio Law Abs. 224, 170 N.E.2d 261 (Ohio App. 1960). The lower court held that "a patient has a property right in the information contained in the record and as such is entitled to a copy of it." 164 N.E.2d at 918. On appeal, the patient's right of access was limited to those records that, in the hospital's judgment, were in the "beneficial interest" of the patient to inspect. 170 N.E.2d at 261-262.
62. The usual example of detrimental information is a fatal prognosis, a diagnosis of a malignant disease or psychiatric diagnoses.
63. It also runs contrary to the findings of some commentators on this issue. See discussion in James M. Madden, "Patient Access to Medical Records in Washington," Washington Law Review, vol. 57, No. 4, 1982, p. 697, which discusses studies concluding that "even though patients were sometimes upset by what they read, they were generally comfortable with reading their records and felt better informed and more involved in their treatment." Another study concluded that patient access to the record was helpful in allaying suspicions, developing trust, and obtaining consent for treatments. Two studies, however, emphasized that knowledgeable staff should be present when patients inspect records to help interpret potentially disturbing material. The article recommends a general right of patient access to mental health records, but suggests a need to protect patients from potentially disturbing material.
64. Letter from George J. Annas, Daryl Matthews, and Leonard H. Glantz, Boston University School of Medicine and Public Health, to the New England Journal of Medicine, vol. 302, No. 26, 1980, p. 1482.
65. George Annas, op. cit., footnote 58, p. 164.
66. 42 C.F.R. Part 2.
67. The Privacy Act of 1974, P.L. 579, 88 Stat. 1896, codified as 5 U.S.C. Sec. 552a.
68. U.S. Privacy Protection Study Committee, Personal Privacy in an Information Society (Washington, DC: U.S. Government Printing Office, 1977).
69. Position Statement of the American Health Information Management Association, Chicago, IL, March 1992, p. 1.
70. This limitation is recognized by others. See James Madden, op. cit., footnote 63, 1982. The District of Columbia Mental Health Information Act takes this approach. DC Code Ann. Section 6-2076 (1981). The Act creates a general right of patient access to mental health records on request, but also provides: (1) that a mental health professional shall have the opportunity to discuss the information with the patient at the time of inspection, Id. at Section 6-2041, and (2) that information may be withheld only if the mental health professional "reasonably believes" that withholding is necessary to protect the patient from a "substantial risk of imminent psychological impairment" or to protect the patient or another individual from a "substantial risk of imminent and serious physical injury," Section 6-2042.
71. Ibid., p. 2.
72. David H. Flaherty, "Ensuring Privacy and Data Protection in Health and Medical Care," prepublication draft, p. 13.
73. Randall Oates, American Academy of Family Practice, personal communication, April 1993.
74. George Annas, op. cit., footnote 58, p. 185. Annas criticizes such general release forms as so broad and vague that the patient cannot reasonably and knowingly sign them.
75. David H. Flaherty, op. cit., footnote 72, p. 16.
76. Privacy Protection Study Committee, op. cit., footnote 68.
---------------------------------------------------
Designing Protection for Computerized Health Care Information 4
Health care workers, insurers, medical records specialists, and privacy advocates believe that as computerization of health care information proceeds, new Federal legislation is needed to protect individual privacy in that information.1 New legislation should address not only concerns about the computerized medical record, but also health care information stored in data systems. In these respects, new legislation for computerized health care information can be modeled on codes of fair information practices. However, new legislation should also anticipate the challenges that computerization of health care information presents with respect to possible new demands for data and linkages, creation of new databases, and changing technologies and requirements for computer security. Such legislation should also reflect technological capabilities to secure data and track data flow. It should provide for enforcement of these practices, and allow individuals redress for wrongful access and use of medical information, both in criminal and civil actions.
Based on an analysis of current State statutes and legislative models and initiatives, effective and comprehensive health care information legislation would have to do the following:
o Define the subject matter of the legislation, "health care information," to encompass the full range of information collected, stored, and transmitted about individuals, not simply the content of the medical record.
o Define the elements that constitute violation of health care information privacy and provide criminal and civil sanctions for improper possession, brokering, disclosure, or sale of health care information with penalties sufficient to deter perpetrators.
o Establish requirements for informed consent.
o Establish rules for educating patients about information practices; access to information; amendment, correction, and deletion of information; and creation of databases.
o Establish protocols for access to information by secondary users, and determine their rights and responsibilities in the information they access.
o Structure the law to trace the information flow, incorporating the ability of computer security systems to warn and monitor leaks and improper access to information so that the law can be applied to information at the point of abuse, not just to one "home" institution.
o Establish a committee, commission, or panel to oversee privacy in health care information.
While no single proposal or scheme for data protection adequately addresses all of the needs of a health care information protection system, many offer models on which health care information legislation might be based. This chapter examines principles of fair information practices, and their strengths and limitations in protecting privacy in computerized health care information. It then discusses specific data protection initiatives (see box 4-A and discussion below) and the applicability of their provisions to the needs of health care data protection. This discussion also includes aspects of proposals made by experts in computer privacy issues and certain legislative initiatives.
FAIR INFORMATION PRACTICES AND THE PRIVACY ACT
Proposals for protection of personal health data, whether maintained on computers or otherwise, have largely been based on a system of fair information practices.
These proposals have been suggested by such organizations as the American Health Information Management Association and the American Medical Association. The Uniform Health Care Information Act (UHCIA) and systems for treating specific kinds of health care information, such as the provisions of the Massachusetts code, are also applicable. (For a discussion of several initiatives for protection of privacy in health care information, see box 4-A. The full texts of these initiatives are in Appendix B.)
The basic principles of fair information practices were stated in Computers and the Rights of Citizens, a report published by the U.S. Department of Health, Education and Welfare in 1973. The report identified five key principles:
1. There must be no secret personal data record-keeping system.
2. There must be a way for individuals to discover what personal information is recorded and how it is used.
3. There must be a way for individuals to prevent information about them, obtained for one purpose, from being used or made available for other purposes without their consent.
4. There must be a way for individuals to correct or amend a record of information about themselves.
5. An organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for its intended use and must take reasonable precautions to prevent misuses of the data.
These principles are clearly evident in the provisions of the Privacy Act of 1974 ("Privacy Act"), which "adopts the accepted privacy principles as policy for Federal agencies." The law gives individuals the right to access much of the personal information about them kept by Federal agencies. It places limits on the disclosure of such information to third persons and other agencies.
It requires agencies to keep logs of all disclosures, unless systems of records are exempt from the Privacy Act.2
The Federal Privacy Act also gives an individual the right to request an amendment of most records pertaining to him or her if he or she believes them to be inaccurate, irrelevant, untimely, or incomplete.3 The agency must acknowledge the request in writing within 10 days of its receipt. It must promptly (no time limit is specified) make the requested amendment or inform the individual of its refusal to amend, the reasons for the refusal, and the individual's right to request a review by the agency head. If the individual requests such a review, the agency head has 30 days to render a decision. Should the agency head refuse to amend the information, the individual can file a concise statement of his disagreement with the agency decision. Thereafter, the agency must note the dispute in the record and disclose this fact, along with the individual's statement, whenever the record is disclosed.
The Federal Privacy Act further provides that the individual can pursue his disagreement, and indeed any noncompliance by an agency, with a civil suit in Federal District Court. He or she can obtain an injunction against a noncomplying agency, collect actual damages for an agency's willful or intentional noncompliance, and be awarded attorney's fees and costs if he or she "substantially prevails" in any such action. Agency personnel are criminally liable for willful noncompliance; the penalty is a misdemeanor and a fine of up to $5,000.
The Federal agencies also have a responsibility to collect only relevant information on individuals, to get the information directly from the individual whenever possible, and to notify the individual of several facts at the time the information is requested. Willful failure to comply with the notification requirement may result in civil and criminal liability.
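The record-keeping duties just described (a log of every disclosure, an amendment request acknowledged within 10 days, a 30-day review by the agency head, and a statement of disagreement that must accompany every later disclosure) are the kind of thing a record system has to implement mechanically. The following is an added illustration, not code from the OTA report or from any agency; the record, field and date values are constructed, and the class and function names are assumptions.

```python
"""Illustrative model of Privacy Act record-keeping duties: accounting of
disclosures, amendment requests with deadlines, and a dispute statement
that travels with the record. Added example; names and data are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

ACK_DEADLINE_DAYS = 10     # written acknowledgement of an amendment request
REVIEW_DEADLINE_DAYS = 30  # agency head's decision on a requested review


@dataclass
class Disclosure:
    """One line of the accounting of disclosures the individual may inspect."""
    when: date
    recipient: str
    purpose: str
    dispute_attached: bool   # was the statement of disagreement sent along?


@dataclass
class AmendmentRequest:
    filed: date
    field_name: str
    proposed_value: str
    acknowledged: Optional[date] = None
    decision: Optional[str] = None        # "amended" or "refused"
    refusal_reason: Optional[str] = None
    review_requested: Optional[date] = None
    review_decided: Optional[date] = None


@dataclass
class Record:
    subject: str
    data: dict
    disclosures: list = field(default_factory=list)
    requests: list = field(default_factory=list)
    dispute_statement: Optional[str] = None

    def disclose(self, when: date, recipient: str, purpose: str) -> dict:
        """Release a copy of the record and log the disclosure. Once a
        statement of disagreement is on file, every copy carries it."""
        payload = dict(self.data)
        if self.dispute_statement is not None:
            payload["_dispute"] = self.dispute_statement
        self.disclosures.append(
            Disclosure(when, recipient, purpose, self.dispute_statement is not None))
        return payload

    def request_amendment(self, filed: date, field_name: str, proposed: str):
        req = AmendmentRequest(filed, field_name, proposed)
        self.requests.append(req)
        return req

    def acknowledge(self, req: AmendmentRequest, when: date) -> bool:
        """Record the written acknowledgement; True if within the 10-day limit."""
        req.acknowledged = when
        return (when - req.filed).days <= ACK_DEADLINE_DAYS

    def decide(self, req: AmendmentRequest, amend: bool, reason: str = None):
        """Make the amendment, or refuse and record the reason given."""
        if amend:
            self.data[req.field_name] = req.proposed_value
            req.decision = "amended"
        else:
            req.decision, req.refusal_reason = "refused", reason

    def request_review(self, req: AmendmentRequest, when: date):
        req.review_requested = when

    def decide_review(self, req: AmendmentRequest, when: date, amend: bool) -> bool:
        """Agency head's decision; True if rendered within the 30-day limit."""
        req.review_decided = when
        if amend:
            self.decide(req, True)
        return (when - req.review_requested).days <= REVIEW_DEADLINE_DAYS

    def file_disagreement(self, req: AmendmentRequest, statement: str):
        """Allowed only after a refusal has been upheld on review."""
        if req.decision != "refused" or req.review_decided is None:
            raise ValueError("no upheld refusal to disagree with")
        self.dispute_statement = statement

    def accounting(self) -> list:
        """What the individual is entitled to discover: every disclosure made."""
        return list(self.disclosures)


def overdue_acknowledgements(record: Record, today: date) -> list:
    """Requests still unacknowledged after the 10-day limit (compliance check)."""
    return [r for r in record.requests
            if r.acknowledged is None and (today - r.filed).days > ACK_DEADLINE_DAYS]
```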
The Privacy Act also covers agencies' "systems of records" and requires an annual, nine-point report to be published in the Federal Register. The report must contain information such as categories of records maintained; their routine use; policies on their storage and retrieval; and other agency procedures relating to the use, disclosure, and amendment of records. Agencies also have extensive rule-making duties to implement each component of the law.
The Act is limited, however, in several significant ways. Some believe that a system of notification through the Federal Register is cumbersome and burdensome to the individual who, practically speaking, does not regularly review the register, so that notification is not effective. The Act also places the burden of monitoring privacy in information and redressing wrongs entirely with the individual, providing no government oversight mechanism for the system. In addition, the Act itself is limited in its application to "routine use" of the record, which refers to disclosure of records, not how the collecting agency uses those records internally. Many commentators have noted that the penalties prescribed in the Act are inadequate,4 and others comment that the Act contains no specific measures that must be in place to protect privacy, so that it cannot be used to describe what technical measures must be taken to achieve compliance.5
Fair information practices and the provisions of the Privacy Act form the bases for most initiatives to protect medical information. Characteristics common to these proposals are:
1. They pertain to personal medical information on individuals.
2. Individuals are given the right to access much of the personal information kept on them.
3. Limits are placed on the disclosure of certain personal information to third parties.
4. Health care personnel are required to request information directly from the individual to whom it pertains, whenever possible.
5. When a government entity requests personal information from an individual, laws require the individual to be notified of the authority for the collection of data, whether the disclosure is mandatory or voluntary.
6. The individual may contest the accuracy, completeness, and timeliness of his or her personal information and request an amendment.
7. The health care personnel must decide whether to amend the information within a fixed time, usually 30 days after receiving a request.
8. The individual whose request for change is denied may file a statement of disagreement, which must be included in the record and disclosed along with it thereafter.
9. The individual can seek review of a denied request.
An earlier OTA report, Electronic Record Systems and Individual Privacy (1986)6, noted that the Privacy Act of 1974 did not consider the distributed processing, sophisticated database management systems, computer networks, and the wholesale use of microcomputers that will be used for medical information. To the extent that medical information protection is based solely on the Privacy Act and principles of fair information practices, it fails to consider these developments and the complexity of current computer network technology. It is apparent that protecting personal information in a computerized environment involves, at minimum, access to records, security of information flows, and new methods of informing individuals of where information is stored, where it has been sent, and how it is being used (see box 4-A).
FEATURES OF HEALTH CARE PRIVACY LEGISLATION
Congress has acted in other areas to protect the confidentiality of nongovernmental records.
The Right to Financial Privacy Act,7 the Family Educational Rights and Privacy Act of 1974 (popularly known as the Buckley Amendment)8 to protect the privacy of records maintained by schools and colleges, the Fair Credit Reporting Act9 to protect the privacy of consumers in the reporting of credit information, and the Federal Videotape Privacy Protection Act10 all serve this purpose. In addressing concerns about the privacy of health care information through legislation, Congress may wish to make the following provisions:
Provision 1: Define the subject matter of the legislation, "health care information," to encompass the full range of medical information collected, stored, and transmitted about individuals, not simply the medical record.
"Appropriate data protection should. . .cover the entire range of personal data systems involved in health care, not just the clinical record used for primary treatment." [Emphasis added]11 This assertion reflects the broad range of identifiable personal information maintained in health care settings, including administrative, clinical, diagnostic, educational, financial, laboratory, psychiatric, psychosocial, quality control, rehabilitative, research, risk management, social service, and therapeutic records.12 To be effective, legislative protection of "health information" should address the full scope of this information.
The Ethical Tenets for Protection of Confidential Clinical Data ("Ethical Tenets") define the subject of protection, "clinical data," as including "all relevant clinical and socioeconomic data disclosed by the patient and others, as well as observations, findings, therapeutic interventions and prognostic statements generated by the members of the healthcare team." Legislative proposals, however, define health care information in different ways.
The Model State Legislation on Confidentiality for Health Care Information of the American Medical Association refers to "confidential health care information," defining it as information relating to a person's health care history, diagnosis, condition, treatment, or evaluation, regardless of whether such information is in the form of paper, preserved on microfilm, or stored in computer-retrievable form. The language of this legislation is particularly helpful because it provides that health care records be recognized by law when in electronic form.
The American Health Information Management Association's (AHIMA's) Health Information Model Legislation, while also defining "health care information" broadly, specifically refers to it as data or information, whether oral or recorded in any form or medium, that can be associated with the identity of a patient or other record subject; and--
o relates to a patient's health care; or
o is obtained in the course of a patient's health care from a health care provider, from the patient, from a member of the patient's family or an individual with whom the patient has a close personal relationship, or from the patient's legal representative.
This language acknowledges health care information in its broadest terms as being information relating to or collected in the course of a patient's health care, and does not limit it to where it resides. Arguably, health care information (beyond the contents of the medical record) located in such places as student files, pharmacy computers, public health agencies, and lawyers' offices is covered by this definition. The scope of AHIMA's proposed legislation would provide coverage to information as it flows through a complex computer network through which it is accessed by a variety of primary and secondary users.
Provision 2: Define the elements comprising invasion of privacy of health care information, and provide criminal and civil sanctions for improper possession, brokering, disclosure, or sale of health care information with penalties sufficient to deter perpetrators.
The Massachusetts law on Insurance Information and Privacy Protection provides that a person who knowingly and willfully obtains information about an individual from an insurance institution, insurance representative, or insurance-support organization under false pretenses shall be fined not more than $10,000 or imprisoned not more than 1 year, or both.
The Privacy Act provides guidelines to address the problem of information brokering and abuse of information accessed by authorized persons within a data system.13 The Act provides criminal sanctions for officers or employees of an agency who have possession of or access to records that contain individually identifiable information that may not be disclosed under the provisions of the Privacy Act. If a person discloses the material to any person not entitled to receive it, he or she is guilty of a misdemeanor and subject to a fine of up to $5,000. Similar sanctions apply when an officer or employee of an agency willfully maintains a system of records without satisfying notice requirements, or when a person requests or obtains any record of an individual from an agency under false pretenses.14
The Uniform Health Care Information Act, which has been enacted into law in Montana and Washington, provides criminal sanctions for illegally obtaining health care information. Persons obtaining health care information maintained by a health care provider by means of bribery, theft, or misrepresentation of identity, purpose of use, or entitlement to the information are guilty of a misdemeanor under the Act. Persons found guilty are subject to criminal penalties of imprisonment for not more than 1 year, or a fine not exceeding $10,000, or both.
A person presenting a false disclosure authorization form or certification to a health care provider is also guilty of a misdemeanor and is subject to similar criminal penalties. Civil recourse is available to persons harmed by the violations under the Act. The court may award damages for pecuniary losses and punitive damages if the violation results from willful or grossly negligent conduct. The court may also assess attorney's fees.
The Federal Privacy of Medical Information Bill of 1980 (which was not enacted into law) prohibited requesting or obtaining access to medical information about a patient from a medical care facility through false pretenses or theft. It imposed higher penalties on those who did so for profit or monetary gain. The bill also authorized civil suits for actual and punitive damages and equitable relief against officers and employees of Federal and State governments, by any patients whose rights had been knowingly and negligently violated.
The AHIMA Model Legislation provides that anyone who requests or obtains health care information under false or fraudulent pretenses is subject to a $10,000 fine or imprisonment for 6 months. Anyone who obtains health care information fraudulently or unlawfully and intentionally uses, sells, or transfers the information for some monetary gain is subject to fines of not more than $50,000 and imprisonment for 2 years. The AHIMA Model Legislation also provides for civil remedies and monetary penalties. Among the civil money penalties provided for is a fine of not more than $1,000,000 if it is found that violations of the provisions have occurred in such numbers or with such frequency as to constitute a general business practice.
In the discussion about health care information privacy, commentators and stakeholders indicate that for legislation to be meaningful, penalties for improper access, possession, brokering, disclosure, or sale of information must be stringent enough to deter perpetrators.15 Provisions or penalties such as those set forth in the AHIMA Model Legislation might be more likely to deter information brokers who might otherwise include fines and penalties in their cost of doing business.
Provision 3: Establish requirements for informed consent.
The Massachusetts law on Insurance Information and Privacy Protection details the required elements for disclosure authorization forms used in connection with insurance transactions. The provisions for disclosure authorization set forth in this statute are applicable to requirements for informed consent of health care information generally. According to the Massachusetts law, the disclosure authorization form must (1) be written in plain language; (2) be dated; (3) specify the types of persons authorized to disclose information about the individual; (4) specify the nature of the information authorized to be disclosed; (5) name the institution to whom the individual is authorizing information to be disclosed; (6) specify the purposes for which the information is collected; (7) specify the length of time authorization shall remain valid; and (8) advise the individual, or a person authorized to act on behalf of the individual, that the individual or his authorized representative is entitled to receive a copy of the authorization form.16
Provision 4: Establish rules for educating patients about information practices; access to information; amendment, correction and deletion of information; and creation of databases.
The Privacy Act contains specific provisions about the right of access of individuals to records maintained by a Federal agency.
The Act establishes agency requirements for maintenance and collection of information. Agencies maintaining records must limit the information collected to that which is relevant and necessary to accomplish the stated purpose. Individuals who supply information to an agency must be informed as to the purpose of the information, the uses that may be made of the information, who authorized the collection of the information, and the effects on the individual of not providing the requested information. An agency is required to make public a notice of the existence and character of the system.17 Only a notice in the Federal Register is required by the Privacy Act, which many believe does not adequately inform the patient population about information uses and practices.

By contrast, under the Massachusetts law on Insurance Information and Privacy Protection, insurers are obligated to provide a description of information practices to applicants and policyholders when applying for coverage and renewing or reinstating policies. The notice must include:

1. whether personal information may be collected from persons other than the individual proposed for coverage;
2. the type of personal information that may be collected and the sources and investigative techniques that may be used to collect it;
3. the type of disclosure without authorization that is permitted by the law and the circumstances under which the disclosure may be made; and
4. information about patient rights to access, amend, correct, and delete information.

This law provides for individuals to access information maintained about themselves by insurers. It also provides that an individual has a right to have factual errors corrected and any misrepresentation or misleading entry amended or deleted.
The statute states that within 30 business days from receipt of a written request to correct, amend, or delete any personal information, the insurer shall either do so or reinvestigate the disputed information and notify the individual of the grounds for refusing the request. The insurer must also notify persons and institutions that have received or provided the information. When a correction is not made, the subject is permitted to file a statement setting forth what he or she believes to be the correct, relevant, or fair information, and provide a statement of reasons why he or she disagrees with the insurer's refusal to change it.

The Ethical Tenets also provide for access by the patient to health care information maintained in his or her file. Like the Massachusetts code, they require that patients be involved and informed about the recordkeeping process. Patients are deemed owners of the information provided during the course of the medical care as well as of the clinical data related to clinical care.18 Patients must be kept informed of the location, practices, and policies for information maintained in electronic medical data. The Ethical Tenets define "kept informed" as providing a description and explanation of the record storage and access rules and exceptions defined in the operating policies of data centers. The Tenets require that these policies be explained to the patients, including the basic rule that patients are the owners of their own records, and should describe the exceptions such as "regulatory agency functions," or, in the case of emergency, the authorization of the data center's security officer to release "key data" to the attending physician.
Patients must be notified of special authorizations, such as those for researchers seeking clinical information that includes patient identifiers.19

The Uniform Health Care Information Act (UHCIA) also requires that a health care provider inform the patient about information practices, including a notice that is to be posted in the health care facility that states:

We keep a record of the health care services we provide for you. You may ask us to see and copy that record. You may also ask us to correct that record. We will not disclose your record to others unless you direct us to do so or unless the law authorizes or compels us to do so. You may see your record or get more information about it at . . . .20

The UHCIA sets forth the requirements and procedures for the patient's examination and copying of his or her record. Within 10 days of a patient's request, the provider must make the information available for examination or provide a copy to the patient, or inform the patient that the information does not exist, cannot be found, or is not maintained by the provider. Special provisions cover delays in handling the request, and the provider's obligations in providing explanations of codes or abbreviations. Providers can also deny the request; the statute sets forth the circumstances under which they may do so. These include when the health care information would be injurious to the health of the patient, when it might endanger the life or safety of an individual, or when it might lead to the identification of an individual who provided information in confidence. Special provisions are made for access to health care information by a patient who is a minor. Special provisions are made for requests for correction or amendment of a record by a patient for purposes of accuracy or completeness.
When a request is made, the provider must make the correction; inform the patient if the record no longer exists or cannot be found; make provisions for making the changes if there is a delay; or inform the patient in writing of the provider's refusal to correct or amend the record as requested, the reason for the refusal, and the patient's right to add a statement of disagreement and to have that statement sent to previous recipients of the disputed health care information. Specific procedures for making changes to the record are also provided for.

Provision 5: Establish protocols for access of information by secondary users, and determine their rights and responsibilities in the information they access.

The Ethical Tenets address the handling of data by secondary users, referred to as a "secondary clinical record"; i.e., the data derived from the primary patient record for administrative, fiscal, epidemiologic, and other purposes outside the primary patient/provider relationship. According to the Tenets, these records are created for a "limited purpose, are not a part of the patient's treatment, and not a part of the professional communication to contribute to the care of the patient." For instance, a physician may be required to report information to an insurance company to assess a disability. The Tenets provide that "[i]dentified secondary clinical records shall receive confidential treatment"--i.e., those records including patient identifiers such as name, address, telephone number, or Social Security number.21 The Ethical Tenets provide that identified secondary records are to be used only for the purpose for which they were provided, and specifically require that they be destroyed or masked as promptly as possible once the task is accomplished. The Ethical Tenets provide for release of data for public health or research purposes.
If the release of primary or secondary data is deemed desirable or appropriate for these purposes, patients must grant informed consent and formal authorization before information will be released.

Trubow22 suggests specific obligations for secondary users of personal information. The holder of a record should notify the data subject about the records in his or her possession or control. The record-holder should:

1. disclose the purpose for which the information was collected;
2. explain the primary and parallel uses of the information;
3. provide to the individual subject a procedure to examine, challenge, and correct the information; and
4. give the individual an opportunity to deny any designated parallel uses.

Trubow recommends that the record-holder be allowed to use the information only for those uses of which the individual subject has been notified and to which he or she has not objected. The record-holder may not make any secondary use of personal information without the individual's express consent. These notice requirements, coupled with provisions similar to those of the Ethical Tenets for destruction of information after use, would adequately notify the individual subject about use of other data and could reduce the probabilities of creating new databanks of health care information outside the patient/provider relationship.

Provision 6: Structure the law to track the information flow, incorporating the ability of computer security systems to monitor and warn of leaks and improper access to information so that the law can be applied to the information at the point of abuse, not to one "home" institution.

Existing legislation and proposals for protection of health care information place responsibility for data protection on each institution.
As discussed in chapter 2, the ability to transfer and exchange information among institutions so that there is no single point of origination or residence for the information makes such an approach unworkable. Legislation should take advantage of the technological ability to track data flows and maintain auditing records of each person who accesses information, at what location, and at what time. (See discussions of computer security measures in ch. 3 and Appendix A.) Monitoring information access and abuse in this way allows the flexibility needed to monitor all institutions and users along the chains of access.

The Canadian Commission d'Acces a l'Information issued a specific set of minimum requirements for the security of computerized health care records. The commission indicated that its mandatory rules on health care information applied to mainframe computers, the machines of the suppliers of computer services, and to microcomputers. In addition to the designation of a responsible person to implement and enforce security measures and maintain their currency (preferably with the assistance of a committee), it prescribed, in detail, technical procedures for user identification and authentication, and the creation of "access profiles" for the type of personal information specific users need to perform their duties. The rules further prescribe requirements for such matters as site security and audit trails. Application of such a set of minimum requirements to institutions using health care information would enable tracking of information flow and access and allow for shared responsibility to protect health care information among institutions using it.
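The following Python sketch is an added illustration, not part of the OTA report or of the Commission's rules. It models the two mechanisms the text relies on: an "access profile" that names the record sections a given duty may see, and an audit trail that records who accessed which record, from where and when, with a monitor that raises warnings from that trail rather than from any single institution's say-so. The role names, the patient record, the locations and the volume threshold are all constructed for the example.

```python
"""Access profiles, an audit trail, and a monitor over the trail.

Added illustration (not from the OTA report). Every profile, record and
name below is constructed for the example.
"""
from datetime import datetime, timezone
from typing import Optional

# Access profiles: the record sections each duty needs to perform its work.
# Constructed examples; a real system would derive them from written policy.
ACCESS_PROFILES = {
    "attending_physician": {"demographics", "clinical_notes", "medications", "lab_results"},
    "pharmacist": {"demographics", "medications"},
    "billing_clerk": {"demographics", "billing"},
}

# Constructed sample patient record, keyed first by patient id, then by section.
PATIENT_RECORDS = {
    "P-0001": {
        "demographics": {"name": "Example Patient", "dob": "1950-01-01"},
        "clinical_notes": "constructed note text",
        "medications": ["constructed drug A"],
        "lab_results": {"constructed test": "normal"},
        "billing": {"balance": 0},
    }
}

# Append-only trail: who, in what role, from where, when, for which patient and sections.
AUDIT_TRAIL: list[dict] = []


def access_record(user: str, role: str, location: str, patient_id: str,
                  sections: set[str], when: Optional[datetime] = None) -> Optional[dict]:
    """Return the requested sections if the role's profile permits all of them.

    Every attempt is logged before the decision is returned. A request that
    reaches outside the profile is refused as a whole (returns None) so the
    over-reach itself, not a trimmed answer, is what the trail records.
    """
    when = when or datetime.now(timezone.utc)
    allowed = ACCESS_PROFILES.get(role, set())
    record = PATIENT_RECORDS.get(patient_id)
    over_reach = set(sections) - allowed
    if record is None:
        reason = "unknown patient"
    elif over_reach:
        reason = "outside profile"
    else:
        reason = "ok"
    granted = reason == "ok"
    AUDIT_TRAIL.append({
        "user": user, "role": role, "location": location, "time": when.isoformat(),
        "patient": patient_id, "sections": sorted(sections),
        "granted": granted, "reason": reason, "denied_sections": sorted(over_reach),
    })
    if not granted:
        return None
    return {s: record[s] for s in sections}


def flag_suspicious(trail: list[dict], max_patients_per_user: int = 3) -> list[str]:
    """Warn on every denial and on users who touch unusually many distinct patients.

    The threshold is a constructed example value; the point is that the trail,
    not the institution holding the record, is what reveals improper access.
    """
    warnings: list[str] = []
    patients_by_user: dict[str, set[str]] = {}
    for entry in trail:
        if not entry["granted"]:
            warnings.append(f"denied ({entry['reason']}): {entry['user']} ({entry['role']}) "
                            f"asked for {entry['denied_sections']} on {entry['patient']}")
        patients_by_user.setdefault(entry["user"], set()).add(entry["patient"])
    for user, patients in patients_by_user.items():
        if len(patients) > max_patients_per_user:
            warnings.append(f"volume: {user} accessed {len(patients)} distinct patients")
    return warnings


if __name__ == "__main__":
    ts = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    print(access_record("dr_a", "attending_physician", "ward-3", "P-0001", {"medications"}, ts))
    print(access_record("clerk_b", "billing_clerk", "front-desk", "P-0001", {"clinical_notes"}, ts))
    print(flag_suspicious(AUDIT_TRAIL))
```

The trail entry carries the location and time the text asks for, so the same entries can be collected from several institutions and monitored together; the profile check and the monitor are deliberately separate, since the monitor is what lets a regulator or the data subject act at the point of abuse.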
Brannigan's approach to protecting privacy in clinical information is through the use of "technical tools."23 These tools include both "machine-based" and "people-based" precautions, including concepts such as "need to know," encryption, audit trails, read/write limitations, physical keys, and passwords.24

Brannigan looks to the National Practitioner Data Bank (NPDB), a large computer system operated by UNISYS as a contractor to the Public Health Service. NPDB operates by collecting reports on physicians submitted by authorized reporters, consolidating them and sending them, on request, to authorized institutions. The NPDB process would be analogous to a single request for a patient's entire computer-based medical record, as opposed to a clinical inquiry on a specific visit. As such, it makes a reasonable technical analogy to the proposed transmission of computer-based medical records. Confidentiality of the data is a major concern. After analyzing the technical data protection tools in the NPDB and identifying discontinuities in the system, Brannigan set forth a list of technical provisions needed for a reasonably secure multi-institutional system for sharing patient records:

1. control authorized requesters by use of restricted request software needed to access the database;
2. protect passwords used to identify individual requesters;
3. route requests through a secure electronic mail system that eliminates direct electronic connection to the data bank;
4. allow searches only by patient name, and prevent random browsing of the data bank;
5. provide an audit trail to the individual subject;
6. maintain a secure data facility not connected to the health institution;
7. allow responses to be sent in a secure manner, only to pre-approved addresses; and
8. provide the individual subject a way to monitor disputed, incorrect, or unneeded data.

In addition, the system might include:

9. encryption and transmission through secure electronic mail to a mailbox accessible only to users with authorized decryption software;
10. permit searches only for authorized purposes; and
11. searches allowed only with the permission of that patient.25

Industry established standards, as discussed in chapter 3, could also be incorporated into legislation. Compliance with technical requirements for assuring confidentiality could be required by law, with sanctions for failure to meet standards.

Provision 7: Establish a committee, commission, or panel to oversee privacy in health care information.

One approach to addressing the problem of maintaining privacy in computerized medical records is the establishment of a committee on health care information privacy. Such a committee could be modeled in some aspects on proposals for a data protection board.26 Legislation alone cannot address all of the privacy problems created as a result of quickly changing and developing computer technology. A committee could serve a more dynamic function and could assist in implementing the health care information privacy policies set out in legislation. Data protection boards have been instituted in several foreign countries, including Sweden, Germany, Luxembourg, France, Norway, Israel, Austria, Iceland, United Kingdom, Finland, Ireland, the Netherlands, Canada, and Australia.27

The responsibilities and functions suggested for a data protection board are particularly applicable to the issues of health care information privacy and can be implemented in the following ways. A health care information privacy committee could:

1. identify health care information privacy concerns, functioning essentially as an alarm system for the protection of personal privacy;
2. carry out oversight to protect the privacy interests of individuals in all health care information-handling activities;
3. develop and monitor the implementation of appropriate security guidelines and practices for the protection of health care information;
4. advise and develop regulations appropriate for specific types of health care information systems. (Staff members of such a committee could thus become specialists in different types of health care information systems and information flows);
5. monitor and evaluate developments in information technology with respect to their implications for personal privacy in health care information; and
6. perform a research and reporting function with respect to health care information privacy issues in the United States.

As part of its responsibilities, the health care information privacy committee could also monitor the establishment and use of computer systems for health care data in the private sector, and make recommendations on the potential expansion of the content of the medical records and different uses of health care data. The committee could closely watch the progress of the technology for health care data and storage, and track the development of technical capabilities and security measures. A committee could help avoid the need to deal with privacy problems "after the fact," that is, after new uses have been established for data and new inroads made into individual privacy in health care information, by taking a prospective approach to addressing privacy concerns. Some suggestions have been made that a committee of this type be established within a division of the Department of Health and Human Services. Others suggest that such a committee operate independently from any Federal agency.28

1. OTA Workshop, "Designing Privacy in Computerized Medical Information," Dec. 7, 1992.
2. Other Federal policy on the right to access government information is set forth in the Federal Privacy Act at 5 U.S.C. Sec. 552, which deals with public information and public access to agency rules, opinions, orders, records, and proceedings.
3. The Privacy Act exempts from this provision records pertaining to law enforcement. Public Law 93-579 Sec. 552a(k)(2).
4. Joan Turek-Brezina, Chair, Department of Health & Human Services Task Force on the Privacy of Private Sector Health Records, personal communication, April 1993.
5. Vincent M. Brannigan, "Protecting the Privacy of Patient Information in Clinical Networks: Regulatory Effectiveness Analysis," Extended Clinical Consulting by Hospital Computer Networks, D.F. Parsons, C.N. Fleischer, and R.A. Greene, eds. (New York, NY: Annals of the New York Academy of Sciences, 1992) vol. 670, pp. 190-201.
6. OTA-CIT-296 (Washington, DC: U.S. Government Printing Office, June 1986).
7. Public Law 95-630, title XI, 92 Stat. 3697, Nov. 10, 1978, et seq.
8. Public Law 93-380, title V, Sec. 513, 88 Stat. 571, Aug. 21, 1974.
9. Public Law 91-508, title VI, Sec. 601, 84 Stat. 1128, Oct. 26, 1970, et seq.
10. Public Law 100-618 Sec. 2(a)(1),(2), 102 Stat. 3195, Nov. 5, 1988 et seq.
11. David H. Flaherty, "Ensuring Privacy and Data Protection in Health and Medical Care," prepublication draft, Apr. 5, 1993.
12. Ibid.
13. These activities in the context of computerized medical information are discussed in ch. 2. Further discussion about the Privacy Act generally is also found in ch. 2.
14. 5 U.S. Code, Sec. 552a(h). Many commentators believe that these penalties are inadequate to address information abuses. Joan Turek-Brezina, op. cit., footnote 4.
15. OTA workshop, "Emerging Privacy Issues in the Computerization of Medical Information," July 31, 1993.
16. The code also makes specific provisions for the length of time such disclosure authorization remains valid.
17. The notice must include the system's name and location, the categories of records maintained on the system, the categories of individuals on whom records are maintained in the system, each use of the records contained in the system, and the policies. The Act provides that when an agency refuses to amend an individual's record or refuses to grant an individual access to his or her record, civil action may be brought. The court will order the agency to comply with the provisions of the Act, and will require the government to pay attorneys' fees and litigation costs. In cases when an agency fails to properly maintain an individual's record according to the provisions of the Act, damages of at least $10,000 will be awarded. 5 U.S. Code, Sec. 552(a); Public Law 93-579, Sec. 552a(g).
18. The Tenets make the distinction that the physician is deemed owner of the information generated by him or her during the course of medical care, such information including diagnostic, therapeutic, or prognostic comments; opinions, decision explanations, and choice rationale--all parts of the clinical reasoning and professional interpretation of the data collected. This provision addresses concerns about professional privacy. Other health care workers may be included under this protection.
19. The Federal Privacy of Medical Information Act (H.R. 5935), introduced before the 96th Congress in 1980, provided that a medical care facility shall, on request, provide any individual with a copy of the facility's notice of information practices and shall post in conspicuous places in the facility such notice or a statement of availability of such notice and otherwise make reasonable efforts to inform patients (and prospective patients) of the facility of the existence and availability of such notice. Sec. 113(b).
20. The Federal Privacy of Medical Information Act of 1980 (H.R. 5935) proposed a similar notification practice. In Sec. 113, it provided: A medical care facility shall prepare a written notice of information practices describing: 1) the disclosures of medical information that the facility may make without the written authorization of the patient; 2) the rights and procedures . . . including the right to inspect and copy medical information, the right to seek amendments to medical information and the procedures for authorizing disclosures of medical information, and the procedures for authorizing disclosures of medical information and for revoking such authorizations; and 3) the procedures established by the facility for the exercise of these rights.
21. Under these provisions, the identified secondary record also refers to unique identifiers of the care-providing physician, healthcare team, and institution, which are also entitled to the right to privacy under the Tenets.
22. George B. Trubow, "Protocols for the Secondary Use of Personal Information," Report of the Roundtable on Secondary Use of Personal Information, The John Marshall Law School Center for Informatics Law, Chicago, IL, prepublication draft, Feb. 22, 1993.
23. Vincent M. Brannigan, op. cit., footnote 5.
24. Brannigan notes that one characteristic of these tools is that they can pre-exist any legal structure or be established as the result of one. "[T]he legal system can either follow or force a technology." Ibid.
25. Vincent M. Brannigan, "Protection of Patient Data in Multi-Institutional Medical Computer Networks: Regulatory Effectiveness Analysis," to be published in Proceedings of the 17th Annual Symposium on Computer Applications in Medical Care, November 1993.
26. Such a board was supported by the Office of Technology Assessment in its 1986 study of Electronic Record Systems and Individual Privacy. In its discussion of the issue, OTA cited the lack of a Federal forum in which the conflicting values at stake in the development of Federal electronic systems could be fully debated and resolved.
27. Kevin O'Connor, "Information Privacy: Explicit Civil Remedies Provided," Law Society Journal, March 1990, pp. 38-39. In his article, "Protocols for the Secondary Use of Personal Information," Professor George Trubow voiced the opinion of participants in a roundtable discussion of the issue convened by the Center for Informatics Law at the John Marshall Law School in Chicago that an independent Federal and/or State oversight agency, similar to European models, would be necessary to issue regulations more specifically identifying information practices and to process complaints of noncompliance. Op. cit., footnote 22.
28. OTA Workshop, op. cit., footnote 1.

-----------------------------------------

Appendix A: Selected Topics in Computer Security

Originators of existing computer-based patient record systems have been faced with the problem of ensuring their systems will provide high levels of clinical access and utility for their personnel and still maintain the security and confidentiality of patient information. Data security and confidentiality remain a central concern as the health care industry contemplates full automation and implementation of a networked computer system for individual health care information.1

The need for information security and trust in health care information computer systems, as in computer systems generally, is described in terms of three fundamental goals: confidentiality, integrity, and access.2 Confidentiality involves control over who has access to information. Integrity assures that information and programs are changed only in a specified and authorized manner, that computer resources operate correctly and that the data in them is not subject to unauthorized changes.
A system meeting standards for access allows authorized users access to information resources on an ongoing basis.3

The level of security provided may vary from one application to another.4 For example, security in computer systems containing classified national security information may have different specifications than a computer system designed for a nondefense manufacturing company. Security in health care information systems would likely be designed somewhere along this spectrum. The emphasis given to each of the three requirements (confidentiality, integrity, and access) depends on the nature of the application. An individual system may sacrifice the level of one requirement to obtain a greater degree of another. For example, to allow for increased levels of availability of information, standards for confidentiality may be lowered. Thus, the specific requirements and controls for information security can vary.5 Applications linked to external systems will usually require different security controls from those without such connections because access is more open.

A security policy is the framework within which an organization, e.g., a hospital, outpatient clinic, mental health facility, or health insurance company, establishes needed levels of information security to achieve, among other things, the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organizational commitment for a system.
It is a set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.6 A policy is implemented by taking action guided by management control principles and utilizing specific security standards, procedures, and mechanisms.7 A security policy, to be useful, must state the security need (e.g., for confidentiality--that data shall be accessed only by authorized individuals) and also address the circumstances under which that need must be met through operating standards. Institutions must assess the threats to a system, assign a level of concern to each, and state a policy in terms of which threats are to be addressed.8

Management controls are administrative, technical, and procedural mechanisms that implement a security policy. Some management controls are concerned with protecting information and information systems, but the concept of management controls is more than merely a computer's role in enforcing security. Management controls are exercised by users as well as managers. An effective program of management controls is necessary to cover all aspects of information security, including physical security, classification of information gauged to the desired levels of confidentiality and access, means of recovering from breaches of security, and training to instill awareness and user acceptance. There are trade-offs among controls. If technical controls are not available, procedural controls might be used until a technical solution is found.9 Nevertheless, technical controls are useless without procedural controls and robust security policy.

Breaches in security are sometimes caused by outside sources, but most often by "insiders"--individuals authorized to use the system. According to the report of the Workgroup for Electronic Data Interchange to the Secretary of the U.S. Department of Health and Human Services, the Health Care Financing Administration (HCFA) believes that the security technology available to systems developers is adequate to protect against breaches by an outside source, and does not consider a breach of the system by outsiders a great concern. HCFA's concern lies with breaches of the system by "insiders," individuals who are authorized to use the system.10

Access control alone cannot prevent violations of the trust people and institutions place in individuals. Inside violations have been the source of much of the computer security problem in industry. Technical security measures may prevent people from doing unauthorized things, but cannot prevent them from misusing the capabilities with which they are entrusted to allow them to perform their job function. Thus, to prevent security problems resulting from violations of trust, one must depend primarily on human awareness of what others in an organization are doing and on separation of duties, as in regular accounting controls.11 But even a technically sound system with informed, watchful management and responsible users is not free of vulnerabilities. The risk that remains must be managed by auditing, backup, and recovery procedures supported by alertness and creative responses. Moreover, an organization must have administrative procedures in place to bring suspicious actions to the attention of responsible persons who can--and will--inquire into the appropriateness of such actions.12 In addition to these precautions, damage can also be avoided through close personnel checks to avoid hiring employees with questionable backgrounds in areas where sensitive data are available, periodic analysis of the computer system and the sensitivity of its data, and separation of critical duties between employees.
Technical Safeguards

Technical safeguards, along with administrative and procedural measures, are best established within the system application or program, e.g., medical record system software, instead of relying on the network infrastructure for security. These technical provisions include the following:

Cryptography: can be used to encode data before transmission or while stored in a computer, provide an electronic signature and/or to verify that a message has not been tampered with. Cryptography can be used to 1) encrypt plain text to provide confidentiality, 2) authenticate a message to ensure integrity and to prevent fraud by third parties, and 3) create a digital signature that authenticates a message and protects against fraud or repudiation by the sender.13

Personal identification and user verification techniques: help ensure that the person using a communication or computer system is the one authorized to do so and, in conjunction with access control systems and other security procedures, that authorized users can be held accountable for their actions.

Access control software and audit trails: can help protect information systems from unauthorized access and keep track of each user's activities.

Computer architecture: may be specifically designed to enhance security.

Communications linkage safeguards: can hamper unauthorized access to computers through phone lines or other networks.14

CRYPTOGRAPHY

Cryptography is one method of protecting data vulnerable to unauthorized access and tampering. Cryptography, along with electronic signatures, can be used to protect confidentiality and integrity. Confidentiality of information can be provided through encryption.
Encryption15 is a process of encoding a message so that its meaning is not obvious; decryption transforms an encrypted message back into its normal form.16 When a message is encrypted, it is encoded in a way that can be reversed only with the appropriate key.17 Maintaining confidentiality requires that only authorized parties have the decrypting key.

Integrity can be provided through message authentication. An "authentic" message is one that is not a replay of a previous message, has arrived exactly as it was sent (without errors or alterations), and comes from the stated source (not forged or falsified by an impostor or fraudulently altered by the recipient). Encryption algorithms can be used to authenticate messages, but encryption in itself does not automatically authenticate a message. Message authentication techniques are based either on public or secret knowledge. Authentication techniques based on public knowledge can check against errors, but not against malicious modifications. Message authentication using secret parameters means that a message cannot be forged unless the secret parameters are compromised or one of the parties is doing the forging.

Digital Signatures--The trend away from paper-based systems into automated electronic systems has brought about a need for a reliable, cost-effective way to replace the handwritten signature with a digital signature. Encryption or message authentication alone can only safeguard against the actions of third parties. They cannot fully protect one of the communicating parties from fraudulent actions by any other, such as forgery or repudiation of a message or transaction. Nor can they resolve contractual disputes between two parties. Like a handwritten signature, a digital signature can be used to identify and authenticate the originator of the information. A digital signature can also be used to verify that information has not been altered after it is signed, providing for message integrity.
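As an added example (not from the report), the Python below makes concrete the distinction just drawn between authentication based on public knowledge and authentication based on secret parameters. A CRC is computed from public knowledge, so it catches transmission errors but can be recomputed by anyone who alters the message; an HMAC keyed with a secret shared by the two parties cannot be recomputed without that secret. A strictly increasing sequence number covers the replay condition in the text's definition of an "authentic" message. The key, the message bodies and the receiver are all constructed for the example; HMAC-SHA-256 is used as the secret-parameter technique, which the text does not name.

```python
"""Public-knowledge check (CRC) versus secret-parameter check (HMAC), plus replay detection.

Added example, not from the OTA report. Key and messages are constructed.
"""
import hashlib
import hmac
import zlib

SHARED_KEY = b"constructed-shared-secret"   # known only to sender and receiver


def _frame(seq: int, body: bytes) -> bytes:
    """Bind the sequence number to the body so both are covered by each check."""
    return seq.to_bytes(4, "big") + body


def protect(seq: int, body: bytes, key: bytes = SHARED_KEY) -> dict:
    """Attach both a CRC (public knowledge) and an HMAC (secret parameter) to a message."""
    framed = _frame(seq, body)
    return {
        "seq": seq,
        "body": body,
        "crc": zlib.crc32(framed),
        "mac": hmac.new(key, framed, hashlib.sha256).hexdigest(),
    }


def crc_ok(msg: dict) -> bool:
    """Detects accidental corruption only: anyone can recompute this value."""
    return zlib.crc32(_frame(msg["seq"], msg["body"])) == msg["crc"]


def mac_ok(msg: dict, key: bytes = SHARED_KEY) -> bool:
    """Detects deliberate change: a matching tag needs the shared key."""
    expected = hmac.new(key, _frame(msg["seq"], msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


class Receiver:
    """Accepts a message only if its MAC verifies and its sequence number is new."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, msg: dict) -> str:
        if not mac_ok(msg, self.key):
            return "rejected: bad mac"
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"
        self.last_seq = msg["seq"]
        return "accepted"


def altered_copy_with_fresh_crc(msg: dict, new_body: bytes) -> dict:
    """Constructed test input: a copy whose body was changed and whose public CRC was recomputed.

    This is exactly what a check based on public knowledge cannot distinguish from
    the original; the MAC, which the copier could not recompute, still fails.
    """
    altered = dict(msg, body=new_body)
    altered["crc"] = zlib.crc32(_frame(altered["seq"], new_body))
    return altered


if __name__ == "__main__":
    original = protect(1, b"lab result: normal")            # constructed message
    altered = altered_copy_with_fresh_crc(original, b"lab result: abnormal")
    print(crc_ok(altered), mac_ok(altered))                  # True False
    rx = Receiver()
    print(rx.accept(original), rx.accept(original))          # accepted rejected: replay
```

The receiver checks the MAC before the sequence number so that an unauthenticated message can never advance the replay window; the CRC is kept in the frame only to show what it does and does not prove.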
In August 1991, NIST proposed the Digital Signature Standard (DSS) as a Federal Information Processing Standard (FIPS), suitable for use by corporations, as well as civilian agencies of the government. The DSS specifies a Digital Signature Algorithm (DSA) for use in computing and verifying digital signatures. NIST suggests that DSA can be used in such applications as electronic mail systems, legal systems, and electronic funds transfer systems. Some controversy surrounds NIST's choice of the DSS techniques.18

Encryption Algorithms--The original form of a message is known as plaintext, and the encrypted form is called ciphertext. Messages are encrypted using mathematical algorithms implemented in hardware or software, and secrecy is provided through use of cryptographic keys. These keys are seemingly random sequences of symbols. The encryption algorithm is a mathematical process that can transform plaintext into ciphertext and back again, with each transformation depending on the value of the key.

Symmetric ciphers use the same key for encryption and decryption. One key, known to both the sender and receiver of a message, is used to both encrypt and decrypt the message. Symmetric keys present problems of key distribution, since secrecy in the key must be maintained by both parties to the communication. The traditional means of key distribution--through couriers--places the security of the cipher system in the hands of the courier(s). Courier-based key distribution presents challenges when keys need to be changed often.

Asymmetric ciphers use different but related keys. One key is used to encrypt and another to decrypt a message.19 A special class of asymmetric ciphers is public-key ciphers, in which the "public" encrypting key need not be kept secret to ensure a private communication. Rather, Party A can publicly announce his or her public key, PKA, allowing anyone who wishes to communicate privately with him or her to use it to encrypt a message.
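The public-key exchange just described, as an added Python example that is not code from the OTA report: Party A publishes PKA and keeps SKA, and because anyone can publish a key under A's name, the example also has a trusted third party T sign A's public key and makes the sender check that signature before encrypting, so a key substituted under A's name is refused. It uses textbook RSA on tiny constructed primes and hypothetical helper names; it is an illustration of the key model, not a usable cipher.

```python
"""Added example (not from the OTA report). Party A's public/secret key pair
(PKA, SKA) as in the text, plus a trusted third party T that certifies public keys
by signing them, so a sender can tell A's genuine key from one published under
A's name by someone else. Textbook RSA on tiny primes, for illustration only:
no padding, no hashing of the message, and key sizes no real system would use."""
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Returns (public_key, secret_key), each an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (e, n), (pow(e, -1, phi), n)


def rsa_apply(key, value: int) -> int:
    """One modular exponentiation; used for encrypt, decrypt, sign and verify."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must lie below the modulus")
    return pow(value, exponent, modulus)


def key_digest(name: str, public_key, signer_modulus: int) -> int:
    """Hash that binds a name to a public key, reduced below the signer's modulus."""
    data = f"{name}|{public_key[0]}|{public_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % signer_modulus


def issue_certificate(signer_secret, name: str, public_key) -> dict:
    """T signs the (name, key) binding; anyone holding T's public key can check it."""
    digest = key_digest(name, public_key, signer_secret[1])
    return {"name": name, "public_key": public_key,
            "signature": rsa_apply(signer_secret, digest)}


def certificate_is_valid(cert: dict, signer_public) -> bool:
    digest = key_digest(cert["name"], cert["public_key"], signer_public[1])
    return rsa_apply(signer_public, cert["signature"]) == digest


def encrypt_for(cert: dict, intended_name: str, signer_public, message: int):
    """Sender-side rule: encrypt only to a key T has certified for intended_name;
    otherwise return None rather than encrypt to a possibly substituted key."""
    if cert["name"] != intended_name or not certificate_is_valid(cert, signer_public):
        return None
    return rsa_apply(cert["public_key"], message)


# Constructed parties; primes kept tiny so the numbers are readable.
PK_T, SK_T = make_keypair(1009, 1013)   # trusted third party T
PK_A, SK_A = make_keypair(61, 53)       # Party A: PKA is published, SKA stays secret
PK_I, SK_I = make_keypair(67, 71)       # a second party's own pair (PKI, SKI)

CERT_A = issue_certificate(SK_T, "A", PK_A)                   # genuine certificate
# A certificate for PKI under A's name, signed with SKI because SKT is unavailable.
CERT_UNTRUSTED = {"name": "A", "public_key": PK_I,
                  "signature": rsa_apply(SK_I, key_digest("A", PK_I, SK_I[1]))}
# A's genuine signature reused over a substituted key: the digest no longer matches.
CERT_SWAPPED = dict(CERT_A, public_key=PK_I)


def scenarios(message: int = 1234) -> dict:
    """Outcomes of the sender's rule against each certificate (message < n_A)."""
    ciphertext = encrypt_for(CERT_A, "A", PK_T, message)
    return {
        "genuine_accepted": ciphertext is not None,
        "a_recovers_plaintext": ciphertext is not None
        and rsa_apply(SK_A, ciphertext) == message,
        "untrusted_signer_rejected": encrypt_for(CERT_UNTRUSTED, "A", PK_T, message) is None,
        "swapped_key_rejected": encrypt_for(CERT_SWAPPED, "A", PK_T, message) is None,
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:28s} {outcome}")
```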
Party A's "secret" decrypting key (SKA) is kept secret, so that only A or someone else who has obtained his or her decrypting key can easily convert messages encrypted with PKA back into plaintext. Determining the secret decrypting key is difficult, even when the encrypted message is available and the public key is known; in practice only authorized holders of the secret key can read the encrypted message. If the encrypting key is publicly known, however, a properly encrypted message can come from any source, and there is no guarantee of its authenticity. It is thus crucial that the public encrypting key be authentic. An impostor could publish his or her own public key, PKI, and pretend it came from A in order to read messages intended for A, which he or she could intercept and then read using his or her own secret key, SKI. Therefore, the strength of a public key cipher system rests on the authenticity of the public key. A public key system can be strengthened by providing means for certifying public keys via digital signature, a trusted third party, or other means.20

Techniques for encrypting messages based on mathematical algorithms vary widely in the degree of security they provide. The various algorithms differ in the following ways:

o The mathematical sophistication and computational complexity of the algorithm itself. More complex algorithms may be harder for an adversary to break.
o Whether the algorithm is for a symmetric cipher or for an asymmetric one.
o The length of the key used to encrypt and decrypt the message. Generally, for an algorithm of a given complexity, longer keys are more secure.
o Whether the algorithm is implemented in software or hardware.
o Whether the algorithm is open to public scrutiny. While some argue that users have more confidence in an algorithm if it is publicly known and subject to testing, the National Security Agency and others assert that secret algorithms are more secure.21

Data Encryption Standard (DES)--The U.S. Data Encryption Standard (DES) is a well-known example of a symmetric cryptosystem and probably the most widely known modern encryption algorithm. DES was developed to protect unclassified computer data in Federal computer systems against passive and active attacks in communication and computer systems.22 DES is the result of a National Bureau of Standards initiative to create an encryption standard. Based on an algorithm developed by IBM, DES was officially adopted as a Federal Standard in November 1977, and endorsed by the National Security Agency.23 After over 10 years of public scrutiny, most experts are confident that DES is secure from virtually any adversary except a foreign government.24 DES is a private key cryptographic algorithm, which means that the confidentiality of the message, under normal conditions, is based on keeping the key secret between the sender and receiver of the message.25 DES specifies a cryptographic algorithm that converts plaintext to ciphertext using a 56-bit key. Encryption with the DES algorithm consists of 16 "rounds" of operations that mix the data and key together in a prescribed manner. The goal is to so completely scramble the data and key that every bit of ciphertext depends on every bit of the data plus every bit of the key.26 In early 1993, the executive branch announced its policy to implement a new encryption device called the "Clipper Chip," discussed in box A-1.

RSA--RSA is a patented public key encryption system that has been in use since 1978. It was invented at the Massachusetts Institute of Technology (MIT) by Ronald Rivest, Adi Shamir, and Leonard Adleman. These three inventors formed RSA Data Security, Inc. in 1982, and obtained an exclusive license for their invention from MIT, which owns the patent. The firm has developed proprietary software packages implementing the RSA cipher on personal computer networks.
These packages, sold commercially, provide software-based communications safeguards, including message authentication, key management, and encryption. RSA relies on the difficulty of factoring large numbers to devise its encryption codes. Asymmetric cipher systems (like RSA) are more efficient than symmetric ones for digital signatures.27

PERSONAL IDENTIFICATION AND USER VERIFICATION

The purpose of user verification systems is to ensure that those accessing a computer or network are authorized to do so. Personal identification techniques are used to strengthen user verification by ensuring that the person actually is the authorized user.28 Authentication technology provides the basis for access control in computer systems. If the identity of a user can be correctly verified, legitimate users can be granted access to system resources. Conversely, those attempting to gain access without proper authorization can be denied. Once a user's identity is verified, access control techniques may be used to mediate the user's access to data.

The traditional method for authenticating users has been to provide them with a secret password, which must be used when requesting access to a particular system. However, authentication that relies solely on passwords has often failed to provide adequate protection for computer systems for a number of reasons, including careless use and misuse--e.g., writing passwords on the terminal, under a desk blotter, etc. Where password-only authentication is not adequate for an application, a number of alternative methods can be used alone or in combination to increase the security of the authentication process.
User verification systems generally involve a combination of criteria, such as something in an individual's possession, e.g., a coded card or token (token-based authentication), something the individual knows, e.g., a memorized password or personal identification number (password authentication), or some physical characteristic of the user, e.g., a fingerprint or voice pattern (biometric authentication).29

Token-based authentication requires the system user to produce a physical token that the system can recognize as belonging to a legitimate user. These tokens typically contain information that is physically, magnetically, or electronically coded in a form that can be recognized by a host system. The most sophisticated tokens take the form of "smart cards," and contain one or more integrated circuits that can store and, in some cases, process information.30 Token-based systems reduce the threat from attackers who attempt to guess or steal passwords, because the attacker must either fabricate a counterfeit token or steal a valid token from a user, and must also know the user's password.

Biometric authentication relies on a unique physical characteristic to verify the identity of system users. Common biometric identifiers include fingerprints, written signatures, voice patterns, typing patterns, retinal scans, and hand geometry. The unique pattern that identifies a user is formed during an enrollment process, producing a template for that user. When a user wishes to authenticate access to the system, a physical measurement is made to obtain a current biometric pattern for the user. This pattern is compared to the enrollment template in order to verify the user's identity. Biometric authentication devices tend to cost more than password or token-based systems because the hardware required to capture and analyze biometric patterns is more complicated.
However, biometrics provide a very high level of security because the authentication is directly related to a unique physical characteristic of the user that is difficult to counterfeit. At the same time, passwords, authentication tokens, and biometrics are subject to a variety of attacks. New technologies and microelectronics, which are more difficult to counterfeit, have emerged to overcome these problems. These technologies have also enabled the merging of the identification criteria, so that one, two, or all the criteria can be used as needed. Microelectronics make the new user identification methods compact and portable. Electronic smart cards now carry prerecorded, usually encrypted, access control information that must be compared with data that the proper authorized user is required to provide, such as a memorized personal identification number or biometric data like a fingerprint or retinal scan.31 Merging criteria allows authentication of the individual to his or her card or token and only then allows access to the protected computer or network. This can increase security since, for example, one's biometric characteristics cannot readily be given away, lost, or stolen. Biometrics permit automation of the personal identification/user verification process.

ACCESS CONTROL SOFTWARE AND AUDIT TRAILS

Once the identity of a user has been verified, it is still necessary to ensure that he or she has access only to the resources and data that he or she is authorized to access. For host computers, these functions are performed by access control software. Records of users' accesses and online activities are maintained as audit trails by audit software. Access control methods include user identification codes, passwords, login controls, resource authorization, and authorization checking. These methods, as well as use of audit trails and journaling techniques, are discussed in box A-2.
COMPUTER ARCHITECTURE

The computer itself must be designed to facilitate good security, particularly for advanced security needs. For example, it should monitor its own activities in a reliable way, prevent users from gaining access to data they are not authorized to see, and be secure from sophisticated tampering or sabotage. However, while computer architecture will gradually improve, particularly for larger computer users, more sophisticated architecture is not the primary need of the vast majority of current users outside of the national security community. Good user verification coupled with effective access controls, including controls on database management systems, are the more urgent needs for most users.32

COMMUNICATIONS LINKAGE SAFEGUARDS

Computers are vulnerable to misuse through the ports that link them to telecommunication lines, as well as through taps on the lines themselves. As computers are linked through telecommunication systems, the problem of dial-up misuse by hackers may increase. For purposes of this study, of particular interest in the area of medical information are port protection devices.33 One means of limiting misuse via dial-up lines has been dial-back port protection devices. For some computer applications, misuse via dial-up lines can be dramatically reduced by the use of dial-back port protection devices as a buffer between telecommunication lines and the computer. In addition to these dial-back systems, newer security modems can be used to protect data communication ports. These security modems are microprocessor-based devices that combine features of a modem with network security features, such as passwords, dial-back, and/or encryption, and offer added protection.34

1. Institute of Medicine, The Computer-Based Patient Record: An Essential Technology for Health Care, Richard S. Dick and Elaine B. Steen, eds. (Washington, DC: National Academy Press, 1991), pp. 42-43, 65-66, 83-85. This is a publication of the Committee on Improving the Patient Record, Division of Health Care Services. See also, Gretchen Murphy, "System and Data Protection," Aspects of the Computer-Based Patient Record, Marion J. Ball and Morris F. Collen, eds. (New York, NY: Springer-Verlag, 1992), p. 205.
2. See Gretchen Murphy, op. cit., footnote 1. For general definitions of security terms and concepts, see Dennis Longley, Michael Shain, and William Caelli, Information Security: Dictionary of Concepts, Standards and Terms (New York, NY: Stockton Press, 1992).
3. Charles P. Pfleeger, Security in Computing (Englewood Cliffs, NJ: Prentice Hall, Inc., 1989), pp. 5-6.
4. National Research Council, Computers at Risk: Safe Computing in the Information Age (Washington, DC: National Academy of Sciences, 1991), p. 55. This is a publication of the System Security Study Committee, Computer Science and Telecommunications Board, Commission on Physical Sciences, Mathematics, and Applications.
5. Ibid., p. 52.
6. See Dennis Longley et al., op. cit., footnote 2, pp. 467-468.
7. National Research Council, op. cit., footnote 4, p. 50.
8. Ibid.
9. Ibid.
10. U.S. Department of Health and Human Services, Workgroup for Electronic Data Interchange, Report to the Secretary, July 1992, p. 29. However, the report later states that computer "hackers" have circumvented the security systems of a variety of computer systems; while access in some cases was limited to unauthorized "browsing" through database records, other instances of access have been accompanied by alteration or deletion of data or disruption of system operations.
11. See U.S. Congress, Office of Technology Assessment, Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, OTA-CIT-310 (Washington, DC: U.S. Government Printing Office, October 1987); Robert H. Courtney, Jr., "Considerations of Information Security for Large Scale Digital Libraries," contractor report prepared for the Office of Technology Assessment, Mar. 27, 1993.
12. National Research Council, op. cit., footnote 4, pp. 50-51.
13. See Defending Secrets, op. cit., footnote 11, pp. 174-180. See also, Datapro Reports on Information Security, "Host File Encryption Software Overview," IS54-001-101, May 1992.
14. See generally, Defending Secrets, op. cit., footnote 11. See also, Datapro Reports on Information Security, "Host Security Software," IS50-140-103, November 1992, and generally, Dennis Longley et al., op. cit., footnote 2.
15. Encryption is an essential method for ensuring the three goals of computer security: confidentiality, integrity, and access. Encryption provides confidentiality for data. Encryption can also be used to achieve integrity, since data that cannot be read generally cannot be changed. Encryption is important in the establishment of secure communication protocols (a sequence of steps taken by two or more parties to accomplish some task) between users. Some of these protocols are implemented to ensure access to data. Defending Secrets, op. cit., footnote 11, pp. 54-63. See also, Datapro Reports, op. cit., footnote 13.
16. The words encode and decode, or encipher and decipher, are often used instead of the verbs encrypt and decrypt. A system for encryption and decryption is called a cryptosystem. Charles P. Pfleeger, op. cit., footnote 3, p. 23.
17. Charles P. Pfleeger, op. cit., footnote 3, p. 23.
18. NIST originally chose DSS, in part because of patent considerations. Some critics of the choice (including the company marketing the RSA system) have asserted that the RSA algorithm is superior and that NIST deliberately chose a weaker cipher. In late 1991, NIST's Computer Security and Privacy Advisory Board went on record as opposing adoption of the proposed DSS.
19. Defending Secrets, op. cit., footnote 11, p. 176.
20. Defending Secrets, op. cit., footnote 11, p. 180.
21. Defending Secrets, op. cit., footnote 11, pp. 54-55.
22. U.S. Department of Commerce, National Institute of Standards and Technology, NCSL Bulletin, Advising Users on Computer Systems Technology, June 1990.
23. Charles P. Pfleeger, op. cit., footnote 3, p. 107.
24. According to NIST, appropriate applications of DES include electronic funds transfer, privacy protection of personal information, personal authentication password protection, access control, etc. U.S. Department of Commerce, National Institute of Standards and Technology, NCSL Bulletin, Advising Users on Computer Systems Technology, June 1990, pp. 1-2.
25. Defending Secrets, op. cit., footnote 11, p. 55.
26. Ibid.
27. Ibid., p. 63. See also, Datapro Reports on Information Security, "Microcomputer Encryption and Access Control: Technology Overview," IS31-001-125, April 1991, and Dennis Longley et al., op. cit., footnote 2, pp. 165-171.
28. Defending Secrets, op. cit., footnote 11, p. 72. See also, Datapro Reports on Information Security, "Host Access Control Software Overview," IS52-001-103, July 1992.
29. U.S. Department of Commerce, National Institute of Standards and Technology, CSL Bulletin, Advising Users on Computer Systems Technology, November 1991.
30. For further discussion of use of smart card systems for health care information, see ch. 3.
31. CSL Bulletin, op. cit., footnote 29.
32. Defending Secrets, op. cit., footnote 11, pp. 88-89. See also, Dennis Longley et al., op. cit., footnote 2, p. 464.
33. Discussion of other communications linkage safeguards can be found in Defending Secrets, op. cit., footnote 11, pp. 89-92. See also, Dennis Longley et al., op. cit., footnote 2, p. 408.
34. Datapro Reports on Information Security, "Protecting Information by Authentication and Encryption," IS50-140-103, June 1993.

-------------------------------------------------

Appendix B: Model Codes for Protection of Health Care Information

Chapter 175I of the Massachusetts State Code--Insurance Information and Privacy Protection
Ethical Tenets for Protection of Confidential Clinical Data
Uniform Health Care Information Act (As codified in Chapter 16, Part 5 of the Montana Code)
The American Health Information Management Association's Health Information Model Legislation Language

-----------------------------------------------------

Box 1-A--The Problem of Definition--Privacy and Confidentiality

In discussions about privacy and information policy, the terms privacy and confidentiality are often used interchangeably. Neither term possesses a single clear definition, and theorists argue variously that privacy and confidentiality (and the counterpart to confidentiality, secrecy) may be concepts that are the same, completely distinct, or in some cases overlapping. While definitions of privacy and confidentiality and distinctions between the two cannot be tightly drawn (as indeed, the two terms are not necessarily exclusive of one another), for purposes of this report, OTA will attempt to use the terms in the following ways, largely mirroring approaches to the subject matter taken by Alan Westin and Charles Fried.

Confidentiality will refer to how data collected for approved purposes will be maintained and used by the organization that collected it, what further uses will be made of it, and when individuals will be required to consent to such uses. It will be achieved, as Anita Allen states, when designated information is not disseminated beyond a community of authorized knowers.
According to Allen, confidentiality is distinguished from secrecy, which results from the intentional concealment or withholding of information.1

Privacy will refer to the balance struck by society between an individual's right to keep information confidential and the societal benefit derived from sharing the information, and how that balance is codified into legislation giving individuals the means to control information about themselves.

"Privacy" can be viewed as a term with referential meaning; it is typically used to refer to or denote something. But "privacy" has been used to denote many quite different things and has varied connotations. As Edward Shils observed 20 years ago:

Numerous meanings crowd in the mind that tries to analyze privacy: the privacy of private property; privacy as a proprietary interest in name and image; privacy as the keeping of one's affairs to oneself; the privacy of the internal affairs of a voluntary association or of a business; privacy as the physical absence of others who are unqualified by kinship, affection or other attributes to be present; respect for privacy as the respect for the desire of another person not to disclose or to have disclosed information about what he is doing or has done; the privacy of sexual and familial affairs; the desire for privacy as the desire not to be observed by another person or persons; the privacy of the private citizen as opposed to the public official; and these are only a few.

Definitions of privacy may be narrow or extremely broad. One of the best known definitions of privacy is that set forth by Samuel Warren and Louis Brandeis in an 1890 article that first enunciated the concept of privacy as a legal interest deserving an independent remedy.
Privacy was described as "the right to be let alone."2 In spite of its breadth, this view has been influential for nearly a century.3 In the 1960s, 1970s, and 1980s, the proliferation of information technology (and concurrent developments in the law of reproductive and sexual liberties) has inspired further and more sophisticated inquiry into the meaning of privacy.4

In his work, Privacy and Freedom,5 Alan Westin conceived of privacy as "an instrument for achieving individual goals of self realization," and defined it as "the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others," approaching the concept in terms of informational privacy. W. A. Parent defined privacy in terms of information as "a condition of not having undocumented personal information about oneself known by others."6 In contrast, Ruth Gavison defines privacy broadly as "limited access in the senses of solitude, secrecy and anonymity." In her view, "privacy" is a measure of the extent to which an individual is known, the extent to which an individual is the subject of attention, and the extent to which others are in physical proximity to an individual. Her definition of privacy was to include:

. . . such "typical" invasions of privacy as the collection, storage, and computerization of information; the dissemination of information about individuals; peeping, following, watching, and photographing individuals; intruding or entering "private" places; eavesdropping, wiretapping, reading of letters, drawing attention to individuals, required testing of individuals; and forced disclosure of information.7

In Computers, Health Records, and Citizens Rights, Westin draws a clear distinction between the concepts of privacy and confidentiality in the context of personal information. Privacy is the question of what personal information should be collected or stored at all for a given social function.
It involves issues concerning the legitimacy and legality of organizational demands for disclosure from individuals and groups, and the setting of balances between the individual's control over the disclosure of personal information and the needs of society for the data on which to base decisions about individual situations and formulate public policies. Confidentiality is the question of how personal data collected for approved social purposes shall be held and used by the organization that originally collected it, what other secondary or further uses may be made of it, and when consent by the individual will be required for such uses. It is to further the patient's willing disclosure of confidential information to doctors that the law of privileged communications developed. In this perspective, security of data involves an organization's ability to keep its promises of confidentiality.

Allen notes the unsettled relationship between secrecy and privacy in the privacy literature. In her view, secrecy is a form of privacy entailing the intentional concealment of facts. She claims that it does not always involve concealment of negative facts, as is asserted by other privacy scholars.8 She points to the work of Sissela Bok, who defines secrecy as the result of intentional concealment and privacy as the result of "unwanted access."9 Since privacy need not involve intentional concealment, privacy and secrecy are distinct concepts. Privacy and secrecy are often equated because "privacy is such a central part of what secrecy protects." Bok viewed secrecy as a device for protecting privacy.10

Charles Fried also discusses the relationship between privacy and secrecy. He states that at first glance, privacy seems to be related to secrecy, to limiting the knowledge of others about oneself. He argues for refinement of this notion, stating that it is not true that the less that is known about us the more privacy we have.
He believes, rather, that privacy is not simply an absence of information about us in the minds of others; it is the control we have over information about ourselves. It is not simply control over the quantity of information abroad; it is the ability to modulate the quality of the knowledge as well. We may not mind that a person knows a general fact about us, and yet we feel our privacy invaded if he knows the details.11

1. Anita L. Allen, Uneasy Access: Privacy For Women in a Free Society (Totowa, NJ: Rowman & Littlefield, 1988), p. 24.
2. The term "the right to be let alone" was borrowed by the authors from the 19th century legal scholar and jurist, Thomas Cooley. See T. Cooley, Law of Torts (2d ed. 1888).
3. Allen argues that if privacy simply meant "being let alone," any form of offensive or harmful conduct directed toward another person could be characterized as a violation of personal privacy.
4. Anita L. Allen, op. cit., footnote 1, p. 7.
5. Alan F. Westin, Privacy and Freedom (New York, NY: Atheneum, 1967).
6. W. A. Parent, "Recent Work on the Conception of Privacy," American Philosophical Quarterly, vol. 20, 1983, p. 341.
7. Ruth Gavison, "Privacy and the Limits of Law," Yale Law Journal, vol. 89, 1980, p. 421.
8. Ibid.
9. Sissela Bok, Secrets: On the Ethics of Concealment and Revelation (New York, NY: Oxford University Press, 1984), p. 10.
10. Ibid.
11. Charles Fried, "Privacy," Yale Law Journal, vol. 77, 1968, p. 474, at p. 782.

SOURCE: Office of Technology Assessment, 1993, and cited footnotes.

---------------------------------

Box 1-B--Proposals for Medical Information Technology and Challenges to Privacy

Proposals for computer systems for collection and handling of medical information generally include online networked systems, as proposed by the report of the Institute of Medicine and the Workgroup for Electronic Data Interchange, and smart card systems, reportedly to be proposed in the report of the Administration Task Force on Health Care Reform.
While both approaches solve a variety of health care delivery, administration, reimbursement and, in some cases, privacy problems, they also present new privacy concerns.

Online Systems

The report of the Institute of Medicine, The Computer-Based Patient Record: A New Technology for Healthcare (hereafter referred to as "the IOM study"), and the report of the Workgroup for Electronic Data Interchange (hereafter referred to as the "WEDI Report") look toward integrated systems of electronic communication networks that would allow exchange, storage, and processing of health care information. Online networked systems would allow entities within the health care system to exchange information and process transactions with other entities in the industry, facilitate integration of patient information over time and from one care provider to another, improve data and data access available to researchers, and make research findings available to practitioners over medical information computer systems.

While acknowledging the benefits online systems provide, organizations involved in evaluating plans for computerization recognize the serious implications for privacy that are raised by use of computer databases linked electronically for information exchange. The WEDI report states that electronic technology threatens individual privacy, and that the ability to transmit data from one computer to another also enables violations of data integrity and security. The IOM study points out the concern about access from outside of computer systems by hackers. The report of the Work Group on Computerization of Patient Records notes the tremendous capacity to link data that computers provide, and that the same ability to link patient data by insurers and providers for legitimate purposes would also create opportunities for abuse. Concerns about data integrity reflect the possibility computers create for "invisible" modification, deletion or addition of data.
Smart Cards

A smart card is a credit card-sized device containing one or more integrated circuit chips, which perform the functions of a microprocessor, memory and an input/output interface. Proposals for use of smart cards have been of three major kinds: cards could be used as a means of access control; they could serve as a medium for storing and carrying the entire patient record; or they could combine the two functions by providing an access control mechanism while storing certain limited patient information. Proponents of smart cards argue that they provide the ultimate distributed system, so that individual patients can maintain their own medical records, and would be empowered with the ability to consent to any access to the data by authorization of access to the card. Real-time access to information would be available only with the consent of the patient, with the possible exception of emergency information. This system contrasts with the risk of computer network penetration whereby access could be gained to thousands of clinical records.

The system presents drawbacks, however, which may limit its ability to protect patient privacy. Current proposals for use of the cards for health care data suggest that the medical data reside solely on the card, but the card is useless if lost, damaged or forgotten. The proposed solution to the problem is the creation of a back-up database containing the patient information. Such a database would also address the concerns of medical researchers and accreditation organizations, whose need for aggregate data would not be well served by storage of medical records on individually held cards. Addressing these needs might require that the card serve as the patient's personal copy of his or her record, or function as an access control tool, but not be the sole source of patient information. A back-up database would present many of the same problems an online computerized system would.
Questions about who (insurers, researchers, public health agencies, financial institutions) would appropriately have access to information would remain, as well as concerns about abuse of the information by persons with proper access to the system. Computer banking of information with some unique identifier would occur, creating questions about linking of information, as well as the nature of the identifier.

In addition to these concerns, privacy advocates have voiced issues specific to smart cards themselves. Some have noted that, while the smart card allows for control over the information while it is in the patient's possession, it is entirely possible that the patient will not know the nature of the information he or she is carrying, so that concerns about patient access to information and informed consent would remain. They indicate uneasiness with a system of identification cards containing large amounts of personal information to be carried by individuals, and the implications such a system may have for a large-scale national identification card system.

SOURCE: Office of Technology Assessment, 1993.

-----------------------------------------------

Box 2-A--Instances of Health Care Information Abuse--United States

o While researching the life of a well known member of the film industry, a journalist entered a New York hospital disguised as a physician. The journalist obtained the actress' medical record and published that the actress had been treated for a sexually transmitted disease.

o While a prominent Washington politician was under consideration for a Federal Government post, researchers reviewed his personal data and found that 26 years earlier he had been admitted into a mental institution. Although details of his treatment were unclear, on the basis of the information he was eliminated from consideration for the post.
o A Colorado medical student provided medical records to attorneys practicing malpractice law, copying them in the medical records department at night and selling them to in-State and out-of-State attorneys for $50.00 each.

SOURCE: Comments of Peter Waegemann, Executive Director, Medical Records Institute, to the Conference on Health Records: Social Needs and Personal Privacy, Washington DC, Feb. 11-12, 1993.

* * * * *

o A researcher conducted two studies on tobacco and cancer and assured his research subjects that the information they provided would remain confidential. In a lawsuit not involving the researcher or the two institutions where the information is stored, American Tobacco and two other companies compelled the researcher by subpoena to provide the data. A court held him in contempt for failing to comply, though it noted that it would take more than 1000 hours to delete data identifying the study subjects.1

o In an article on emergency health care technologies, a local newspaper published details of B.J.R.'s wife's fatal illness. Despite B.J.R.'s distress, a court ruled that the newspaper was free from liability.2

o A physician was tested for the AIDS virus as part of a survey of health-care workers. Although the physician was promised confidentiality, the researcher disclosed the fact of her positive test result to her employer, the county hospital. The physician learned the results of her AIDS test through her employer.3

o An insurance company discovered that one of its agents had AIDS and terminated him without the 30-day notice required in its contract. The man died before recovering $16,000 in back pay through arbitration.4

o On the basis of parents' objections to reported curious remarks made by a school bus driver while driving children on his route, the school superintendent investigated the complaints and reported that as long as the driver followed his medical regimen there was little likelihood that his disorder would interfere with his work. The parents insisted on seeing complete medical reports on the driver, and in 1986 the State Supreme Court ruled that they were entitled to them.5

o A physician under contract with R. B.'s company discussed the individual's health condition with managers, in apparent violation of the company's rules on the confidentiality of employee information.6

1. Mount Sinai School of Medicine v. American Tobacco Co., 866 F. 2d 552 (2d Cir. 1989).
2. The Morning Call, Allentown PA, Nov. 19, 1982, Privacy Journal, victims file.
3. Associated Press story dated Jan. 2, 1990, New York Times, Jan. 24, 1990, p. B-3.
4. Privacy Journal, September 1987, p. 5.
5. Morgantown Dominion Post, Morgantown, WV, Nov. 13, 1989, p. 1; Privacy Journal, victims file.
6. Bratt v. IBM Corp., 785 F. 2d 352 (1986); Privacy Journal, May 1986, p. 6.

SOURCE: Robert Ellis Smith, with Eric Siegel, War Stories: Accounts of Persons Victimized by Invasions of Privacy, July 1990.

----------------------------------

Box 2-B--Investigation of Information Brokering--An International View

The Krever Commission

On Sept. 30, 1980, the Royal Commission of Inquiry Into the Confidentiality of Health Records in Ontario, Canada, headed by Mr. Justice Horace Krever (the Krever Commission), submitted its report about abuse of confidential health information. That report dealt with breaches of privacy in information maintained in both paper and computer record keeping systems. The Krever Commission found that the acquisition of medical information by private investigators without patient consent and through false pretenses was widespread.1 During a 14-month period, the Krever Commission heard from over 5000 witnesses, including private investigative firms, insurance companies, hospitals and others.
For the years 1976 and 1977, the Krever Commission found that there were hundreds of attempts made in Ontario to acquire medical information without consent from hospitals and physicians, and that over half of the attempts were successful. As a result of the Krever Commission's inquest, several investigative firms went out of business. So many insurance companies were found to have been using medical information obtained under false pretenses that the Insurance Bureau of Canada made a general admission to the Royal Commission that its members had gathered medical information through various sources without the authorization of the patient.

The Independent Commission Against Corruption of New South Wales

In 1992, the Independent Commission Against Corruption of New South Wales released its Report on unauthorized government information. According to the report, its investigation revealed a massive illicit trade in government information. Standard practice in this trade was to buy and sell government information, in some cases on a very large scale, for purposes of locating debtors and preparing for civil and criminal litigation. The most common sources for information were driver's license and motor vehicle registration, police records, government departments and agencies, and, in spite of criminal sanctions provided by the Social Security Act of New South Wales, information from the Department of Social Security. Principal participants included public officials of New South Wales, who sold information; insurance companies, banks and financial institutions that provided a market for information; and private investigators who acted as information brokers and retailers.2

1. For an explanation of the methods used by the Krever Commission to uncover these abuses, see Federal Privacy of Medical Information Act, S. Rept. 96-832, Part 1, 96th Cong., Mar. 19, 1980, pp. 24-26.
2. "Report on Unauthorized Release of Government Information," Publication of The Independent Commission Against Corruption, vol. 1, August 1992, Ian Temby, Commissioner.

SOURCE: Office of Technology Assessment, 1993 and cited footnotes.

-------------------------------------------

Box 2-C--Investigations of Information Brokering--The United States

The U.S. Social Security Administration

As part of its system modernization effort, the Social Security Administration (SSA) converted many of its files to online databases. As a result of these efforts, claims processing was vastly streamlined. While the SSA took steps to safeguard the records in this database, the new ease of access brought with it new threats to the confidentiality of records, a fact revealed in an investigation of suspected misconduct by SSA employees. The Office of the Inspector General (OIG) investigated 200 allegations of illegal disclosure of confidential information by Social Security Administration employees. The computerization of the files, making the information immediately accessible and vastly more systematized than paper files, coupled with the personal nature of the information housed in SSA records, made the records an attractive target for individuals attempting to obtain or authenticate information.

The OIG testified before the Subcommittee on Social Security and Family Policy that there has been an expansion in the number of "information brokers" who attempt to obtain, buy and sell SSA information to private companies, for their use in locating people or making decisions on hiring, firing, using or lending. As the demand for the information grows, brokers turn to increasingly illegal methods. In a case involving Nationwide Electronic Tracking (NET), a Florida based firm that promised "instant access" to "confidential data . . . 24 hours a day, 7 days a week," 23 individuals, including private investigators, department employees, and law enforcement officers, were indicted by Federal grand juries for buying and selling confidential information held in government computers. The information released included SSA earnings information, Social Security numbers, full names, dates of birth, names of parents, names of all current and past employers, salary information, and other nonpublic information. The investigation revealed that the government employees were allegedly bribed for access to the information, which was then sold.

The OIG identified three methods used by information brokers to obtain SSA information. First, the broker entered into a "contract" with one or more SSA employees, who sold earnings histories to the brokers for about $25 apiece. The brokers marked up the price to $300 or more. Brokers tended to set a fee schedule, depending on the type of information requested and how quickly it was needed. Second, brokers went through an entity that legitimately contracted with SSA to obtain earnings record information. These entities included private investigators, insurance companies, law enforcement personnel, attorneys, credit unions, and employment agencies. The contract holder furnished a forged Social Security number release form to the SSA office of central records operation, which then supplied the information within 6 weeks. A third scheme was "pretexting." This method, generally used by private investigators, involved calling an SSA office, claiming to be an SSA employee from another office where the computers were down. The employee was requested to obtain the information and read it over the phone. The investigator then wrote down the information and passed it to his client.

SOURCE: Statement of Larry D. Morey, Deputy Inspector General for Investigations, Department of Health and Human Services, in Hearings before the Subcommittee on Social Security and Family Policy, Feb. 28, 1992, S. Hearing 102-679, pp. 62-67.

-------------------------------------------------------

Box 2-D--Private Sector Computerization of Health Care Information

Medical Information Bureau

The Medical Information Bureau (MIB) was established in 1902 by a group of 15 life insurance companies and is now located in Westwood, Massachusetts. The object of the industry-supported MIB is to keep underwriting costs down by uncovering dishonest or forgetful applicants for insurance. MIB's stated purpose is to discourage fraud when companies are called on to write insurance for applicants with conditions significant to longevity or insurability. MIB acts as a medical and other risk information clearinghouse for member companies. About 700 U.S. and Canadian life insurance companies at 1,054 locations belong to MIB. According to MIB, its ranks now include virtually every major company issuing individual life, health and disability insurance in the United States and Canada.1 While MIB was set up by and for life insurance companies, a member of MIB can also access its file for health or disability insurance purposes if the member sells those products. Information about persons applying for individual health insurance through a member of MIB can be entered into MIB. Applications for individual insurance--health, life, or disability--carry an explanation about MIB. If an insurance company finds something in an applicant's history that could affect longevity, the member company must file a report with MIB about the applicant's insurability. A potential insurer may request an MIB check to see if past reports about the applicant have been filed by other companies; MIB makes about 22 million such checks each year for member insurers.
MIB's reports alert a potential insurer to omissions or misrepresentation of facts by an applicant. In principle, an applicant can refuse to allow his or her information to be communicated to MIB. The price of such a refusal to an applicant is usually refusal by the insurance company to process the application. MIB keeps its medical reports on patients for 7 years.

MIB stores its records in a specially coded format, which the company will not disclose to regulators, legislators, or consumer groups on the grounds that to do so would compromise the firm's confidentiality.2 (MIB did, however, make its code list, without numerical security codes, available to about six government organizations including the FTC on a proprietary, confidential and privileged basis.)3 MIB enters approximately 3 million coded records a year and has information on about 15 million persons in the United States. The basic identifiers are limited to the person's name, birthdate, birth-State, occupation, and a single letter, usually signifying residence in a multi-State region such as New England. Street or mailing addresses and telephone numbers are never included. Social Security numbers (SSN) presently are not included on MIB reports, but this may change.4 Information about applicants is encoded into a set of 210 medical categories and 5 nonmedical codes (e.g., hazardous sports, aviation activities, poor driving record) at the time an individual applies for medically underwritten life, health, or disability insurance from a member company. MIB does not validate the accuracy of the information. Not all information entered into MIB is negative information about an applicant, as normal results of tests are also submitted to MIB. For example, if an applicant has a previous record for high blood pressure, an entry might be made at a later date reflecting a normal blood pressure reading. Insurance claims made by individuals are not a source of records and codes for MIB.
According to MIB, the organization attempts to maintain a reasonable balance between a person's right to privacy and an insurer's need for protection against fraud or omission. Among the safeguards it has established to protect confidentiality is a computer system that is "exceptionally user unfriendly" to the 1000 terminals in its network. MIB verifies that reports are properly requested and transmitted, and it documents all access to MIB. According to MIB, its staff of 200 is educated as to expectations of confidentiality and is limited in its access to the MIB code book, to the computer room, and to the MIB database. Member companies of MIB must make an annual agreement and pledge to protect confidentiality, and are required to adhere to confidentiality requirements.

Any individual can inquire whether MIB retains a record on him or her. Individuals can inspect and seek correction of their own records. According to MIB, on average, 48,000 people request disclosure annually,5 and after reviews conducted by the insurers who originally sent the disputed information to MIB, about 400 records are corrected.6 MIB retains records on an individual for 7 years; if no additional reports come to MIB during that time, the record is purged.

MIB emphasizes that its reports are not used as the basis for a decision to reject an application or to increase the cost of insurance premiums. Actual underwriting decisions are based on information from the applicant and from medical professionals, hospital records, and laboratory results. In 12 States it is illegal under the National Association of Insurance Commissioners Insurance Information and Privacy Protection Model Act to make underwriting decisions solely on the content of an MIB record; the act also is adhered to by some insurers in States that have not enacted it.
Another deterrent to using MIB codes to deny coverage is the requirement that insurers disclose the basis for an adverse underwriting decision under the Federal Fair Credit Reporting Act (Public Law 101-50).

Physician Computer Network, Inc.

Physician Computer Network, Inc. (PCN) operates a national, interactive communications network linking its 2,000 office-based physician members to a variety of healthcare organizations including hospitals, clinical laboratories, Medicare/Medicaid intermediaries, Blue Cross/Blue Shield providers, managed care providers, insurance carriers, and pharmaceutical companies. For a yearly fee of approximately $3,000, PCN provides member physicians with software, peripherals, computer hardware (an IBM Personal System/2 Model 30 for the physician and a PS/2 Model 80 running Unix as the server), installation, computer training, maintenance, and telephone support for the system. The PCN system then acts as a computer gateway link with financial management services (including patient and insurance billing and receivables), office management and administration (including word processing and scheduling), a relational database manager (managing medical records, patient charts and prescriptions), practice analysis reports, interfaces with hospitals and laboratories, and electronic claims processing. In return for these services, the physician pays the relatively modest enrollment and rental fees, and agrees to watch certain promotional/educational materials, keep patient records on the system, and allow the aggregate clinical data to be used by PCN for some time in the future, for commercial purposes (see figure 2-D-1).

The PCN Electronic Communications Data-Link Service attempts to ease the burden of rising administrative costs by providing "point-to-point" electronic insurance claims processing for physicians in the New York State, Alabama and New Jersey areas.
PCN plans to expand this electronic claims processing capability to Pennsylvania, Georgia, Florida and California.

The PCN Clinical Database and Market Research/Medical Information Services has been the subject of some controversy. PCN has investigated and planned for the development of a database for the purpose of providing market-related clinical data and information relevant to the office-based physician's activities and clinical trends. Under its agreement with physician members, PCN can electronically access anonymous, aggregate clinical data from the practice's databases, and can use or sell this data to market research providers, information services and other organizations. According to PCN's 1991 Annual Report, "[u]nlike drug prescription databases derived from other sources, such as wholesaler, pharmacy and mail order prescription services, the database available to PCN consists not only of prescription information, but also includes diagnoses, treatments and procedures, as well as patient and practice demographics." PCN sees its end users of the PCN-sourced data products as pharmaceutical manufacturers, insurance companies, health maintenance organizations and other health care institutions.

By virtue of the Physician Member Agreement, entered into by the physician member and PCN, PCN has the right to market the anonymous, aggregate clinical data contained in the databases of its physician members. In anticipation of marketing this data in the future, PCN has implemented internal security and has engaged the services of a certified public accounting firm to certify that the data PCN retrieves remains anonymous. PCN also is investigating the possibility of establishing a Confidential Data Intermediary (CDI) to act as guarantor that aggregate data is, in fact, anonymous.

PCS Health Systems, Inc.
PCS Health Systems, Inc., is a managed prescription drug care company, which processes payments for companies that give their employees a PCS insurance card to present at pharmacies. In doing so, PCS looks at 120 million prescriptions a year. Ninety-five percent of pharmacies are online with PCS. These pharmacies agree to PCS participant standards, and range from large chain stores to individually owned ones. PCS does not engage in its own underwriting; rather, PCS' customers are third-party payers with prescription drug benefit programs. PCS processes claims for these third-party payers. The PCS system involves a card system for identification and for establishment of eligibility and level of benefits. At the time the card is presented at the pharmacy, the claim is processed and any co-payment is collected. Records of these transactions are maintained to provide for drug utilization and review, and certain information is aggregated, "sterilized" and used for marketing and academic purposes.

According to PCS, the entire database is sold to PDS, a division of Walsh America, a medical information collector, without patient names or social security numbers.7 According to Walsh, patient information is frequently compiled for pharmaceutical market research purposes. Studies to view patient compliance, drug concomitancy and demographics are vital to the market research needs of many pharmaceutical companies and drug researchers.8 In none of these studies is it important to know or personally identify the patient. The need is only to be able to match prescriptions to a "unit of observation" without any means of specific identity. Walsh claims that it will only accept and use patient/drug data when the information is provided in a form in which the patient cannot be identified.

In order to address the question of confidentiality in patient data, PCS issues a Data Security Manual that includes a "PCS Employee Data Security Agreement," which is signed by PCS employees. Violation of this agreement to comply with the guidelines stated in the Data Security Manual may be cause for disciplinary action. The Data Security Manual sets forth the purpose of the data security policies and procedures as the minimization of exposures to data and data processing resources due to errors, purposeful acts and disasters resulting in loss of assets or service to customers. It establishes a data security administration, which is responsible for, among other things, administration and control of security software systems; establishment and maintenance of the PCS corporate security policy and manual; monitoring and reporting violations of data and physical security; establishing and maintaining data security standards and procedures, password management guidelines, and access rules detailing who has access to which datasets/transactions; and participation in the development of automated applications, providing data security guidance where needed. The Manual discusses the separation of functions between the Information Security Department and the user organizations, as well as within the Information Security Data Department. PCS sets forth access and security standards, including provisions for physical security, access to hardware, access to files and access to documentation. The manual also discusses policies regarding passwords, logon IDs, automatic cancellation of terminals after 15 minutes of nonuse, investigation of attempted violations to access unauthorized data, and shredding of hardcopy.

1. MIB, Inc., A Consumer's Guide, Publication of the Medical Information Bureau, November 1990, p. 5. However, Blue Cross and Blue Shield do not belong to MIB.
2. Simson L. Garfinkel, "From Database to Blacklist," The Christian Science Monitor, Aug. 1, 1990, p. 12.
3. Neil Day, President, MIB Inc., personal communication, April 1993.
4. MIB, Inc.: A Consumer's Guide, publication of the Medical Information Bureau, p. 6. However, MIB states that, after further study, use of the Social Security number has become less likely.
5. Michael Day, President, MIB, Inc., personal communication, April 1993.
6. According to MIB, the company is required to change records that are not correct under the Fair Credit Reporting Act. Ibid.
7. PCS had originally developed a policy, at a time when PDS was a PCS subsidiary, of transmitting the database to PDS with social security number included, with PDS encrypting the numbers before transmitting the data to any third party. A Wall Street Journal article, published Feb. 27, 1992, asserts that this policy was employed at that time. PCS comments on this situation further that when the Wall Street Journal article was published, PDS was independent of PCS but was located physically on PCS premises. However, according to PCS, the data processing functions of both organizations were performed on the same hardware as an integrated operation. While technically the responsibility for encrypting the data remained with PDS, even after it was no longer a subsidiary of PCS, the procedure was so automated and the process so fully integrated between the two organizations that as a practical matter PDS staff were not even aware that they were receiving unencrypted data. When PDS and PCS became aware of this situation, the technical responsibility for data encryption was reassigned to PCS. PDS, as of October 1992, no longer occupies space at the PCS site, and the data processing operations of the two firms are separate. Stephan E. Chertoff, Director, Government Relations, PCS Health Systems, personal communication, April 1993.
8. "Doctors' and Pharmacies Files are Gathered and Mined for Use by Drug Makers," The Wall Street Journal, Feb. 27, 1992, p. A1.

SOURCES: Jerry Brager, Chairman and Chief Executive Officer, Physician Computer Network, Inc., personal communication, January 1993, and PCN documents; Stephan Chertoff, PCS Health Systems, Inc., personal communication, February 1993; and cited footnotes.

-------------------------------------------------------

Box 2-E--Development of the Right to Privacy in Information

Although a right to privacy is not set forth in the Bill of Rights, the Supreme Court has protected various privacy interests. The Court has found sources for a right to privacy in the First, Third, Fourth, Fifth and Ninth Amendments. The concept of privacy as a legal interest deserving an independent remedy was first enunciated in an article co-authored by Samuel Warren and Louis Brandeis in 1890,1 which describes it as "the right to be let alone."2 Since the late 1950s, the Supreme Court has upheld a series of privacy interests under the First Amendment and due process clause, for example, "associational privacy,"3 "political privacy,"4 and the "right to anonymity in public expression."5

The Fourth Amendment protection against "unreasonable searches and seizures" also has a privacy component. In Katz v. United States, the Court recognized the privacy interests that protected an individual against electronic surveillance. But the Court cautioned that:

    . . . the Fourth Amendment cannot be translated into a general constitutional "right to privacy." That Amendment protects individual privacy against certain kinds of governmental intrusion, but its protections go further and often have nothing to do with privacy at all. Other provisions of the constitution protect personal privacy from other forms of governmental invasion.6

The Fifth Amendment protection against self-incrimination involves a right to privacy against unreasonable surveillance or compulsory disclosure.7 Until Griswold v. Connecticut, 381 U.S. 479 (1965), any protection of privacy was simply viewed as essential to the protection of other more well-established rights.
In Griswold, the Court struck down a Connecticut statute that prohibited the prescription or use of contraceptives as an infringement on marital privacy. Justice Douglas, in writing the majority opinion, viewed the case as concerning "a relationship lying within the zone of privacy created by several fundamental constitutional guarantees," i.e., the First, Third, Fourth, Fifth and Ninth Amendments, each of which creates "zones" or "penumbras" of privacy. The majority supported the notion of an independent right of privacy inhering in the marriage relationship. Not all agreed with Justice Douglas as to its source; Justices Goldberg, Warren, and Brennan preferred to locate the right under the Ninth Amendment.

In Eisenstadt v. Baird, 405 U.S. 438 (1972),8 the Court extended the right to privacy beyond the marriage relationship to lodge in the individual:

    If the right of the individual means anything, it is the right of the individual, married or single, to be free from unwarranted governmental intrusion into matters so fundamentally affecting a person as the decision whether to bear or beget a child.

Roe v. Wade, 410 U.S. 113 (1973),9 further extended the right of privacy "to encompass a woman's decision whether or not to terminate her pregnancy." The Court argued that the right of privacy was "founded in the Fourteenth Amendment's concept of personal liberty and restrictions on State action." The District Court had argued that the source of the right was the Ninth Amendment's reservation of the right to the people.
In the earliest case that raised the issue of the legitimate uses of computerized personal information systems, the Supreme Court avoided the central question of whether the Army's maintenance of such a system for domestic surveillance purposes "chilled" the First Amendment rights of those whose names were contained in the system.10 In two cases decided in 1976, the Court did not recognize either a constitutional right to privacy that protected erroneous information in a flyer listing active shoplifters11 or one that protected the individual's interests with respect to bank records.12 In Paul v. Davis, the Court specified areas of personal privacy considered "fundamental":

    . . . matters relating to marriage, procreation, contraception, family relationships, and child rearing and education.

Davis' claim of constitutional protection against disclosure of his arrest on a shoplifting charge was "far afield from this line of decisions," and the Court stated that it "declined to enlarge them in this manner."13 In United States v. Miller, the Court rejected Miller's claim that he had a Fourth Amendment reasonable expectation of privacy in the records kept by banks "because they are merely copies of personal records that were made available to the banks for a limited purpose," and ruled instead that "checks are not confidential communications but negotiable instruments to be used in commercial transactions."14

1. Warren & Brandeis, The Right to Privacy, 4 Harvard Law Review, 193 (1890).
2. The term "the right to be let alone" was borrowed by the authors from the 19th century legal scholar and jurist Thomas Cooley. See T. Cooley, Law of Torts 29 (2d ed. 1888).
3. NAACP v. Alabama, 357 U.S. 449 (1958).
4. Watkins v. United States, 354 U.S. 178 (1957), and Sweezy v. New Hampshire, 354 U.S. 234 (1957).
5. Talley v. California, 362 U.S. 60 (1960).
6. Katz v. United States, 389 U.S. 347, 350 (1967).
7. See Escobedo v. Illinois, 378 U.S. 478 (1964); Miranda v. Arizona, 384 U.S. 436 (1966); and Schmerber v. California, 384 U.S. 757 (1966).
8. In which the Court struck down a Massachusetts law that made it a felony to prescribe or distribute contraceptives to single persons.
9. In which the Court struck down the Texas abortion statute.
10. Laird v. Tatum, 408 U.S. 1 (1972).
11. Paul v. Davis, 424 U.S. 693 (1976).
12. United States v. Miller, 425 U.S. 435 (1976).
13. Ibid., p. 713.
14. U.S. v. Miller, 425 U.S. 435, 442 (1976). In response to this decision Congress passed the Right to Financial Privacy Act of 1978 (Public Law 95-630), providing bank customers with some privacy regarding records held by banks and other financial institutions and providing procedures whereby Federal agencies can gain access to such records.

SOURCE: U.S. Congress, Office of Technology Assessment, Federal Government Information Technology: Electronic Record Systems and Individual Privacy, OTA-CIT-296 (Washington D.C.: U.S. Government Printing Office, June 1986).

--------------------------------------------

Box 2-F--Recordkeeping and Information Flow In Health Care Data

Medical recordkeeping usually begins with an individual patient's personal physician, hospital, health center, or clinic. Traditionally, record keeping in the office of the physician has varied depending on medical philosophies, the nature of the medical practice, and the idiosyncrasies of the physician; some physicians use their office records only to jog their memories about the social and medical characteristics of the patients, while others may keep records that are very detailed in descriptions, diagnosis, and treatment. Participation in a group practice may affect the physician's habits of record keeping, since there is likely to be a greater need for clear communication between physicians in the group responsible for the patient's care.
Psychiatrists, psychologists, and psychotherapists in private practice vary in the amount of detail they include in the patient record, from very detailed records, including notes of physical ailments, to coded shorthand notes, to no written record at all. Among the physician's considerations in determining the manner in which he or she keeps records are the requirement of insurance companies to justify payment for services and public reporting requirements under State statutes. In addition to the need for records to comply with government requirements that the incidence of certain communicable diseases, child abuse and neglect, and accidental and industrial deaths be reported, physicians must keep a record of their prescriptions for certain narcotics and controlled substances. The increase in filings of malpractice suits has led to the practice of "defensive medicine," the ordering of tests and consultations so that the record will show the doctor undertook all reasonable measures. This practice is reflected in office records, which as a result are a prime source of information about the quality of care.

The medical records kept by hospitals about admitted patients may include identifying information, x-ray films, EKG and lab test results, daily observations by nurses, physical examination results, diagnoses, drug and treatment orders, progress notes and post-operative reports from physicians, medical history secured from the patient, consent forms authorizing treatment or the release of information, summaries from the medical records of other institutions, and copies of forms shared with outside institutions for insurance purposes.
Medical records may also include impressions of mental abilities and psychological stability and status; lifestyle information or suppositions, including sexual practices and functioning; dietary habits; exercise and recreational activities, including dangerous ones life insurers would want to know about; religious observances and their impact on treatment decisions; alcohol and drug use; and comments on attitudes toward illness, physicians, treatments, compliance with therapy and advice, etc. Staff comments about the patient's character or demeanor are sometimes included in the record.

In addition to the central record, files may be maintained in several departments of a hospital, including such departments as social service, billing, and pharmacy. Information kept in one such file may also be of relevance in another, so that the patient's hospital record becomes several different files that may overlap and are often maintained in separate places.

Hospital records are subject to both internal and external review. In instances such as Medicaid or Medicare, where Federal money is disbursed for health care, Federal regulations require the establishment of a Professional Review Organization (PRO) to determine that facilities and professional services are used properly.1 Medical records play a central role in this process. Local and State agencies also conduct hospital reviews. The Joint Commission on Accreditation of Health Care Organizations makes considerable use of patient records when reviewing hospital facilities and procedures. That organization sets standards for hospital accreditation, requires that standard nomenclature be used in diagnoses, and requires that records contain information sufficient to justify a diagnosis and to warrant the choice of treatment and outcome. Thus, like private practitioners' records, hospital records are used for insurance, both private and governmental, for protection against malpractice claims, and for quality assurance.
Hospitals are also subject to the same public reporting requirements as private physicians: communicable disease, law enforcement, child abuse, controlled substance prescriptions, and birth and death certificates.

Third-Party Payers and Health Care Reviews

Medical records are used by those who pay for medical care--third-party payers--both private insurance companies and government programs such as Medicare and Medicaid. Groups and government agencies that review individual medical records as part of their attempt to analyze the quality of medical care, and to determine whether hospitals and other health providers are in fact delivering the health care for which they are being reimbursed, also have access to medical records.

Third-party payers, whether government agencies or private companies, require positive identification of the patient and of what medical services he or she received. Without this basic information, claims for benefits or reimbursement are not honored. Frequently, third-party payers require more than this basic information to protect themselves against fraud by the patient or by the health care provider. Private companies may also collect medical information and other personal data in advance of granting insurance coverage (underwriting) to make sure that the individual is an appropriate financial and medical risk. The three types of information generally collected by the third-party payor from the patient record are:

1. patient identification, including name, address, name of subscriber, relationship of patient to subscriber, patient's occupation and employer, age, sex, and identifying number;
2. clinical information, including attending physician, referring physician, description of accident or illness, description of operations or medical procedure, dates of service, and final diagnosis and complications; and
3. financial information, including length of stay, charge per day, and accommodations.
Hospitals and outside monitoring agencies attempt to determine how the hospital's facilities are being used by means of utilization review. Quality care assurance involves examining whether the treatment prescribed for the patient is appropriate, and whether the actual delivery of that treatment meets professional standards. Hospitals carry out these kinds of reviews in order to plan the most efficient use of their facilities at the lowest costs. Third-party payers engage in these examinations to control health care costs and to assure that good quality medical care is delivered.

Among the kinds of utilization reviews carried out is that of the Joint Commission on Accreditation of Hospitals, which reviews hospital performance to make sure that hospitals meet certain professional standards. State and local agencies responsible for monitoring hospitals supervise sanitary facilities and compliance with building, fire, and safety codes, as well as costs, procedures, and length of stay. Professional review organizations, physician-staffed and -directed commissions under the aegis of State medical societies, are designed to detect fraud and misuse of facilities by health care providers and to assure that proper standards of care are secured under public funds.

Secondary Users of Personal Medical Data

The power of computers to facilitate gathering, exchanging, and transmitting data could spur increased demands for use of medical information beyond the more traditional uses described above. Secondary users of personal health care data are parties that use medical records for purposes not directly involved in providing health care, paying for it, or assuring its proper delivery. Rather, such information is obtained for various business or governmental purposes.
Among these secondary users are life and auto insurers, employers, licensing agencies, public health agencies, the media, medical researchers, educational institutions, and rehabilitation and social welfare programs. The flow of information to these parties in some cases affects people's lives in very direct ways, determining whether they are hired or fired, whether they can secure business licenses and life insurance, whether they are permitted to drive cars, and whether they are placed under police surveillance or labelled as security risks. Medical records are also used in civil and criminal judicial proceedings, and in quasi-judicial proceedings such as disability hearings, probation hearings, and workmen's compensation reviews. Protection of privacy in computerized medical information also involves the responsibilities of these secondary users in maintaining confidentiality in the information.

As discussed earlier, medical records are used to comply with public health reporting requirements. Law enforcement sees patient medical records as a resource in solving cases. Medical records are maintained as part of school records, and medical research has long been viewed as a worthwhile reason to allow access to personal medical information (figure 2-F-1). Computers may well force society to make clear value choices about to whom this information is made available. Security measures such as audit trails allow for the enforcement of these decisions.2

1. The Social Security Act, Sections 1151-64.
2. Alan Westin, Professor of Public Law and Government, Columbia University, personal communication, February 1993.

SOURCE: Alan F. Westin, Computers, Health Records, and Citizen Rights, National Bureau of Standards Monograph 157 (Washington, DC: U.S. Government Printing Office, 1976).
--------------------------------------------
Box 3-A--The French System: A Smart Card Approach

The French Social Security System and the Health Insurance Scheme

The French Social Security system was established shortly after World War II and was designed to work on the basis of mutual cooperation between all beneficiaries. The compulsory Health Insurance scheme is administered by employers and representatives of workers subscribing to the system. The Social Security system, which is financially independent from the State, draws its resources from contributions paid by people insured and their employers. These contributions are calculated according to earnings. The Health Insurance branch of the Social Security system performs two main roles:

1. It reimburses most health charges incurred by French workers and their families. Presently someone requiring medical treatment can expect to have about 75 percent of his ambulatory care bills reimbursed by Social Security.
2. The Social Security System provides a guaranteed income for people unemployed for medical reasons.

In addition to belonging to the statutory, compulsory Social Security system, the French are often covered either by complementary health insurance contracts negotiated by their employers with nonprofit mutual insurance companies, or by contracts with private health insurance companies. This enables the patient, once Social Security has reimbursed him or her about 75 percent, to recover part or all of the remaining 25 percent. Approximately 80 percent of the population has supplementary private or nonprofit health insurance. Although there are only three major compulsory health insurance schemes in France, there are over 10 thousand complementary insurance organizations.

Growth in Health Expenditures and Information Flows

Transfer of information and communication between all the public and private health professionals and institutions in this sector is increasing rapidly.
The exchange of medical and administrative data between patients and the Social Security Organization, nonprofit insurance companies (known as mutuelles), and private insurance companies shows a similar trend. The Health Insurance branch of the Social Security System in 1989 processed 760 million paper health care reimbursement claims. In its efforts to reduce the cost of health care, the government is attempting at the same time to preserve the fundamental principles of the French health service: free choice of health services for patients; free choice on the part of doctors as to methods, conditions, and areas in which to establish medical practice; and respect for the confidentiality of medical information and the protection of individual rights. The Health Professional Card (discussed below) was designed to assist in this effort.

Card Systems

SESAM/VITALE PROJECT of the Social Security Organization

Among experiments involving the use of smart cards, the Social Security Organization's SESAM/VITALE is a system aimed at replacing the Social Security insurance paper card (45 million are issued every year), as well as the 800 million reimbursement claim forms processed per year, with a microchip card called VITALE, a "portable family administrative file." All paper transactions will be replaced by electronic information transfers. The essential purpose of the SESAM/VITALE project is to improve the quality of administrative services and to reduce costs. As of 1992, 300,000 cards have been issued in the SESAM/VITALE Project.

MUTUSANTE CARD of the Mutuelle Medicale et Chirurgicale des Alpes

Mutusante is issued by the Alpes Surgery and Medical Mutuelle in Digne.
In 1987 the Mutuelle decided to launch a smart card project with the following objectives in mind:

o simplifying and reducing administrative procedures;
o replacing financial paper transactions by electronic transfers between the different organizations; and
o allowing prepaid health care services for drugs and laboratory work.

The card contains personal identification, identification of all members of the family and their insurance coverage, the rights, and dates of validation. By the end of 1992, 50,000 cards were distributed in this program.

Carte Sante of the Federation des Mutuelles de France (SMS)

The aim of this project, now being implemented in various sites throughout France, is to offer new services to members of the Mutuelle and to establish a new partnership with health professionals in offering new services, particularly financial ones. In this program, 250,000 cards have been issued. The card contains:

1. Social Security and Mutuelle rights;
2. bank references to allow for deferred payment;
3. an emergency zone with emergency data, permanent data such as blood group and missing organs, and variable data such as pregnancy, special treatments, etc.;
4. a surveillance zone listing illnesses and periodic examinations, their dates and locations, and regular check-ups; and
5. a preventive zone including the work environment with its specific risks and genetic factors.

Updating of the card is possible at the doctor's office or at any branch of the Mutuelle.

SANTAL CARD of the Centre Hospitalier de Saint-Nazaire

The Santal system was first tested in 1987 in the Saint Nazaire area of France and was developed in close collaboration with members of the medical profession. Thirty-two thousand patients as well as hundreds of health professionals and employees are now involved. Four public hospitals, 4 private clinics, and 11 laboratories and health insurance companies are also participating in the project.
The aims of the project are to facilitate reception of patients at medical facilities, to provide easier communication between hospital services, and to optimize use of hospital and medical resources. The Santal card includes an administrative section concerning the personal identification and health insurance affiliation, the names of the doctor and of persons to be alerted in case of an emergency; a medical segment used as an alert to significant surgeries, in-patient hospitalizations or out-patient diagnoses, drug treatments, previous hospital stays, dates of admission, etc.; and data concerning blood groups, nurses' files, and prescription information.

DIALYBRE CARD of the Fondation de L'Avenir

Dialybre is a project supported by the French mutuality organizations, with the purpose of increasing patient autonomy and mobility, and keeping medical information current. The early pilot study was launched in 1988. The system consists of a smart card, used as a hand-portable, minimum medical file given to every patient with terminal renal failure treated by hemodialysis. Patients undergoing hemodialysis are free to travel from center to center for treatment. The Dialybre Card carries the minimum data records concerning the care given to the patient. By the end of 1992, 6,000 cards were in use in this program.

CARTE DU PROFESSIONNEL DE SANTE (Health Professional Card)

The French see the use of a "Health Professional Card" as the key to promoting coherent communication and security between all the different health information systems (patient smart card systems as well as traditional medical information systems), while at the same time respecting the autonomy of various participants in the system in making management decisions. The Health Professional Card is a smart card designed to give nationwide identification of health care professionals, to be used as a single access key to all the medical and social security data systems.
It is issued in partnership between the Ministry of Health and Social Security, professional unions, and all the sector's organizations. It has been conceived by representatives of the professions (doctors, pharmacists, nurses, dentists, midwives, etc.) and will be issued to France's health professionals. The Health Professional Card is a portable data support tool permitting the holder to identify himself or herself, to state his or her professional qualifications, to read and/or write medical information from medical files or health cards according to their status and qualification within the health care system, and to sign electronically the medical information put into the patient card or database. It is seen by some as a sort of "box" of safety measures for the broader smart card system for health care, providing a source for identification, authentication, certification, electronic signature, and encryption. The Health Professional Card, it is believed, allows for integration of a variety of computerized information sources only by appropriate persons. At the same time, these databases can remain decentralized, which many believe is imperative to maintaining the confidentiality of the data contained in them. Approximately 1.3 million health professionals are expected to be issued cards.

While planning for the implementation of this technology, the French Ministry of Social Affairs and Health has also been working with its partners to determine laws and regulations to permit the implementation and use of this technology. The challenge is to balance legal, institutional, technical, administrative, and social demands to provide computerized health services.

SOURCE: Elsbeth Monod, Mission Carte Communication Sante, International Relations, French Ministry of Social Affairs and Health, 1992.
--------------------------------
Box 3-B--International Examples of Health Care Applications for Smart Cards

Since the mid-1980s, approximately 100 pilot projects using smart cards for medical purposes have been initiated internationally. Applications for smart cards in health care can be classified in two major categories: cards with administrative data and cards with clinical data. International pilot projects have tested various applications.

Identification and social security card: replaces an existing paper insurance card for identification of the patient and his or her claim.

Health pass: replaces an existing paper health card for patients who need intensive care in a particular phase of their lives (mother-child pass, senior citizen pass, health examination pass).

General patient card: a patient health card on which the patient's medical record is stored; the primary aim is to improve the information flow within the entire health service.

Blood type card: replaces an existing paper blood group card.

Emergency card: replaces an existing paper identification card of an accident patient and provides the immediate availability of emergency data.

Work or sports medical card: replaces or introduces a card for a particular group of people who are under permanent medical supervision or who are exposed to special risks.

Risk group card: introduces a specialized patient card for patients with chronic pathologies requiring long-term treatment or medication.

Laboratory or pharmacy card: a card facilitating communication between the prescribing doctor and the laboratory or pharmacist, as a means of conveying accurate information.

Payment or accounting card: a card that rationalizes accounting and cost refunding and facilitates financial transactions.

SOURCE: Claudia Wild and Walter Peissl, "Patient Cards: An Assessment of a New Information Technology in Health Care," IT in Medicine, Project Appraisal, vol. 7, No. 2, June 1992, pp. 68-74.
----------------------------------------------
Box 3-C--Standards Development Efforts

Among the groups developing standards for health care information systems in the areas of communication protocols and the characteristics of information collection and use are the Institute of Electrical and Electronics Engineers (IEEE), the American Society for Testing and Materials (ASTM), the International Standards Organization (ISO), and Health Level 7 (HL7), the only standard currently being implemented by vendors. To facilitate the establishment of such standards, the American National Standards Institute has established a Healthcare Informatics Standards Planning Panel (HISPP). Its charter is to set forth standards for:

1. health care models and electronic health care records;
2. the interchange of health care data, images, sounds, and signals within and between organizations/practices;
3. health care codes and terminology;
4. the communication with diagnostic instruments and health care devices;
5. the representation and communication of health care protocols, knowledge, and statistical databases;
6. privacy, confidentiality, and security of medical information; and
7. additional areas of concern or interest with regard to health care information.1

The planning panel coordinates the work of the standards groups for health care data interchange and other relevant standards groups toward development of a unified set of standards that are compatible in International Standards Organization (ISO) as well as non-ISO communications environments. The ANSI HISPP coordinates organizations and committees that develop standards, but does not write standards or make technical determinations, leaving this function to the accredited standards development organizations and committees. Those interested in the development of these standards are encouraged to enter into this discussion, thus fostering cooperation and coordination.
Voting membership in the ANSI HISPP consists of private companies, government agencies, individual experts, and other organizations. The membership is classified by interest groups, e.g., users, producers, professional and trade associations, government agencies, and standards developers. ANSI HISPP acts on the basis of a majority vote of the full voting membership, either at a meeting with a quorum present, or by letter ballot.

1. American National Standards Institute, Healthcare Informatics Standards Planning Panel (HISPP), "Charter Statement," Revised September 1992.

SOURCE: The American Health Information Management Association, 1992.

-----------------------------------------------
Box 4-A--Model Codes for Protection of Health Care Information

Proposed codes, model statutes, and legislation enacted to protect privacy in health care information are largely based on principles of fair information practices. The following briefly summarizes the purpose and applicability of major initiatives relied on in this chapter to address features of health care information privacy legislation. The complete text of the initiatives is included in Appendix B.

Chapter 1751 of the Massachusetts State Code--Insurance Information and Privacy Protection

Massachusetts law regarding information practices and protection of privacy in insurance information is based in large part on model rules proposed by the National Association of Insurance Commissioners (NAIC). While several States have adopted the NAIC rules, Massachusetts law provides an even higher level of protection than that provided by the NAIC model. While this law was drafted specifically to address the problems of life, health, and disability insurance information, many of the definitions, principles, and provisions are equally applicable to providing privacy protection for health care information generally.
Ethical Tenets for Protection of Confidential Clinical Data

The Ethical Tenets focus directly on maintenance of the clinical data in a computerized environment.1 While these Tenets have not been enacted into law in any jurisdiction, like the ethical codes discussed in chapter 2 they set forth guidelines that may serve as a model for legislation. In particular, the Tenets attempt to delineate what is subject to protection and what is meant by the requirement to maintain information in strict confidence. They address in some detail the issues of informed consent, patient access to his or her medical record, and patient education about the record-keeping process. In addition, they suggest a regulatory scheme to assure that proper confidentiality and security procedures are established and maintained, using internal and external oversight groups. Unlike the more general approach of the Privacy Act, the Ethical Tenets speak directly to specific concerns encountered in the area of health care information. However, the Tenets have never had the force of law in any jurisdiction.

Uniform Health Care Information Act

The Uniform Health Care Information Act (UHCIA) has been enacted in Montana and Washington, and addresses at the State level concerns about privacy in medical information. It does not, however, focus specifically on the problems presented by computerization of this information. Many of the provisions of the UHCIA are applicable in either a computerized or a noncomputerized environment. The provisions of this act are limited, however, to providers and hospitals in a relationship with the patient. It does not address secondary uses of health care information.
The American Health Information Management Association's Health Information Model Legislation Language

Draft model language has been proposed by AHIMA to address concerns about movement of patients and their health care information across State lines, access to and exchange of health care information from automated data banks and networks, and the emergence of multi-state health care providers and payors. It is based on the patients' need to access their own health care information and the need for clear rules about disclosure of that information. The model language also addresses proper use and disclosure of health care information by secondary users. It specifically sets forth its standards for information practices, incorporating principles of the patient's right to know, restrictions on collection and use only for lawful purpose, notification to patient, restriction on use for other purposes, right to access, and required safeguards. However, it provides for no oversight or enforcement mechanism for the system.

1. The Ethical Tenets were developed by a Joint Task Group on Confidentiality of Computerized Records, created in 1968. Dr. Elmer Gabrieli chaired the Task Group. When the work was completed, the Medical Society of the State of New York approved the proposal, and it remains the official guideline for the medical profession in the State of New York. Elmer Gabrieli, personal communication, April 1993.

SOURCE: Office of Technology Assessment, 1993, and cited footnotes.

------------------------------------------
Box A-1--The CLIPPER Chip

On April 16, 1993, the White House announced a new initiative to create encryption technology that can be used to protect proprietary information, and the privacy of personal phone conversations and electronically transmitted data. The technology is also aimed at preserving the ability of Federal, State, and local law enforcement agencies with legal authorization to conduct a wiretap to intercept phone conversations.
The system involves establishment of a "key-escrow" system, in which each device containing the chip will have two unique "keys" to decode messages encoded by the device. When the device is manufactured, the two keys will be deposited separately in two "key-escrow" databases that will be established by the Attorney General. Access to these keys would be limited to government officials with legal authorization to conduct a wiretap.

As of this writing, public debate about the technology involved in the CLIPPER Chip, as well as about the legal implications of implementing such a system, continues. However, the National Institute of Standards and Technology has released the following information about the CLIPPER Chip:

The CLIPPER Chip was developed by the National Security Agency. It is a hardware-oriented cryptographic device that implements a symmetric encryption/decryption algorithm and what is referred to as a "law enforcement satisfying" key escrow system. While the key escrow system is not yet completely designed, the cryptographic algorithm (called SKIPJACK) is complete as of this writing (and classified SECRET). According to the information provided by NIST, the cryptographic algorithm has the following characteristics:

1. symmetric, 80-bit key encryption/decryption algorithm;
2. similar in function to the Data Encryption Standard (DES);
3. 32 rounds of processing per single encrypt/decrypt operation; and
4. design started by NSA in 1985; evaluation completed in 1990.

The CLIPPER chip is just one implementation of the cryptographic algorithm. The CLIPPER Chip designed for the AT&T commercial secure voice product has the following characteristics:

1. functions specified by NSA; logic designed by MYKOTRONX; chip fabricated by VLSI, Inc.; manufactured chip programmed (made unique) by MYKOTRONX for security equipment manufacturers willing to follow proper security procedures for handling and storage of the programmed chip;
2. reportedly resistant to reverse engineering, even against a sophisticated, well-funded adversary;
3. 15-20 megabit per second encryption/decryption, constant throughput once cryptographic synchronization is established with the distant CLIPPER Chip;
4. the chip programming equipment writes (one time) the following information into a special memory (called VROM or VIA-Link) on the chip:
   a. (unique) serial number
   b. (unique) unit key
   c. family key
   d. specialized control software
5. upon generation (or entry) of a session key in the chip, the chip performs the following actions:
   a. encrypts the 80-bit session key under the unit key, producing an 80-bit intermediate result;
   b. concatenates the 80-bit result with the 25-bit serial number and a 23-bit authentication pattern (total of 128 bits);
   c. enciphers these 128 bits with the family key to produce a 128-bit cipher block chain called the Law Enforcement Field (LEF);
   d. transmits the LEF at least once to the intended receiving CLIPPER Chip;
   e. the two communicating CLIPPER chips use this LEF to establish cryptographic synchronization;
6. once synchronized, the CLIPPER chips use the session key to encrypt/decrypt data in both directions;
7. the chips can be programmed to not enter the secure mode if the LEF field has been tampered with (e.g., modified, superencrypted, replaced);
8. CLIPPER Chips are expected to be available from a second source in the future;
9. CLIPPER Chips are expected to be modified/upgraded in the future;
10. according to NIST, CLIPPER chips presently cost $16.00 (unprogrammed) and $26.00 (programmed).

SOURCE: National Institute of Standards and Technology, Press Release, May 1993.

--------------------------------------
Box A-2--Access Control Software and Audit Trails

Access control determines who can access the system, what system resources they can access, and how they may use those resources. Adequate access control prevents users from intentionally or accidentally obtaining data without prior permission.
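The LEF construction of steps 5a-5c in Box A-1, and the two checks that hang off it (the receiving chip's step 7 tamper test and the escrow agents' recovery of the session key), as an added worked model that is not code from the OTA report or from NIST. SKIPJACK is classified in the report, so a small HMAC-based Feistel stand-in takes its place; the fixed 23-bit authentication pattern and the splitting of each unit key into two XOR shares (one per escrow database) are likewise assumptions made for the model, not details the report gives.

```python
"""Model of the CLIPPER Law Enforcement Field (LEF) flow from Box A-1.

Added example, not code from the OTA report or NIST. Assumptions: a 4-round
HMAC-SHA256 Feistel stand-in ('toy_block') replaces the classified SKIPJACK;
the 23-bit authentication pattern is a fixed constant; each unit key is held
by the two escrow agents as two XOR shares. Only layout and flow are modelled."""
import hashlib
import hmac

SESSION_KEY_BITS = 80   # step 5a: 80-bit session key
SERIAL_BITS = 25        # step 5b: 25-bit chip serial number
AUTH_BITS = 23          # step 5b: 23-bit authentication pattern
LEF_BITS = SESSION_KEY_BITS + SERIAL_BITS + AUTH_BITS   # 128 bits
AUTH_PATTERN = 0x2A5A5A & ((1 << AUTH_BITS) - 1)        # constructed constant


def toy_block(key: bytes, block: int, nbits: int, decrypt: bool = False) -> int:
    """Stand-in keyed permutation on an nbits-wide block (NOT SKIPJACK)."""
    half = nbits // 2
    mask = (1 << half) - 1
    nbytes = (half + 7) // 8

    def f(rnd: int, x: int) -> int:
        mac = hmac.new(key, bytes([rnd]) + x.to_bytes(nbytes, "big"), hashlib.sha256).digest()
        return int.from_bytes(mac, "big") & mask

    left, right = block >> half, block & mask
    if not decrypt:
        for rnd in range(4):
            left, right = right, left ^ f(rnd, right)
    else:
        for rnd in reversed(range(4)):
            left, right = right ^ f(rnd, left), left
    return (left << half) | right


def build_lef(serial: int, unit_key: bytes, family_key: bytes, session_key: int) -> int:
    """Steps 5a-5c: wrap the session key, append serial and auth pattern, encipher under family key."""
    assert serial < (1 << SERIAL_BITS) and session_key < (1 << SESSION_KEY_BITS)
    wrapped = toy_block(unit_key, session_key, SESSION_KEY_BITS)                       # 5a
    fields = (wrapped << (SERIAL_BITS + AUTH_BITS)) | (serial << AUTH_BITS) | AUTH_PATTERN  # 5b
    return toy_block(family_key, fields, LEF_BITS)                                     # 5c


def open_lef(lef: int, family_key: bytes):
    """Decipher an LEF; return (wrapped_key, serial), or None if the auth pattern fails (step 7)."""
    fields = toy_block(family_key, lef, LEF_BITS, decrypt=True)
    if fields & ((1 << AUTH_BITS) - 1) != AUTH_PATTERN:
        return None
    serial = (fields >> AUTH_BITS) & ((1 << SERIAL_BITS) - 1)
    return fields >> (SERIAL_BITS + AUTH_BITS), serial


def receiver_accepts(lef: int, family_key: bytes) -> bool:
    """Receiving chip: refuse secure mode if the LEF was modified or superencrypted."""
    return open_lef(lef, family_key) is not None


def escrow_recover(lef: int, family_key: bytes, escrow_a: dict, escrow_b: dict):
    """Authorized wiretap path: both escrow agents must supply their share of the unit key."""
    opened = open_lef(lef, family_key)
    if opened is None:
        return None
    wrapped, serial = opened
    if serial not in escrow_a or serial not in escrow_b:
        return None                      # one database alone cannot recover the key
    unit_key = bytes(a ^ b for a, b in zip(escrow_a[serial], escrow_b[serial]))
    return toy_block(unit_key, wrapped, SESSION_KEY_BITS, decrypt=True)


# Constructed chip personalisation (step 4): serial, unit key as two shares, family key.
FAMILY_KEY = b"constructed-family-key-F"
SERIAL = 0x0ABCDE
SHARE_A = b"escrow-agent-A-share!!"
SHARE_B = b"escrow-agent-B-share??"
UNIT_KEY = bytes(a ^ b for a, b in zip(SHARE_A, SHARE_B))
ESCROW_A = {SERIAL: SHARE_A}
ESCROW_B = {SERIAL: SHARE_B}


def demo(session_key: int = 0x0123456789ABCDEF0123) -> dict:
    """One session-key exchange, the escrow recovery, a tampered LEF, and a missing share."""
    lef = build_lef(SERIAL, UNIT_KEY, FAMILY_KEY, session_key)
    return {
        "accepted": receiver_accepts(lef, FAMILY_KEY),
        "recovered": escrow_recover(lef, FAMILY_KEY, ESCROW_A, ESCROW_B),
        "tampered_accepted": receiver_accepts(lef ^ 1, FAMILY_KEY),
        "missing_share": escrow_recover(lef, FAMILY_KEY, ESCROW_A, {}),
    }
```

The model makes the privacy trade-off of the design visible: whoever holds the family key can read every serial number off the wire, while the session key itself stays out of reach unless both escrow databases cooperate.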
At the host, access control usually involves two forms of security: system access control, which prevents unauthorized users from logging onto the system, and data access control, which prevents authorized users from accessing and/or modifying a particular file unless the user has been given prior permission. The following is a brief descriptive list of access control methods:

User Identification. The user identification code (ID) identifies the terminal users or application programs to other applications, data, devices, or services. Access to the system or application is denied if the user name or identification code is not listed in the access control file. User IDs also enable the system to report the activities of each individual logged onto the system.

Passwords. Passwords provide for verification of the identity of users. Passwords, secret and unique codes known only to their owners and recognizable only to a related target system, are intended to identify the user and ensure authorized access. Permission to access a system is typically denied until the individual supplies the password assigned to the username and access type. A system file stores passwords with the user names they reference. Host access control software packages attempt to prevent individuals from guessing or otherwise improperly obtaining a password. To do this, they may:
1. specify a minimum length for passwords to prevent the creation of overly simple passwords;
2. require users to change their passwords at regular intervals;
3. limit the number of login attempts;
4. record unsuccessful login attempts;
5. require users to accept machine-generated passwords, which can offer more security than self-generated passwords because they are randomly generated pseudo-words not found in the dictionary;
6. cancel passwords that have not been used for a specified period of time;
7. perform password trapping to capture users with stolen passwords; and
8. one-way encrypt the password in the system's protected password file.

Login Control. Login controls specify the conditions users must meet for gaining access. In most cases, access will be permitted only when both a username and password are provided. More complex systems grant or deny access based on the type of computer login, i.e., local, dial-up, remote, network, batch, or subprocess. The security system can restrict access based on the type of terminal or remote computer--access will only be granted when the user or program is located at a designated terminal or remote system. Also, access can be defined by time of day and day of the week. As a further precaution, the more complex systems monitor unsuccessful logins, send messages to the system operator, and disable accounts when a break-in occurs.

Resource Authorization. User profiles, resource profiles, and access control lists created and maintained by the host access control software identify the system resources to be protected, describe who can use resources, and detail the manner in which resources can be used. The protection is typically applied to applications, files, data sets, and system utilities. It may also be applied to program processes, system commands, individual application transactions, and workstations, i.e., terminals and printers. Users and programs can have read, write, execute, delete, alter, or control access, or a combination thereof. Access authority is granted to a user or program based on whether it is an individual with unique needs or a member of a registered group.

Authorization Checking. Host access control packages control all interaction between the user and protected resources. The software:
1. intercepts access requests for resources from the operating system;
2. determines if the resource is protected by host access software;
3. references the security rights database for access profiles;
4. determines if the user's access request is a valid request based on the permission assigned to the user; and
5. passes the status of the request to the operating system, which then grants or denies the access request.

Auditing. Since breaches of security can occur from within an organization, and many systems can also be compromised if improper access is gained by an authorized party, accountability is key to security protection. Auditing allows a system to record significant events. Since auditing is generally tied to authentication and authorization, every authorization and attempted access is usually recorded. Examination of audit trails may also reveal suspicious patterns of access and allow detection of improper behavior by both legitimate users and impostors. Events that may be audited are:
1. selected uses of files and hardware devices;
2. logins, logouts, and break-in attempts;
3. activities of specific, individual users;
4. changes to passwords;
5. disk and tape value changes;
6. selected transaction types;
7. issuance of system commands; and
8. changes to security profiles.
Some systems allow selection of the specific security-relevant events to be recorded. In addition, security alarms (electronic messages) can be generated to be sent immediately to the security administrator or system operator when specific events take place.

Journaling. Journaling involves recording all system activities and uses of a system resource. By analyzing this activity, the security administrator can:
1. identify access violations and the individual accountable for them,
2. determine security exposures,
3. track the activities of selected users, and
4. adjust access control measures to changing conditions.

Program and Data Integrity. Several types of controls and functions address program and data integrity:
1. Dataset naming conventions separate production data from test data.
The assignment of unique types of dataset names for separate categories of data ensures that the difference between test and production data is maintained.
2. Naming conventions are also used for unique and specifically defined program names, job names, and terminal usage.
3. File placement ensures that files reside on the proper direct access storage device so that datasets do not go to a wrong device by accident.
4. Program control allows only assigned programs to run in production and eliminates the problem of test programs accidentally entering the production environment.
5. Separation of production and testing ensures that no test data or programs are used in normal production.

SOURCE: Datapro Reports on Information Security, "Host Access Control," IS52-210-103, July 1992.

--------------------------------------------

Index

Abuse of medical information, 11-12, 20, 26-29, 75-76, 81-82
Access issues
  access control technology, 54, 57-58, 62-63, 96, 97-99
  increasing demands for computerized information, 6, 15-16, 31, 36, 71
  management security controls, 90
  patient access to records, 17, 70-73, 76, 82-84
  secondary users of information, 16, 18, 20, 71, 76, 84-85
  security breaches by "insiders," 11-12, 90-91
Accreditation Manual for Hospitals, 63
Administration Task Force on Health Care Reform, 12
Administrative costs. See Cost savings
Alcohol and drug abuse laws, 14, 42, 72
AMA.
See American Medical Association
American Health Information Management Association, 5, 17, 77, 80-82
American Hospital Association's Patient's Bill of Rights, 41
American Medical Association
  Council on Ethical and Judicial Affairs, 38, 40-41
  ethics codes and principles, 14, 30, 38, 43
  Model State Legislation on Confidentiality of Health Care Information (American Medical Association), 4-5, 80
American National Standards Institute, 69
Audit trails, 54, 96, 97-99
Australia, smart card system proposal, 58, 61
Back-up databases, 10, 13, 63
Biometric authentication systems, 95-96
Breach of contract, 43
Canada
  Commission d'Acces a l'Information, 85
  information brokering investigations, 28
  unique patient identifier use, 66
Card systems. See Smart cards
Cipher systems, 92-93
CLIPPER Chip, 93, 94-95
Common law. See State laws and regulations
Communications linkage safeguards, 96, 98
Communications networks, 8-10, 24, 53
Computer architecture security measures, 96
The Computer-Based Patient Record, An Essential Technology for Health Care. See Institute of Medicine report
Computer-based Patient Record Institute, 24
Computer security. See also Implementing a computerized medical information system; Recordkeeping and information flow; Standards for computerized medical information; Technology of computerized medical information
  data and system security standards, 20-21, 67
  data protection initiatives, 19, 76-77
  management controls, 90-91
  online systems, 11-12, 54-55
  policy options, 20, 76, 85-86
  security policies, 35, 89-90
  smart cards, 11-13, 55-64, 96
  technical safeguards, 86, 91-99
  technology and security, 6, 9-10, 11-12, 36, 52
Computer service companies. See Private sector computerization of medical information
Computers and the Rights of Citizens, 77-78
Confidentiality of information.
See also Computer security; Ethical origins of right to privacy; Ethical Tenets for Protection of Confidential Clinical Data; Right to privacy in medical information
  alcohol and drug abuse laws, 14, 42, 72
  defined, 4-5
  privacy versus confidentiality, 6, 7-9
  standards for computerized medical information, 67
  State law sources, 15, 42-44
Consent. See Informed consent to disclosure of information
Constitution as source for right to privacy, 14, 38, 39-40
Content standards. See Standards for computerized medical information
Cost savings, 9, 23-24, 53
Cryptography, 57-58, 65, 91-93, 94-95
Data and system security standards. See Computer security; Standards for computerized medical information
Data connectivity, 8-10, 18, 24-25, 52-53. See also Online systems
Data Encryption Standard, 58, 93
Data-exchange standards. See Standards for computerized medical information
Data protection. See Computer security
Data Protection Board, 21
Defamation, 15, 42-43
Digital signatures, 91-92
Disclosure issues. See also Informed consent to disclosure of information; Privacy Act
  effects of disclosure, 5-6, 29-30, 48, 50
  Federal employees' disclosure, 11-12, 26, 29
  State law sources of confidentiality obligation, 15, 42-44
Discriminatory practices, 29-30
Doe v. Roe, 43
Drug treatment. See Alcohol and drug abuse laws
Education of patients. See Patient education rules
Eisenstadt v. Baird, 39
Electronic Record Systems and Individual Privacy, 79
Encryption, 58, 65, 91. See also Cryptography
Encryption algorithms, 92-93
Ethical origins of right to privacy, 13-14, 15, 30, 38, 40-41, 43
Ethical Tenets for Protection of Confidential Clinical Data, 76-77, 80, 83, 84-85
Fair Credit Reporting Act, 33, 80
Fair information practices, 18-19, 77-79
Family Educational Rights and Privacy Act, 80
Federal employees' disclosure of personal information, 11-12, 26, 29
Federal laws protecting privacy, 14-15, 19-20, 41-42, 44, 48-50, 72, 79-80.
See also Privacy Act
Federal Register, 78-79, 82
France, smart card system, 10, 59-61
Greidinger v. Davis, 65
Griswold v. Connecticut, 14, 39
Hammonds v. Aetna Casualty and Surety Co., 43
Health Cards and Numbers Control Act (Canada), 66
Health care cards, 58-64
Health care delivery-computerization relationship, 9, 23-24, 37
Health Care Financing Administration, 31, 90
Health care industry records computerization, 6, 8-10
Health care information privacy committee, 87
Health care information protection schemes, 18-19, 79
Health care reviews, 31, 47
Health Insurance scheme (France), 59
Healthcare Informatics Standard Planning Panel, 69
High-performance computing networks, 53-54
Hospital recordkeeping, 45-46, 63
Identification cards, 10, 64
Identifiers for patients. See Unique patient identifiers
Implementing a computerized medical information system. See also Computer security
  informed consent to disclosure of information, 17, 20, 69-74, 76, 82
  standardization of computerized medical information, 17-18, 20, 53, 66-69
  technology of computerized medical information, 51-64
  unique patient identifiers, 16-17, 64-66
Independent Commission Against Corruption of New South Wales, 28
Information brokering, 26, 28-29, 81
Information flow. See Recordkeeping and information flow
Information infrastructure, 8-10, 53. See also Communications networks; Online systems
Information services. See Private sector computerization of medical information
Informed consent to disclosure of information, 17, 20, 69-74, 76, 82
Institute of Medicine report
  computerization issues and concerns, 2, 6, 23-24
  data connectivity, 8-9, 12, 16, 52-53
  increasing demand for access to data, 18, 31
Insurance industry computerization of information, 11, 32-35
Insurance Information and Privacy Protection Model Act, 33
International data protection boards, 85, 87
International projects using smart cards, 59-62
IOM report.
See Institute of Medicine report
Joint Commission on Accreditation of Healthcare Organizations, 31, 63
Katz v. United States, 39
Krever Commission (Canada), 28
Legal origins of right to privacy, 14-15, 41-44
Longitudinal patient records, 9, 24, 68-69
Management controls, 90-91
Marketing of medical information. See Abuse of medical information; Private sector computerization of medical information
Massachusetts Institute of Technology, 93
Massachusetts law on Insurance Information and Privacy Protection, 76, 81, 82-83
Medical Information Bureau, 30, 32-33
Medical information definition, 2-5, 20, 68, 75, 80-81
Medical Practices Acts, 43
Medicare peer review organization program, 31
Message authentication, 91
Model legislation language, 5, 80-82
Model State Legislation on Confidentiality of Health Care Information (American Medical Association), 4-5, 80
Models for protection of information, 18-19, 75-77
Montana, Uniform Health Care Information Act, 77, 81
National Association of Insurance Commissioners, 33, 76
National Bureau of Standards, 93
National identification card system, 10, 64
National Institute of Standards and Technology, 92, 94
National Practitioner Data Bank, 86
National Security Agency, 93, 94
New South Wales, Independent Commission Against Corruption of New South Wales, 28
Offline technology. See Smart cards
Online systems, 10, 11-12, 26, 52-55
Ownership of medical records, 70, 83
Passwords, 54, 94-95
Patient cards, 58-64
Patient concerns
  access to records, 17, 70-73, 76, 82-84
  disclosure to physician, 5-6, 30, 48, 50
Patient education rules, 20, 75-77, 82-84
Patient identifiers. See Unique patient identifiers
Patient records. See Longitudinal patient records; Medical information definition; Patient concerns; Policy issues and options; Recordkeeping and information flow; Secondary users of medical data; Workgroup on Computerization of Patient Records report
Paul v.
Davis, 40
PCS Health Systems, Inc., 34-35
Personal identification security techniques, 93-96
Physician Computer Network, Inc., 33-34
Physicians. See also Ethical origins of right to privacy; Ethical Tenets for Protection of Confidential Clinical Data; Patient concerns
  recordkeeping by, 45, 48, 50, 63
  withholding of information by, 17, 71-72
Policy issues and options
  background and study approach, 1-5
  computerization of medical records, 6, 8-12
  computerization-related policy problems, 16-18
  congressional options, 19-21, 75-76, 79-87
  fair information practices and the Privacy Act, 18-19, 77-79
  models for protection of information, 18-19, 75-77
  need for privacy in medical information, 5-6
  privacy versus confidentiality, 6, 7-9
  protection of privacy in medical information, 12-16
  technology proposals and challenges to privacy, 12-13
Port protection devices, 96, 98
Primary uses of medical information, 2-3
Privacy Act
  Federal agency requirements, 41-42, 82
  information brokering guidelines, 81
  patient access to information, 72
  provisions of, 18, 74, 77-79
  and Social Security number as identifier, 65
Privacy definition, 6, 7-9. See also Right to privacy in medical information
Privacy of Medical Information Bill of 1980, 81
Privacy oversight
  Data Protection Board, 21
  Health care information privacy committee, 87
Privacy Protection Study Commission, 72
Private sector computerization of medical information, 11, 30-31, 32-35
Professional ethical codes. See Ethical origins of right to privacy; Ethical Tenets for Protection of Confidential Clinical Data
Public sector abuse of medical information, 11-12, 26, 29
Public's concerns about privacy, 25-26
Reasonable use of medical information, 73-74
Recordkeeping and information flow
  Federal legislation need, 44-50
  standards for computerized medical information, 66-69
  tracing information flow, 20, 76, 85-86
Right to Financial Privacy Act, 80
Right to privacy in medical information.
See also Constitution as source for right to privacy; Ethical origins of right to privacy; Legal origins of right to privacy; Policy issues and options; Privacy Act
  computerization and privacy, 6, 8-12, 15-16, 23-29, 36-37
  defining violations and providing sanctions, 20, 75-76, 81-82
  importance of privacy, 5-6, 26, 28-30
  and increased demands for information, 15-16, 18, 31, 36, 71
  private sector computerization, 11, 30-31, 32-35
  recordkeeping and information flow, 20, 44-50, 66-69, 76, 85-86
  Social Security number as identifier, 16-17, 65
Roe v. Wade, 40
RSA encryption system, 93
Sale of personal information. See Abuse of medical information; Private sector computerization of medical information
Secondary users of medical data
  access protocols, 20, 76, 84-85
  private sector computerization, 11, 30-31, 32-35
  recordkeeping and information flow, 47-48
  rising demand for records, 15-16, 18, 71
  uses of patient records, 2-4, 5, 9
Secrecy definition, 7, 9
Security modems, 95-96
Security of patient information.
See Computer security
Security policies, 89-90
Smart cards
  as access control means, 11, 12-13, 57-58
  description, 10
  French system, 10, 59-61
  as information storage means, 55-57
  as medical data carrier, 58-64
  personal identification techniques, 96
Social Security Act of New South Wales, 28
Social Security Act (United States), 14-15, 65
Social Security Administration (United States), 29
Social Security number as identifier, 16-17, 64-66
Social Security system (France), 59
Standards for computerized medical information, 17-18, 20-21, 53, 66-69
State laws and regulations
  congressional options, 19-21
  Massachusetts law on Insurance Information and Privacy Protection, 76, 81, 82-83
  patient access to health records, 72
  sources of confidentiality obligation, 15, 42-44
  Uniform Health Care Information Act, 77, 81, 83-84
Storage of information on smart cards, 55-57
Supreme Court, 14, 39-40
Technology of computerized medical information
  computer security topics, 6, 10-13, 20-21, 86, 89-99
  elements of computerized systems, 51-52
  online systems, 52-55
  smart cards, 52, 55-64
  standards for information, 17-18, 20-21, 53, 66-69
Third-party payers, 31, 34-35, 47
Token-based authentication systems, 95
Uniform Health Care Information Act, 77, 81, 83-84
Unique patient identifiers, 16-17, 64-66
United States of America v. Westinghouse Electric, 6
United States v. Miller, 40
U.S. Department of Health, Education and Welfare, 77-78
U.S. Department of Health and Human Services, 14-15
U.S. Social Security Administration, 29
User identification names, 54
User-specific menus, 54
User verification systems, 93-96
Videotape Privacy Protection Act, 80
Vocabulary standards. See Standards for computerized medical information
Washington, Uniform Health Care Information Act, 77, 81
WEDI report.
See Work Group for Electronic Data Interchange report
Work Group for Electronic Data Interchange report
  clarity problems with existing law, 44, 50
  computerization issues and concerns, 9, 12, 24, 25
  confidentiality of health information, 44
  security technology, 90
Workgroup on Computerization of Patient Records report, 12, 25, 36