Skip to main content

Currently Skimming:

3 Privacy and Security Concerns Regarding Electric Health Information
Pages 54-81

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.


From page 54...
... These two categories of concerns are conceptually quite different and require different interventions or countermeasures. CONCERNS REGARDING HEALTH INFORMATION HELD BY INDIVIDUAL ORGANIZATIONS Electronic health records stored at individual organizations are vulnerable to internal or external agents that seek to violate directly the security and confidentiality policies of a specific organization (such agents are referred to as the "organizational threat" in this report)
From page 55...
... Health care organizations have long attempted to counter internal agents in their efforts to protect paper health records. They have less experience in protecting health information from technical attacks by outsiders because until recently, few health care organizations were connected to publicly accessible networks.
From page 56...
... Patient health records have economic value to insurers, employers, and journalists. Noneconomic motives can include curiosity about the health status of friends, potential romantic involvements, 4General Accounting Office.
From page 57...
... With respect to resources available to them, potential attackers can range from individuals with modest financial and computing resources to well-funded and determined intelligence agencies and organized crime. In between lie medium and large organizations that have an economic interest in gathering health data.
From page 58...
... The technical capabilities of potential attackers can be characterized by three broad categories: aspiring attackers, script runners, and accomplished attackers. Aspiring attackers are individuals with little or no computer expertise, but with ambitions and desires to learn more.
From page 59...
... Levels of Threat to Information in Health Care Organizations During its site visits, the committee discerned a number of distinct types of organizational threats described by different combinations of motive, resources, access, and technical capability. They are categorized here by levels numbered one through five (with five being the most sophisticated)
From page 60...
... Potentially embarrassing health information (e.g., psychiatric care episodes, substance abuse, physical abuse, abortions, HIV status, and sexually transmitted diseases) about politicians, entertainers, sports figures, and other prominent people regularly finds its way into the media.
From page 61...
... Countering Organizational Threats There are two basic approaches to countering organizational threats to the privacy and security of electronic health information: deterrence and imposition of obstacles. Deterrence seeks to prevent violations of policy by imposing sanctions on violators; these sanctions may include dismissal, civil liability, or criminal prosecution.
From page 62...
... Technology can also play a role in controlling inappropriate access to patient information. Strong user authentication, based on cryptographic techniques, can effectively control access to health information networks and computer systems at least to the extent that system users protect their identifying data and make appropriate use of the information they are authorized to access.
From page 64...
... Observations on Countering Organizational Threats Obstacles such as encryption and authentication are the only effective ways to counter organizational threats against systems that have an Internet interface because there are minimal, if any, accountability mechanisms in effect on the Internet. In addition, the Internet spans multiple legal and national jurisdictions.
From page 65...
... Secondary users employ health information for a variety of societal, business, and government purposes other than providing care.9 They include organizations that pay for health care benefits, such as traditional insurance companies, managed care providers, or government programs like Medicare and 9Consumer Reports.
From page 66...
... · To work with patient to ensure success of treatment plan · To work with other physicians as necessary to provide treatment · To maintain ongoing record of services provided to patient · To bill either patient or health insurance company for services provided to patient · To process health care claims to Yes reimburse provider of services · To approve consultation requests by primary care physician · To process and analyze patient's Yes specimen · To report results of analysis to patient's primary care physician · To maintain record of results of analysis · To bill patient, primary care physician, or health insurance company for services provided · To fill prescription for treatment of Yes patient's condition · To bill patient's pharmacy benefit program for medication · To process claim for medications Yes provided to patient by local pharmacy · To monitor prescription and suggest generic substitutes to patient's physician · To perform utilization review of patient's physician
From page 67...
... · To work with patient to ensure success of treatment plan · To work with primary care physician as necessary to provide treatment · To maintain ongoing record of services provided to patient · To bill either patient or health insurance company for services provided to patient · To provide care to patient as directed by patient's primary care physician · To maintain ongoing record of services provided to patient · To bill either patient or health insurance company for services provided to patient · To complete and send birth certificates to state's office of vital statistics Yes Yes State bureau of vital · To record birth of patient's baby in state Yes; baby statistics registry also · To initiate an immunization record identifiable Accrediting ·To review local hospital's operations Yes organization · To recommend improvement in operations based on review of patient records · To accredit local hospital for meeting both operational and quality standards Employer · To request claims data on employees Possibly · To review claims data to identify ways to reduce claims · To adjust benefits package based on review of data Life insurance company · To process patient's application for life Yes insurance · To request medical examination as a prerequisite for life insurance continued on next page
From page 68...
... for patient's prior medical history so as to assess risk · To grant life insurance to patient · To report relevant information to MIB Medical Information Bureau · To retain health information on individuals Yes requesting life insurance · To provide health information on individuals applying for insurance from MIB members, to reduce fraud Managed care company · To process health care claims · To evaluate consultation requests by primary care physician · To assess quality and appropriateness of care Attorney Yes · To understand standard of practice by No specialists treating specific ailments · To request data demonstrating adherence to standard of practice · To analyze data demonstrating adherence to standard of practice State public health and · To perform metabolic screening on Yes; baby also family physician newborns through blood tests identifiable State agency collecting · To analyze health services utilization and Yes; baby also hospital discharge data hospital cost and effectiveness of health identifiable care delivery Medical researcher · To research the appropriateness and No effects of a patient's medication Medicaid. As part of their management functions, these payer organizations also conduct analyses of the quality of health care delivered by provider organizations and its relative costs.
From page 69...
... a conventional indemnity insurance program in which all charges are reimbursed at the same rate after an annual deductible is met, with supplementary major health insurance to cover extraordinary expenses. Differences in the ways their health records may be stored and controlled are not outlined in the program descriptions, and Alice and Bob do not consider this factor in their decision.
From page 70...
... The pharmacy records Alice's name and address, reads her pharmacy benefits card, notifies the benefits program, and is reimbursed. Parts of Alice's health record now reside with the retail pharmacy and the pharmacy benefits provider, as well as her care provider.
From page 71...
... Alice applies for coverage with a large, respected firm, which will provide the coverage she wants if she passes a physical examination. The life insurance company will pay for the examination, but she must sign a release permitting the results of the examination to be forwarded to the Medical Information Bureau (MIB)
From page 72...
... The records are provided as requested, but with the name, address, and Social Security number fields scrambled in such a way as to allow Alice's records to be linked without divulging her identity. At this point, parts of Alice's health record are held by a wide variety of organizations: her primary care physician's practice, a clinical laboratory, the local pharmacy, the pharmacy benefits provider, the practice of the consulting physician, the local hospital, the state bureau of vital statistics, the hospital accrediting agency, her husband's employer, her life insurance company, the Medical Information Bureau, the outcomes researcher, and various lawyers (Figure 3.1~.
From page 73...
... Environmental services, Medicaid, professional and facility licensing, and alcohol and drug abuse or mental health services are not located consistently in all state health departments across the country. State health departments generally collect patient-identifiable data ~2 For a review and analysis of state laws that regulate the acquisition, storage, and use of public health data, see Gostin, Lawrence O., Zita Lazzarini, Verla S
From page 74...
... Finally, state laws include penalties that prohibit improper release of data by a state government employee. Risks Created by Systemic Flows of Health Information As Alice's story shows, the types of organizations that collect, process, and store health information include not only other members of health care provider teams, such as referral providers, nurses, and laboratory technicians, but also groups such as insurance companies and thirdparty payers, utilization and outcomes assessment groups, public health and disease registry groups, clinical research groups, and a growing health information services industry.
From page 75...
... c. .lnlcs Information on vaccination status of adults in schools and adults in health care facilities Information on individual childhood immunizations and rates Information on all reported Class IV AIDS cases; used for disease surveillance and trend analysis Yearly telephone survey on health-related behaviors of a sample of individuals 18 and older, used to develop statewide prevalence estimates to target preventive health services to counties, age groups, and so on Information on all births occurring in a particular state; used to monitor trends in population fertility and maternal and child morbidity, to establish legal residence, and to assist in epidemiological analyses Linkage of records from the Hospital Abstract System Documentation of statewide incidences of cancer from hospital tumor registries and laboratory data Information from studies on prenatal care and outcomes studies Information on all deaths occurring in a particular state; used to monitor trends in mortality, establish legal benefits, and assist in epidemiological analyses continued on next page
From page 76...
... and conditions Information on morbidity and epidemiological investigations and followup actions for individuals or partners testing positive for sexually transmitted diseases Information on management of individual cases of persons with tuberculosis and individuals exposed to tuberculosis and their follow-up and treatment Minimum information required by U.S. Department of Agriculture to certify clients for Women, Infants, and Children Supplemental Food Program Information on child abuse or neglect referrals, subsequent investigations, and responses to referrals and investigations SOURCE: Washington State Department of Health, 1996: personal communication (October)
From page 77...
... Rather, data are treated in accordance with a variety of local policies that may or may not be consistent with the patient's understanding when signing a form that authorizes initial release of the information. Individual organizations often have strong business incentives to protect health information from other parties because they regard such information as having significant business value; nevertheless, almost all of the sites that the committee visited during the course of this study expressed serious concerns about potential harm to patient interests resulting from unrestrained use of patient information by organizations not involved in the provision of care.
From page 78...
... Furthermore, no legal standard prevents Bob's old employer from discussing Alice's condition with a potential new employer or prevents some entrepreneur from establishing a clearinghouse of data on employees with high insurance costs. Universal Patient Identifiers Concerns about the systemic sharing of electronic health information are linked to efforts to establish a universal patient identifier for indexing patient records throughout the U.S.
From page 79...
... For example, the idea of using the Social Security number (SSN) as a universal health identifier raises concerns not only that all medical data associated with a given individual can be linked, but also that an individual's medical data could be linked with financial data, purchasing habit data, family details, and other items of information many of which are already indexed by the SSN to create a personally identifiable, interlinked record containing sensitive information.
From page 80...
... The chapters include recommendations for extensive education of the public about threats to the privacy of health care information and criteria for ensuring that the development of any universal patient identifier explicitly recognizes its potential effects on privacy. They also include recommendations for the passage of legislation setting down the principles by which trustees of health care information are limited in its collection, use, and disposal and are responsible for disclosure of accesses to it.
From page 81...
... Although addressing this problem is largely a matter of public policy, judicious design of the method used to link patient records may help mitigate some privacy concerns and help enforce any policy framework established for protecting privacy.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More information on Chapter Skim is available.