CS 588: Cryptology

Group Project Final Report









The UVa Healthcare System:

Medical Privacy in the Information Age








December 5, 2001


Submitted by

Team 7: Allison Esclapez

   Jim Zeng

                 Eugene Lebanidze

          Keen Browne


Table of Contents


I.                   Introduction………………..…………………………………………….…………..1

II.                Related Work……………………………………………………………………..…2

III.             Privacy Law and Background Information..…………………………...…………5

a.      State Law…………………………………………………………………….…..5

b.      Summary of HIPAA…………………………………………………………….5

A.     Privacy…………………………………………………………………6

B.     Security….……………………………………………………………..7

IV.              UVA Medical Center Privacy..……………………………………………………..9

a.      How Medical Center currently protects privacy………………………….…..9

b.      HIPAA Initiatives…………………………………………………………..…...9

A.     Administrative…………………………………………………………9

B.     Technical………………………………………………………….…..13

V.                 Conclusion……………………………………………………………………..…....19

a.      Recommendations…………………………...………………………………….19

b.      Final Thoughts……………………………...………………………………..…20











I. Introduction


            In the past few decades, the rapid growth of technology has turned many industries upside down, often changing the way business is done both positively and negatively. In the case of the health care industry, technology has brought many great successes. Unfortunately, to each success, there is a drawback. Due to technology, medical records have become easier to manipulate and more accessible by doctors so that these can better understand and treat their patients. On the other hand, the privacy of medical records has lately become a growing concern.

In order to address this concern, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This act provides a new set of standards that will protect Americans by ensuring the privacy and security of their medical information. Each health care entity has to develop their own plan to comply with these standards. In this report, we will take a closer look at the HIPAA and we will assess the compliance of the University of Virginia Hospital in regards to these new standards. This report also outlines our recommendations for the UVA Hospital in their implementation of the HIPAA standards.

II. Related Work


While laws about computerized medical systems and information about their design is new, there are a variety of laws, books, and journals on the topic. Serious consideration about medical privacy in regards to the security of computerized medical records began in the early 1990’s because of a request by the Clinton administration to digitize and network medical information.  In September of 1993, the US congress released a study on the affect of computerization on the privacy of medical records. This study, done by the Office of Technology Assessment, produced a report entitled Protecting Privacy in Computerized Medical Information[1]. This report introduced the concepts involved in the computerization of the nation’s medical records, a patient’s right to privacy, described systems for computerized health care information, and outlined possible designs for protecting computerized healthcare information. In 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act of 1996[2] (HIPAA). This bill and all the standards that follow it constitute the current body of law about computerized medical information privacy.  In 1997, the Department of Health and Human Services, pursuant to the HIPAA, issued a recommendation entitled Confidentiality of Individually-Identifiable Health Information[3]. This recommendation provided motivation for new policies about medical privacy. In 1999, the General Accounting Office released a report titled Medical Records Privacy: Access Needed for Health Research, but Oversight of Privacy Protections is Limited[4]. This report outlined privacy concerns in the distribution and collection of research information. Acting on information outlined in reports over the past seven years and orders by the US congress, the Department of Health and Human resources released the Standards for Privacy of Individually Identifiable Health Information[5]. There are many other reports released by the General Accounting Office and the US Congress that are associated with this standard; they await examination. Outside of legislation and congressional research, Networking Health Prescriptions for the Internet[6] by the National Research Council explores concerns about migrating from current medical record architectures to online systems. Within the realm of security, the author lists the attributes of a secure health system and explores several methods and protocols for constructing that system.Besides the National Research Council, the American College of Physicians and the American Medical Association have published books about privacy and the computerization of medical information[7]. Journals such as Health Data Management and Modern Healthcare have articles to inform readers about security. An article entitled HIPAA is larger and more complex than Y2K[8] by JW Tempesco argues that implementing the guidelines enumerated in the HIPAA will be significantly more complex than solving the Y2K problem. The University of Virginia maintains videos and online literature about the use of medical information systems and medical privacy. The Privacy and Confidentiality in Computer Medical Records[9] is a video produced by the University of Virginia Medical School detailing the University’s policies on the privacy of computerized medical records.

III. Privacy Law and Background Information

a. State Law


            Privacy, as it currently stands, is a civil matter handled either by the court of law or equity in each state.  Although medical privacy, especially psychological related information is guarded by state legislation with extra care, they are essentially tort laws. 

Each state has unique laws and remedies, and the most severe punishment is limited by money damages.  In some states, punitive damages are also given depending on the maliciousness and intent of the wrongful act.  Although Virginia allows punitive damages as well as compensatory damages, its laws are known to be conservative and damages stringent; the punitive damages is capped at $250,000.  This means fairly limited liability for major medical institutions such as UVa Medical Center, it can be argued that the legal implications do not dissuade careless or malicious actions by medical record handlers as much as simple volunteer actions aimed at maintaining reputation.  It is not the law, but rather the negative backlash of privacy violation, that encourages hospitals and medical research facilities alike to securely and privately handle sensitive personal medical care information.  HIPAA unifies and in some cases, creates new laws and the corresponding punishments to promote better medical information handling and processing.


b. Summary of HIPAA


In 1992, President George W. Bush Sr. pressured congress to form a committee to research methods for cutting down the cost of health insurance in the United States.  Several congressional committees and reports later, the congress penned The Health Insurance Portability and Accountability Act of 1996.  This act provided a mechanism for establishing federal standards in four areas:




Currently, through the Department of Health, the government is finalizing the precise guidelines of this act.  The government has finalized the guidelines for electronic health transactions and unique identifiers (without the national identifier card).  The electronic health transaction guidelines specify a set of common codes that all hospitals must use.  These codes standardize hospitals nationally and simplify the process of digitizing records and making requests for payment.  The guideline for unique identifiers gives each insurance provider and hospital a unique identifier that they use to fill out all of their forms.  This unique identifier creates a nationalized standard method of referring to hospitals and insurers.  What follows is a brief description of the Privacy and Security Guidelines associated with this act.


A. Privacy


The government finalized the HIPAA guidelines in 2000.  Compliance is expected in 2003.

Right or Responsibility



When seeking treatment, the patient must consent (by signing a form) to the use of their medical information for treatment, billing, and hospital business operations and quality assurance.  Any other uses of their medical information are entirely up to the patients discretion and they must agree to those other uses.


Unrelated to consent, authorization pertains to who can view psychotherapy notes.  The patient must authorize the use of their psychotherapy notes for treatment, assuming that their disease does not hinder their ability to make that decision.


When using medical information that is not linked to individuals the hospital is responsible for the adequate removal of identification from the record.  A person is identifiable when someone releases enough information to indicate, with reasonable certainty, who the person is.  For example, Names, photos, and names of relatives and employees constitute identifiable information.

Specific Disclosures

The hospital has the right to release private medical information without consent in cases of public need (an epidemic), facility directories, marketing, and fund raising.  However, the hospital must de-identify this material.  Furthermore, being part of marketing and fundraising are “opt-out” choices for the patient.

Minimum Necessary

The hospital must divulge the minimum necessary information about a patient from their medical records for any record use.


The patient has the right to prevent or allow notice that they are in the hospital


The patient has the right to see their own medical record, unless seeing it is a threat to their health (there are a limited number of psychological related cases where this restriction applies)


The patient has the right to make an addendum to their record

Accounting of Disclosures

The patient has the right to know where their medical record has been and who has had it.

Right of Restriction

The patient has the right to control who has access to the record.


The Hospital has the right to divulge medical information without patients consent for reasons of public health, research where there is an Internal Research Board, oversight, and law enforcement


When dealing with contracted businesses the hospital must ensure that they too adhere to the regulations that guard patients privacy.



B. Security


The proposed security guidelines are high-level requirements to protect against the disclosure of protected health information.  They include requirements for policies, procedures, training, internal auditing, computer systems, and physical security.  The guidelines also demand documentation, monitoring, reviewing and regular updates.  Currently, the proposed security guidelines ask for:



If a hospital does not comply with the HIPAA guidelines by the specified deadlines or breaks the law, they can incur civil and criminal penalties.  The hospital can be charged $100 per violation capped at $25,000 for each violation per calendar year.  Individuals and the hospital can suffer up to a $50,000 fine and one year in prison for committing a basic violation.  If the individual commits the violation under false pretenses, they can suffer $100,000 in fines and up to five years in prison.  If the individual maliciously commits the violation, they can suffer $250,000 in fines and up to ten years in prison.

IV. UVA Medical Center Privacy

a. How Medical Center currently protects privacy

            Medical privacy and security at the UVa Medical Center is currently handled as it has always been handled throughout the existence of the concept of medical privacy.  What individuals across the western world count on is the Hippocratic oath, which is a sacred oath taken by all medical professionals to not disclose a patient’s private information.  Whatever information a medical provider has access to through his/her job is strictly confidential.  On the legal side, this is a fiduciary relationship.  Since the violation of one’s privacy, especially medical and psychological information, is handled at the state level, a victim can always bring a civil case against anyone who violates the patient’s privacy.  To prevent liability and potential reputation-damaging lawsuits, UVa Medical Center has implemented limited traditional privacy and security measures.  So traditional are its practices that the tracking of records are analogues of checking out books at a library in that each party who whishes to see a particular record logs his/her access in a central database maintained by UVa Medical Center.  As for security, since most records are still in paper form, they are simply locked up with a physical key.


b. HIPAA Initiatives

A. Administrative


The University of Virginia Medical Center has an administrative department for HIPAA compliance.  The hospital started this initiative in 1999 to become compliant with all four HIPAA guidelines.  So far, the HIPAA Initiatives department has directed the hospital to be compliant with the Transactions and the Identifiers portion of the HIPAA guidelines.  They are working to satisfy all of the newly released privacy guidelines by 2003 and are waiting for the finalization of the security guidelines.  A large portion of their current work involves analyzing their current privacy rules and the state laws as compared to the new HIPAA regulations.

The HIPAA Initiatives and Risk Management departments closely tied to risk management.  The Risk Management Department deals with the sequestering of medical records in reaction to law suits and deals with planning for emergency situations such as hospital fires, bio-terrorist attacks, and disease outbreaks.

The HIPAA initiatives department consists of several standing committees directed by Ms. Marge Sidebottom.  Ms. Sidebottom had previous experience in disaster management, administration, and privacy concerns.  As the director of HIPAA Initiatives she directs a Steering Committee.  This Steering committee has several subcommittees as indicated in the figure below.  All of these committees existed before HIPAA; the hospital has reused them to decrease the amount of time necessary to formulate policies for HIPAA compliance.  The subcommittees include a committee on Human Resources, Policies, Risk, and Technology.  The committees are staffed by people who represent a variety of medical interests including people from the hospital, the Health Services Foundation, treatment, payment, business, operations, and academic backgrounds (including the medical school, the education school, athletic department, and psychology).  Directed by Ms. Sidebottom, each subcommittee decides on interim and long term implementations for HIPAA guidelines that relate to their specialties.


Administrative Organization of HIPAA Initiatives




The committees see the largest risk to individual’s privacy to be hospital employees.  While cases of malicious privacy infringement are exceedingly rare, accidental infringement is not.  The UVa Medical Center is an academic hospital, so doctors often openly discuss people’s private medical information in front of a variety of people.  This discussion is important for treatment, but can also be a violation of privacy if doctors do not keep good track of who is near while they discuss cases.  The most commonly leaked private information is about who is in the hospital.  Tags on doors make this information readily available, and, even with HIPAA, this information is difficult to protect and assure good and timely treatment.  Even a desk clerk can irresponsibly give away a patient’s private information by openly discussing a patient’s address for verification without their permission.  Everyone from Janitors to Doctors must be trained to respect patients’ privacy.

Currently, every employee of the UVa medical center as well as many contracted employees must take training courses for payroll certification.  Amongst other topics, the training courses inform employees about the patients’ right to privacy. The hospital has designed these training systems for people with a fourth grade to doctor reading level.  It encompasses full time and part time workers and is set up for people who work during the day and night (since the hospital is a twenty four hour business).  The training takes the form of classes, booklets, and tests.  There is currently research in creating online training systems.  The Hospital has the ability to mandate training for its employees at any time.  Completing the training program is necessary for pay.  Each employee re-trains every six to twelve months.

Training is the largest tool that the hospital plans to use for HIPAA compliance.  However, they will employ several computer systems in the future for compliance.  Currently, a computer system tracks the checking out and returning of medical records.  The system stores where a medical employee checked the record out to and how long that employee held the record.  In the future, the hospital hopes to enhance this system to provide more detailed information about who checked out and viewed the record.

The hospital has posted the “core” information from medical records on the hospital’s internal network.  The Access Control Committee decides who can access the information.  The application, the Clinical Archival System (CAS), has a username password login.  The hospital hopes to enhance this system to hold more medical information.  If secure, it will allow the hospital to better track who is viewing medical information because they can track login usernames.

The HIPAA Initiatives department has not begun changing their current security system to make HIPAA compliance because the government has not finalized the security guidelines.

The UVa medical center is planning a mix of old and new techniques to become HIPAA compliant.  They will first formulate interim fixes for policies that are not HIPAA compliant and then move over to a final plan that involves training and computer systems.  The task of compliance will be difficult, but possible.  The difficulties are from the number of records, the number of people, and the multitude of regulations.  However, the hospital has experience in these disciplines, and they will succeed.


B. Technical


            As one might expect, the technical standpoint for securing sensitive information plays a substantial role in achieving HIPAA compliance.  As the automation of health care information management becomes more widespread, the health care industry faces new challenges in assuring that information remains secure.  The security challenges with physical paper records were already significant, but they cannot even come in comparison with the tremendous difficulty of securing electronic records.  The simple reason for that is that most security measures with regards to paper records have to do with physical location and people, where as the measures pertaining to electronically stored information must also deal with constantly growing and improving information technology.  When HIPAA was passed in 1996, it contained a security rule outlining the technical standards essential for ensuring security and integrity of health information that is maintained and transmitted electronically.  The standards apply to storage of electronic medical records, data repositories, networking, Internet access and other issues pertinent to security of sensitive electronic information.


            As security breaches such as hacking of medical networks and patient databases, misdirected patient emails, and unauthorized access, just to name a few, became fairly frequent, it became clear that the current security measures in place were inadequate.  This was more of a general problem, not specific to the University of Virginia hospital, for as it was mentioned before, the hospital is still largely in transition from paper to electronic storage, and they are taking the initiative to do things right.  The design of a medical LAN where most of the sensitive information is accessed is not a trivial business, and highly trained technical personnel of the MCC is currently in the midst of implementing additional security measures.  Some of the issues that come into play here are authentication, access controls, audit trails, controls of external communications links (such as Internet hubs) and access, physical security, system back ups and disaster recovery (contingency plans).  In addition, since most of the time, network security breaches actually come from within (from authenticated users), a monitoring system must be in place to ensure proper usage of network services.  The two important aspects of the overall security scheme are obviously physical security, such as having your database and application servers in secure location, and also policy for use of network services.  At this point, however, we will concentrate more heavily on the more technical security features that need to be implemented to protect sensitive medical information against the prying eyes of hackers or otherwise unauthorized users with increasingly sophisticated set of tools at their disposal.


            HIPAA Security Rule focuses on both external and internal security threats, with the understanding that internal threats are actually far more likely to occur.  Some of the external vulnerabilities might include outsiders who break through the network firewalls, email attacks involving either interception or viruses, compromise of passwords, pretending to be authorized users, computer viruses and modem number prefix scanning.  This is in no way an exhaustive list of security threats from the outside, and in some sense, perhaps the most challenging task is protecting the information from unpredictable attacks.  The attacks hitherto mentioned could have the effects of denial of service, crashing or overloading critical servers and the network traffic in general or compromising sensitive information.  The more likely attacks from the inside might include simply users unaware of security issues who use the services insecurely, or insiders with foul intentions who wish to gain unauthorized access to some information or to simply disrupt the services.  Therefore, any technical solution of security issues must address all of these and other potential threats before it can be HIPAA compliant.  The technical aspect becomes increasingly difficult as the size of operation increases.  The technical solution requires highly skilled personnel, expensive up to date hardware and software among other things, and that is part of the reason that HIPAA compliance is so expensive.  An important issue here is also a tradeoff between security and functionality.  There is an inherent problem in achieving both perfect security and functionality, which is providing timely access to needed health information requested by authorized parties, so that is sort of where policy comes in to be the moderator between the two.  Let us now examine some of the concrete specifications and standards as suggested by HIPAA Security Rule to counteract some of the threats and vulnerabilities aforementioned.


            As it is to be expected, the actual recommendations are both scalable and technology independent, to accommodate systems of various size as well as constantly changing technology.  The rules in a sense set the minimum necessary technical security guidelines.  There are two key technical security services mentioned.  One is to protect and monitor information access.  The other is the implementation of security mechanisms that prevent unauthorized access to data that is protected over the network.  In many respects, the network administration issues involved here are similar to any other corporate network administration.  Access controls must be implemented to provide limited access to information.  In most cases there are various levels of access controls.  Audit controls, which involves implementing a system capable of recording and monitoring network activities and access to data banks.  Authorization controls, this involves obtaining and tracking the consents of the patients to be treated.    Finally, data authentication and entity authentication.  Data authentication ensures the integrity of data, in other words, preventing it from being altered without authorization.  For instance, if a hacker was successful in modifying data within a database, at least there must be an ability to detect this violation in data integrity.  Entity authentication employs mechanisms such as automatic logoffs (timeouts), passwords, PINs and even biometrics to identify authorized users.  In addition, organizations that transmit health information over open networks must protect it from being intercepted or corrupted by the outside world via some external entry points such as hubs, routers and modems. Several communication and network controls are necessary for this purpose.  Integrity controls verify the validity of data transmitted or stored. Message authentication assures that messages sent and received are the same, this can be achieved with parity checks and digital signatures.  Digital signatures are better in a sense that they will also solve the problem of entity authentication.  Some sort of access controls are necessary by either using dedicated secure communication lines or encryption based schemes such as SSL.  And finally, several standard network protection mechanisms would be necessary, such as using alarms, audit trails, entity authentication and event reporting. 


            No policy can outline the exact set of technologies to be used to achieve the desired state of security.  However, HIPAA provided general technical and policy guidelines that would ensure the minimum required level of security regardless of which specific technology was actually used.  We have already outlined some of the services required for HIPAA compliance, the mechanisms and products described here can provide the required technology for the implementation of these services.  If the Health Service provider does not host their own network providing the services, they will need the service of an ASP (Application Service Provider).  Note, ASP will also have to be HIPAA compliant.  In the case of UVA medical center, MCC is responsible for all the health computing services.  Use of mechanisms employing cryptography and digital signatures will be required for confidential transmission and authentication of sensitive information, this falls in the general category of security protocols, such as SSL, SSH, HTTPs, etc.  If a network is in place, firewalls and proxy servers and configuration thereof become a serious issue that requires constant attention by qualified network administrators.  A system for intrusion detection and classification is also a must, this system fits within the larger scheme of monitoring of the network.  S/MIME (Secure/Multipurpose Internet Mail Extensions) system will be required for confidentiality (using encryption) and authentication (using digital signatures) of email.  These are only a few examples of the kind of mechanisms that will need to be implemented.  A medical services network is not that much different from any large corporate network, however, unlike the corporate network, medical network services are subject to HIPAA regulations with regards to their security, confidentiality and usage.

V. Conclusion

a. Recommendations


            As we have shown in this report, the HIPAA guidelines are very complex. Institutions such as the UVA Medical Center will need to make a concerted effort to be compliant with this new legislation because there are many changes to be made in a small amount of time. The Medical Center HIPAA Initiatives Department seems to be extremely dedicated to this transition process. Unfortunately, since the team responsible for HIPAA Initiatives is also responsible for Risk Management, the team’s focus on HIPAA compliance has recently been diverted. We strongly believe different teams should handle these two tasks as they are both of great importance and require much time.

            Indeed, time will be of the essence in the transition phase between non-compliancy and full compliancy with the HIPAA. This transition will be quite a challenge. As technological systems are modified, digitized records may be temporarily less secure. As training takes place in one section of the hospital, employees from another wing may not yet know how to work the new technology or how to comply with the newly implemented security measures. Introducing the changes in a methodical and careful way will be essential in order to avoid mistakes. Thoroughness and attention to detail will be the key to a smooth transition. We strongly recommend that the UVA Medical Center pay special attention to this period.

            Although the technical issues involved are considerable, the most challenging aspect of the transition period will be the training of all Medical Center employees. We have found that the University of Virginia employs, directly or through contractors, over 8,000 people. The difficulty lies in adapting the training to the variety of these 8,000 employees. They have different types of jobs, different shifts, different levels of education and different levels of medical record clearance that they specifically need to be trained for. Our group expects that this will be the biggest challenge in the Medical Center race for HIPAA compliance.


b. Final Thoughts


            In speaking to various members of the HIPAA Initiatives committees, we felt that they were all very concerned with privacy issues and took the HIPAA Initiatives very seriously. Indeed, they seem to have a good handle on the changes that need to take place and how these changes will be implemented. Unfortunately, HIPAA Initiatives is such a large project that there is much more than a semester’s worth of work involved. With more time, our team would have been able to explore more aspects of the HIPAA implementations and we hope that in the future someone will be interested in continuing the work that we have commenced.

[1] U.S. congress, Office of Technology Assessment, Protecting Privacy in Computerized Medical Information, OTA-TCT-576 (Washington, DC: U.S. Government Printing Office, September 1993

[2]U.S. Congress. (1996). Health Insurance Portability and Accountability Act of 1996 (HR3103). Washington, DC: U.S. Government Printing Office.

[3] Department of Health and Human Services. (1997). Confidentiality of Individually-Identifiable Health Information. Washington, DC: U.S. Government Printing Office.

[4] General Accounting Office. (1999). Medical Records Privacy: Access Needed for Health Research, but Oversight of Privacy Protections is Limited. Washington, DC: U.S. Government Printing Office.

[5] Department of Health and Human Services. (2000). Standards for Privacy of Individually Identifiable Health Information (45 CRF). Washington, DC: U.S. Government Printing Office.

[6] National Research Council. (2000). Networking health: Prescriptions for the Internet. Washington, DC: National Academy Press

[7] Carter, Jerome H. (2001). Electronic Medical Records.  Philidelphia, PA: American College Of Physicians-American Society of Internal Medicine

[8] Tempesco, JW. (Jul. 2000) HIPAA is larger and more complex than Y2K.  Managed Care Interface p54-59

[9] The University of Virginia Medical School (Producer).  (1997). Privacy and Confidentiality in Computer Medical Records [Videotape]. Charlottesville, VA: Medical Center Video