I. Introduction
In the past few decades, the rapid growth of technology has turned many
industries upside down, often changing the way business is done both positively
and negatively. In the case of the health care industry, technology has brought
many great successes. Unfortunately, to each success, there is a drawback. Due
to technology, medical records have become easier to manipulate and more
accessible by doctors so that these can better understand and treat their
patients. On the other hand, the privacy of medical records has lately become a
growing concern.
In
order to address this concern, Congress passed the Health Insurance Portability
and Accountability Act of 1996 (HIPAA).
This act provides a new set of standards that will protect Americans by ensuring
the privacy and security of their medical information. Each health care entity
has to develop their own plan to comply with these standards. In this report, we
will take a closer look at the HIPAA and we will assess the compliance of the
University of Virginia Hospital in regards to these new standards. This report
also outlines our recommendations for the UVA Hospital in their implementation
of the HIPAA standards.
II. Related
Work
While laws about
computerized medical systems and information about their design is new, there
are a variety of laws, books, and journals on the topic. Serious consideration
about medical privacy in regards to the security of computerized medical records
began in the early 1990s because of a request by the Clinton administration to
digitize and network medical information.
In September of 1993, the US congress released a study on the affect of
computerization on the privacy of medical records. This study, done by the
Office of Technology Assessment, produced a report entitled Protecting
Privacy in Computerized Medical Information[1].
This report introduced the concepts involved in the computerization of the
nations medical records, a patients right to privacy, described systems for
computerized health care information, and outlined possible designs for
protecting computerized healthcare information. In 1996, the U.S. Congress
enacted the Health Insurance Portability and Accountability Act of 1996[2]
(HIPAA). This bill and all the standards that follow it constitute the current
body of law about computerized medical information privacy. In 1997, the Department of Health and
Human Services, pursuant to the HIPAA, issued a recommendation entitled
Confidentiality of Individually-Identifiable Health Information[3].
This recommendation provided motivation for new policies about medical privacy.
In 1999, the General Accounting Office released a report titled Medical
Records Privacy: Access Needed for Health Research, but Oversight of Privacy
Protections is Limited[4].
This report outlined privacy concerns in the distribution and collection of
research information. Acting on information outlined in reports over the past
seven years and orders by the US congress, the Department of Health and Human
resources released the Standards for Privacy of Individually Identifiable
Health Information[5].
There are many other reports released by the General Accounting Office and the
US Congress that are associated with this standard; they await examination.
Outside of legislation and congressional research, Networking Health
Prescriptions for the Internet[6]
by the National Research Council explores concerns about migrating from current
medical record architectures to online systems. Within the realm of security,
the author lists the attributes of a secure health system and explores several
methods and protocols for constructing that system.Besides the National Research
Council, the American College of Physicians and the American Medical Association
have published books about privacy and the computerization of medical
information[7].
Journals such as Health Data Management and Modern Healthcare have articles to
inform readers about security. An article entitled HIPAA is larger and more
complex than Y2K[8]
by JW Tempesco argues that implementing the guidelines enumerated in the HIPAA
will be significantly more complex than solving the Y2K problem. The University
of Virginia maintains videos and online literature about the use of medical
information systems and medical privacy. The Privacy and Confidentiality in
Computer Medical Records[9]
is a video produced by the University of Virginia Medical School detailing the
Universitys policies on the privacy of computerized medical
records.
III. Privacy Law and
Background Information
a. State Law
Privacy, as it currently stands, is a civil matter handled either by the court of law or equity in each state. Although medical privacy, especially psychological related information is guarded by state legislation with extra care, they are essentially tort laws.
Each state has unique laws
and remedies, and the most severe punishment is limited by money damages. In some states, punitive damages are
also given depending on the maliciousness and intent of the wrongful act. Although Virginia allows punitive
damages as well as compensatory damages, its laws are known to be conservative
and damages stringent; the punitive damages is capped at $250,000. This means fairly limited liability for
major medical institutions such as UVa Medical Center, it can be argued that the
legal implications do not dissuade careless or malicious actions by medical
record handlers as much as simple volunteer actions aimed at maintaining
reputation. It is not the law, but
rather the negative backlash of privacy violation, that encourages hospitals and
medical research facilities alike to securely and privately handle sensitive
personal medical care information.
HIPAA unifies and in some cases, creates new laws and the corresponding
punishments to promote better medical information handling and
processing.
b. Summary of HIPAA
In 1992, President George W. Bush Sr. pressured congress to form a committee to research methods for cutting down the cost of health insurance in the United States. Several congressional committees and reports later, the congress penned The Health Insurance Portability and Accountability Act of 1996. This act provided a mechanism for establishing federal standards in four areas:
- Electronic Health
Transactions
- Unique Identifiers
- Privacy &
Confidentiality
- Security & Electronic
Signatures
Currently, through the Department of Health, the government is finalizing the precise guidelines of this act. The government has finalized the guidelines for electronic health transactions and unique identifiers (without the national identifier card). The electronic health transaction guidelines specify a set of common codes that all hospitals must use. These codes standardize hospitals nationally and simplify the process of digitizing records and making requests for payment. The guideline for unique identifiers gives each insurance provider and hospital a unique identifier that they use to fill out all of their forms. This unique identifier creates a nationalized standard method of referring to hospitals and insurers. What follows is a brief description of the Privacy and Security Guidelines associated with this act.
A. Privacy
The government finalized the HIPAA guidelines
in 2000. Compliance is expected in
2003.
|
Right or
Responsibility |
Description |
|
Consents |
When seeking
treatment, the patient must consent (by signing a form) to the use of
their medical information for treatment, billing, and hospital business
operations and quality assurance.
Any other uses of their medical information are entirely up to the
patients discretion and they must agree to those other
uses. |
|
Authorization |
Unrelated to consent,
authorization pertains to who can view psychotherapy notes. The patient must authorize the use
of their psychotherapy notes for treatment, assuming that their disease
does not hinder their ability to make that
decision. |
|
De-identification |
When using medical
information that is not linked to individuals the hospital is responsible
for the adequate removal of identification from the record. A person is identifiable when
someone releases enough information to indicate, with reasonable
certainty, who the person is.
For example, Names, photos, and names of relatives and employees
constitute identifiable information. |
|
Specific
Disclosures |
The hospital has the
right to release private medical information without consent in cases of
public need (an epidemic), facility directories, marketing, and fund
raising. However, the
hospital must de-identify this material. Furthermore, being part of
marketing and fundraising are opt-out choices for the
patient. |
|
Minimum
Necessary |
The hospital must
divulge the minimum necessary information about a patient from their
medical records for any record use. |
|
Notices |
The patient has the
right to prevent or allow notice that they are in the
hospital |
|
Access |
The patient has the
right to see their own medical record, unless seeing it is a threat to
their health (there are a limited number of psychological related cases
where this restriction applies) |
|
Amendments |
The patient has the
right to make an addendum to their record |
|
Accounting of
Disclosures |
The patient has the
right to know where their medical record has been and who has had
it. |
|
Right of
Restriction |
The patient has the
right to control who has access to the record. |
|
Exceptions |
The Hospital has the
right to divulge medical information without patients consent for reasons
of public health, research where there is an Internal Research Board,
oversight, and law enforcement |
|
Contracts |
When dealing with
contracted businesses the hospital must ensure that they too adhere to the
regulations that guard patients
privacy. |
B. Security
The proposed security guidelines are
high-level requirements to protect against the disclosure of protected health
information. They include
requirements for policies, procedures, training, internal auditing, computer
systems, and physical security. The
guidelines also demand documentation, monitoring, reviewing and regular
updates. Currently, the proposed
security guidelines ask for:
- Contingency plans for
disasters
- Computer Network
Safeguards
- Personal Security and
Surveillance
- Mechanisms for the
prevention of security breaches
- Mechanisms for the
reporting of security breaches
- Mechanisms for the
detection of security breaches
- Mechanisms for the
containment of security breaches
- A Configuration Management
system that prevents software and hardware security
weaknesses
- Disk and Media Controls
for computer systems
- Formal termination
procedures
- Chain of Trust Agreements
with business associates
If a hospital does not comply with the HIPAA guidelines by the specified deadlines or breaks the law, they can incur civil and criminal penalties. The hospital can be charged $100 per violation capped at $25,000 for each violation per calendar year. Individuals and the hospital can suffer up to a $50,000 fine and one year in prison for committing a basic violation. If the individual commits the violation under false pretenses, they can suffer $100,000 in fines and up to five years in prison. If the individual maliciously commits the violation, they can suffer $250,000 in fines and up to ten years in prison.
IV. UVA Medical Center Privacy
a. How Medical Center currently protects privacy
Medical privacy and security at the UVa Medical Center is currently
handled as it has always been handled throughout the existence of the concept of
medical privacy. What individuals
across the western world count on is the Hippocratic oath, which is a sacred
oath taken by all medical professionals to not disclose a patients private
information. Whatever information a
medical provider has access to through his/her job is strictly
confidential. On the legal side,
this is a fiduciary relationship.
Since the violation of ones privacy, especially medical and
psychological information, is handled at the state level, a victim can always
bring a civil case against anyone who violates the patients privacy. To prevent liability and potential
reputation-damaging lawsuits, UVa Medical Center has implemented limited
traditional privacy and security measures.
So traditional are its practices that the tracking of records are
analogues of checking out books at a library in that each party who whishes to
see a particular record logs his/her access in a central database maintained by
UVa Medical Center. As for
security, since most records are still in paper form, they are simply locked up
with a physical key.
b. HIPAA Initiatives
A. Administrative
The University of Virginia
Medical Center has an administrative department for HIPAA compliance. The hospital started this initiative in
1999 to become compliant with all four HIPAA guidelines. So far, the HIPAA Initiatives department
has directed the hospital to be compliant with the Transactions and the
Identifiers portion of the HIPAA guidelines. They are working to satisfy all of the
newly released privacy guidelines by 2003 and are waiting for the finalization
of the security guidelines. A large
portion of their current work involves analyzing their current privacy rules and
the state laws as compared to the new HIPAA regulations.
The HIPAA Initiatives and
Risk Management departments closely tied to risk management. The Risk Management Department deals
with the sequestering of medical records in reaction to law suits and deals with
planning for emergency situations such as hospital fires, bio-terrorist attacks,
and disease outbreaks.
The HIPAA initiatives
department consists of several standing committees directed by Ms. Marge
Sidebottom. Ms. Sidebottom had
previous experience in disaster management, administration, and privacy
concerns. As the director of HIPAA
Initiatives she directs a Steering Committee. This Steering committee has several
subcommittees as indicated in the figure below. All of these committees existed before
HIPAA; the hospital has reused them to decrease the amount of time necessary to
formulate policies for HIPAA compliance.
The subcommittees include a committee on Human Resources, Policies, Risk,
and Technology. The committees are
staffed by people who represent a variety of medical interests including people
from the hospital, the Health Services Foundation, treatment, payment, business,
operations, and academic backgrounds (including the medical school, the
education school, athletic department, and psychology). Directed by Ms. Sidebottom, each
subcommittee decides on interim and long term implementations for HIPAA
guidelines that relate to their specialties.
Administrative
Organization of HIPAA
Initiatives
The committees see the
largest risk to individuals privacy to be hospital employees. While cases of malicious privacy
infringement are exceedingly rare, accidental infringement is not. The UVa Medical Center is an academic
hospital, so doctors often openly discuss peoples private medical information
in front of a variety of people.
This discussion is important for treatment, but can also be a violation
of privacy if doctors do not keep good track of who is near while they discuss
cases. The most commonly leaked
private information is about who is in the hospital. Tags on doors make this information
readily available, and, even with HIPAA, this information is difficult to
protect and assure good and timely treatment. Even a desk clerk can irresponsibly give
away a patients private information by openly discussing a patients address
for verification without their permission.
Everyone from Janitors to Doctors must be trained to respect patients
privacy.
Currently, every employee of
the UVa medical center as well as many contracted employees must take training
courses for payroll certification.
Amongst other topics, the training courses inform employees about the
patients right to privacy. The hospital has designed these training systems for
people with a fourth grade to doctor reading level. It encompasses full time and part time
workers and is set up for people who work during the day and night (since the
hospital is a twenty four hour business).
The training takes the form of classes, booklets, and tests. There is currently research in creating
online training systems. The
Hospital has the ability to mandate training for its employees at any time. Completing the training program is
necessary for pay. Each employee
re-trains every six to twelve months.
Training is the largest tool
that the hospital plans to use for HIPAA compliance. However, they will employ several
computer systems in the future for compliance. Currently, a computer system tracks the
checking out and returning of medical records. The system stores where a medical
employee checked the record out to and how long that employee held the
record. In the future, the hospital
hopes to enhance this system to provide more detailed information about who
checked out and viewed the record.
The hospital has posted the
core information from medical records on the hospitals internal network. The Access Control Committee decides who
can access the information. The
application, the Clinical Archival System (CAS), has a username password
login. The hospital hopes to
enhance this system to hold more medical information. If secure, it will allow the hospital to
better track who is viewing medical information because they can track login
usernames.
The HIPAA Initiatives
department has not begun changing their current security system to make HIPAA
compliance because the government has not finalized the security
guidelines.
The UVa medical center is
planning a mix of old and new techniques to become HIPAA compliant. They will first formulate interim fixes
for policies that are not HIPAA compliant and then move over to a final plan
that involves training and computer systems. The task of compliance will be
difficult, but possible. The
difficulties are from the number of records, the number of people, and the
multitude of regulations. However,
the hospital has experience in these disciplines, and they will
succeed.
B. Technical
As one might expect, the technical standpoint for securing sensitive
information plays a substantial role in achieving HIPAA compliance. As the automation of health care
information management becomes more widespread, the health care industry faces
new challenges in assuring that information remains secure. The security challenges with physical
paper records were already significant, but they cannot even come in comparison
with the tremendous difficulty of securing electronic records. The simple reason for that is that most
security measures with regards to paper records have to do with physical
location and people, where as the measures pertaining to electronically stored
information must also deal with constantly growing and improving information
technology. When HIPAA was passed
in 1996, it contained a security rule outlining the technical standards
essential for ensuring security and integrity of health information that is
maintained and transmitted electronically.
The standards apply to storage of electronic medical records, data
repositories, networking, Internet access and other issues pertinent to security
of sensitive electronic information.
As security breaches such as hacking of medical networks and patient
databases, misdirected patient emails, and unauthorized access, just to name a
few, became fairly frequent, it became clear that the current security measures
in place were inadequate. This was
more of a general problem, not specific to the University of Virginia hospital,
for as it was mentioned before, the hospital is still largely in transition from
paper to electronic storage, and they are taking the initiative to do things
right. The design of a medical LAN
where most of the sensitive information is accessed is not a trivial business,
and highly trained technical personnel of the MCC is currently in the midst of
implementing additional security measures.
Some of the issues that come into play here are authentication, access
controls, audit trails, controls of external communications links (such as
Internet hubs) and access, physical security, system back ups and disaster
recovery (contingency plans). In
addition, since most of the time, network security breaches actually come from
within (from authenticated users), a monitoring system must be in place to
ensure proper usage of network services.
The two important aspects of the overall security scheme are obviously
physical security, such as having your database and application servers in
secure location, and also policy for use of network services. At this point, however, we will
concentrate more heavily on the more technical security features that need to be
implemented to protect sensitive medical information against the prying eyes of
hackers or otherwise unauthorized users with increasingly sophisticated set of
tools at their disposal.
HIPAA Security Rule focuses on both external and internal security
threats, with the understanding that internal threats are actually far more
likely to occur. Some of the
external vulnerabilities might include outsiders who break through the network
firewalls, email attacks involving either interception or viruses, compromise of
passwords, pretending to be authorized users, computer viruses and modem number
prefix scanning. This is in no way
an exhaustive list of security threats from the outside, and in some sense,
perhaps the most challenging task is protecting the information from
unpredictable attacks. The attacks
hitherto mentioned could have the effects of denial of service, crashing or
overloading critical servers and the network traffic in general or compromising
sensitive information. The more
likely attacks from the inside might include simply users unaware of security
issues who use the services insecurely, or insiders with foul intentions who
wish to gain unauthorized access to some information or to simply disrupt the
services. Therefore, any technical
solution of security issues must address all of these and other potential
threats before it can be HIPAA compliant.
The technical aspect becomes increasingly difficult as the size of
operation increases. The technical
solution requires highly skilled personnel, expensive up to date hardware and
software among other things, and that is part of the reason that HIPAA
compliance is so expensive. An
important issue here is also a tradeoff between security and functionality. There is an inherent problem in
achieving both perfect security and functionality, which is providing timely
access to needed health information requested by authorized parties, so that is
sort of where policy comes in to be the moderator between the two. Let us now examine some of the concrete
specifications and standards as suggested by HIPAA Security Rule to counteract
some of the threats and vulnerabilities aforementioned.
As it is to be expected, the actual recommendations are both scalable and
technology independent, to accommodate systems of various size as well as
constantly changing technology. The
rules in a sense set the minimum necessary technical security guidelines. There are two key technical security
services mentioned. One is to
protect and monitor information access.
The other is the implementation of security mechanisms that prevent
unauthorized access to data that is protected over the network. In many respects, the network
administration issues involved here are similar to any other corporate network
administration. Access controls
must be implemented to provide limited access to information. In most cases there are various levels
of access controls. Audit controls,
which involves implementing a system capable of recording and monitoring network
activities and access to data banks.
Authorization controls, this involves obtaining and tracking the consents
of the patients to be treated.
Finally, data authentication and entity authentication. Data authentication ensures the
integrity of data, in other words, preventing it from being altered without
authorization. For instance, if a
hacker was successful in modifying data within a database, at least there must
be an ability to detect this violation in data integrity. Entity authentication employs mechanisms
such as automatic logoffs (timeouts), passwords, PINs and even biometrics to
identify authorized users. In
addition, organizations that transmit health information over open networks must
protect it from being intercepted or corrupted by the outside world via some
external entry points such as hubs, routers and modems. Several communication
and network controls are necessary for this purpose. Integrity controls verify the validity
of data transmitted or stored. Message authentication assures that messages sent
and received are the same, this can be achieved with parity checks and digital
signatures. Digital signatures are
better in a sense that they will also solve the problem of entity
authentication. Some sort of access
controls are necessary by either using dedicated secure communication lines or
encryption based schemes such as SSL.
And finally, several standard network protection mechanisms would be
necessary, such as using alarms, audit trails, entity authentication and event
reporting.
No policy can outline the exact set of technologies to be used to achieve
the desired state of security.
However, HIPAA provided general technical and policy guidelines that
would ensure the minimum required level of security regardless of which specific
technology was actually used. We
have already outlined some of the services required for HIPAA compliance, the
mechanisms and products described here can provide the required technology for
the implementation of these services.
If the Health Service provider does not host their own network providing
the services, they will need the service of an ASP (Application Service
Provider). Note, ASP will also have
to be HIPAA compliant. In the case
of UVA medical center, MCC is responsible for all the health computing
services. Use of mechanisms
employing cryptography and digital signatures will be required for confidential
transmission and authentication of sensitive information, this falls in the
general category of security protocols, such as SSL, SSH, HTTPs, etc. If a network is in place, firewalls and
proxy servers and configuration thereof become a serious issue that requires
constant attention by qualified network administrators. A system for intrusion detection and
classification is also a must, this system fits within the larger scheme of
monitoring of the network. S/MIME
(Secure/Multipurpose Internet Mail Extensions) system will be required for
confidentiality (using encryption) and authentication (using digital signatures)
of email. These are only a few
examples of the kind of mechanisms that will need to be implemented. A medical services network is not that
much different from any large corporate network, however, unlike the corporate
network, medical network services are subject to HIPAA regulations with regards
to their security, confidentiality and usage.
V.
Conclusion
a. Recommendations
As we have shown in this report, the HIPAA guidelines are very complex.
Institutions such as the UVA Medical Center will need to make a concerted effort
to be compliant with this new legislation because there are many changes to be
made in a small amount of time. The Medical Center HIPAA Initiatives Department
seems to be extremely dedicated to this transition process. Unfortunately, since
the team responsible for HIPAA Initiatives is also responsible for Risk
Management, the teams focus on HIPAA compliance has recently been diverted. We
strongly believe different teams should handle these two tasks as they are both
of great importance and require much time.
Indeed, time will be of the essence in the transition phase between
non-compliancy and full compliancy with the HIPAA. This transition will be quite
a challenge. As technological systems are modified, digitized records may be
temporarily less secure. As training takes place in one section of the hospital,
employees from another wing may not yet know how to work the new technology or
how to comply with the newly implemented security measures. Introducing the
changes in a methodical and careful way will be essential in order to avoid
mistakes. Thoroughness and attention to detail will be the key to a smooth
transition. We strongly recommend that the UVA Medical Center pay special
attention to this period.
Although the technical issues involved are considerable, the most
challenging aspect of the transition period will be the training of all Medical
Center employees. We have found that the University of Virginia employs,
directly or through contractors, over 8,000 people. The difficulty lies in
adapting the training to the variety of these 8,000 employees. They have
different types of jobs, different shifts, different levels of education and
different levels of medical record clearance that they specifically need to be
trained for. Our group expects that this will be the biggest challenge in the
Medical Center race for HIPAA compliance.
b. Final Thoughts
In speaking to various members of the HIPAA Initiatives committees, we felt that they were all very concerned with privacy issues and took the HIPAA Initiatives very seriously. Indeed, they seem to have a good handle on the changes that need to take place and how these changes will be implemented. Unfortunately, HIPAA Initiatives is such a large project that there is much more than a semesters worth of work involved. With more time, our team would have been able to explore more aspects of the HIPAA implementations and we hope that in the future someone will be interested in continuing the work that we have commenced.