Information security risks have grown with the rapid growth in the number and types of people who have a legitimate interest in the information now kept in medical records. These risks will continue to grow. While 5x7 cards never left a physician's office, we now have insurers and health plan managers who need to see medical data to evaluate claims, insurers who share information to protect themselves from fraud, legal representatives and their assistants who review medical records in detail, and administrative staffs in corporate and government institutions who gather and collate large quantities of medical information in order to develop health care management policies.
The risks of inappropriate release of medical information inherent in this situation do not stem primarily from the records maintained in the clinician's office. Instead the primary risk comes from growing computer databases of clinical information kept by non-clinical entities. Many entities have accumulated this information over several years. They intentionally cross-index personally identifiable medical information by patient across providers. These systems predate clinician use of computer-based patient records. As they accumulate clinical information, for instance genetic information, they will become increasingly controversial, and controls over access will become increasingly important to both patients and the other users of the record.
These disclosures highlight the importance of the individual responsibilities of those handling confidential information and the critical requirement for education and monitoring of individuals with access to confidential material.
Clearly computer-based systems can abet personal misbehavior. They can provide the careless or unprincipled person with easy access to large amounts of sensitive information. But with their information access control features, computers can also help us restrict access to confidential information to those who have legitimate access requirements.
Hostile intrusion into computer-based record systems offers those with no authority to view medical records a greater potential for gathering large amounts of confidential information than a similar attack on a paper record system. Although such invasions are still rare, medical information is now a valuable commodity and computer-based record systems require thoughtful protection from external threats.
The clinical environment where health professionals work, however, is vastly different from other situations where people regularly handle sensitive and confidential information. Unlike clerical workers or bankers, clinicians frequently need to consult others and share clinical information in order to care for their patients. Unlike other information workers who rely on computers for information, clinicians do not sit before computer screens for lengthy periods of time. Instead they briefly consult and amend clinical records intermittently, during or between patient encounters. Because many clinicians serve four or more patients an hour, executing log-on procedures that another computer system user in a different environment could easily manage once or twice a day becomes insurmountable when repeated five or ten times an hour. System designers should consider these differences when planning security systems for clinical professionals to use.
Six main features characterize computer-based patient records that meet clinician needs. Implementing these features is important to creating successful computer-based record systems, systems that clinicians will embrace and accept for regular, direct use.
1. Security sophisticated enough to guarantee my patient and myself that there will be no unauthorized access to or release of confidential information
Clinicians need to assure their patients that their records are secure from unauthorized access or disclosure. Clinicians must also assure their patients that they will be able to exercise their right to detailed control of information release. This implies access control at the level of individual data fields.
In addition, clinicians will wish to keep other clinicians and health care management entities from inappropriate and unnecessary access to the records of the patients they treat. Unrestricted access by clinicians or health maintenance organizations to one another's records could create unfair marketing opportunities for competitors and erode the competitive advantage of individuals or organizations who had developed particularly effective methods of delivering health care. These concerns can become prominent in the community health information network environment.
2. One-stop access to the entire patient record
Clinicians seek a system that provides complete access to all existing information on their patients. Subject to patient-generated restrictions on viewing of data, clinicians expect to have full access to patient-specific information from hospitals, outside consultants and ancillary services like pharmacy, laboratory and imaging services, as well as information created in their own offices.
3. Incomplete access notification
Clinicians presume that they have access to the entire patient record. When a patient restricts access to part of the record, the record should clearly reflect that some information has been concealed at the patient's request. This notification would permit the clinician to judge whether the missing information might be important to the clinical task at hand. The clinician could then consider whether to inform the patient of the need for access to the concealed information and request its release. At the same time patients will have to take explicit responsibility for the consequences of errors that arise from failing to make important information available.
4. Rapid access -- don't slow me down
Access to clinical information must be easy and rapid. Security should be nearly transparent to authorized users making appropriate requests. Access must not be hindered by repetitive authentication requirements. Single sign-on techniques and rapid user authentication procedures are essential to making the record accessible enough to be useful.
The requirement for facilitated but reliable access control is particularly evident in clinical outpatient environments. There are many historical examples in which difficult sign-on techniques and onerous authentication procedures have led clinicians to openly circumvent security procedures or abandon use of systems entirely. Examples include sharing passwords with colleagues so that others can input and retrieve information in their stead, or users who post their passwords at their terminals because system administrators demand that the passwords be difficult to guess and frequently changed. A successful computer-based patient record system will avoid these difficulties.
Similarly, clinicians must be able to execute electronic signatures easily and rapidly. There should be a provision for signing documents in groups. For example, the narrative note, all prescriptions, all test requests, all consultation requests and all correspondence executed at a single patient visit should be signed in a single event.
Nevertheless, the system should permit individual signatures for individual items.
Finally, there must be a provision for correcting errors in records that leaves the record easy to read and understand. The information displayed must be the most current and accurate available. To do otherwise invites confusion and error arising from clinical reliance on inaccurate information. If erroneous information in a record has been corrected by an approved process that preserves a detailed audit trail, the corrected information should be displayed. The system should alert the user that the information being viewed has been corrected or amended. The system should also provide the user the option to view the record as it was at any arbitrary point of time in the past and to review the audit trail.
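The two display requirements just described, that a patient-concealed field be shown as concealed rather than silently omitted, and that a corrected field show its current value with an amendment flag while the full audit trail and any earlier point-in-time view remain available, can be met with an append-only record in which nothing is ever overwritten. The following is an added illustration written for this edit, not code from the author or from any real record system; the class and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed example of an append-only patient record: every write adds an
# Entry, a correction adds an Entry carrying a reason, and the viewer sees
# either the current value (flagged "amended" when a correction precedes it)
# or an explicit "concealed" marker for fields the patient has restricted.


@dataclass
class Entry:
    value: str
    author: str
    at: datetime
    reason: Optional[str] = None  # set only when this entry corrects an earlier one


class PatientRecord:
    def __init__(self):
        self._history: dict = {}      # field name -> list of Entry, oldest first
        self._restricted: set = set()  # fields the patient has asked to conceal

    def record(self, field_name, value, author, at):
        """Original entry of a value by a clinician or ancillary service."""
        self._history.setdefault(field_name, []).append(Entry(value, author, at))

    def correct(self, field_name, value, author, at, reason):
        """Approved correction: the old entry stays; a new one is appended."""
        if field_name not in self._history:
            raise KeyError("cannot correct a field that was never recorded")
        self._history[field_name].append(Entry(value, author, at, reason))

    def restrict(self, field_name):
        """Patient-originated restriction on viewing a field."""
        self._restricted.add(field_name)

    def view(self, as_of=None):
        """Record as it stood at `as_of` (default: now), with notifications."""
        out = {}
        for name, entries in self._history.items():
            visible = [e for e in entries if as_of is None or e.at <= as_of]
            if not visible:
                continue  # field did not exist yet at that point in time
            if name in self._restricted:
                # Tell the clinician something is missing, not what it is.
                out[name] = {"value": None, "concealed": True}
                continue
            current = visible[-1]
            out[name] = {
                "value": current.value,
                "concealed": False,
                "amended": any(e.reason is not None for e in visible),
            }
        return out

    def audit_trail(self, field_name):
        """Complete history of a field, including superseded values."""
        return [(e.at.isoformat(), e.author, e.value, e.reason)
                for e in self._history.get(field_name, [])]


if __name__ == "__main__":
    rec = PatientRecord()  # constructed sample data, not real patient data
    rec.record("allergies", "penicillin", "dr_a", datetime(2024, 1, 1))
    rec.correct("allergies", "none known", "dr_a", datetime(2024, 2, 1),
                "transcription error")
    rec.record("hiv_status", "negative", "lab", datetime(2024, 1, 15))
    rec.restrict("hiv_status")
    print(rec.view())
    print(rec.view(as_of=datetime(2024, 1, 20)))
    print(rec.audit_trail("allergies"))
```

The design choice worth noting is that `view()` never deletes or hides the existence of a restricted field: the clinician is told that a concealment is in effect and can ask the patient for release, which is exactly the judgement the text says the notification is meant to enable.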
5. Release control
Clinicians strongly desire to control who sees their medical records and what parts they see. They resist the idea of releasing more information to other medical information users than those users need to accomplish the tasks for which they request information. This concern arises from the concept of business record privacy. Subject to the restraints imposed by patients who have final release control with respect to patient identifiable medical information, clinicians will want to control who gets medical information from their practices and will want notification when others request and obtain information from their systems.
6. Perpetual access
Clinicians have an important interest in the medical information regarding patients they have treated even if they no longer have a professional responsibility for those patients. Security procedures should guarantee clinicians perpetual access to information that they were entitled to view during the time they were caring for a particular patient.
Professionals accept responsibility for their actions. Clinicians rely on the medical record to document their actions, and they rely on the information present in the medical record when deciding their actions. Clinicians may be questioned about their actions at any time and must be able to return to the record to refresh their memories regarding events. The medical record system must support clinician access to the information they put into the record and to the information that was available to them at the time they were responsible for caring for a particular patient (archival access).
Clinicians also have a legitimate requirement to review information from the records of patients they have treated in order to devise and refine their own diagnostic and treatment strategies for improving patient care.
A clinician who has no ongoing professional relationship with a patient but who did care for the patient at one time does not require access to information entered into the record after the professional relationship with the patient terminated.
1. Patient is in ultimate control.
All access authority to patient-identifiable medical information ultimately arises from permission granted by the patient. Governments will undoubtedly compel some access in executing their public health responsibilities despite reservations by some patients.
2. No one has access to a medical record without specific permission.
All access must be specifically granted to specific individuals. In particular, physicians and nurses should not have routine and unlimited access to the records of patients who are not under their care at the moment. The concept of access by role should be a guide to the specific privilege a system may grant a specific user, but should never be the basis for access to a record belonging to a person with whom the user has no professional relationship.
3. Access terminates immediately (and automatically) when no longer appropriate.
When a patient withdraws access privileges, when a clinician loses staff privileges or when an employee ceases to work in a position requiring medical record access, access must terminate immediately. If a clinical professional requires subsequent archival access the system should provide that access, but the system should log each instance of such access and administrators should review the logs to detect abuse of the privilege.
1. Clinicians request access from patients.
Although patients will be the ultimate authority for release of medical information, patients are likely, as a matter of convenience, to employ their primary care givers as their agents for this responsibility. Primary care givers will request and patients will grant primary access to medical records subject to specific, patient-originated restrictions. Access will terminate on a date certain and will be for specific purposes (e.g., to provide medical care). The patients will indicate release authority by executing an informed consent for release of medical information. This release will include a computer-based document that the patient record software consults to verify access authority asserted by various users.
2. Primary care givers will become patient fiduciaries and grant secondary access.
The primary care giver will grant secondary access to other care givers as required to provide the patient with medical care. People granted secondary access will have the same privileges, limited by role, as people with primary access. However, all access except archival access will terminate when secondary users complete their care of a particular patient. Software will handle the details.
3. Several primary care givers may coexist.
Patients may designate as many primary care givers as they choose. Patients will be responsible for terminating any primary access authorities they have granted.
4. Exceptions must be granted for emergency access.
In a health care environment anyone may need to provide emergency care for a patient. In these situations the emergency care providers, regardless of usual employment, may require access to any patient's medical information despite having no formal professional relationship with the patient. The record system should permit such emergency access to any specific patient record on assertion of an emergency requiring such access. Each example of such access should be logged and immediately evaluated for legitimacy.
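The three principles (patient in ultimate control, no access without specific permission, immediate termination) and the first four implementation steps above together describe one authorization model: patient-granted primary access with a purpose and a date certain, secondary access delegated by a primary care giver and limited by role, termination when care ends with archival access only to what was entered while the user was responsible, and a logged emergency exception. The following is an added worked example written for this edit, not code from the author or any real system; the roles, field names and the role-to-field table are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed example of the access model described above.  A Grant is the
# computer-based consent document the record software consults; authorize()
# returns "current", "archival", "emergency" or "denied" and logs the last
# three so administrators can review them.


@dataclass
class Grant:
    patient: str
    grantee: str
    role: str
    purpose: str          # e.g. "medical care"
    start: date
    expires: date         # the "date certain"
    granted_by: str       # the patient for primary access, a primary care giver for secondary
    ended: Optional[date] = None  # set when care completes or access is withdrawn

    def active_on(self, day):
        return self.start <= day <= self.expires and (self.ended is None or day < self.ended)

    def responsible_on(self, day):
        """Was the grantee responsible for the patient on `day`? (archival window)"""
        end = min(self.expires, self.ended) if self.ended else self.expires
        return self.start <= day <= end


class AccessAuthority:
    # Assumed role-to-field table; role only narrows what a grant permits.
    ROLE_FIELDS = {
        "physician": {"notes", "labs", "medications"},
        "pharmacist": {"medications"},
    }

    def __init__(self):
        self.grants = []
        self.log = []  # (kind, user, patient, field, day) for administrator review

    def grant_primary(self, patient, clinician, role, purpose, start, expires):
        g = Grant(patient, clinician, role, purpose, start, expires, granted_by=patient)
        self.grants.append(g)
        return g

    def grant_secondary(self, primary, other, role, purpose, start, expires):
        """A fiduciary with active primary access delegates to another care giver."""
        if primary.granted_by != primary.patient or not primary.active_on(start):
            raise PermissionError("delegation requires active primary access")
        expires = min(expires, primary.expires)  # cannot outlast the patient's grant
        g = Grant(primary.patient, other, role, purpose, start, expires,
                  granted_by=primary.grantee)
        self.grants.append(g)
        return g

    def terminate(self, grant, day):
        """Patient withdraws access, staff privileges lapse, or care completes."""
        grant.ended = day

    def authorize(self, user, patient, field_name, entered_on, today, emergency=False):
        for g in self.grants:
            if g.grantee != user or g.patient != patient:
                continue
            if field_name not in self.ROLE_FIELDS.get(g.role, set()):
                continue  # role limits the privilege, never extends it
            if g.active_on(today):
                return "current"
            if g.responsible_on(entered_on):
                # Archival: information available while the user cared for the patient.
                self.log.append(("archival", user, patient, field_name, today))
                return "archival"
        if emergency:
            # Break-glass: any care giver, any record, on assertion of an emergency.
            self.log.append(("emergency", user, patient, field_name, today))
            return "emergency"
        return "denied"  # no professional relationship, no access


if __name__ == "__main__":
    a = AccessAuthority()  # constructed sample data, not real patient data
    p = a.grant_primary("pat1", "dr_a", "physician", "medical care",
                        date(2024, 1, 1), date(2024, 12, 31))
    s = a.grant_secondary(p, "rx_b", "pharmacist", "dispensing",
                          date(2024, 3, 1), date(2025, 6, 30))
    a.terminate(s, date(2024, 7, 1))
    print(a.authorize("rx_b", "pat1", "medications", date(2024, 5, 1), date(2024, 8, 1)))
    print(a.authorize("nurse_c", "pat1", "notes", date(2024, 5, 1), date(2024, 8, 1),
                      emergency=True))
    print(a.log)
```

Two points the code makes concrete: a secondary grant can never outlive the primary grant it derives from, so withdrawal by the patient cuts off everyone downstream at the same date, and archival access is decided by when the information was entered relative to the period of responsibility, not by who the user is today.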
5. Simplify clinical access.
System designers should use any available hardware and software solutions to simplify using the system. Simplify user authentication. Provide access to multiple systems from a single sign-on. Use security processes appropriate for the physical environment. Do not create barriers that are not justified by a credible risk. Implement simple safeguards that will prevent innocent meddling by the curious. Permit remote access, but be circumspect about potential unauthorized access attempts. Consider encryption on the fly and hardware token authentication for remote access.
6. Execute confidentiality agreements periodically.
Create agreements that clearly disclose management policy regarding user responsibilities accompanying the privilege of access to confidential information. Include employees, clinical staff, volunteers and vendors among the users. Emphasize individual responsibility for maintaining security. Insist on password protection. Describe clearly the penalties that accompany inappropriate access or disclosure of confidential information. Train individuals to understand the agreements and repeat the training periodically. Execute and renew the agreements as part of the training program. Condition access to confidential information on successful completion of the training program.
7. Enforce security policy vigorously and uniformly.
Because most serious violations of privacy and confidentiality involve inappropriate behavior by individuals with authorized access, an essential feature of clinical information system security is the policy for dealing with violations. Whatever policy management adopts, the policy must be one with clearly stated penalties that management can uniformly enforce. Management must consider that, as experience has shown, the person making inappropriate and unjustifiable inquiries to the record system may be a senior officer in administration or a highly valued clinical department head.
The entire issue of sophisticated access control to personal health information has gained new prominence and is a stumbling block to widespread use of clinical information systems. The urgency and importance of clinical information security stem from the growing detail of clinical records and the ever-widening circle of users who view the information. The oft-cited failures of privacy and confidentiality have generally arisen not from the existence of computer-based records per se, but from inappropriate behavior of personnel handling confidential information. We should take advantage of the improvements in access control that computer-based systems offer and strictly limit inappropriate access to avoid inappropriate disclosure. Computer-based patient records should be more secure than traditional paper records. To create successful systems we must aggressively employ technology to simplify legitimate access and avoid procedures that limit access that clinicians require and presently enjoy. In particular, systems must not slow clinicians in completing their work. Finally, we must always hold users of confidential information responsible for their actions. When we are successful, we will be able to provide users with rapid access to appropriate information, and we will be able to assure our patients that we are handling the information they entrust to us with the care it deserves.
Douglas M. Stetson, M. D., is principal scientist with J. D. Stetson Associates, Inc., in San Francisco.