For the Record: Protecting Electronic Health Information / Edition 1

For the Record: Protecting Electronic Health Information / Edition 1

by Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastru, Mathematics Commission on Physical Sciences, National Research Council
     
 

ISBN-10: 0309056977

ISBN-13: 9780309056977

Pub. Date: 06/17/1997

Publisher: National Academies Press

When you visit the doctor, information about you may be recorded in an office computer. Your tests may be sent to a laboratory or consulting physician. Relevant information may be transmitted to your health insurer or pharmacy. Your data may be collected by the state government or by an organization that accredits health care or studies medical costs. By making

…  See more details below

Overview

When you visit the doctor, information about you may be recorded in an office computer. Your tests may be sent to a laboratory or consulting physician. Relevant information may be transmitted to your health insurer or pharmacy. Your data may be collected by the state government or by an organization that accredits health care or studies medical costs. By making information more readily available to those who need it, greater use of computerized health information can help improve the quality of health care and reduce its costs. Yet health care organizations must find ways to ensure that electronic health information is not improperly divulged. Patient privacy has been an issue since the oath of Hippocrates first called on physicians to "keep silence" on patient matters, and with highly sensitive data—genetic information, HIV test results, psychiatric records—entering patient records, concerns over privacy and security are growing.

For the Record responds to the health care industry's need for greater guidance in protecting health information that increasingly flows through the national information infrastructure—from patient to provider, payer, analyst, employer, government agency, medical product manufacturer, and beyond. This book makes practical detailed recommendations for technical and organizational solutions and national-level initiatives.

For the Record describes two major types of privacy and security concerns that stem from the availability of health information in electronic form: the increased potential for inappropriate release of information held by individual organizations (whether by those with access to computerized records or those who break into them) and systemic concerns derived from open and widespread sharing of data among various parties.

The committee reports on the technological and organizational aspects of security management, including basic principles of security; the effectiveness of technologies for user authentication, access control, and encryption; obstacles and incentives in the adoption of new technologies; and mechanisms for training, monitoring, and enforcement.

For the Record reviews the growing interest in electronic medical records; the increasing value of health information to providers, payers, researchers, and administrators; and the current legal and regulatory environment for protecting health data. This information is of immediate interest to policymakers, health policy researchers, patient advocates, professionals in health data management, and other stakeholders.

Product Details

ISBN-13:
9780309056977
Publisher:
National Academies Press
Publication date:
06/17/1997
Pages:
288
Product dimensions:
6.00(w) x 9.00(h) x (d)

Table of Contents

Executive Summary 1(18)
Introduction
19(18)
The Growing Use of Information Technology in Health Care
20(6)
Changes in the Health Care Delivery System
21(1)
Integrated Delivery Systems
22(1)
Managed Care
22(2)
New Users of Health Information
24(1)
The Electronic Medical Record
25(1)
Content of Electronic Medical Records
25(1)
Advantages of Electronic Medical Records
26(1)
Protecting the Privacy and Security of Health Information
26(7)
Privacy and Security Concerns
27(2)
Addressing Privacy and Security Concerns
29(4)
Goals and Limitations of This Report
33(2)
Objectives
33(1)
What This Report Does Not Do
34(1)
Organization of This Report
35(2)
The Public Policy Context
37(17)
Federal and State Protections
39(8)
Federal Statutes and Regulations
40(2)
Limitations of Federal Protections
42(2)
State Statutes and Regulations
44(1)
Limitations of State Protections
45(2)
Nongovernmental Initiatives
47(2)
American National Standards Institute
47(1)
Computer-based Patient Record Institute
48(1)
Joint Commission on Accreditation of Healthcare Organizations
48(1)
Improving Public Policy
49(5)
Building National Consensus
50(2)
Legislative Initiatives
52(2)
Privacy and Security Concerns Regarding Electronic Health Information
54(28)
Concerns Regarding Health Information Held by Individual Organizations
54(11)
Scale of the Threat to Health Information Held by Individual Organizations
55(1)
General Taxonomy of Organizational Threats
56(1)
Factors Accounting for Differences Among Threats
56(3)
Levels of Threat to Information in Health Care Organizations
59(2)
Countering Organizational Threats
61(1)
Developing Appropriate Countermeasures
61(3)
Observations on Countering Organizational Threats
64(1)
Systemic Concerns About Health Information
65(17)
Uses and Flows of Health Information
65(4)
Alice's Medical Records
69(3)
Government Collection of Health Data
72(2)
Risks Created by Systemic Flows of Health Information
74(4)
Universal Patient Identifiers
78(2)
Conclusions Regarding Systemic Concerns
80(2)
Technical Approaches to Protecting Electronic Health Information
82(45)
Observed Technological Practices at Studied Sites
84(30)
Authentication
86(2)
Authentication Technologies Observed on Site Visits
88(1)
Authentication Technologies Not Yet Deployed in Health Care Settings
89(4)
Access Controls
93(1)
Access Control Technologies Observed on Site Visits
94(2)
Access Control Technologies Not Yet Deployed in Health Care Settings
96(1)
Audit Trails
97(1)
Audit Trail Technologies Observed on Site Visits
98(1)
Audit Trail Technologies Not Yet Deployed in Health Care Settings
98(1)
Physical Security of Communications, Computer, and Display Systems
99(3)
Control of External Communication Links and Access
102(2)
Network Control Technologies Observed on Site Visits
104(1)
Network Control Technologies Not Yet Deployed in Health Care Settings
104(2)
Encryption
106(2)
Software Discipline
108(2)
Software Control Technologies Observed on Site Visits
110(1)
Software Control Technologies Not Yet Deployed in Health Care Settings
110(1)
System Backup and Disaster Recovery Procedures
111(1)
System Backup Procedures Observed on Site Visits
111(1)
System Backup Procedures Not Yet Deployed in Health Care Settings
112(1)
System Self-Assessment and Attention to Technological Awareness
112(2)
Site Visit Summary
114(3)
Key Issues in Using Technology to Protect Health Information
117(5)
Patient Identifiers and Techniques for Linking Records
117(3)
Control of Secondary Users of Health Care Information
120(2)
Obstacles to Use of Security Technology
122(5)
Difficulty of Building Useful Electronic Medical Records
122(1)
Lack of Market Demand for Security Technology
123(1)
Organizational Systems Accumulate---They Are Not Designed
123(1)
Cryptography-based Tools Are Still Out of Reach
124(1)
Effective Public-key Management Infrastructures Are Essential but Still Nonexistent
124(1)
Helpful Technologies Are Hard to Buy and Use
125(1)
Education and Demystifying Issues of Distributed Computing and Security
125(2)
Organizational Approaches to Protecting Electronic Health Information
127(33)
Formal Policies
128(10)
Policies Regarding Information Uses and Flows
129(1)
Security Policies
129(1)
Confidentiality Policies
130(1)
Policies to Protect Sensitive Information
131(3)
Policies on Research Uses of Health Information
134(1)
Policies Guiding Release of Information
135(1)
Patient-centered Policies
136(1)
Patient Bill of Rights
136(1)
Authorization Forms
136(1)
Access to Records and Audit Logs
137(1)
Organizational Structures
138(4)
Policy Development Process
138(1)
Structures for Implementing Policy
139(1)
Structures for Granting Access Privileges
140(2)
Education and Training
142(7)
Training Programs
143(1)
Nonformal Training
144(1)
Educational Tools
145(4)
User Confidentiality Agreements
149(1)
Sanctions for Breaches of Confidentiality
149(4)
Improving Organizational Management: Closing the Gap Between Theory and Practice
153(7)
Implementing an Integrated Security and Confidentiality Management Model
154(1)
Overcoming Obstacles to Effective Organizational Practices
155(1)
Lack of Public or External Incentives
155(1)
Resource Constraints
156(1)
Competing Demands
156(1)
Lack of Focus on Information Technology
157(1)
Cultural Constraints
158(2)
Findings and Recommendations
160(37)
Findings and Conclusions
161(6)
Recommendations
167(27)
Improving Privacy and Security Practices
167(2)
Technical Practices and Procedures for Immediate Implementation
169(4)
Organizational Practices for Immediate Implementation
173(2)
Security Practices for Future Implementation
175(2)
Creating an Industry-wide Security Infrastructure
177(3)
Addressing Systemic Issues Related to Privacy and Security
180(5)
Developing Patient Identifiers
185(4)
Meeting Future Technological Needs
189(2)
Technologies Relevant to the Computer Security Community as a Whole
191(1)
Technologies Specific to Health Care
192(1)
Testbeds for Privacy and Security
193(1)
Concluding Remarks
194(3)
BIBLIOGRAPHY 197(58)
APPENDIXES
A Study Committee's Site Visit Guide
211(10)
B Individuals Who Briefed the Study Committee
221(1)
C National Library of Medicine Awards to Develop Health Care Applications of the National Information Infrastructure
222(11)
D Sections of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Related to the Privacy and Security of Electronic Health Information
233(14)
E Committee Biographies
247(8)
Index 255

Customer Reviews

Average Review:

Write a Review

and post it to your social network

     

Most Helpful Customer Reviews

See all customer reviews >