EMR (In)Security
Marjorie Lazoff, MD
Emergency Medicine
Philadelphia, Pennsylvania
Medical Editor
Medical Computing Today

accepted for publication in Medical Computing Today December 1997

Originally published in edited form December 1997 in Medical Software Reviews.


It's easy to empathize with both patient and physician in the December 1996 Annals of Internal Medicine Ethics Case Study. A general internist working for a large managed care organization is asked by one of her favorite patients not to document in his electronic medical record (EMR) her prescribed treatment for an acute grief reaction to his secret male companion's death. "'Doctor, I can't believe you are so naive,' he says. 'I'm in Army intelligence. I can promise you there are 10 ways I could breach the confidentiality of the medical record system right now if I wanted.'"
The case study commentary begins by stating the central ethical dilemma: "whether physicians are required ethically and/or legally to record information that could, due to an increasingly accessible medical record, harm the well-being of patients. Inability to guarantee the confidentiality of sensitive and potentially harmful information strikes at the core requirement of the doctor-patient relationship: trust. Without trust, patients do not feel that they can disclose intimate and potentially embarrassing and/or damaging details of their lives that physicians need to diagnose and treat effectively."
The commentary also provides background information. The American College of Physicians upholds the majority position that physical records are the property of the physician or institution -- a position easily extended to records kept electronically -- and that the information contained within the record is the property of the patient. From a privacy perspective, records should be accurate and complete, but contain only that information essential for patient care. This stance leaves the practical problem unresolved, though, since medical records today serve many other functions pertaining to patient care, such as billing and insurance purposes. Information protected by the doctor-patient privilege does not lose its confidentiality by virtue of being recorded -- but confidentiality is not absolute from a legal perspective, and records used for other functions bypass the physician's protection.
Beyond the basic dilemma, the advent of electronic charting and prescription distribution has resulted in breaches of patient confidentiality in ways that would have been unthinkable 20 years ago. We are reminded that "already, the sale of data from these sources to insurers, private companies, government agencies, and financial institutions has become widespread, much in the same way as credit information is exchanged." For example, businesses openly advertise background check services, where for a name, address, date of birth, social security number, and an undisclosed fee clients can purchase, among other things, the clinic name and date of that person's clinic visits for the past 10 years. The recent National Research Council report concluded that "the primary threats to the confidentiality of patient information originate from the lack of controls over the legal (and generally legitimate) demands for data made by organizations not directly involved in the provision of care," such as health services researchers, public health agencies, managed care organizations, insurers, and self-insured employers.
This particular case study has an unsatisfying conclusion and implicitly raises several disturbing questions. Is the perceived erosion in medical record security so real that physicians should consider adjusting their records' contents? Should theoretical security risks enter at all into how physicians chart and maintain patient records? Most important, is there anything we physicians can do to safeguard our patients' medical privacy in the electronic age, so as to protect our patients' trust and ensure the integrity of the medical record within a technological framework certain to vastly improve the quality of care at a lower cost?
Online Resources
For those seeking to better understand the ethics and politics of medical privacy or the technology and implementation of EMR security, the Web offers a complete array of freely accessible, timely, and authoritative resources. Everything is online: the awesome benefits of a networked electronic patient database in terms of increased quality of care and decreased costs; the technical, ethical, and legal issues involving EMRs; and descriptions of the inadequate patchwork of state and federal laws safeguarding medical privacy, principally the Privacy Act of 1974. On the Web are details of hot topics created by computerization, such as the importance of unique patient identifiers; the "myth" of informed consent for release of records; the need to create medical standards for content/vocabulary, patient data, and system security; the pros and cons of online security using passwords, smart cards, encryption, and scanners; and the implications of linking to both internal and external databases, as part of either public or private networks, to and from an individual EMR.
By way of background, those new to electronic medical records, unconvinced of their benefits and/or not familiar with the obstacles to their implementation, will find New Zealand Health Information Service's Electronic Medical Records and Lawrence Berkeley National Laboratory's Medical Privacy breezy but worthwhile overviews. Those who obsess over whether to hyphenate anal-retentive will appreciate the five increasingly complex levels of computerization for patient information systems as delineated by the Medical Record Institute's What is an Electronic Patient Record and dispensed by them to other sites. Patient rights regarding medical privacy are well summarized in Privacy Rights Clearinghouse's How Private is my Medical Information?.
The Milbank Quarterly is a new electronic journal of public health and health care policy. Its first article, Information Policy for the U.S. Health Sector: Engineering, Political Economy, and Ethics, provides a balanced, well-referenced discussion touching on many medical privacy and technology issues. In particular, the ethical section critiques the five fair information principles from the Privacy Act of 1974 that form the foundation of present-day medical privacy legislation. The ethical considerations of the public sector contrast nicely with the physician-patient ethical dilemma presented above.
The most timely government resource on the Web is The National Research Council's For the Record: Protecting Electronic Health Information, a collaborative report by the National Library of Medicine, the National Institutes of Health, and the Massachusetts Health Data Consortium. This is a comfortable online reference and a good starting point for gaining background and familiarity with basic medical privacy issues from the government's perspective. It is somewhat more pessimistic reading than other resources about present and future technology in security systems. Its Findings and Recommendations suggest public policies and several federal agency initiatives that, for better or worse, place government at the helm of U.S. healthcare information technology.
One of the longest, least elegant, but strongest online references concerning medical privacy issues is the 1993 Office of Technology Assessment (OTA) report, Protecting Privacy in Computerized Medical Information. It is based on the 1991 landmark report by the Institute of Medicine (IOM), The computer-based patient record: an essential technology for health care. Free download and a PDF version of the 1993 OTA report and others are available at OTA Archives. OTA's report to Congress reflects the need to establish electronic standards for medical privacy. "As a result of the linkage of computers, patient information will no longer be maintained, be accessed, or even necessarily originate with a single institution, but will instead travel among myriad facilities.... Existing models for data protection, which place responsibility for privacy on individual institutions, will no longer be workable for new systems of computer linkage and exchange of information across high-performance, interactive networks. New approaches to data protection must track the flow of the data itself."
The AMA's testimony to an HHS subcommittee from earlier this year includes six recommendations commensurate with its official policy that "conflicts between a patient's right to privacy and a third party's need to know should be resolved in favor of the patient, except where that would result in serious health hazard or harm to the patient or others." The American Counseling Association, which also testified to an HHS subcommittee, offers a succinct Congressional Summary of Confidentiality Bills.
In Juggling Privacy, Access, Information and Care the AMA explains why in the future physicians may well be denied full access to medical records: administrators, increasingly in the driver's seat, are unlikely to exempt physicians from their new organizational policies, and legislators are not likely to risk votes by opposing individual control over one's own medical record. The article then describes the automated records system at Columbia-Presbyterian, which provides its physicians full access to all patients' medical records but monitors and disciplines their online activity. From the left coast, PCASSO with a Mouse describes UCSD's electronic records system, notable for its Internet security measures and its open access to patients. This three-year project aims to add write capacity, so both physicians and patients can make notes in the same medical record.
Across the Atlantic, the British Medical Association and National Health Service are struggling with the same issues. Confidentiality and Security Requirements and Primary Care Computing: Achilles' Heel or Secret Policeman's Ball?, an article from January 1977's Journal of Informatics in Primary Care, advocates a middle-of-the-road approach.
More pragmatic is the American Health Information Management Association's Confidentiality and Compliance: Political and Public Interests. Written by an attorney, its alarmist but well-supported posturing slouches toward the end with several weak recommendations to medical administrators. Tampa Times' Privacy Lost, a newspaper series and update articles from earlier this year, also documents the extent to which medical privacy is not at present a legally protected right.
A group out of Georgetown University Medical Center, after Comparing the security risks of paper-based and computerized patient record systems, optimistically concludes that "clear gains in both access and security are possible with the computerized record when compared to the paper record."
Ross Anderson, a British computer expert and advisor on security systems to the British Medical Association, has placed online a number of papers regarding computer privacy and security issues, almost all of which are applicable to medical systems. Specifically, scroll midway down the page for a group of papers and excellent links addressing Security of Medical Information Systems.
Other online resources include the IOM's 1994 Health Data in the Information Age: Use, Disclosure, and Privacy and its book review by Marc Rotenberg. An active MED-PRIVACY listserv page gives information on subscribing to this unmoderated group, along with an archive of an unusually civil group of posts sharing philosophical, political, and personal (but not medical) perspectives.
Government
Although better known for making health insurance more portable, the Health Insurance Portability and Accountability Act (HIPAA, or the Kassebaum-Kennedy bill), as passed by Congress in August 1996, includes a key provision assuring the creation of new federal law protecting the confidentiality of medical records. Health and Human Services (HHS) was required to present its plan by August 1997, and if Congress does not pass comparable legislation before August 1999 the Secretary of HHS is to implement its plan by the following February.
The Web site for this Administrative Simplification provision contains a concise summary, offers free downloadable guides and transactions standards, provides a milestones calendar that projects into the next century, and posts Secretary Shalala's September 1997 report on Confidentiality of Individually-Identifiable Health Information and congressional testimony. As dictated by HIPAA, HHS's National Committee of Vital and Health Statistics made recommendations to Secretary Shalala to assist in the creation of her plan. While HIPAA does not absolutely mandate a national electronic health records database, most agree the creation of such a database has been bolstered by the passage of HIPAA and its Simplification.
For lighter reading, HHS has posted its Press Release and Sec. Shalala's July 1997 speech to the National Press Club on Privacy - Health Care.
The Medical Information Privacy and Security Act (MIPSA) (with this link, go to the search engine and enter S.1368), introduced by Senators Leahy and Kennedy in early November and now in committee, is Congress's latest version of medical privacy legislation. Senator Leahy states, "a 'compromise of privacy' that sends information about health and treatment to a national data bank without a person's approval would be something that none of us would accept.... Unfortunately we are now confronted with the fact that the computerization of health care record provisions are going into effect in the next few months but we are still contemplating the delay of promulgating privacy protection until August of 1999, unless Congress acts sooner."
Over the past month, the spin doctors have been selling The President's Advisory Commission on Consumer Protection and Quality in the Health Care Industry, one example of which is The Right to Confidentiality of Health Information. This draft version is filled with exceptions and qualifiers; it's a pro-citizen proposal whose devil (or angel) will be in the details. A number of related bills are in various legislative stages, such as the Medical Privacy in the Age of New Technologies Act of 1996. All can be located by searching on Thomas.
Online Journals
The November 23, 1995, issue of New England Journal of Medicine published a Sounding Board on The Computer-Based Patient Record and Confidentiality. The author, a professor at Brandeis University, discusses the driving forces, role of computers, and security issues involved in the continuing transformation of medical charts into the now semi-public records used by many for medical and non-medical reasons. She encourages aggressive physician advocacy to ensure patient confidentiality. One of several Correspondences and replies cites the interesting observation that virtual medical records in repressive regimes -- which heavily disguise or omit information that is critical for patient care but might attract official reprisals -- may foreshadow our future, as U.S. physicians reluctant to risk their patients' trust omit recording sensitive information on computerized records.
Lawrence Gostin, an attorney whose name is frequently associated with public health and national patient databases, wrote an article, Health Care Information and the Protection of Personal Privacy: Ethical and Legal Considerations. The article appears in Measuring Quality, Outcomes, and Cost of Care Using Large Databases: The Sixth Regenstrief Conference, an October 15, 1997, supplement to Annals of Internal Medicine. Gostin supports government involvement in ensuring patient confidentiality in the centralization of patient electronic data.
The Bennett-Leahy bill, described as stalled at the beginning of Drug Benefit Trends' Ensuring Patient Confidentiality in the Electronic Age, was last year's hot item, but has since been replaced by HIPAA and the Medical Information Privacy and Security Act. Otherwise this article, written from the patient's perspective by staff members of the Center for Democracy and Technology (please note that in the first item the date should read August 1997, not February 1998), seems accurate -- and sobering. It states that, in the present absence of a policy protecting an individual's medical privacy, several courts have ruled against individuals' rights in favor of an employer's need to control costs -- even when the technology existed to maintain patient confidentiality, when confidentiality would not impede cost analysis, and when exposure resulted in malicious action against the patient. The strength of HIPAA is its assurance that much-needed, if limited, federal protection for medical privacy will eventually become law.
The somewhat pedestrian lead article of Family Practice Management's May 1997 issue asks How Safe Are Computerized Patient Records?, but it does offer some Pretty Good Education on PGP and other encryption programs, several scary stories about breaches in electronic and paper medical records security, and a nice glossary of data security terms.
W3-EMRS is a collaborative project among three Harvard-affiliated hospitals and MIT that will use the Internet and the World Wide Web to transfer hospitals' computer-based patient information to the emergency departments of participating institutions. Maintaining the confidentiality of medical records shared over the Internet and the World Wide Web, published in the July 15, 1997, issue of the Annals of Internal Medicine, describes W3-EMRS's process of safeguarding access and authentication of the patient and authorized recipients. The system relies heavily on patient consent, both implied and explicit, and will not electronically release records if a patient refuses, even in an emergency. (Security practices to help safeguard patient information, typified by this journal article, are shared as practical guidelines and government panel suggestions, among others throughout the Web.)
The National Library of Medicine's Current Bibliographies in Medicine: Confidentiality of Electronic Health Data lists offline journal articles and publications up to 1996.
Organizations
Among its other achievements, the landmark 1991 IOM report also led to the creation of the Computer-based Patient Record Institute, a nonprofit membership advocacy organization supported by corporations in the health care, insurance, data-processing, and computer industries, and some professional groups. Its mission is to facilitate the development, implementation, and dissemination of a comprehensive, longitudinal ("womb-to-tomb") computer-based patient record, one that includes all clinical, financial, and research data.
CPRI lists relevant policy papers on the bottom half of its Documents page, Security Guidelines and Related Documents. All are important reading, but note the links are incorrectly HTML'd; when the '404 Not Found' page appears, just delete the final slash at the end of the URL and click again. The last paper categorizes the Security Features for Computer-Based Patient Records into authentication, authorization, integrity, audit trails, disaster prevention/recovery, and secure data storage and transmission, and provides a checklist of desirable features under each category. CPRI echoes the popular sentiment among experts that educating persons with EMR access about medical privacy is an essential but frequently overlooked component of any security system. Among experts who support a CPRI-like national databank of health information, the greatest threat to patient confidentiality is perceived as coming from trusted insiders who seek to profit financially or professionally by release of confidential information.
Medical Records Institute describes itself only as a force in the movement toward an electronic health record since 1981. This framed site gives information about its annual Towards an Electronic Health Record convention, and links to legislative news regarding EMRs.
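One way to implement two of the features discussed above, CPRI's audit-trail category and the Columbia-Presbyterian practice of giving physicians full access while monitoring their online activity, as an added example that is not code from the article, CPRI, or either institution. The audit log format, user names, patient ids, and care-team table are all constructed for illustration; the detection logic flags the insider pattern the article singles out (access with no treatment relationship, and rapid lookups across many patients) while still permitting, but recording, emergency overrides.

```python
# Added example (not from the article or any cited organization): a minimal
# EMR access audit trail. Every record view is logged; the audit pass flags
# views by users with no documented care relationship to the patient, records
# emergency ("break-the-glass") overrides for later review, and detects one
# user reading many different patients' charts in a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp, user id, patient id, action, stated reason.
AUDIT_LOG = """\
1997-12-01T08:02:11 dr_chen P1001 view treating
1997-12-01T08:05:40 dr_chen P1002 view treating
1997-12-01T08:09:03 clerk_ray P1001 view billing
1997-12-01T08:10:15 clerk_ray P2044 view none
1997-12-01T08:10:47 clerk_ray P2045 view none
1997-12-01T08:11:02 clerk_ray P2046 view none
1997-12-01T08:11:30 clerk_ray P2047 view none
1997-12-01T21:30:00 dr_patel P3003 view emergency
"""

# Constructed care-team table: users with a legitimate relationship to each
# patient (treating clinician, or billing staff assigned to that patient).
CARE_TEAM = {
    "P1001": {"dr_chen", "clerk_ray"},
    "P1002": {"dr_chen"},
    "P3003": {"dr_lee"},
}


def parse_log(text):
    """Parse the whitespace-separated audit log into a list of dicts."""
    entries = []
    for line in text.splitlines():
        ts, user, patient, action, reason = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action, "reason": reason})
    return entries


def audit(entries, bulk_threshold=3, window=timedelta(minutes=5)):
    """Return (user, patient, finding) tuples that a privacy officer should review."""
    findings = []
    recent = defaultdict(list)   # user -> [(timestamp, patient)] inside the window
    bulk_flagged = set()         # users already reported for bulk lookup
    for e in entries:
        allowed = e["user"] in CARE_TEAM.get(e["patient"], set())
        if not allowed and e["reason"] == "emergency":
            # Override is permitted so care is never blocked, but always reviewed.
            findings.append((e["user"], e["patient"], "emergency override"))
        elif not allowed:
            findings.append((e["user"], e["patient"], "no treatment relationship"))
        # Bulk-lookup detection: distinct patients viewed by one user in the window.
        q = recent[e["user"]]
        q.append((e["ts"], e["patient"]))
        q[:] = [(t, p) for t, p in q if e["ts"] - t <= window]
        if len({p for _, p in q}) >= bulk_threshold and e["user"] not in bulk_flagged:
            bulk_flagged.add(e["user"])
            findings.append((e["user"], "*", "bulk lookup"))
    return findings


if __name__ == "__main__":
    for user, patient, finding in audit(parse_log(AUDIT_LOG)):
        print(f"{user:10} {patient:6} {finding}")
```

Running it reports nothing for the treating physician, four unrelated-patient views plus a bulk-lookup finding for the clerk, and one logged emergency override.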
The Electronic Privacy Information Center is a public interest research center established in 1994 to focus attention on civil liberties issues. Its well-regarded Web site includes an annotated list of up-to-date Medical Record Privacy Web resources, and a thoughtful collection of Principles for Federal Privacy Protection of Medical Records. The quotation that completes this article comes from its pages.
Skeptics
EMR skeptics of many types abound. Some accuse HIPAA of prioritizing the computerization of health records over protecting an individual's right to medical privacy and consent. They warn that increasing the flow of information before security measures are enacted lets the horse out of the barn, so to speak, making it even more difficult to insure patient confidentiality in the future. Others suggest that, through HIPAA, President Clinton and Congress have given federal healthcare regulators too much authority to seek out healthcare abusers. Though ostensibly designed to save some of the $100 billion presently wasted in health care fraud, detractors view this as excessive federal power, which government can potentially use to trump individual rights. Some feel the bill fails to address the greatest threat to medical privacy -- insider access to medical records -- although most admit access to paper charts is even more poorly monitored and that establishing penalties for infractions is a step in the right direction.
It's not surprising that the American Civil Liberties Union (ACLU) has Web pages sharply criticizing what it views as the Clinton Administration's failure to safeguard medical privacy. "In a particularly disappointing failure," the news release states, "the Shalala recommendations did not prohibit the creation of a system of 'unique health identifiers' -- a de facto national I.D. -- that many in Congress and industry want to see attached to every piece of medical information. Such an identifier would serve as a key to track and unlock personal information stored in computer databases." (Also, see Letter to Hillary Clinton.) For a more technological approach to this important issue, Peter Szolovits from MIT and Isaac Kohane, MD, from Boston's Children's Hospital co-authored a paper, Against Simple Universal Health-Care Identifiers. They advocate technically sophisticated identifiers such as some variant of public (asymmetric) key cryptography or a trusted national gatekeeper. The ACLU article summarizes, "because Shalala failed to stop the creation of easily accessible databases, the net effect of her proposals is to radically increase law enforcement access."
Elsewhere on ACLU's Web site, Medical privacy is under attack! warns that "under the guise of 'streamlining' management of patient records, the deceptively labeled 'Administrative Simplification' amendment would create a computerized 'lending library' of all of your medical records, giving large corporations access to your confidential records." The incognito staff behind Hippo Health's HotList attempts to raise the same consciousness regarding the federal government; scroll halfway down the page to Medical Records Confidentiality for their slant on Secretary Shalala's recommendations. Those who tremble at the mere mention of HillaryCare should scroll a third of the way down the January 1996 issue of the Association of American Physicians and Surgeons' AAPS News to Confidentiality, for flashbacks on the old Health Security Act. HIPAA is felt by many to be a "kitchen door approach" to enacting the same Clintonian health care policies already rejected by this country during his first term, a perspective AAPS clearly shares.
The ACLU also sees threats to encryption privacy, alleging that "Privacy in America is being held hostage by a law enforcement community determined to have access to every e-mail, telephone conversation and digital communication we transmit...." Evocative of the old Clipper chip debate, the issues are updated to address electronic privacy, of which EMR security is one component. Those interested can start at ACLU's Take Back your Data Campaign, and view information and links on the Electronic Frontier Foundation Web site.
Lists of Lists
Medical Records, Privacy & Confidentiality is a nice collection of links gathered by an attorney who specializes in health care law. The Information for State Health Policy Program is worth a visit, if only to read the cute comic leading its list of related sites. See Internet/WWW Resources for an excellent annotated list of all relevant organizations.
In Summary
The ethical dilemma that opened this article gets lost amid the politics and technology, either of which can threaten, or help protect, medical privacy. This is particularly true on the Web, where the numerous reports and speeches the government has placed online, and the technical aspects of EMRs for which the Web is a natural medium, overwhelm the more reflective resources.
EMR logistics are now in the planning and testing stages, and their clinical success will depend in large part on whether the computerized record keeping process and uniform standards are user-friendly and clinically accessible for doctors and other health professionals. An October 1997 press release describes federal support behind the creation of a national master patient index. Given the likelihood of the U.S. developing such a national health information database, it is fortunate that a database's advantages outweigh its disadvantages.
The Web showcases many government agencies and private companies that have money and power invested in EMRs and a technologically sophisticated national network; fortunately, these biases are balanced somewhat by articles and organizations voicing objections or alternatives. The Web, to its credit, also offers many opinions on how to invest in technological safeguards, mass education, and punitive legal sanctions so individual medical privacy remains prioritized in the greater scheme of things. What remains unaddressed, on and off line, is ethical and practical advice on how physicians should proceed if we believe our patients' medical privacy has not been appropriately prioritized by others, or has been, but with insufficient results.
Such was Hippocrates' concern, as reflected in a passage from his oath:
Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not be noised abroad, I will keep silence thereon, counting such things to be as sacred secrets.
- Oath of Hippocrates, 4th Century, B.C.
