The New York Times printed a letter I submitted in response to a Jan. 18 article by reporter Robert Pear about privacy of patient data in electronic form, in which consumer groups and some members of Congress rightly express concern that President Obama’s plan to stimulate the use of information technology in the healthcare field presents challenges to individual privacy unless there are strong privacy safeguards.
Data Privacy Day 2009 seemed to be the perfect opportunity to give you some more insight into my response. Using more space here to elaborate than is provided in a newspaper letters section, let me expand on the issue and what I believe is being resolved by the certification process.
Among the safeguards proposed in the referenced campaign for privacy protection are: the ability of patients to impose controls on certain sensitive information; the use of strong encryption technology to protect personal health information stored in or sent by computers; and the right of patients to get an accounting of any disclosure of their data.
The security features needed to support this level of privacy protection are required to be present in all electronic health record (EHR) products tested and certified this year by the Certification Commission for Healthcare Information Technology. Among the 275 separate criteria that must be met to earn that certification are more than 40 security requirements including the ability to:
- Assign restrictions or viewing privileges to different users or groups of users.
- Set up a security formula for access to a record based variously on the need of any one individual to see it, the general role of a person in a patient’s care (different for doctor, nurse, billing clerk, and so on), or the circumstance or setting of the care situation (different depending on the time of day, location, an emergency).
- Enforce the most restrictive set of rights or privileges necessary for the patient’s situation and the needs of nurses, doctors and other medical professionals to administer care.
- Detect when a record is opened, and by whom, and generate a usage record that can be audited.
An EHR certified today must use strong encryption methods and protocols when delivering all protected information over the Internet or other open networks. It also must be able to identify certain information as confidential and limit the number of people authorized to view it. Starting in the fall, EHRs also will have to be able to block specified individuals from accessing a chart—for example, someone in the doctor’s office or hospital with a personal relationship with the patient. For emergency situations, however, the electronic record will have to allow a brief and limited exception—and then provide an ability to audit that access.
This annual cycle of setting certification criteria sets the bar higher every year, not just for security but also for the things an EHR should be able to do to help a physician manage every patient’s care efficiently, safely, and with high quality, electronically—instead of on paper.
Having these security features in EHRs ensures that the technology is ready, but that doesn’t guarantee that these measures will be used to their fullest extent by the healthcare organizations that implement EHRs; for that, enforcement measures are necessary, as I mentioned in the Times letter.
{ 1 trackback }
{ 0 comments… add one now }
Leave a Comment