An Abridged Version of a Report for the Telemedicine
CHAPTER 8: PRIVACY, CONFIDENTIALITY AND SECURITY ISSUES

INTRODUCTION

Many of the "information age" privacy, security and confidentiality issues confronting telemedicine are no different to those confronting the broader health sector and numerous other industry sectors. Like the USA, Australia has developed a "patchwork quilt" of common law, regulatory and legislative approaches to the protection of privacy and confidentiality.(1) However, the American experience differs significantly from Australia's, and in many respects privacy protection in Australia is more developed than in the USA. This Chapter will focus on the identification and analysis of those privacy, confidentiality and security issues which are either unique to telemedicine or which have the greatest relevance to telemedicine, and on those US initiatives which most usefully address those issues. It is submitted that telemedicine does not raise any new "philosophical" problems but does present challenges to the "craft of privacy" - how to implement practical steps to accommodate the new communications environment.

DEFINITIONS

As with "telemedicine" and "telehealth", the concepts of "privacy", "confidentiality" and "security", while sometimes used interchangeably, are separate concepts that raise different issues. Numerous definitions have been formulated,(2) but for the purposes of this Chapter the following definitions, devised by Mr John Fanning of the US Department of Health and Human Services, Division of Data Policy, will be adopted:

"Confidentiality: a status accorded to information that indicates that it is sensitive for stated reasons, must be protected, and access to it controlled.

Privacy: the claim of individuals, and the societal value representing that claim, to control the use and disclosure of information about them.
Security: the safeguards (administrative, technical, physical) in an information system that protect it and its information against unauthorized disclosure, and limit access to authorized users in accordance with an established policy."(3)

CONCERNS ABOUT THE PROTECTION OF HEALTH INFORMATION

Concerns about the protection of privacy and confidentiality have been long-standing issues in health, as the OTA has observed:

"Health care information relates to profoundly personal aspects of an individual's life. The medical records kept by physicians and hospitals about patients may include identifying information, x-ray films, ECT and lab test results, daily observations by nurses, physical examination results, diagnoses, drug and treatment orders, progress notes and post-operative reports from physicians, medical history secured from the patient, consent forms authorizing treatment or the release of information, summaries from the medical records of other institutions, and copies of forms shared with outside institutions for insurance purposes. But in addition to objective observations, diagnoses, and test results, medical records may also contain subjective information based on impressions and assessments by the health care worker. Medical records may also include impressions of mental abilities and psychological stability and status ... increasingly sophisticated diagnostic tools yield more and more detailed, and potentially sensitive, information about a person's body ... genetic research and testing results in information that not only indicates a patient's present condition but also enables prediction of his or her future medical conditions and prospects of developing specific medical problems ... simply stated, disclosure of medical information by the patient, free of the fear of improper disclosure, is necessary to obtaining good quality medical care.
An environment must be maintained in which this kind of disclosure is possible."(4)

The protection of this sensitive information is made harder by virtue of the increasing complexity of the health care delivery system:

"Earlier in the Twentieth Century, when sole practitioners dominated the medical profession, the typical medical record consisted of a ledger card noting the date of visit, the course of treatment, and the fees charged. The specialization of health care, the rise in clinical and outpatient care, and increased patient mobility have fostered greater interaction between the average individual and the health care system. In addition, the decline of the long-term, one-on-one physician-patient relationship made necessary more comprehensive medical records to provide continuity and communication within the medical community. The use of the medical record as a general source of information for decisions and control in non-treatment contexts also has proliferated. Access to the medical record has become vital to institutions which once had a marginal interest - but no legitimate need - for such personal information."(5)

As the US National Research Council noted:

"Health information - both paper and electronic - is used for many purposes by a variety of individuals and organizations within and outside the health care industry ... users include physicians, clinics, and hospitals that provide care to patients. Secondary users employ health information for a variety of societal, business, and government purposes other than providing care. They include organizations that pay for health care benefits; as part of their management functions, these payer organizations also conduct analyses of the quality of health care delivered by provider organizations and its relative costs.
Other secondary users include medical and social science researchers, rehabilitation and social welfare programs, public health services, the judicial system and the media ... types of information collected by primary and secondary users vary greatly across individual organizations. Exchanges of data among these organizations are highly complex and dynamic."(6)

The development of health care networks, the creation of computerized databases and the availability of long-distance health care via telemedicine have added a new dimension to these concerns. Central to the emerging challenges posed by technology is the development of such tools as the "electronic medical record",(7) "digital signatures"(8) and "universal patient identifiers".

CHALLENGES POSED BY ELECTRONIC STORAGE AND MANAGEMENT

While the challenges posed by paper-based medical records are shared by a computerised environment, the latter environment does raise significant, new challenges. In its report Telemedicine, the IOM observed that:

"(While) conventional health care practices and paper medical records offer numerous opportunities for unintentional, careless, or deliberate infringement of medical privacy ... the electronic recording, storage, transmission and retrieval of patient information has complicated the situation and increased the opportunities for the privacy and confidentiality of personal medical information to be infringed ... such personal medical information extends beyond the written word to include still images, audio records, and videos of patients."(9)

Computerized medical records generate the following problems that are not encountered in a conventional, paper-based medical record system setting:
In addition:

"The increased quantity and availability of data and the enhanced ability that computerization provides to link these data raise privacy concerns about new demands for information for purposes beyond providing health care, paying for it, or assuring its proper delivery. Among these concerns is that information more easily gathered, exchanged, and transmitted will be sought and acquired by more parties for uses not connected to health care delivery ... parties that may have little concern about the confidentiality of the data in their possession and individual privacy."(11)

In summary, as the OTA noted:

"It is clear that it is easy to gain access to, copy, remove, and destroy paper patient records. However, computers create new and more clearly defined problems about confidentiality and privacy than exist in a paper records system, and also bring longstanding confidentiality and privacy issues into sharper focus."(12)

Management of these privacy, confidentiality and security challenges is "a broad institutional process, not just a function of the information system".(13)

AMERICAN INITIATIVES

Not surprisingly, there are many reports which analyse privacy, confidentiality and security associated with electronic data and the health sector.(14) Of particular interest is an initiative of the National Committee on Vital Health Services (NCVHS) Subcommittee on Privacy and Confidentiality. That Committee unanimously recommended that Congress should enact a health privacy law and called for laws that require creators and users of identifiable health information to:
TELEMEDICINE - ARE THERE UNIQUE ISSUES?

Clearly, privacy, security and confidentiality concerns are not unique to telemedicine. However, as the Telemedicine Report to Congress observed:

"The challenge for telemedicine policymakers lies in identifying emerging concerns that are unique to telemedicine. Lack of privacy and security standards do play an important role in the legal challenges facing telemedicine (e.g. malpractice) and have profound implications for the acceptance of telemedicine services. This is of particular concern in the use of telemedicine technologies for treating mental illness, substance abuse, and other conditions that carry a social stigma ... Telemedicine technology brings with it concerns about privacy, security and confidentiality that go beyond those associated with protecting medical records ... because of the unique combination of patient data, video imaging, and electronic clinical information that is generated between two distant sites during a telemedicine encounter, privacy concerns that normally pertain to patient medical records may be magnified within the telemedicine arena or may be different in character altogether."(16)

REFORM/RISK MANAGEMENT OPTIONS

Many of the initiatives required to optimise telemedicine are substantially identical to those which need to be addressed as part of a broader framework of activity involving the national and health information infrastructures. Given the potential for the systemic and occasionally cross-border sharing of vast amounts of data that was not possible with paper-based medical records, legislative or regulatory guidance is needed. The Federal Government's decision to promote self-regulation is a step in the right direction, but it is submitted that legislative reform would have been a more meaningful step.
This Report shares the view of the Law Council of Australia (LCA) that: "A set of national principles, which are not legislatively based, are relatively meaningless from a legal perspective."(17)

Regardless of whether legislation is ultimately passed, there are other steps that need to be taken, at institutional and at industry level, to protect privacy, confidentiality and security. While some of those steps will need to be directed towards the specific and unique challenges posed by the health information infrastructure, others will require no more than an application of existing principles, practices and common sense. Institutional endeavors alone, however, will not suffice. As the report For The Record stated:

"Although individual organizations can make considerable progress in improving patient privacy and the security of health information by implementing the policies, practices, and procedures (outlined in its report), additional efforts must be taken at the industry level to facilitate long-term advances in privacy and security. To date, most healthcare organizations have attempted to assess the vulnerabilities of their electronic health information systems and to develop solutions in isolation, without benefiting from the experience of others. Greater collaboration in both of these areas promises long-term improvements in privacy and security throughout the industry."(18)

INSTITUTIONAL MEASURES

As John Fanning of the HHS said of confidentiality, in words which can be applied to privacy and security as well: "The law is very important. But many issues can be dealt with by thoughtful application of principles and practices we already know."(19) The required measures are likely to involve a combination of physical measures, organizational practices, a revised technological framework and staff training.
These observations are shared by the majority of policy papers that have looked at the issues, both in Australia(20) and the USA.(21)

TECHNOLOGICAL CHANGE

The technologies available to enhance patient privacy, security and confidentiality include:

"Tokens, log-in IDs, and passwords to authenticate or verify the identification of users. Access control techniques can be used in combination with a well-managed information repository to limit the types of data that individual users can read, enter, or alter and the types of functions they can perform. Audit trails can record all transactions that access patient information. Encryption can be used to protect log-in IDs, passwords, databases or information transmitted over open communication systems. Public-key cryptography tools can ensure information integrity, user authentication (for digital signatures and non-repudiation), and audit trails. The use of these technical measures can provide reasonable security for most healthcare applications but does not guarantee invulnerability against all technical attacks."(22)

ORGANIZATIONAL PRACTICES

As For The Record noted:

"Organizational policies and practices are at least as important an element of security. Organizations need explicit policies governing the privacy and security of health information ... organizational mechanisms are needed to ensure that employees, medical staff, contractors, and vendors properly protect health information.
Policies are needed to specify the formal structures, ensure responsibility and accountability, establish procedures for releasing information and assigning access privileges, create sanctions for breaches of security at any level of the organization, and require training in the privacy and security practices of an organization."(23)

Organizational security and confidentiality policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information.(24) Both the American AHIMA and Standards Australia(25) expressed the view that organizations will need to issue security policies in order to create an information security program and assign responsibility for it, outline their approach to information security, address specific issues of concern to the organization and outline decisions for managing a particular system. The number and breadth of the required policies and procedures may be considerable, as noted by the AHIMA.
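The technical measures quoted under TECHNOLOGICAL CHANGE (access control tied to a well-managed repository, audit trails recording every access) and the organizational requirement that access privileges be assigned by policy can be shown concretely in a few dozen lines. The following Python is an added example written for this page; it is not code from For The Record, the AHIMA or any health system. The users, roles, care-team relationships and record sections are constructed, and the hash-chained log is a stand-in for the public-key-based audit integrity the quote mentions (a deployment would sign entries with an asymmetric key to obtain non-repudiation, which a hash chain alone does not provide).

```python
"""Added example (not from the report): role-based access control with a
"need to know" check and a tamper-evident, hash-chained audit trail over a
toy patient-record store. All names, roles and records below are constructed."""
import hashlib
import json

# Constructed sample directory: user -> role.
USERS = {"dr_lee": "physician", "nurse_kim": "nurse",
         "billing_ann": "payer", "pat_042": "patient"}
# Treatment relationship: clinicians on each patient's care team.
CARE_TEAM = {"P042": {"dr_lee", "nurse_kim"}}
# Which patient identifier a patient-role login corresponds to.
PATIENT_OF = {"pat_042": "P042"}

# Sections of the record each role may read; writes are limited to clinicians.
ROLE_READ = {"physician": {"demographics", "notes", "images"},
             "nurse": {"demographics", "notes"},
             "payer": {"demographics"},
             "patient": {"demographics", "notes"}}
ROLE_WRITE = {"physician": {"notes", "images"}, "nurse": {"notes"}}

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the previous entry's digest,
    so editing or deleting an earlier entry breaks verification."""

    def __init__(self):
        self.entries = []

    def append(self, user, action, patient, section, allowed):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "user": user, "action": action,
                "patient": patient, "section": section,
                "allowed": allowed, "prev": prev}
        self.entries.append(dict(body, digest=_digest(body)))

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or _digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


class RecordStore:
    def __init__(self):
        self.records = {"P042": {"demographics": {"name": "Sample Patient"},
                                 "notes": [], "images": []}}
        self.audit = AuditLog()

    def authorised(self, user, action, patient, section):
        """Role permission plus, for clinicians, a treatment relationship;
        patients may read only their own record; payers see demographics only."""
        role = USERS.get(user)
        if role is None or patient not in self.records:
            return False
        if role == "patient":
            return (action == "read" and PATIENT_OF.get(user) == patient
                    and section in ROLE_READ[role])
        if role == "payer":
            return action == "read" and section in ROLE_READ[role]
        table = ROLE_READ if action == "read" else ROLE_WRITE
        return (section in table.get(role, set())
                and user in CARE_TEAM.get(patient, set()))

    def read(self, user, patient, section):
        ok = self.authorised(user, "read", patient, section)
        self.audit.append(user, "read", patient, section, ok)  # log denials too
        if not ok:
            raise PermissionError(f"{user} may not read {patient}/{section}")
        return self.records[patient][section]

    def write(self, user, patient, section, value):
        ok = self.authorised(user, "write", patient, section)
        self.audit.append(user, "write", patient, section, ok)
        if not ok:
            raise PermissionError(f"{user} may not write {patient}/{section}")
        self.records[patient][section].append(value)


def demo():
    """Run a few constructed accesses; return (outcomes, log intact before
    tampering, log intact after an entry is silently edited)."""
    store = RecordStore()
    outcomes = {}
    for user, action, section, value in [("dr_lee", "write", "notes", "BP 120/80"),
                                         ("nurse_kim", "read", "notes", None),
                                         ("billing_ann", "read", "notes", None),
                                         ("nurse_kim", "write", "images", "img-1"),
                                         ("pat_042", "read", "notes", None)]:
        try:
            if action == "read":
                store.read(user, "P042", section)
            else:
                store.write(user, "P042", section, value)
            outcomes[(user, action, section)] = "allowed"
        except PermissionError:
            outcomes[(user, action, section)] = "denied"
    intact = store.audit.verify()
    store.audit.entries[2]["allowed"] = True  # simulate someone editing the log
    return outcomes, intact, store.audit.verify()


if __name__ == "__main__":
    print(demo())
```

Two points a reviewer of an institutional system would look for are built in: denied attempts are logged as well as successful ones, since a pattern of refusals is often the first sign of misuse, and the authorisation decision combines a role table with a per-patient treatment relationship rather than relying on role alone.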
Specific issues to be addressed may include access control; access to information; access to information by physicians; access to information by patients and their family members; access to information for research; audit trails; backup procedures; disaster recovery; disposal of printed reports; electronic data interchange; passwords and other access control measures; encryption of files and electronic mail; remote access to information systems; retention, archiving and destruction of electronic and paper-based information; staff responsibility for data accuracy and integrity; staff responsibility for data confidentiality and penalties for violation; and use of electronic mail, including the level of privacy users may expect, etc.(26)

(1) For example, the Federal Privacy Act, the Victorian Health Services Act 1988 (particularly section 141), the National Principles for the Fair Handling of Personal Information published by the Federal Privacy Commissioner, a series of standards promulgated by Standards Australia (for example, the Standard Personal Privacy and Health Care Information Systems AS4400-1995) and the Victorian Data Protection Framework bill.

(2) For example, the Office of Technology Assessment stated that: "Privacy is essentially the right of an individual to limit access to information regarding that individual. Confidentiality is a form of informational privacy characterized by a special relationship between people, such as the relationship between doctor and patient. Security refers to technical and organizational procedures that protect electronic information and data-processing systems from unauthorized access, modification, destruction or misuse": Protecting Privacy and Computerised Medical Information, September 1993, p. 7.
The National Information Infrastructure Advisory Council (NIIAC), in its report Common Ground: Fundamental Principles for the National Information Infrastructure (March 1995), stated that: "Information privacy is the ability of an individual to control the use and dissemination of information that relates to himself or herself. Confidentiality is a tool for protecting privacy. Sensitive information is accorded a confidential status that mandates specific control, including strict limitations on access and disclosure. These controls must be adhered to by those handling the information. Security is all the safeguards in a computer-based information system. Security protects both the system and the information contained within it from unauthorized access and misuse, and accidental damage": quoted in Telemedicine Report to Congress, p. 80.

(3) J.P. Fanning, "Confidentiality of Individually-Identifiable Health Information: Recommendation for a Federal Law", a paper delivered to the Joint Working Group on Telemedicine, 21 May 1998.

(4) US Congress, Office of Technology Assessment (OTA), Protecting Privacy in Computerized Medical Information, September 1993, pp. 26, 29 and 30.

(5) ibid, p. 71.

(6) National Research Council, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Information, 1997, pp. 65 and 66.

(7) See For the Record, pp. 25-26, 122 and 129; OTA Report Protecting Privacy in Computerized Medical Information, p. 64.

(8) See A. Bacard, The Computer Privacy Handbook, 1995, p. 83.

(9) Telemedicine, p. 101.

(10) OTA, Protecting Privacy in Computerized Medical Information, p. 37.

(12) ibid, p. 36. Almost identical observations were made by Standards Australia in its Preface to AS 4400-1995: "The issues are not new; they have always been present. But technological developments and current initiatives have served to raise their profile."
Similarly, the Harvard Risk Management Foundation stated that: "the potential for violating a patient's right of privacy is a familiar risk, and the basic legal rights of patients have not changed. What has changed is the impact of technology on the accepted methods for defining legitimate access and maintaining security": N.R. Rice, "Confidentiality and the Electronic Medical Record", Forum, April 1996, p. 1.

(13) J. Collmann, M.C. Meissner, W.J. Tohme, J. Winchester and S.K. Mun, "Comparing the security risks of paper-based and computerized patient record systems", SPIE Vol. 3035, p. 172 at p. 180.

(14) Major reports include: National Research Council, Computer Science and Telecommunications Board, For the Record: Protecting Electronic Health Information (1997). Committee on Regional Health Data Networks, Division of Health Care Services, Institute of Medicine, Health Data in the Information Age: Use, Disclosure and Privacy (1994). Office of Technology Assessment, Protecting Privacy in Computerized Medical Information (1993). Institute of Medicine, Telemedicine: A Guide to Assessing Telecommunications in Health Care (1996), section on "Privacy, Confidentiality and Security", p. 100 et seq. Office of Technology Assessment, Bringing Health Care Online: The Role of Information Technologies (1995), section on "Privacy, Confidentiality and Security of Health Information", p. 115 et seq. National Technical Information Service, US Department of Commerce, Telemedicine Report to Congress (1997), sections on "General Privacy, Confidentiality and Security Issues" and "Emerging Privacy, Confidentiality and Security Issues", p. 80 et seq. Various guidelines published by the Computer-Based Patient Record Institute, including Guidelines for Establishing Information Security Policies at Organizations Using Computer-Based Patient Records (1996), Information Security Education Programs (1995) and Managing Information Security Programs (1996).
(15) "Health Privacy and Confidentiality Recommendations of the National Committee on Vital and Health Statistics, Approved on June 25, 1997" (Internet publication, http://aspe.os.dhhs.gov\\ncvhs), p. 3.

(16) Telemedicine Report to Congress, pp. 79, 82 and 81.

(17) "Non-Binding Privacy Principles of Concern", Australian Lawyer, April 1998, p. 1.

(18) For the Record, p. 177.

(19) Fanning, "Confidentiality of Individually-Identifiable Health Information: Recommendation for a Federal Law", May 1998, p. 14.

(20) For example, Department of Human Services, Information Privacy Principles.

(21) For example, For The Record.

(22) For the Record, p. 166.

(24) Similar views were expressed by the NCVHS in its report to the Secretary of DHHS of September 19, 1997: "The integrity of health information is critical to providing quality care to patients. Organizations must implement a process to ensure that information systems do not compromise data integrity. There are a series of organizational practices that the Committee believes are imperative:
(26) A very useful document is contained in Appendix A of For The Record. Prior to preparing its report, the Study Committee conducted numerous site visits. In preparation for those visits, and to ensure consistency of approach, a "visit guide" was prepared. The guide could be usefully adopted at institutional level to formulate the sorts of questions that need to be addressed when scrutinizing an institution's privacy, security and confidentiality practices. For example, according to the guide, the topics that could be covered by an internal review include privacy policies; implementation of privacy policies; responsibility for developing and enforcing policies; training of employees; past security incidents/events; definitions of privacy, confidentiality, and security; content of electronic medical records (if any); perception of security threats, both internal and external; description and evaluation of security mechanisms; and disaster planning and security/damage control plans. The types of documents that could be reviewed, the guide suggested, include an organization's Mission Statement; an organizational chart; privacy and security policies; the enabling/implementation documents for privacy/security policies; a description of personnel practices for punishing violators; policies on record-keeping; the policy for release of information from medical records; the strategic plan for the information system; a description of security systems for the information system; and a list of responsibilities within the information systems department concerning who is responsible for data release internally and externally and who has administrative oversight.