Patient Data Privacy in Electronic Records

3/9/2004

Patient Data Privacy in Electronic Records Peter Szolovits 6.872/HST950

Protecting… ¾ What? ¾ Privacy ¾ Individual’s desire to limit disclosure of personal information

¾ Confidentiality ¾ Information sharing in a controlled manner

¾ Security ¾ Protecting information against accident, disaster, theft, alteration, sabotage, denial of service, …

¾ Against what? ¾ ¾ ¾ ¾

“Evil hackers” Malicious insiders Stupidity Information Warfare

Clinical Computing in Patient Care, September 25, 1998

Peter Szolovits

Privacy

Privacy in obscurity

¾ Right to be let alone; e.g.:

¾ Right to remain unknown

2

¾ snooping on Dan Quayle by J. Rothfeder ¾ “outing” of Arthur Ashe (HIV), Henry Hyde (adultery) ¾ celebrity medical problems (Tammy Wynette, Nicole Simpson) ¾ … applies mostly to known individuals

¾ Correlation among pervasive databases: ¾ census ¾ marketing ¾ health

Peter Szolovits


3

Peter Szolovits


Confidentiality

Legitimate Concerns

¾ Use and sharing of information by multiple users at many institutions ¾ Should be controlled by coherent policy ¾ Enforced by appropriate technology

¾ Difficulty getting insurance

4

¾ “Individual insurers may deny you coverage based on your medical history if it includes: ¾ Use of prescription drugs to treat anxiety, depression or a physical condition, including Ativan, Klonipin, Paxil, Prozac, Serzone, Zoloft, Xanax and Wellbutrin. ¾ Counseling for anxiety, depression, grief or an eating or sleep disorder. Even if you briefly sought counseling as a way to cope with the Sept. 11 terrorist attacks, you could be denied individual health insurance, according to researchers with Georgetown's Health Privacy Project.” (MSN, March 9, 2004)

¾ E.g., who may use results of your life insurance physical exam, for what purposes?

¾ Medical Information Bureau ¾ Data on all applicants for private life insurance in past 7 years Peter Szolovits


5

Peter Szolovits


6

1

3/9/2004

National Academy of Sciences Study, 1997

More Legitimate Concerns ¾ When employer pays insurance premiums, you may lose your job ¾ Self-insured companies ¾ Small employers facing “experience rated” policies

¾ Non-employment discrimination based on health ¾ Adoption ¾ Politics

Peter Szolovits


7

Committee Members Paul Clayton, Chair,

Peter Szolovits


Site Visits

U.S. Naval Research Laboratory

Institutions Visited Large, urban hospital Integrated delivery system Affiliated health care system Community Health Info Network (CHIN) ¾ State health system ¾ Insurer ¾ ¾ ¾ ¾ ¾

Thomas Rindfleisch

Sandia National Laboratories Gordon DeFriese,

Stanford University Sheila Ryan

Sheps Ctr. for Health Services Research Susan Dowell,

Univ. of Rochester, School of Nursing Bruce Sams,

Medicus Systems Corp.

Kaiser Permanente (retired)

Mary Fennell,

Peter Szolovits

Brown University

MIT

Kathleen Frawley,

Robbie Trussell

AHIMA

Presbyterian Healthcare System, Dallas

John Glaser

Elizabeth Ward

Partners Healthcare System

Washington State Dept. of Health Paul Schwartz (Special Advisor),

Richard Kemmerer

Univ. of Calif., Santa Barbara

¾ Issues Discussed ¾ Problems encountered ¾ Security and confidentiality policies ¾ Security mechanisms ¾ Effectiveness of mechanisms ¾ Education and training ¾ Disciplinary sanctions ¾ Needs to promote better security

Univ. of Arkansas School of Law


9

Peter Szolovits


Trade-offs among IT characteristics

Privacy and Security Concerns Addressed in the Report

¾ Critical to improve the quality and reduce the costs of health care. ¾ Privacy and security must be resolved if patients are to share sensitive health information with care providers. ¾ Protect patient privacy while ensuring that providers have legitimate access to information for purposes of care.

¾ Inappropriate releases of information from individual organizations ¾ authorized users leaking information ¾ unauthorized users breaking into systems to retrieve or alter information, or to render systems dysfunctional ¾ Systemic flows of information among organizations in health care and related industries

Peter Szolovits

8

Carl Landwehr

Columbia Presbyterian Medical Center Earl Boebert,

Peter Szolovits

Charge to the committee: ¾ Observe and assess technical and nontechnical mechanisms for protecting privacy and maintaining security in health care information systems. ¾ Identify other methods worthy of testing in health care settings. ¾ Outline promising areas for further research.


11

Peter Szolovits


10

12

2

3/9/2004

Health Information Held by Individual Organizations Can Be Protected

Two Approaches to Protect Privacy

¾ Technical practice: A variety of practices provide effective protection in an operational environment and can be implemented with reasonable effort. ¾ Policy and implementation: Technical mechanisms must be accompanied by organizational mechanisms for developing access and release policies, training workers, and penalizing violations of policy. ¾ Incentives: Health care organizations need proper set of incentives to address privacy and security concerns.

¾ Pre-emptive controls ¾ Lock & key ¾ “Need to know” … often need pre-specified understanding of who needs what under which circumstances -- military model ¾ Retroactive controls ¾ Community of trust ¾ Checking up, not prevention ¾ Sanctions

Peter Szolovits


13

Peter Szolovits


Credible threats: ¾ accidental disclosures by insiders ¾ abuse of record access priveleges by insiders ¾ insider access for profit or spite ¾ unauthorized physical intruder ¾ vengeful outsider who seeks to access, damage, disrupt


15

¾ Individual Authentication—such as login IDs and passwords to ensure accountability ¾ Access Controls—restrict access to need-to-know ¾ Audit Trails—track all accesses to clinical information ¾ Protection of remote access points ¾ Software discipline—limit ability to download, install, or copy software ¾ System assessment—evaluate vulnerabilities ¾ Physical Security & Disaster Recovery

Peter Szolovits


Authentication and Access

System and Software Discipline

Eliminate undesirable (horrendous) current practices, e.g., ¾ all doctors log in as “MD” ¾ nurses, receptionists use doctor’s account ¾ four-digit (or six-digit) “id+password” ¾ all data available to everyone ¾ no record of who creates, alters or destroys data ¾ poorly-controlled access from networks, remote sites

¾ Standard workstations ¾ hardware ¾ approved software ¾ Control over networking ¾ Control over software installation/dissemination ¾ viruses ¾ network downloads ¾ floppy drives ¾ Testing of security features

Peter Szolovits

14

Recommended Technical Practices for Immediate Implementation

Threat Model Must understand what you are protecting against: ¾ Nature: confidentiality, security ¾ Source: insider, outsider ¾ Means: tourist, cracker, …, NSA ¾ Information at risk ¾ Scale

Peter Szolovits


17

Peter Szolovits


16

18

3

3/9/2004

Physical Security ¾ Lock the computer room (wherever it may be!) ¾ Backups, recovery procedures ¾ protect the backup data ¾ test the recovery procedure ¾ Erase the disk when de-commissioning the computer


Peter Szolovits

19

Observed Security Features


Site Security Feature

A

B

C

D

E

F

Physical

Site

Terminal security

Security Feature

9

Security perimeter/network layout

9

9

Network physical security 9

Server physical security

B

9

9

C

D

E

F

9

Need to know/right to know

9

9

Access control list technology/management 9

Secure destruction of obsolete data/equip

Role-based access profiles

Authentication

Access overrides for emergencies

Token -based authentication (card plus password)

Audits 9

Audit trails & self audit

Change passwords often

Software-based audit analysis

No cleartext passwords Uniform user ID across organization 9

Incentives to reduce key sharing

9

9

9

9

9


Peter Szolovits

A

Access Control

21



Peter Szolovits

22




A

B

C

D

E

External Access Firew all

9

Dial-in protections

9

M obile access protection

9

9

n/a

n/a

n/a

C

Use antivirus technology

9

Checksum/validate software

9

n/a

Control PC software loading

9

Network software census

9

Control IP addresses

B

E

F

9

Integrated software tools

Encryption

Disaster Recovery

Crypto-based authentication

Backups, multiple storage sites

Encrypt network traffic

Data content integrity

Encrypt database contents

Operations recoverability

Digital signatures

Evaluation/Staying Technically Current

Docum ent integrity

Run anti-intrusion programs

9

Transaction non-repudiation

Vulnerability evaluation

9

Encrypt backup m edia

Stay up on CERT alerts

9

Avoid/update obsolete technologies

9


D

Control user software

Intruder script protection

Peter Szolovits

9

n/a n/a

A

Software Discipline

F

23

Peter Szolovits

9

9

9

9

9

9

9

9

9

9


24

4

3/9/2004

Recommended Organizational Practices for Immediate Implementation ¾ ¾ ¾ ¾ ¾ ¾ ¾

Policies and Governance ¾ Clearly stated policy:

Security and confidentiality policies Security and confidentiality committees Information security officers Education and training programs Sanctions Improved authorization forms Patient access to audit logs


Peter Szolovits

25

Peter Szolovits

Enforcement

Testing

¾ Auditing

sine qua non

¾ Periodic sampling of access logs ¾ Users’ ability to check

¾ ¾ ¾ ¾ ¾

¾ Human Resources (Personnel) ¾ ¾ ¾ ¾

¾ Governance

Responsibility Education Data access Guardianship Associating people with their actions (identification, capabilities, temporary access, termination) ¾ Enforcement ¾ Testing ¾ Transparency ¾ ¾ ¾ ¾ ¾

Emphasize importance Explicit criterion of evaluation Education and training Reprimand, …, termination

¾ Policy-making body ¾ Security officer ¾ Buy-in ¾ CIO ¾ Human Resources ¾ Entire community

¾ Education


26

Monitoring and awareness Review of performance Auditing “Tiger teams” Published results

for all levels of employees

¾ “Public floggings”

Peter Szolovits


27

Recommended Security Practices for Future Implementation

28

¾ Strong incentives to use IT, but fewer incentives to address privacy and security issues.

¾ single-session passwords, ¾ encrypted authentication sessions, ¾ token-based authentication

¾ Existing legislation is inconsistent across states; no strong federal legislation mandating protections [in 1997] ¾ Sporadic violations of privacy and security have not rallied broad public interest.

¾ Enterprise-wide authentication (single logon) ¾ Access validation—to ensure that retrieved information matches user’s access privileges ¾ Expanded audit trails

¾ Little guidance for improving privacy and security ¾ no effective standards to guide attempts to better protect health information. ¾ few means of sharing information about privacy and security violations, effective ways of protecting health information

¾ all internal accesses to information ¾ global audit trails to trace secondary distribution of data

¾ Electronic authentication of records Clinical Computing in Patient Care, September 25, 1998


Stronger Incentives Needed

¾ Strong authentication:

Peter Szolovits

Peter Szolovits

29

Peter Szolovits


30

5

3/9/2004

Recommended Elements of Industry Infrastructure for Privacy & Security

Systemic Concerns Regarding Privacy and Security

¾ Standing committee for developing and updating privacy and security standards.

¾ Many concerns regarding patient privacy stem from sharing of information among organizations in health care industry. ¾ Existing data flows are largely unregulated and often occur without patient consent or knowledge. ¾ Possible development of a universal patient identifier could exacerbate such concerns.

¾ examine security mechanisms and help establish rules governing data flows. NCVHS ¾ reports directly to Secretary of HHS

¾ Organization for gathering and sharing information about security threats, incidents, and solutions in health care. ¾ similar to the computer emergency response team (CERT) for the Internet ¾ seed funding from Congress Clinical Computing in Patient Care, September 25, 1998

Peter Szolovits

31

Typical Flows of Health Information Patient’s Employer

Clinical Laboratory

Employer’s Clinic & Wellness program

State Bureau of Vital Statistics

Encourage national debate to determine appropriate balance between patient privacy and organizational needs for information

Medical Researcher

¾ Fair information practices (e.g., federal Privacy Act of 1974) ¾ DHHS should establish program to promote consumer awareness of issues and uses of health information. ¾ Professional societies should educate members about privacy and security issues ¾ DHHS should conduct studies to determine extent to which various users need patient identifiable health information ¾ DHHS should work with the U.S. Office of Consumer Affairs to determine way to give consumers a visible, centralized point of contact re: privacy issues (such as an ombudsman).

Accrediting Organization

Life Insurance Company

Retail Pharmacy

Pharmacy Benefits Manager

32

Consulting Physician

Managed Care Organization

Health Insurance Company


Proposed Means of Addressing Systemic Concerns

Care Provider (physician, hospital

Patient

Peter Szolovits

Spouse’s Employer

Medical Information Bureau

Lawyer in malpractice case

long term repository, patient-identified data short term repository, patient-identified data

flow of patient-identified medical information

temporary access, patient-identified data

flow of non-identifiable medical information

long term repository, non-patient-identified data temporary access, non-patient-identified data

Peter Szolovits


34

Fair Information Practices (Federal Privacy Act, 1974)

Recommendation on Patient Identifiers

¾ No secret databases that include personally identified information

Any method used to identify patients or link patient records should: 1. be accompanied by a policy framework that identifies the kinds of linkages that violate patient privacy and that specifies legal sanctions. 2. facilitate identification of parties that link records. 3. allow unidirectional linking of information: it should facilitate linking of records based on information given by patient (such as an identifier), but prevent a patient’s identity from being easily deduced from records or the identifying scheme itself.

¾ Agencies must publish policies on all databases

¾ Right to see my information, with ability to correct ¾ Prevent data collected for one purpose from being used for another ¾ Agency responsible for reliability and security of data ¾ Right to sue

Peter Szolovits


35

Peter Szolovits


UHID postponed until privacy legislation

36

6

3/9/2004

Recommendation for Meeting Future Technological Needs

Meeting Future Challenges Continued attention to privacy and security issues is necessary to keep pace with the evolution of: ¾ applications of information technology in health care; ¾ nature and capabilities of the threats to electronic health information; ¾ technical and nontechnical mechanisms for providing privacy and security


Peter Szolovits

37

Future Security Technologies of Particular Interest to Health Care

Peter Szolovits


38

Closing thoughts

¾ Methods of identifying and linking patient records that protect patient privacy. ¾ Technologies for enabling patients to receive health care anonymously: pseudonyms, cryptographically generated aliases, narrative templates, smart cards. ¾ Audit tools that allow more frequent examination of audit logs to detect inappropriate accesses to information. ¾ Tools for rights enforcement and management to control secondary distribution of data Clinical Computing in Patient Care, September 25, 1998

Peter Szolovits

¾ establish formal liaisons with industry and government security working groups. ¾ support research in areas of particular importance to health care, but that might not be otherwise pursued. ¾ fund experimental testbeds to explore different means of controlling access in an operational environment.

39

¾ Plan and design security and confidentiality, don’t just tack it on ¾ Leverage: ¾ ¾ ¾ ¾

Technology Policy Standards and Cooperation Legislation

¾ Remember “Spy vs. Spy”

Peter Szolovits


40

Why? HIPAA Regulations on Individually Identifiable Health Information

¾ Part of Administrative Simplification section of HIPAA (Health Insurance Portability and Accountability Act of 1996 --Kennedy/Kassebaum Bill) ¾ 1/5 of Americans believe personal health information (PHI) has been used inappropriately ¾ PHI use necessary for improved quality, reduced cost ¾ existing protections fragmented

Based on 45 CFR parts 160 & 164 Federal Register Vol. 65, No. 250, Pp. 82462-82829, Dec. 28, 2000 http://aspe.hhs.gov/admnsimp/final/PvcPre01.htm

Peter SzolovitsPeter Szolovits


41

Peter Szolovits


42

7

3/9/2004

History of Privacy Provisions

Other “simplification” issues

¾ Congress gave itself until Aug 21, 1999 to enact legislation -- it did not do so ¾ Backup was that Secretary of HHS was to promulgate rules by Feb 21, 2000 -- this was extended because of 70,000 comments ¾ Rule promulgated Dec. 2000 ¾ Bush administration has put it on “hold”, mainly because of cost complaints ¾ Sec. Thompson agreed to issue the rule, Apr. 2001 ¾ Congress may legislate later, based on experience ¾ Rules are now in force, mostly ¾ work in progress

¾ Standards for electronic health care transactions, including detailed data elements


Peter Szolovits

¾ unique health identifiers ¾ providers ¾ patients

¾ ¾ ¾ ¾

code sets security standards electronic signatures transfer of information among health plans

¾ Target date: Feb 21, 1998

43

Peter Szolovits


Sanctions

Principles

¾ Civil penalties for violations of standards: $100/person/violation, max $25,000/violation/year ¾ Knowing violations of health identifier or deliberate disclosure:

¾ Allow smooth flow of PHI for treatment, payment, related operations, public interest ¾ Prohibit flow of PHI for other purposes, without consent of subject ¾ Fair information practices

¾ $50,000 + 1 year jail ¾ $100,000 + 5 years jail if “under false pretenses” ¾ $250,000 + 10 years jail if “with intent to sell, transfer or use … for commercial advantage, personal gain, or malicious harm”

44

¾ Allow subject to access PHI (later, excludes psych notes) ¾ Allow subject to have records amended for errors or incompleteness ¾ Allow subject to know who else uses PHI

¾ Require persons who hold PHI to safeguard it ¾ accountable for own use and disclosure ¾ legal recourse

¾ Minimal Necessary Use and Disclosure ¾ Few limits on use for treatment, more for other functions Peter Szolovits


45

Limitations of HIPAA

Peter Szolovits


46

Consent (before HIPAA) ¾ Most patients believe their private medical data may not be divulged without specific consent ¾ But, consent may effectively be forced ¾ But, many exemptions exist:

¾ Responsibilities cannot follow data; therefore ¾ Recommendation applies to

Covered Entities

¾ Health Plans ¾ Health Care Clearinghouses ¾ Providers who transmit PHI electronically

¾ Does not apply to others who hold/process data ¾ contractors, third-party administrators, researchers, public health officials, life insurance issuers, employers, marketing firms, ...

¾ … but: Covered Entities required to contract with business associates to pass on responsibilities, along with identified health data used “in behalf of” a covered entity

¾ For treatment and related purposes (e.g, utilization review) ¾ For obtaining payment ¾ Emergency care, health depts., law enforcement, coroners, business operations, oversight, research, …

¾ Does not apply to paper records ¾ … but: if the information was ever in electronic form, responsibility is “sticky”

¾ No private right of action Peter Szolovits

Changed, applies to all PHI


47

Peter Szolovits


48

8

3/9/2004

When is a nod a nod?

Uses of data by Covered Entities

¾ Agreement: informal, perhaps implied, e.g., to let a consultant see clinical notes, let hospital include patient in a directory ¾ Consent: written, but often generic, e.g., on admission to hospital. This covers most “health care operations” ¾ Authorization: written, specific to the case. For psychiatric notes and all data uses other than health care operations. E.g., research. ¾ Patient may negotiate Restrictions on disclosure, e.g., to particular staff, family members, etc.

¾ For treatment, payment, health care operations without patient authorization changed ¾ For public health, research, health oversight, law enforcement, use by coroners, mandatory State reporting, search warrants without patient authorization ¾ Must allow access to the subject of the records ¾ Must get individual consent for any other uses


Peter Szolovits

Rejected in comment period 49

Health Care Operations ¾ ¾ ¾ ¾ ¾ ¾ ¾ ¾



Peter Szolovits

50

NOT Health Care Operations

Treatment Payment Quality assessment and improvement activities Review competence of professionals, organizations; conduct training; accreditation Insurance rating concerning existing coverage Auditing Legal proceedings Added: Business planning and development, management, general administration, fundraising, “internal marketing”

Peter Szolovits

Substitute regulatory protections for pro forma authorizations often used today.

¾ ¾ ¾ ¾ ¾ ¾ ¾

51

Marketing Sale, rent or barter of information Use in parts of organization not health-related Rate setting prior to subject’s enrollment Employment determinations Fund raising These uses Research “to obtain generalizable require explicit knowledge” authorization


Peter Szolovits

52

Sweeney’s “All the Data on All the People”

Identifiable ¾ Name, address, phone number, fax number, email address, URL, IP address, social security number, medical record n., health plan n., account n., certificate/license n., vehicle id, device id, biometric id, full-face photo,

¾ Global disk storage per person:

¾ “any other unique identifying number, characteristic, or code” ¾ “actual knowledge that the information could be used … to identify”

1983

1996

2000

0.02

28

472

¾ Date of birth, zip code, gender, race, profession, etc. ¾ 9-digit zip code + dob make 97% of Cambridge, MA residents uniquely identifiable (!!!!)

(MB/person)

¾ Patterns of doctor visits, immunizations, etc. ¾ identifiable by inference ¾ depends on knowledge and abilities of data user

¾ Small bin sizes lead to identifiability ¾ Aggregate data into larger bins ¾ dob => age ¾ 3 digits of zip codeClinical Computing in Patient Care, September 25, Peter Szolovits

1998

53

Peter Szolovits


54

9

3/9/2004

Sweeney’s Cambridge

Problem of “other information”

¾ 1997 Cambridge, MA voting list on 54,805 voters

¾ Governor Weld’s data found in Mass “de-identified dataset” ¾ Dates you visited a health care provider (over a lifetime) are probably unique ¾ Can be used to re-identify you if someone has both deidentified data and other data that link to identifiers

¾ Name, address, ZIP, birth date, gender, …

¾ Combinations that uniquely identify: ¾ ¾ ¾ ¾

Birth date (mm/dd/yy) BD + gender BD + 5-digit ZIP BD + 9-digit ZIP

12% 29% 69% 97%

¾ Unique individuals ¾ Kid in a retirement community ¾ Black woman resident in Provincetown

Peter Szolovits


55

Danger of Re-identification

Peter Szolovits


57

56

Peter Szolovits


58

Methods of Generalization/Suppression

¾ Make sure data cannot be traced back to a set of size