Medical Records Privacy Confidentiality And Security
1. Medical Records Security, Part 1
By: Dr. Abbas Shojaee, Nov, 2009
This presentation uses works of:
- M. E. Kabay, PhD – Norwich University
- Juan J. Cruz – General Counsel for United I.S.D.
- C. Peter Waegemann – CEO, Medical Records Institute (MRI)
- Joseph Tan – Ehealth care information systems
- Edward H. Shortliffe – Biomedical Informatics
2. Topics
- Introduction
- How Information is Critical in Healthcare
- Necessities
- Meanings
- Aspects
- Security Problems at a Hospital
- Medical Records Privacy
- Toward a security framework
3. How Information is Critical in Healthcare: Some Samples
- Patient care: instant access to current, correct, readable data
- Data transfer to other treatment centers
- Prescriptions
- Drug interactions
- Patient histories (sensitivity)
- Billing insurance companies – cash flow
- Notification of infectious diseases to state and federal authorities
- Collaboration with law enforcement
- Telemedicine
- Links to doctors' offices
4. Data and System Security: What necessitates it?
Medical data is highly sensitive because:
- Its disclosure may harm somebody
- It needs to be kept safe from loss
- It must be accurate and up to date
- It has to be provided by authorized staff
- It must support administrative reviews and legal issues
- The law and government enforcement
- Collegiality vs confidentiality
5. Health Information Protection: What does it mean?
- Privacy: the desire of a person to control disclosure of personal health and other information
- Confidentiality: the ability of a person to control the release of his or her personal health information to a care provider or information custodian under an agreement that limits
- Security: the protection of privacy and confidentiality through a collection of policies, procedures, and safeguards
6. Security: What are the different aspects?
The security steps taken in a health care information system serve five key functions (National Research Council, 1997):
- Availability
- Accountability: authentication, authorization, audit trails
- Perimeter definition: inside - outside
- Role-limited access: patients, community physicians, specialty physicians, public health agencies, medical researchers, billing clerks, insurance payers (justifications of charges)
- Comprehensibility and control
7.
- Authentication
- Authorization
- Cryptography technology
  - Symmetric or secret key
  - Asymmetric or public key - private key
  - Usages: digital signature, content validation, non-repudiation operation
  - Challenges: computation power, certification authority …
8. Example of practical requirements
- Minimal disclosure
- Risk analysis at core
- Auditing procedures
- Authentication
- Access profile
- Emergency override
- Append-only
- Audit trail
- Printing, data transfers
- Network access
- Training and awareness
9. Security Problems at Hospitals
- Networks not integrated
- Laboratories: disparate systems
- Doctors' PCs largely uncontrolled and unprotected
- Terminals / workstations unprotected; impossible to use individual sessions
10. Special Requirements for Access Control
- Data protection conflicts with ease of use
- Password management poses problems
- Medical and non-medical staff don't cooperate
- Non-medical use is a reality
- Shared responsibilities complicate audit trail
- Medicine is a high-stress job
- READ/APPEND access only: no WRITE
11. Controlled Access – but for Whom?
How much patient data should be available to:
- Treating physicians?
- Consulting physicians?
- Medical students?
- Pharmacy staff?
- Dietary staff?
- Chaplains?
- Unit coordinators after patient discharge?
- Employees in multi-facility applications (clinics)?
- Vendors (Managed Care reps, technicians)?
- Information technology staff?
- Volunteers?
12. Some Scenarios for Abuse
- Non-admitting doctor misuses patient info for insurance company
- Online discharge summaries available to everyone in hospital
- Snooper chats up secretaries for access to doctors' office files
- Staff members' families provoke curiosity and snooping on patient records
- Paparazzi bribe employees for access to VIP records (may need special protection for files of VIPs)
- Criminals use patient info for blackmail
- Staff use patient data to get dates or to stalk victims
13. Audit trails (1)
Paper records:
- Paper records let medical-records staff monitor usage; usually highly professional
- Paper records provide good security simply because of lower accessibility
- But poor reporting facilities – need manual search of text
- Hybrid systems use online database with manual input of usage records
14. Audit trails (2)
Electronic records:
- Who will analyze audit trails?
- Need exception reports
- Audit trail a deterrent to misuse?
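The access-control and audit requirements listed in slides 8, 10 and 14 (role-limited access, emergency override, an append-only audit trail, exception reports) can be sketched together as follows. This is an added example, not material from the presentation; the role map, class and function names are hypothetical, and the hash chain is one possible way to make an append-only trail tamper-evident.

```python
import hashlib
import json

# Constructed role-to-section map (an assumption for illustration only).
ROLE_SECTIONS = {
    "treating_physician": {"history", "medications", "labs"},
    "pharmacy": {"medications"},
    "billing_clerk": {"charges"},
}
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each entry's hash covers the previous entry's hash."""

    def __init__(self):
        self._entries = []

    def append(self, user, role, patient, section, outcome):
        prev = self._entries[-1]["digest"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "user": user, "role": role,
                "patient": patient, "section": section,
                "outcome": outcome, "prev": prev}
        self._entries.append({**body, "digest": _digest(body)})

    def verify(self):
        """Return False if a stored entry was altered or the chain is broken."""
        prev = GENESIS
        for entry in self._entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["prev"] != prev or entry["digest"] != _digest(body):
                return False
            prev = entry["digest"]
        return True

    def exception_report(self):
        """Only the entries a reviewer must look at: denials and overrides."""
        return [e for e in self._entries if e["outcome"] != "granted"]


def request_access(trail, user, role, patient, section, emergency=False):
    """Decide on role-limited access and log every decision, including denials."""
    allowed = section in ROLE_SECTIONS.get(role, set())
    outcome = "granted" if allowed else ("override" if emergency else "denied")
    trail.append(user, role, patient, section, outcome)
    return outcome != "denied"
```

The chain detects edits and removals in the middle of the trail; detecting truncation of the newest entries additionally requires keeping the latest digest somewhere the log writer cannot change.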
15. Summary of Problems
- Risk from poorly-controlled data access
- Fears are hindering networking
- Limited awareness, little understanding
- Ineffective classification methods
- Inadequate controls drawn from other work environments
16. Solutions
- Education essential
- Develop Informatics Risk Management Committee
- Resources must be assigned to improve security
- Requirements are stringent but must be met
- Tokens or face-recognition systems offer best solution for identification & authentication
- Security awareness must be an ongoing process
17. Medical Records Privacy
- Privacy and the Medical Record
- Privacy and Confidentiality: Different?
- Regulations Affecting Patient Records
- Basic Principles of Medical Informatics Security
18. Privacy and the Medical Record
- General principles
- Context-specific
- Technology has always incited worry
- Breach of privacy is a tort
- Rights of privacy
  - unreasonable intrusion
  - appropriation of name, appearance
  - unreasonable publicity
  - public misrepresentation
- Implications: change / common sense / interest groups
20. Regulations Affecting Patient Records
- Debate: Who Regulates?
- Quill Pen Laws
- Boards of Medical Examiners: physicians' offices
- JCAHO: Utility and security
- WEDI argues for federal intervention
- Wright argues against federal intervention