SECURITY: Protecting Medical Records in the Age of Digital Technology
Digital technology, which encompasses electronic mail, facsimile, and the Internet, is increasingly becoming the preferred means of maintaining and sharing medical records. The issue of security is of great concern for many industries that use digital technology to maintain and transfer records. For health care institutions, security is of utmost importance because of the highly sensitive information contained in medical records. Unauthorized access to and disclosure of such material can have devastating effects for both the patient and the health care institution. Patients face extreme embarrassment and the possible loss of their employment or insurance as the result of unauthorized disclosure of medical information. Health care institutions face exposure to liability for disclosure of confidential medical information under several different legal theories, including invasion of privacy, breach of confidentiality, defamation, intentional infliction of severe emotional distress, and medical malpractice. This article explores the ramifications of sending unsecured confidential medical information through digital technology. In addition, the article discusses how health care institutions can take advantage of digital technology and still protect patients' confidentiality.
Health care institutions have a statutory duty, under both federal and state laws, to maintain medical records. In addition, health care professionals, such as physicians, have a legal duty to hold in confidence information obtained from a patient during medical consultations. State laws, licensing statutes, and courts impose this duty of confidentiality. Furthermore, pursuant to the Federal Privacy Act of 1974, although physicians technically own information in the medical records, physicians must obtain the patient's consent prior to disclosing this information, unless the information is shared with other physicians in the patient's presence. In practice, however, access is rarely limited to physicians as both professional and non-professional medical personnel must have access to patients' records to properly treat them. In such situations, the consent is usually obtained from a generic consent form, which a patient must sign before receiving care, or is often presumed.
There are many benefits to maintaining medical records in electronic form for both the health care institution and the patient. In general, health care institutions can more efficiently store and more readily access patient data when it is in electronic form. Physicians can monitor patients without physically being in the hospital, which allows them more time in their offices and clinics to see patients. Pharmaceutical companies and universities can conduct more accurate and effective research because of better access to patient data. When physicians have immediate access to the most updated studies and can consult with other physicians instantaneously, patients benefit as a result of better quality of care. In addition, HMOs and other managed care organizations are beginning to take advantage of digital technology by creating Websites to enroll consumers at a lower cost than paper or phone-based mediums.
New Risks
Although increased access to patients' medical data provides many benefits, the reality is that along with greater access comes more opportunities for abuse. Health care institutions could be held liable for accidental or intentional breaches of confidence by the medical staff. Consequently, these institutions must focus their attention on implementing effective security mechanisms and administrative policies to restrict access to patients' records. If health care institutions overlook the importance of implementing security systems, the cost of liability could outweigh the benefits of digital technology.
Fortunately, the health care industry can utilize security systems that have successfully secured electronic records in other industries, such as encryption and message authentication systems. Encryption is a technological device that secures confidential information transferred via a computer network. Encryption works by scrambling the digital message so that it cannot be read if it is intercepted while in transit. The digital message is then decrypted when the recipient receives the message. This device is generally used to safeguard information transmitted over the Internet, but it is also a valuable device to secure the confidentiality of electronic mail.
Message authentication also offers a means to secure the confidentiality and integrity of records sent via digital technology. Under this device, "an invention called the 'check sum' or 'message authentication code' strategically extracts a unique summary of the message, compresses it and provides a comparison with the actual message after [it is] received. If any bit is changed . . . the check sum recognizes the change and exposes the corrupted file. An Internet message can be tagged so the sender [cannot] deny having sent it, and the recipient [cannot] deny having received it."
Individual passwords and firewalls that limit access onto computer systems are also important security devices. In general, when examining security devices, health care institutions should investigate whether the security system can:
- maintain the integrity of the original records;
- document and trace the sender and receiver; and
- limit access to authorized personnel with legitimate purposes.
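The message authentication check described above, and the first two items of this checklist, as an added Python example that is not part of the original article: an HMAC-SHA256 tag covers the record together with the sender and receiver names, so changing a single bit of the record or re-addressing it fails verification. The key, party names and record are constructed for illustration; a shared-key tag of this kind proves integrity and origin only to the key holders, and the non-repudiation property requires a digital signature instead.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): in practice each sender/receiver pair
# holds a secret key provisioned out of band.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def _message(sender: str, receiver: str, record: bytes) -> bytes:
    """Canonical bytes that the tag is computed over."""
    header = json.dumps({"from": sender, "to": receiver}, sort_keys=True).encode()
    # Length-prefix the header so bytes cannot be shifted between header and record.
    return len(header).to_bytes(4, "big") + header + record

def seal(key: bytes, sender: str, receiver: str, record: bytes) -> dict:
    """Return an envelope whose tag covers sender, receiver and record."""
    tag = hmac.new(key, _message(sender, receiver, record), hashlib.sha256).hexdigest()
    return {"from": sender, "to": receiver, "record": record, "tag": tag}

def verify(key: bytes, envelope: dict) -> bool:
    """Recompute the tag and compare it in constant time."""
    msg = _message(envelope["from"], envelope["to"], envelope["record"])
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    changed = bytearray(data)
    changed[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(changed)

def demo() -> dict:
    record = b"patient=constructed-0001;dx=example"  # constructed sample record
    env = seal(DEMO_KEY, "clinic-a", "lab-b", record)
    return {
        "intact": verify(DEMO_KEY, env),
        "one_bit_changed": verify(DEMO_KEY, dict(env, record=flip_bit(record, 5))),
        "receiver_changed": verify(DEMO_KEY, dict(env, to="unknown-party")),
        "wrong_key": verify(b"some-other-key", env),
    }

if __name__ == "__main__":
    print(demo())
```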
Administrative Challenges
In addition to these technological security devices, health care institutions should also develop universal administrative policies for the release of all forms of patient records, including photocopies, electronic mail messages, facsimiles, voice mail messages, and transmittals over the Internet. Moreover, every employee who may come in contact with patient medical records should be required to sign a confidentiality agreement. Patients' consent should also be obtained, whenever possible, before electronic medical information is disclosed. Furthermore, health care institutions should conduct regular training sessions to educate and update health care professionals and other employees about the security systems and administrative protocols of the organization.
Even with the most up-to-date security devices, the threat of hackers disarming security devices and wreaking havoc on a health care facility's electronic medical records remains a real concern. Security analysts advise, therefore, that facilities be careful not to advertise their security systems because hackers may see this as a challenge. Furthermore, even when access is limited to authorized personnel, some individuals may take advantage of their position and disclose medical information for illegitimate purposes. In these instances, security devices and administrative protocols will not protect the confidentiality of electronic medical records; rather, legal redress against the perpetrator is necessary. Unfortunately, state and federal laws have not developed as rapidly as the technology in the area of electronic medical records. Although several states have enacted new privacy laws to combat the unauthorized disclosure of electronic medical records maintained by private health care institutions, the laws vary greatly in scope.
To date, there is no federal law specifically addressing the issue of privacy and electronic medical records. Congress is under increasing pressure to pass legislation that limits the dissemination of authorized medical information and penalizes those who abuse their authority to access medical records, thereby affording health care institutions and patients legal redress. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), if Congress fails to enact privacy legislation for medical records by August 1999, the Department of Health and Human Services (HHS) is authorized to enact privacy standards by regulation.
HHS recently proposed new standards for all health care institutions that maintain electronic medical records. Under these new standards, health care institutions will be required to adopt security plans based on the facility's individual needs; to establish responsible administrative protocols to limit physical access to records; to train employees regarding these systems and protocols; and to use electronic signatures to verify the identity of the signer when a signature is required under HIPAA.
In sum, digital technology is indeed a powerful tool for the health care industry. The ability to store vast amounts of medical information electronically and to quickly disseminate such information has forever changed the traditional physician/patient relationship. Gone are the days when physicians could simply lock the office doors to protect patients' medical records and fulfill their duty of confidentiality. The challenge for health care institutions that currently use digital technology to maintain medical records is forecasting how the laws will adapt to the new technology and, thereby, reconfigure the physician/patient relationship. In the interim, it is important to establish effective security systems and responsible administrative protocols to continue to fulfill the duty of confidentiality.