EMR Confidentiality and Information Security

Gary Kurtz, FHIMSS

ABSTRACT

Healthcare is no longer one patient and one physician. Many people and services are involved, and they all need access to the same accurate, complete data to provide excellent care. The onus is on healthcare providers to come up with information security solutions that don’t hinder patient care while still providing the confidentiality of patient information.

KEYWORDS

Electronic medical record (EMR), Confidentiality, Information security, Privacy

Journal of Healthcare Information Management — Vol. 17, No. 3, p. 41

FOCUS: SECURITY

Since the time of Hippocrates the need to maintain the confidentiality of medical information has been recognized. A tenet of information practices is that one cannot have confidentiality without information security. In the case of medical information, a balancing act is always present between ease of access for prompt medical care and that of information security to maintain confidentiality.

There is no doubt that information security measures could be used to lock information up so tightly that no one could access it. What purpose would that serve? Physicians and caregivers need to be able to easily access patient information to provide care. What is the right mix to be able to do both? Information security must be proportionate to the risk and the value of the asset to be protected. It seems that the magic formula is elusive.

The solution will probably be different for each healthcare organization depending in large part on specific policies and the culture. Some pieces will be the same; however, the techniques might be different. The onus is on healthcare providers to come up with information security solutions that don’t hinder patient care while still providing the confidentiality of patient information.

The correct solution will probably be determined in your organization by who defines service and how information security is implemented.

Definitions

There are distinctions between the terms privacy, confidentiality, and information security, and it is appropriate to establish those definitions.

1. Privacy is the right of an individual to control disclosure of his or her medical information.

2. Confidentiality is the understanding that medical information will only be disclosed to authorized users at specific times of need. It entails holding sensitive data in a secure environment limited to an appropriate set of authorized individuals or organizations.


3. Information security includes the processes and mechanisms used to control the disclosure of information. It is the protection of computer-based information from unauthorized destruction, modification, or disclosure.[1]

Electronic Medical Record Project

Attention to information security and confidentiality started early in the electronic medical record project with the formation of an Information Security Work Group. The workgroup knew that the patient/physician relationship is based on trust. Patients will share information only if they have this trust. It was important to be able to maintain this trust with the introduction of electronic records.

Many people are involved in the care of a patient and we have an acute responsibility to protect that information and make sure it only gets into the hands of those authorized to see it. It is a trust issue with our patients. The members of the workgroup were laying the foundation for policies and procedures aimed at ensuring the confidentiality of patient-identifiable medical information and thus maintaining trust.

Members of the workgroup included professionals from health information management, medical informatics, physician ranks, internal audits, legal services, human resources, and information technology. Their charge was to identify issues and propose policy solutions in the areas of information security, system security, and patient confidentiality. They did so, keeping in mind that some patients would not be entirely comfortable having their records in electronic form, which is Geisinger’s strategy.

As a result of the workgroup’s efforts, the following policy recommendations were derived:

1. The establishment of an ongoing oversight group with responsibilities for managing information security, confidentiality, and access; overseeing the provision of training and awareness; disaster recovery; ongoing monitoring of access; and keeping abreast of technological and regulatory changes. This area was further expanded with the impending Health Insurance Portability and Accountability Act of 1996 (HIPAA) to include the appointment of a corporate privacy officer, a much more robust privacy program, and an expanded organizational structure defined to oversee the provision of information security and patient confidentiality (see GHS HIPAA Compliance Development Functional Organizational Chart, figure 1). While some of the boxes (functions) are specific to HIPAA and will go away after the project, most will remain in effect into the future and constitute the functional information security and confidentiality organizational structure.

2. Access to patient identifiable information should be on a “need to know” basis. Role-based access was the order of the day. Access would be granted based on the role of each person in the provision of patient care. Furthermore, the caregivers should only access the records of those patients for whom they were providing care. (See Information Security Architecture, figure 2.)

3. If the capability to tie physicians and patients together to control access is not implemented, then more stringent audit controls and monitoring should be instituted. Geisinger restricts access on a “need to know” basis through policy and education as opposed to software features. Geisinger would rather err in regard to confidentiality than make a mistake where information was withheld and treatment was compromised.

[Figure 1. GHS HIPAA Compliance Development Functional Organizational Chart. The chart places the HIPAA Program Management Office (initial compliance plan development and coordination) and the HIPAA Coordination Team (program review and approval) over the program development task forces (operations, medical records, health plan, EDI, data center/networks/desktops, security office, investigational review board, human resources, others to be named, and third-party contracted resources if required) and the standing functions: Information Security and Confidentiality Committee (system practices), Information Security Council (business-unit-based security officers), Security Office (information security monitoring and policy development), Medical Information Practice Committee (system and health plan PHI repositories), IRB Information Practice Committee (research PHI repository), Human Resources Training and Development (staff awareness and education programs), Information Technology (technology evaluation and approval), Internal Audits (independent internal compliance monitoring), and Patient Care Advocate (patient ombudsman).]

4. The system should be designed with sufficient redundancy to minimize the risk of system downtime or data loss. Disaster recovery plans would be required. With the need to have access to patient information 24 hours a day seven days a week for the provision of care, this aspect of the system is extremely important. Eventually, all of the records of the patients will be in electronic form and loss of access to this data could jeopardize patient care. Care should be taken to provide the correct services for the risk involved. Backup copies of data and shadow copies of data with fail-over capabilities are some examples of how Geisinger protects its data resources. Applications such as the electronic medical record (EMR) will have the most stringent mechanisms in place to ensure continued operation and data integrity, and to minimize risk.

5. An ongoing audit trail must be implemented for all transactions and accesses to the system. Random and directed review of the audit trail should be accomplished regularly to test compliance with confidentiality policies. Attention should also be given to feeder systems in reviewing audit trail capabilities. These could be vulnerable without proper information security and auditing capabilities.

6. Provision for restricted visit types (HIV, EtoH, drug treatment, and mental health) and restricted records (VIP, employees, etc.) should be made. Access to this protected information for those not already providing direct care should be via “break the glass” access, creating an audit trail.

7. It would be imperative to follow federal and state regulations on medical record information to continue to be in compliance. At the time of these policy recommendations, the HIPAA regulation was not receiving widespread attention and was only a gleam in a legislator’s eyes. As it turns out, some of Geisinger’s provisions were right in line with the proposed regulations, a solid foundation on which to build our privacy program.

8. Database review and report generation for purposes other than direct care will be restricted. Care must be taken to ensure that printed patient information would be afforded similar measures as the electronic versions. Release of information would continue to be handled by health information management. Research requests would continue to be reviewed by the institutional review board. Data leaving the Geisinger Health System (GHS) should only contain patient identifiers when absolutely necessary as required by law, rule, or regulation. Creation of secondary databases, especially those containing protected health information, would be strongly discouraged because they pose a significant risk to confidentiality. They are also subject to corruption, and hence repeated or later queries against a secondary database may lead to erroneous conclusions. Information becomes out of date very quickly. It should also be noted that “secondary databases,” while they may contain the same information as the “original” EMR, may not be subject to the same protections — firewall, antivirus, back-up, etc. — as the EMR and thus represent an area for increased risk of “hacking” and possible disclosure.

9. Remote access capabilities for caregivers should be provided with maximum protection against unauthorized access. The concept of accessing patient information “where you need it” and “when you need it” was adopted. This would evolve into a more robust access methodology including encryption and strong authentication. It was believed this would improve productivity and “quality of life” for physicians. One of the mindset changes our organization went through was moving from a geographical record to “healthcare without walls.” Being electronic and accessible from anywhere is quickly becoming the norm.

[Figure 2. Information Security Architecture]

10. Printers represent a significant problem with confidentiality. Their location, access, and use must be carefully protected. Temporary paper copies of portions of the electronic medical record represent an important risk to confidentiality, and their use, storage, and disposal should be managed appropriately.

11. Procedures for regular backup of the database must be established to include the capability to reload the database in case of disaster.

To support the policy statements, the workgroup created several documents that required signing prior to providing access to electronic patient information:

1. Electronic Signature Authorization Agreement to Participate

2. Password Authorization Agreement
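The following is an added example, not Geisinger's code and not code from the article, that models recommendations 2, 3, 5 and 6 above in working form: role-based, need-to-know access tied to the patients a caregiver is treating; the restricted visit types and record categories the text names, reachable by non-caregivers only through "break the glass" with a stated reason; and one audit trail entry for every decision so that directed review can pull out the break-the-glass and outside-care-team accesses. The roles, user identities and patient identifiers are constructed, and the choice to let a non-restricted record outside the care team through with a flag (rather than a hard denial) is an assumption that mirrors Geisinger's policy-rather-than-software stance in recommendation 3.

```python
"""Added example (not Geisinger's or the article's code) modelling policy
recommendations 2, 3, 5 and 6: role-based need-to-know access, restricted
records with break-the-glass, and an audit trail for every decision.
All roles, user ids and patient ids are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set

# Assumption: only these roles may view clinical data at all.
CLINICAL_ROLES = {"physician", "nurse"}
# Restricted visit types and record categories named in recommendation 6.
RESTRICTED_VISIT_TYPES = {"HIV", "EtoH", "drug treatment", "mental health"}
RESTRICTED_RECORD_FLAGS = {"VIP", "employee"}


@dataclass
class User:
    user_id: str
    role: str
    # Patients this user is currently providing care for (the physician/patient tie).
    caring_for: Set[str] = field(default_factory=set)


@dataclass
class Record:
    patient_id: str
    visit_type: str = "general"
    flags: Set[str] = field(default_factory=set)

    def is_restricted(self) -> bool:
        return (self.visit_type in RESTRICTED_VISIT_TYPES
                or bool(self.flags & RESTRICTED_RECORD_FLAGS))


@dataclass
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    decision: str   # "allow", "allow_flagged", "break_glass" or "deny"
    reason: str


AUDIT_TRAIL: List[AuditEvent] = []


def _audit(user: User, record: Record, decision: str, reason: str) -> None:
    AUDIT_TRAIL.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                  user.user_id, record.patient_id, decision, reason))


def check_access(user: User, record: Record,
                 break_glass_reason: Optional[str] = None) -> str:
    """Decide whether `user` may open `record`; every path writes an audit event."""
    if user.role not in CLINICAL_ROLES:
        _audit(user, record, "deny", "role may not view clinical data")
        return "deny"
    if record.patient_id in user.caring_for:
        # Direct caregivers open their own patients' records, restricted or not.
        _audit(user, record, "allow", "patient under user's care")
        return "allow"
    if record.is_restricted():
        # Recommendation 6: non-caregivers reach restricted information only by
        # breaking the glass, which must carry a reason and is always audited.
        if break_glass_reason:
            _audit(user, record, "break_glass", break_glass_reason)
            return "break_glass"
        _audit(user, record, "deny", "restricted record; break-the-glass reason required")
        return "deny"
    # Non-restricted record outside the care team: need-to-know is enforced by
    # policy rather than software (recommendation 3), so the access goes
    # through but is flagged for directed audit review (recommendation 5).
    _audit(user, record, "allow_flagged", "patient not under user's care")
    return "allow_flagged"


def events_for_review() -> List[AuditEvent]:
    """Directed review: the accesses that policy says must be looked at."""
    return [e for e in AUDIT_TRAIL if e.decision in {"break_glass", "allow_flagged"}]


if __name__ == "__main__":
    dr = User("dr_a", "physician", {"P1"})
    print(check_access(dr, Record("P1")))                               # allow
    print(check_access(dr, Record("P2", visit_type="HIV")))             # deny
    print(check_access(dr, Record("P2", visit_type="HIV"), "ED consult"))  # break_glass
    for e in events_for_review():
        print(e)
```

The audit list is deliberately written on every branch, including denials, because the text asks for a trail of all accesses, not only successful ones; a reviewer can then reconstruct both what was opened and what was attempted.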

Further Workgroup Considerations

Philosophically speaking, what constitutes an EMR? In the paper world, it was much easier to define. Generally speaking, it was what was inside the record jacket. In the electronic setting, this expands to many more data points. For instance, ECHO and EKG images may be stored in their respective databases with the EMR having pointers to this data. In some organizations ECHO and EKG applications may not have traditionally come under IT purview and thus may not be afforded the same protections.

When a patient makes a request for release of information, what will we give them in this new environment? Will orders and requests be included as part of the record?

It is important to cast away the paper world thinking and take a new view. This new view will undoubtedly require new thinking for information security and confidentiality as well.

Additionally, we are seeing a shift in how data is being presented so that the patient can easily understand its meaning. Another shift that is occurring is from the data belonging to the caregiver to a model where the provider or healthcare system is the repository of patient-owned and controlled data.

Views of patient data will probably be tailored to each patient and be more individualized. If you have a particular condition such as diabetes, you will be provided information tailored to that particular condition — for example, a patient portal with a section called My Diabetes. This will lead to a fundamental shift, providing the patient with more control of their care.

Exam Rooms/Offices

Physicians would be required to “secure” their screens whenever they leave the room to maintain confidentiality of patient information. Logging in and out of the application each time they left a computer would be too burdensome and time consuming, as physicians go back and forth from office to exam room many times a day.

Instead, a feature of the EMR system would be utilized (secure screen) that enables the caregiver to initiate a curtain over the patient data. This would provide for confidentiality while enabling the caregiver to pick up where they left off in the electronic medical record. This was accomplished by simply re-entering their user identity and password.

Current technologies such as biometrics and proximity badges are being investigated to further reduce the amount of time a physician must spend entering user identity and password. Care must still be taken to ensure that balance is maintained between ease of access and confidentiality.

An example of this increased risk versus access is the potential practice of physicians wanting to have “concurrent sessions” under their user identity: one in the exam room for charting, and one in their private office for answering e-mail. Such a physical situation has minimal confidentiality issues, and certainly reduces the onerous task of “logging on” for the physician, but does raise significant issues with authentication. What if while the physician worked in the exam room an office worker conducted an e-mail session under the physician’s user identity? In the virtual world, the identity of the physician can become clouded.

The emergency room is a place where conventional methods for information security will be challenged. Time is of the essence, and physicians and nurses do not have time to be burdened with lengthy procedures to access medical information. EMR and information security vendors need to work in concert for an acceptable solution in this often life-and-death setting.

Access to Information

The use of a unique user identity and password combination is still the primary method of providing access to information.

In addition, policy prohibits the sharing of individual electronic access with anyone. This constitutes a change in behavior from the paper medical record world that may disrupt workflow. In the paper world, it was easy to instruct someone else to do some of the work. In the electronic world, they need appropriate access and may not qualify.

With the introduction of the EMR we have shifted accountability to many more people than when the record was in paper form. For example, physicians did not need to deal with sign-on to access the paper record. Information is now available on any workstation that has proper access through the network and for any authorized user.

Most healthcare providers do not think of information security in the course of their daily work, nor should they have to. It is up to the information security function to educate users on the risks and to provide the appropriate level of information security for the user.

Geisinger Health System has developed policies that regulate the composition of the password and how often it should be changed. The idea of requiring a password to be changed periodically has posed quite a debate for some time. If a password is changed often it is more inclined to be written down, which is against policy, thus creating a potential for others to obtain the password. If it is not changed periodically, how will it be known if it has been compromised? Others could use it indefinitely without being detected. At least if it changes periodically, unauthorized access would be reduced. As stated previously, we are investigating other avenues, e.g., biometrics, for authenticating users who access information, which would remove the need to change passwords periodically.

For remote access to patient information we have implemented the use of nonrecurring one-time passwords supplied via a device the caregiver must carry. The combination of something they know and something they possess is considered strong authentication. This password generator may resolve the debate over changing of passwords since they are never the same and the user will not need to write it down to remember. It is displayed on a mini-screen and is constantly changing.
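The article does not say which algorithm its remote-access token uses. The added example below, which is not Geisinger's code or the article's, assumes a time-based one-time password (RFC 6238 TOTP over HMAC-SHA1), which behaves as the paragraph describes: the displayed code changes every time step and is never reused. The server side combines the code with a salted password hash check (something you know plus something you possess) and remembers the last accepted time step so the same code cannot be accepted twice. The user identity, password and token seed are constructed; the 30-second step and 6-digit code length are assumptions.

```python
"""Added example (not from the article or Geisinger): two-factor remote logon
with a time-based one-time password (RFC 6238 TOTP, an assumption about how
the token works) plus a salted password hash. The seed, user and password
below are constructed for illustration."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

TIME_STEP = 30   # seconds each code is displayed (assumption)
DIGITS = 6       # length of the displayed code (assumption)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, dynamic truncation, `digits` digits."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RemoteAccessServer:
    """Per caregiver: salted password hash, token seed, and the last accepted
    time counter, so a replayed code is rejected (codes are nonrecurring)."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def enroll(self, user_id: str, password: str, token_seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt,
                               "pw_hash": hash_password(password, salt),
                               "seed": token_seed,
                               "last_counter": -1}

    def logon(self, user_id: str, password: str, code: str, now: int,
              window: int = 1) -> Tuple[bool, str]:
        u = self.users.get(user_id)
        if u is None:
            return False, "unknown user"
        # Factor 1, something you know: constant-time compare of the hash.
        if not hmac.compare_digest(hash_password(password, u["salt"]), u["pw_hash"]):
            return False, "bad password"
        # Factor 2, something you possess: accept the current code or one
        # step either side to tolerate clock drift between token and server.
        for delta in range(-window, window + 1):
            t = now + delta * TIME_STEP
            if t < 0:
                continue
            counter = t // TIME_STEP
            if hmac.compare_digest(totp(u["seed"], t), code):
                if counter <= u["last_counter"]:
                    return False, "code already used"
                u["last_counter"] = counter
                return True, "ok"
        return False, "bad token code"


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test-vector seed, constructed use
    srv = RemoteAccessServer()
    srv.enroll("dr_a", "correct horse", seed)
    print(srv.logon("dr_a", "correct horse", totp(seed, 59), 59))   # (True, 'ok')
    print(srv.logon("dr_a", "correct horse", totp(seed, 59), 59))   # replay rejected
```

The replay check is what makes the code genuinely one-time on the server side: the token display moves on after the step, but without recording the last accepted counter a code observed over someone's shoulder would still be valid for the rest of that step and the drift window.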

For the virtual world of medicine, consideration must be given for the use of biometric authentication. This technology takes authentication to the next higher level, for it is a test of “a live presence.” Thus the virtual physician interpreting or prescribing remotely can be authenticated to be physically present at the time of intervention, rather than permit the possibility of delegation to a colleague and/or identity theft by having someone else possess a valid password or token. It would certainly appear likely that such validation for “a live presence” would be a possible federal mandate for payment purposes in the future of telemedicine.

As more information becomes electronic and accessible virtually anywhere, more employees will do their work online, i.e., analysis, release of information, and coding. While this is an advantage to the organization, i.e., employees not tied geographically to the record, care will need to be taken to maintain confidentiality and information security.

Failed Logons

Auditors view the suspending of access for failed logons as a preventative control geared at limiting exposure while providing system administrators with an opportunity to perhaps be advised of an attack on their system. Electronic medical records systems need to provide application security administrators with sufficient tools and information to assist them in determining if this is an attack or simply a user issue.

In addition, we need to select the number of consecutive failed logons as a trigger to suspending access. This is a delicate balance especially when a patient may be present and the caregiver cannot access the patient’s record due to a failed logon suspension. This is a situation that we need to eliminate. Geisinger has established three consecutive failed logons as its standard.

We do not want to create an impediment to adopting the use of systems. On the other hand, we need to weigh the risks of a breach and implement the appropriate safeguards.

We hear complaints from users who say they cannot remember their user identity and password, yet we know some of these same people use ATM machines that require similar memory skills. There is a perception that information security just slows us down. Geisinger will look to new secure technologies to assist in this area. Possibly using biometrics, tokens, or proximity devices would reduce the number of failed logons.

In the future, audit trails with concomitant alarm functions may well need to be expanded beyond the traditional failed login parameters. Consideration must be given to audit trails that are more granular, i.e., the authorized and authenticated EMR user that attempts to view records for those patients not currently under their care or perhaps those of relatives, which traditionally has been discouraged by the American Medical Association.
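As an added example, not code from the article or from Geisinger, the monitor below applies the three-consecutive-failures standard stated above (a successful logon resets the count) and gives the application security administrator the distinction the text asks for: a single account failing repeatedly from one workstation reads as a user issue, while many different accounts failing from the same workstation in a short span is the pattern worth escalating. The log line format, workstation names, user identities and timestamps are all constructed for the example.

```python
"""Added example (not from the article or Geisinger): failed-logon review
over constructed log lines. Implements the three-consecutive-failures
suspension standard and a simple attack-versus-user-issue classification.
Log format, hosts, users and times are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, List, Set

FAILED_LOGON_LIMIT = 3        # Geisinger's standard as stated in the article
DISTINCT_USER_THRESHOLD = 3   # assumption: this many accounts failing from one
                              # workstation is escalated as a possible attack

# Constructed format: "<timestamp> <workstation> <user> FAIL|OK"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<result>FAIL|OK)$")

SAMPLE_LOG = """\
2003-06-01T08:00:01 exam-room-12 dr_smith FAIL
2003-06-01T08:00:09 exam-room-12 dr_smith FAIL
2003-06-01T08:00:20 exam-room-12 dr_smith OK
2003-06-01T08:05:00 exam-room-12 dr_smith FAIL
2003-06-01T08:05:04 exam-room-12 dr_smith FAIL
2003-06-01T08:05:10 exam-room-12 dr_smith FAIL
2003-06-01T09:10:00 lobby-kiosk-3 rn_jones FAIL
2003-06-01T09:10:02 lobby-kiosk-3 dr_patel FAIL
2003-06-01T09:10:04 lobby-kiosk-3 rn_lee FAIL
2003-06-01T09:10:06 lobby-kiosk-3 dr_ng FAIL
"""


def parse(log_text: str) -> List[dict]:
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def suspended_accounts(events: List[dict], limit: int = FAILED_LOGON_LIMIT) -> Set[str]:
    """Accounts that reached `limit` consecutive failures; a success resets the streak."""
    streak: Dict[str, int] = defaultdict(int)
    suspended: Set[str] = set()
    for e in events:
        if e["result"] == "OK":
            streak[e["user"]] = 0
        else:
            streak[e["user"]] += 1
            if streak[e["user"]] >= limit:
                suspended.add(e["user"])
    return suspended


def classify_by_workstation(events: List[dict],
                            threshold: int = DISTINCT_USER_THRESHOLD) -> Dict[str, str]:
    """Per workstation: many distinct accounts failing suggests an attack on the
    system; repeated failures of one account suggest a user issue."""
    users_per_host: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users_per_host[e["host"]].add(e["user"])
    return {host: ("possible attack" if len(users) >= threshold else "user issue")
            for host, users in users_per_host.items()}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("suspended:", suspended_accounts(evs))          # {'dr_smith'}
    print("by workstation:", classify_by_workstation(evs))
```

Note what the sample shows: the kiosk accounts are never suspended, because each fails only once, so a per-account lockout alone would not surface that pattern; the per-workstation view is the second signal the administrator needs.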

Policies and Procedures

GHS has a termination policy requiring notice to the information security office of all employees terminating employment with the organization. Steps are taken to remove all access to data in conjunction with the termination.

Since the patient information does not belong to the caregiver, they cannot take it with them when they leave without patient authorization. A good termination policy will include this directive. As part of our HIPAA compliance efforts we will implement a release and acknowledgement form that the terminating user will be required to sign, acknowledging they are not removing any protected informational assets of the health system.

GHS has other policies covering risk acceptance, access, application criticality, Internet access, e-mail usage in a clinical setting, confidentiality, and remote access, to name a few. As part of the compliance for HIPAA, we have developed many more policy statements as required dealing with privacy, security, and transactions.


Information Security Organizational Structure

The information security function at GHS is a decentralized structure for application security administration, and a centralized structure for policy and procedure development. The director of information security and confidentiality is responsible for the development and implementation of the corporate information security and confidentiality program.

Most applications have their own information security administrator who is part of the user area and establishes the requested level of access based on the authorization of the data manager. A data manager is defined as a senior manager (e.g., vice president, department head, administrator, etc.) in a user department with responsibility to control and supervise specific data and to authorize access by users.

Access to applications and the information is controlled by the owners of the information, e.g., the finance department owns the financial information. They work within a framework that has been established by a central information security function that administers the program.

As with many paradigms, there are advantages and disadvantages to the decentralized information security model. One positive aspect is that it permits a much reduced response time and sensitivity to the needs of the business unit, thus permitting information security not to be perceived as a significant barrier to operations. The downside for the decentralized model is that it is much harder to maintain consistent application of policy and procedure. One way to remedy this shortfall is the creation of an information security officer’s council composed of the business unit-based information security individuals. Such a group would meet on a periodic basis to review information security policy and procedure and discuss problematic areas.

Privacy

As defined earlier, privacy is the right of an individual to control disclosure of his or her own medical information. “Privacy,” an influential journalist and editor wrote in Scribner’s magazine in 1890, “is a distinctly modern product, one of the luxuries of civilization.”

One of the earliest technologies, writing, enabled a new and enduring form of private communication. The printing press popularized reading, an intensely private affair. The wristwatch privatized time. The gummed envelope boosted expectations of privacy in the mail. The single-party telephone line, television, and radio are also examples of how technology has created private forms of communication.[2]

Today privacy is not a luxury. National surveys have shown that privacy is now something that most consumers and patients demand. They are keenly aware of what can go wrong when their information is stored in electronic form and, by accident or by malicious intent, their most private information is made public. Under intellectual property law, should that which was desired to be privileged become public? Sanctions and remuneration can be imposed in an attempt to “make whole” the injured party. How does one compensate a patient whose genetic makeup is now public and has been used against them?

In the paper world it is impossible to know who has looked in the record as it flows from the central files to the requestor. This could be for a patient appointment or for review of case or filing of additional information. At least with the electronic record, in our case, each person accessing the record is recorded and date and time stamped, providing a record of all access to the patient’s information.

Internet

No article on confidentiality and information security would be complete without discussing the Internet. This is the fastest growing method of access to information in the world. All that is needed is a personal computer with a modem, a phone line, and an Internet service provider, and you are connected. While there are other devices, such as cell phones and personal digital assistants, that can access the Internet, for our purposes we will stay with the personal computer. Many of the issues will be the same regardless of the device.

The Internet is open and used as an easy method to communicate with people around the globe. Just consider the number of people who use e-mail, which is offered free on many sites. So what you have are millions of people who have access to the Internet and the information that resides and flows over the electronic highway. Much of this information is not protected by encryption.

So enter the use of the Internet for healthcare applications and the flow of patient information over this conduit. Physicians want to be able to access this type of information when they need it and where they need it. This could be at home or while they are off to conferences. The Internet provides an ideal avenue for this type of access. Unfortunately, not everyone who is connected to the Internet is trustworthy. Some even go out of their way to be disruptive and some even prey on unsuspecting individuals.

Patients today are expecting to communicate with their physicians via e-mail, and they do this easily over the Internet. They want to be able to access their personal health records online any time of the day or night. Again enter the Internet. Not everyone is going to embrace this technology and some may even object.

Relationships between patient and physician are built on trust. Patients must have trust that their most private information will be kept confidential. This was easier for the patient to accept when the record consisted of paper and was stored at a single location. With the advent of the electronic medical record and access over the Internet, healthcare needs to find new methods to ensure confidentiality and maintain trust.


Patients who want to access their medical information online are required to go through an enrollment process so positive identification can be made before allowing them to access their personal data online. Coupled with that, encryption tools are used to scramble information so it is not readable if intercepted as it travels over the Internet. Once it reaches your personal computer it is unscrambled and readable only to the owner.

E-mail is handled in much the same manner, with messages being deposited in a mailbox that is located at the provider site and only accessible by the owner through an encrypted online session. Reminders are sent to patients letting them know that an e-mail exists for their retrieval. These reminders are void of any patient information.

In conjunction with the implementation of the electronic medical record, the use of electronic means of communication with patients and other providers has become more prevalent. As a result, Geisinger Health System has developed Guidelines for the Use of Electronic Mail in Clinical Communications.

Patient Access from Home

Geisinger has introduced a patient portal through which patients can view and manage their healthcare. With the patient portal, patients can:
• View their health information
• View lab results for several common tests
• Send e-mail to their provider
• Review their scheduled appointments and request new appointments
• View past and future office visits
• Request prescription renewals
• Request referrals
• Review their medical history

This leading edge health management tool requires additional safeguards, and Geisinger has taken steps to provide them.

Patients who elect to sign up for this service receive a random access code, with authentication of the individual being done either in a face-to-face session or via online enrollment. This is accomplished by comparing “in-band” and “out-of-band” data points as a means of authenticating the user.

For information security reasons, once authentication has occurred, the random access code is no longer valid. In addition, the random access code has a short life cycle in case it is not used promptly. The patient must sign on and create their own user identity and password. Since they choose their own user identity and password, and Geisinger does not have a record of their password, they are the only one who can access their information. The patient is instructed to use caution not to share their access information with anyone else.
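The enrollment flow described above, as an added example that is not Geisinger's code: the access code is random, single-use and expires if not redeemed promptly, and the patient then sets a user identity and password of which the provider keeps only a salted hash. The 48-hour lifetime, the PBKDF2 work factor and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

CODE_TTL_SECONDS = 48 * 3600   # assumed "short life cycle" for an unused code
PBKDF2_ROUNDS = 100_000        # assumed work factor for the password hash


class EnrollmentService:
    """Constructed in-memory model of the portal enrollment flow."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}     # access code -> (patient_id, expires_at)
        self._accounts = {}  # user_id -> (patient_id, salt, password_hash)

    def issue_access_code(self, patient_id):
        """Issue a random code once the person has been positively identified."""
        code = os.urandom(16).hex()
        self._codes[code] = (patient_id, self._now() + CODE_TTL_SECONDS)
        return code

    def redeem(self, code, user_id, password):
        """Consume the code once; reject unknown, reused or expired codes."""
        entry = self._codes.pop(code, None)  # pop: the code is invalid after this call
        if entry is None:
            return False
        patient_id, expires_at = entry
        if self._now() > expires_at or user_id in self._accounts:
            return False
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._accounts[user_id] = (patient_id, salt, digest)  # no plaintext password kept
        return True

    def verify_login(self, user_id, password):
        """Check a password against the stored hash; the provider never holds the password."""
        record = self._accounts.get(user_id)
        if record is None:
            return False
        _, salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)
```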

While using the patient portal, all communications between the patient and their Geisinger healthcare team are carried over a secure, encrypted connection. This secure connection utilizes, at a minimum, industry standard Secure Sockets Layer (SSL) 128-bit encryption as well as server-side digital certificate authentication to ensure secure data transmission between the patient and Geisinger.

Information Technology and Vendor Personnel

This group of people requiring access can pose an especially touchy problem. To do their job, some of them require “keys to the kingdom” access. Virtually all data is available to them whether it be patient, application, or operating system.

Special monitoring must be provided of these individuals via audit trails. Information security personnel need to review this special type of log information on a daily basis. Providing a data backup process is extremely important to be able to restore information in the event of an incident.

Personnel with this level of access should be made aware of the monitoring they will be under and should have annual reminders of the access they possess. This is accomplished at GHS through signing a confidentiality statement on an annual basis.

Vendors are also granted access to applications on an as-needed basis. Occasionally, issues arise that require their expertise. Prior to granting access that might include patient data, a few things must be established:
• Vendor contract includes clauses on confidentiality. With HIPAA near, a business associate agreement will be utilized. Refer to the HIPAA privacy regulation for complete details. It can be found at: http://www.hipaadvisory.com/programs/documents/complete.htm
• Vendor confidentiality statement.
• The capability to toggle vendor access on and off, providing access only when required, and controlled by Geisinger.
• Procedures covering the monitoring of vendor access through audit logs. Notification and involvement of the business unit-based analyst responsible for the application to ensure that vendor monitoring is timely.
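The daily audit-log review for privileged users and the vendor-access monitoring described above, as an added example that is not Geisinger's code: vendor accounts are only enabled for approved windows, so any audit record from a vendor account outside its window is a finding for the analyst. The account names, the log line format and the approved windows are constructed for the example.

```python
from datetime import datetime

# Constructed sample data (not real logs): windows approved by the business-unit
# analyst for the vendor account, and audit-log lines written by the application.
VENDOR_ACCESS_WINDOWS = {
    "vendor_lab": [("2003-06-02T09:00", "2003-06-02T17:00")],
}

SAMPLE_AUDIT_LOG = [
    "2003-06-02T10:15 user=vendor_lab action=READ table=lab_results patient=P-1001",
    "2003-06-02T18:30 user=vendor_lab action=READ table=lab_results patient=P-1002",
    "2003-06-03T11:00 user=vendor_lab action=UPDATE table=config patient=-",
    "2003-06-02T11:00 user=dr_smith action=READ table=lab_results patient=P-1001",
]


def parse_line(line):
    """Turn one 'timestamp key=value ...' audit line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def in_window(ts, windows):
    """True if ts falls inside any approved (start, end) window."""
    return any(datetime.fromisoformat(s) <= ts <= datetime.fromisoformat(e)
               for s, e in windows)


def find_out_of_window_vendor_access(log_lines, windows=VENDOR_ACCESS_WINDOWS):
    """Return audit records where a vendor account acted outside its approved window.

    Non-vendor accounts are skipped; they are covered by the general daily review.
    """
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        user = rec["user"]
        if user not in windows:
            continue
        if not in_window(rec["ts"], windows[user]):
            findings.append(rec)
    return findings
```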

Vendors typically design applications to provide functionality. Customers buy applications for that very same reason. We would propose that applications will need more robust information security functionality since healthcare providers are going to be required to implement more stringent information security measures, not only because HIPAA says we need to, but because it makes good business sense. And we in healthcare need to include information security as part of our daily routine, and not as an afterthought as was the case in the past.


It sometimes seems that the technology is not able to keep up with the fast-changing environment. Policies, procedures, and well-defined training programs can be used to fill gaps.

Application Upgrades

Internal information technology (IT) policies and procedures should include change control. Whenever new versions of the application are introduced, thorough testing should be done. This testing should happen in a non-production environment. This is done to ensure that the application functions properly and without any flaws prior to being introduced in production.

An integral part of this testing needs to be the information security functionality. This is especially true when dealing with patient information. Care should be taken to ensure the information security features continue to protect the confidentiality of the information.

Only after rigorous testing should the new version of the application be moved to the production environment. Remember, in today’s world our patients are users of the application through the introduction of the patient portal.

The patient portal allows access to portions of a patient’s record through an encrypted link over the Internet into their homes. Secure e-mail is used to convey information such as appointments, test results, prescription refills, and physician communication.

While change control mechanisms may seem burdensome, they are certainly preferable to doing them twice. For example, what would occur if the change was not tested properly and required a second or third attempt to get it correct? If there is time to do it over, there is time to do it right the first time.

Change control should be used for operating systems, equipment, processes, etc., and not just for healthcare applications. Change control procedures are a way of identifying where you have come from and where you want to go.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was initially designed to provide employees with portability of their health insurance from one employer to the next without loss of coverage. Along the way, items such as privacy, security, electronic transactions, and standard code sets were added. Specifically, the privacy and security aspects will have an effect on the electronic storage and transmitting of patient health information.

Conclusion

The patient/physician relationship is built on trust. To earn that trust, a physician and the organization must prove to patients their respect for confidentiality. There is more risk inherent with our environment today, and it will continue to be a challenge.

While the EMR may be the primary source of access to patient information, remember that many systems may in fact be feeding information to the EMR. When designing an information security program, remember to include the feeder systems. It is also important to pay attention to the secondary databases that are so easy to establish and use in this day of desktop tools.

We are sharing much more information with many more people than we did in the past. We need to operationally balance the risks of business and service while protecting patient confidentiality. In addition, dual systems (paper and electronic) will be in place for many years to come.

Privacy is not absolute. It is one of the primary goals, but there are many. For instance, in an emergency department setting, survival of the patient overrides information security. Healthcare is no longer one patient and one physician. Many people and services are involved, and they all need access to the same accurate, complete data to provide excellent care.

We must always be on guard to ensure the confidentiality of our most trusted information - patients’ healthcare data. It is essential that an organization in this new world of instantaneous access from anywhere ensure they have a robust information security program in place. We need to create an information security consciousness within all organizations.

Acknowledgements

A very special thanks to the following individuals for their contributions:
• Jean Adams, Director I, Ambulatory/Physician Systems
• Dr. Joseph Bisordi, Associate Chief Medical Officer
• Kevin Kerestus, Vice President, System, Internal Audits
• Janet Anderson, Director, Medical Information Management
• John Gildersleeve, Director, Information Security/Confidentiality Administration

About the Author

Gary L. Kurtz, FHIMSS, is Associate Vice President of Information Services for Geisinger Health System, Danville, PA.
