
Security and Privacy in Electronic Health Records Peter P. Swire Ohio State University Consultant,...

Date post: 27-Mar-2015
“Security and Privacy in Electronic Health Records”, Peter P. Swire, Ohio State University; Consultant, Morrison & Foerster, LLP. Hospital Wireless Conference, July 25, 2005
Transcript
Page 1: Security and Privacy in Electronic Health Records Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Hospital Wireless Conference.

“Security and Privacy in Electronic Health Records”

Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster, LLP
Hospital Wireless Conference
July 25, 2005

Page 2: The Schedule Shift Today

Privacy meeting today with Homeland Security Secretary Chertoff
Planned privacy meeting with HHS Secretary Leavitt
Privacy and security as strategic issues for top leadership

Page 3: Our Puzzle for Today

Health IT Must Improve Considerably
Often a decade or more behind other sectors
Manila folders behind the nurses’ station
• Other sectors – banks, travel, retail?
• Inconceivable in today’s market
Perhaps a federal law – manila folders banned from health care providers?
The Gingrich version: “paper kills”

Page 4: Our Puzzle

Health IT is HARD to Improve
Reimbursement reasons
• Medicare, insurers usually do not pay more for good IT
• Customers don’t discipline providers on health IT, the way they would banks or travel providers
• Quality-of-care ROI is usually easier to show than financial ROI for health IT

Page 5: Our Puzzle

Health IT is HARD to Improve
Privacy and security reasons
Recent Westin/AHRQ poll
• More respondents worried about privacy & security than favored new use of electronic health records
Polls and focus groups
• Risks are top-of-mind to consumers
• Benefits are much less evident

Page 6: Overview

HIPAA and my background
Electronic Medical Records, Connecting for Health & David Brailer
National health IDs vs. a linking approach
IT progress together with security and privacy

Page 7: I. HIPAA and Health IT

HIPAA statute in 1996
The political engine was transactions
Early 1990s and no agreement on standards
One HIPAA client paid in > 2000 formats
Statute said standards for electronic payments
My sense – improvement, but harder to get standard implementation than was hoped

Page 8: HIPAA and Health IT

Privacy and security came with new health IT
Political realization that patient records would be electronic for payment purposes
HIPAA statute said build in privacy and security at the same time as ramp up the level of electronic payments
That makes sense – upgrade (for transactions) easiest time to upgrade for security and privacy

Page 9: HIPAA Privacy

Congress gave itself until summer, 1999 to write a medical privacy statute
When it couldn’t, Administration required to issue a privacy rule
WH Coordinator for Oct. 99 proposed rule
53,000 public comments
Final privacy rule Dec. 2000

Page 10: HIPAA Privacy After 2000

After Jan. 2001, political effort to cancel HIPAA privacy
President Bush overruled his advisors, and kept it
2002 final privacy rule mostly the same as 2000 privacy rule
HIPAA security was delayed, but now in place

Page 11: Looking Back on HIPAA

Much of it good practices that had not necessarily been built in previously
Some was bureaucratic overkill
One criticism since 2001 – much less outreach and guidance than planned
Another criticism – no enforcement yet, with risk that those who comply will lose faith in the system

Page 12: II. EMRs, Markle & Brailer

Next, beyond electronic transactions to electronic medical records (EMRs)
A great resource – Markle Foundation’s Connecting for Health Project
www.markle.org: Roadmap & other docs
I’ve been involved in 3 working groups of it
Currently, my focus is on authentication for patients and system users

Page 13: Markle & HHS

Spring, 2004 – Pres. Bush announces Dr. David Brailer as “Health IT Czar”
Brailer had been chair of a Markle committee
Great background on health care economics, health IT
New HHS Sec. Leavitt was on Markle committee, is making health IT one of his signature issues

Page 14: Where We Are Today

Markle and numerous stakeholders
HHS – Leavitt & Brailer
Congress – Newt and Hillary become best friends
BUT, some health care stakeholders are unconvinced:
Doctors, reimbursement & data input challenges
Consumers and fears on privacy/security
Interconnection challenges and fear that early adopters won’t get paid for their efforts

Page 15: III. Health ID v. Linking

A key issue in EMRs is whether to have a national health ID
Most doctors and techies initially assume that it is appropriate and necessary
My argument here is that it is a bad idea and that a “linking” or “record locator service” approach is feasible and better policy

Page 16: National Health IDs

The attraction is the idea that records from home, work, and travel all can be matched by tagging them with a unique identifier for each patient
Most providers use a unique identifier, such as SSN, in their own system – why not use it across systems?
Most plans have envisioned national ID and a central EMR repository

Page 17: The Politics of Health IDs

Unique patient IDs were actually required in the 1996 HIPAA statute
Supported by many vendors and system owners
By 1998, Clinton Administration said no health IDs unless strong privacy & security in place
Bush Administration has confirmed that there will be no such IDs for patients
Moral – huge political opposition to the idea
Waiting for health IDs means to wait a long time

Page 18: The Markle Linking Alternative

Create a Record Locator Service (RLS), not an EMR central database
The RLS authenticates based on demographic, not clinical, data
Federated – decision at the edges whether a record is listed on the RLS
• E.g., substance abuse & HIV may not be listed

Page 19: Advantages of RLS Approach

Avoids single point of failure of central EMR database – the data breach problem
Control at edges
Patients can opt out
Providers can decide what (not) to link
Graceful transition from current system
No required new data field for health IDs
No “rip and replace”
In sum, privacy & security built in
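
A minimal sketch of the record locator design on the two slides above, added here as an illustration and not taken from the talk or from the Markle materials: the index holds only demographic keys and provider pointers, each provider decides what to list, and an opt-out removes the patient from the index. The class names, the exact-match key, the category labels and the sample patients are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Categories this edge provider chooses not to list (the slide's examples).
WITHHELD = {"substance_abuse", "hiv"}


def demo_key(name, dob, zip_code):
    """Build a match key from demographic fields only (exact match: a simplification)."""
    return (" ".join(name.lower().split()), dob, zip_code.strip())


@dataclass
class RecordLocatorService:
    """Central index: demographic key -> provider ids. Holds no clinical content."""
    index: dict = field(default_factory=dict)
    opted_out: set = field(default_factory=set)

    def opt_out(self, key):
        self.opted_out.add(key)
        self.index.pop(key, None)          # also drop pointers already listed

    def list_pointer(self, key, provider_id):
        if key in self.opted_out:          # patient choice overrides the provider
            return False
        self.index.setdefault(key, set()).add(provider_id)
        return True

    def locate(self, key):
        """Answer 'where are this person's records?', never 'what do they say?'."""
        return sorted(self.index.get(key, set()))


@dataclass
class Provider:
    """Edge system: keeps its own records and decides which ones to list."""
    provider_id: str
    records: list = field(default_factory=list)   # (key, category, note)

    def publish(self, rls):
        listed = 0
        for key, category, _note in self.records:
            if category in WITHHELD:       # decision at the edge: not linked
                continue
            if rls.list_pointer(key, self.provider_id):
                listed += 1
        return listed


def demo():
    # Constructed sample data, not real patients or providers.
    rls = RecordLocatorService()
    alice = demo_key("Alice  Example", "1970-01-01", "43210")
    bob = demo_key("Bob Example", "1980-02-02", "02110")
    providers = [
        Provider("clinic-A", [(alice, "cardiology", "ECG"), (bob, "primary_care", "checkup")]),
        Provider("rehab-B", [(alice, "substance_abuse", "intake")]),
        Provider("lab-C", [(alice, "lab", "lipid panel")]),
    ]
    rls.opt_out(bob)
    listed = [p.publish(rls) for p in providers]
    return rls, alice, bob, listed


if __name__ == "__main__":
    rls, alice, bob, listed = demo()
    print(rls.locate(alice), rls.locate(bob), listed)
```

A breach of this index exposes who has records at which provider, but none of the clinical notes, which stay in each provider's own system.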

Page 20: The State of Play on RLS

Current Markle work on
Model contract for participants (RHIOs) and their participants (such as small practice groups)
Policies and procedures – the big picture for communities who are interested
FAQs for deeper technical dives on hard issues
• E.g., scoring & procedures for authentication
Test interchange: Indiana and Boston

Page 21: IV. Privacy, Security & EMRs

Must be credible on privacy & security or the benefits of EMRs will be undermined
The architecture must be secure
Centralized databases, even for sophisticated financial data, have been publicly breached
Health care is unlikely to be (or to be seen as) doing better than banks, who have centuries of practice in guarding the money
Many consider medical data more sensitive than financial data

Page 22: Some Privacy Basics

Goal should be to improve patient privacy & security in shift to EMRs
Safeguards must be explainable to public
Patient access to linking system (what’s in the system?) and means to correct (those aren’t my records)
Access in HIPAA and FCRA
Patient opt-out from the system, working with providers

Page 23: Mission Creep & EMRs

Many stakeholders will push for access to linked identities and records:
Health quality measurements
Cost controls
Bioterrorism & law enforcement
Medical research
Marketing research
Not all those who want the data should get it
Model contract for linking will address these issues

Page 24: Enforcement

Looking ahead, I believe that enforcement against bad actors should occur, while good faith efforts by data holders should not receive enforcement
To date, 0 civil enforcement actions for 13,000 complaints to the Office of Civil Rights
Recently, DOJ opinion that criminal laws do not apply to most employees of covered entities
The right level of enforcement is not zero
The system should be credible, without chilling much-needed sharing of EMRs for legitimate uses

Page 25: Conclusion

EMRs as the health IT challenge for the next decade, following the ten-year cycle since HIPAA was enacted
Privacy & security concerns for consumers often outweigh the perceived benefits
Strategic challenge for health IT professionals and the entire sector on how to use health IT consistent with the public’s concerns

Page 26: In Closing

As you build your health IT systems, imagine your own records and those of your family being in the infrastructure
Can you say with confidence to your family that their records are secure and confidential?
For substance abuse, psychiatric records, HIV, and other extra-sensitive data?
That’s the standard we should apply to our systems – that each patient’s data is held the way we want our own data to be treated

Page 27: In Closing

That’s the high-tech version of the Golden Rule
Do unto others’ data as you would have them do unto you
Thank you.

Page 28: Contact Information

Peter P. Swire
Consultant, Morrison & Foerster, LLP
Phone: (240) 994-4142
Email: [email protected]
Web: www.peterswire.net

