American College of Physicians: Internal Medicine — Doctors for Adults ®


How to keep electronic records private

New laws and high-tech solutions might work, but what is the downside?

From the September 1998 ACP-ASIM Observer, copyright 1998 by the American College of Physicians-American Society of Internal Medicine.

By Deborah Gesensway

At the University of California, San Diego School of Medicine (UCSD), a staff led by internist Daniel R. Masys, FACP, is attempting to pull off a nearly impossible balancing act. Physicians and researchers there are working on making medical records accessible from any personal computer linked to the Internet while at the same time ensuring that the charts remain confidential and private.

The idea is to give doctors and other health care providers timely access to patient information in order to provide the best care. The project, called "Patient Centered Access to Secure Systems Online," better known as PCASSO (pronounced like the artist's name), also aims to give patients online access to their own charts and to let them see an audit trail of everyone who has viewed their personal health care data. Ideally, the system, which researchers began testing this summer, will keep intruders from snooping around patient records they have no right to see and will catch eavesdroppers in the act.

UCSD's experiment to protect privacy comes at a time when public awareness about the potential for security breaches in medical records, spurred by advances in computer technology and by increasingly integrated health systems that make medical records available to numerous people, is front and center. Hospitals routinely find that privacy is one of the highest-ranking concerns mentioned on patient satisfaction surveys, and this public concern is prompting a wide range of individuals to focus more than ever before on issues relating to health care privacy.

On the national level, Congress has already mandated passage of a federal medical privacy law by August 1999. (The mandate was part of the 1996 Health Insurance Portability and Accountability Act, otherwise known as the Kassebaum-Kennedy Act.) This spring, hearings were held on a half dozen privacy bills. And this past May, President Clinton directed Cabinet departments and major federal agencies to appoint a senior officer responsible for ensuring compliance with privacy laws and regulations. But while everyone who testified before the Congressional committees agrees that the nation needs comprehensive legislation, they can't agree on what exactly the law should contain.

At the same time, architects of electronic medical records have recognized that unless they can work out the technological problems of making their systems tamper-proof, the public and medical profession may reject their technology altogether.


Perhaps the biggest challenge in protecting the confidentiality of health care records is making sure that information isn't so secure that health care providers don't have access to information when they need it.

"Not knowing that patients have a drug allergy when they hit your emergency room unconscious could kill them," said David M. Rind, ACP-ASIM Member, director of primary care informatics at the Center for Clinical Computing at Beth Israel Deaconess Medical Center in Boston. "Whereas I would guess that for 99% of the people who hit your emergency room, if you broadcast everything you did for them out over the Internet unencrypted, their lives would not be changed one little bit. However, that doesn't change the fact that there are a small number of people whose lives would be totally ruined by that."

In addition, there are a number of political, business and sociological factors that make protecting health records' confidentiality a difficult task. First, no national law yet exists that makes it a crime for people to access health care information they are not entitled to see, and state laws vary widely in what they say on the subject. In other words, there is no powerful way to punish snoops even if you catch them.

Second, there are many people besides doctors and patients who legitimately have a need to see personal health information. These include payers, researchers, peer reviewers and public health officials.

And last, but certainly not least, is human nature. By far, most violations of patient confidentiality are due not to technological mishaps, but to sloppy or nosy people. Charts with the most intimate personal information routinely pass through many different hands, from receptionists to billing clerks and everyone in between.

Without a health privacy law that at least sets penalties for unauthorized access to personal medical records, said Janlori Goldman, director of the Health Privacy Project at Georgetown University Medical Center in Washington, the benefits of keeping medical records electronically could easily be overshadowed by the costs of allowing unfettered access by even more individuals to personal health information.

Already, there have been publicized cases of drug companies that have accessed databases of patients who have filled prescriptions for certain drugs and then used this information to market their products directly to patients. The Health Privacy Project, meanwhile, has collected a list of newspaper articles that describe breaches of privacy in medical records. In one case, for instance, Medicaid clerks in Maryland were prosecuted for selling computerized records of recipients' financial resources to sales representatives of managed care companies.

"About 20% to 30% of records are now available in electronic form, and if there is no privacy law passed, more personal information will be misused," Ms. Goldman said. "I believe that will have a dramatic effect on how people seek health care and whether they trust their doctors."

A survey done by Louis Harris & Associates in 1993 proved that patients are already engaging in what Ms. Goldman calls "privacy-protective behavior." In the survey, individuals admitted to doctor-hopping and lying or withholding information from their doctor about their health, tactics that can both hurt treatment and skew biomedical research that depends on claims data. The survey found that 11% of the public have on occasion chosen not to file an insurance claim; 7% told pollsters that they have at some point chosen not to seek care because they didn't want to harm their job prospects or other life opportunities.


One of the toughest barriers is getting the appropriate parties to agree on what the federal law should contain. According to HHS Secretary Donna Shalala, law enforcement personnel should have access to personal health information without patient authorization, an allowance that most privacy advocates adamantly oppose.

Another contentious issue facing lawmakers is how much patient-identifiable data should be available to medical researchers without specific patient authorization. The College, in a letter last fall to Sen. James Jeffords (R-Vt.), a sponsor of one of the most far-reaching medical privacy bills, said it supports allowing the disclosure of some individually identifiable health information without patient authorization for certain medical research projects. The College supports such disclosure only if the research can't be done any other way, if an institutional review board has determined that the research project is so important it would outweigh any intrusion into a patient's privacy, and if the research would be of minimal risk to the patient.

"This falls in between what a physician needs to do to protect the rights of an individual patient vs. our obligation to create new knowledge that will further protect the health of the public," said College Regent Risa Lavizzo-Mourey, FACP, Chair of ACP-ASIM's Ethics and Human Rights Committee. "To say that we can't release any data for research or public health purposes means that we are going to chill research at a time when we need more research related to quality of care and how well our health systems are doing."

The AMA's policy on confidentiality of medical records, meanwhile, makes a distinction between "needs" and "rights," saying that "needs do not bestow rights. ... Conflicts between a patient's right to privacy and a third party's need to know should be resolved in favor of the patient, except where that would result in serious health hazard or harm to the patient or others."

Some privacy advocates want to go even further. The American Civil Liberties Union (ACLU), for instance, has said that Americans should be able to opt out of having any of their patient records kept in computerized networks. Citing a survey it conducted in 1994, the ACLU reported that 75% of the public is concerned about health insurers' ability to put medical information about them into databases accessible by others. The ACLU concluded that Americans should be able to choose to have a "paper-only" patient record.

Groups ranging from the ACLU to the AMA are also adamantly opposing a proposal to create a national patient identifier. Under the Kassebaum-Kennedy bill, HHS was to develop a plan by last February for a patient identifier to track every citizen's medical history from cradle to grave. The agency has not made any proposals and instead held hearings on the subject this summer. Critics claim that a national identifier would make it too easy for everyone from employers to the government to learn about people's health conditions.


Developers of electronic medical records, meanwhile, are forging ahead with efforts that, if successful, could address many of the public's fears about loss of control over electronic records.

Technology, in fact, plays both Dr. Jekyll and Mr. Hyde roles when it comes to issues of health care privacy. On the downside, having vast amounts of personal medical data available in large databases increases the chances of unauthorized access. But on the plus side, explained Georgetown University's Ms. Goldman, it's "much easier to talk about security in electronic networks than to talk about how we are going to create secure paper records in file drawers where you have no way of knowing who has looked at records and under what circumstances."

In San Diego, for instance, the PCASSO program is attempting to combine a number of technologies that will enable electronic medical records to be securely transmitted over the Internet. This is increasingly important, explained Dr. Masys, as one patient's health care information may now be delivered to many different sites, from multiple offices to outpatient labs, radiology clinics, nursing homes and hospitals.

In short, PCASSO works this way: Health care workers only have access privileges based on their specific roles in providing health care to a particular patient. The system uses digital signatures, common Internet security strategies like encryption that are already being used for electronic commerce, and continuously changing passwords. These are all security protections that cannot be imposed on paper records.

PCASSO then adds a piece of software called an intrusion detector that looks to see if "Trojan horse" software (a kind of computer virus that allows eavesdropping on Internet transactions) is stored in the memory of the computer trying to log on. If a Trojan horse-type program is detected, PCASSO will not let the medical records program run and will tell the user that it has detected a potential security risk. PCASSO also won't let that user save any of the medical record or print the record to a networked printer.

"A lot of these things are not in and of themselves bulletproof, but they raise the cost and complexity of trying to break into PCASSO to the level that it is more trouble than it's worth," Dr. Masys said. This, he said, should help raise the public's confidence in electronic medical records and the current state of security on the Internet.

Halfway across the country in Chicago, Paul C. Tang, FACP, medical director of information services at Northwestern Memorial Hospital, has decided that the public isn't ready for their records to go on the Internet. He worries that without a national privacy law on the books, the potential for security breaches could jeopardize further adoption of his computerized patient record system, known as EpicCare. As a result, he is concentrating on improving the security of the hospital's internal network so that physicians can securely access records from remote sites, such as their homes.

Like PCASSO, EpicCare allows users to access only select portions of the record; physicians have certain access privileges, while clerks have others. The system also tracks who looks at what part of each record, and this "audit trail" is sent to a security officer every day. Finally, all the employees have signed a confidentiality agreement stating that they will only look at records for which they have a need.
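As an added illustration (not PCASSO's or EpicCare's own code), here is the access model the two systems share as described above: a user's privilege comes from their role on a particular patient's care team, every attempt to read part of a chart is written to an audit trail whether or not it is allowed, the patient can see who has viewed their chart (as PCASSO offers), and a daily summary goes to a security officer (as at Northwestern). The roles, chart sections and sample patient are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Sections of a chart each role may read.  Roles and sections are constructed
# for this example; real policies are far more detailed.
ROLE_SECTIONS = {
    "physician": {"demographics", "allergies", "medications", "notes", "labs"},
    "clerk": {"demographics", "billing"},
    "patient": {"demographics", "allergies", "medications", "labs", "billing"},
}


@dataclass
class AuditEntry:
    when: datetime
    user: str
    role: str
    patient: str
    section: str
    allowed: bool
    reason: str


class RecordServer:
    def __init__(self, charts: dict, care_teams: dict):
        self.charts = charts          # patient -> {section: content}
        self.care_teams = care_teams  # patient -> {user: role on that patient's care team}
        self.audit: list[AuditEntry] = []  # every attempt is recorded, allowed or not

    def read(self, user: str, patient: str, section: str, when: datetime):
        # Privilege comes from the user's role for *this* patient, not from a
        # hospital-wide title; a patient is implicitly on their own care team.
        role = "patient" if user == patient else self.care_teams.get(patient, {}).get(user)
        if role is None:
            allowed, reason = False, "not on care team"
        elif section not in ROLE_SECTIONS[role]:
            allowed, reason = False, "section not permitted for role"
        else:
            allowed, reason = True, "ok"
        self.audit.append(AuditEntry(when, user, role or "none", patient, section, allowed, reason))
        return self.charts[patient].get(section) if allowed else None

    def patient_view_of_trail(self, patient: str) -> list[AuditEntry]:
        """Who has viewed this patient's chart, as PCASSO shows the patient."""
        return [e for e in self.audit if e.patient == patient and e.allowed and e.user != patient]

    def daily_report(self, day: date) -> dict:
        """Daily summary for the security officer, as EpicCare sends one."""
        todays = [e for e in self.audit if e.when.date() == day]
        denied = [e for e in todays if not e.allowed]
        return {"attempts": len(todays), "denied": len(denied),
                "denied_users": sorted({e.user for e in denied}),
                "reads_per_user": dict(Counter(e.user for e in todays if e.allowed))}


def build_demo() -> RecordServer:
    """Constructed sample chart and care team for one patient."""
    charts = {"P001": {"demographics": "J. Doe, 1950", "allergies": "penicillin",
                       "labs": "K+ 4.1", "notes": "f/u in 6 weeks", "billing": "plan A"}}
    return RecordServer(charts, {"P001": {"dr_rind": "physician", "clerk_a": "clerk"}})
```

Refused attempts are as important to the daily report as successful ones, since a clerk repeatedly probing clinical notes is exactly what the security officer needs to see.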

Doctors who want to access EpicCare from outside the campus need a "secure ID card," a credit-card sized card with an LCD panel that flashes a six-digit password that changes every 60 seconds. After connecting to EpicCare through the phone lines, users need both this card and a personal identification number to get into the network. Once they're in the network, users need to know how to use the system to get to specific patient records.
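An added example (not Northwestern's or the token vendor's code) of how the server side checks the two factors described above: a six-digit code that changes every 60 seconds plus a PIN. It assumes the card implements an RFC 6238-style time-based one-time password (the 1998 card used a different proprietary algorithm, but the verification logic is the same); the token seed and PIN are constructed.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60  # the card displays a new code every 60 seconds
DIGITS = 6         # six-digit code, as the article describes


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Code the card would show at unix_time (RFC 6238-style TOTP, an assumption)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are stored only as salted PBKDF2 hashes, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenVerifier:
    """Checks PIN plus token code, tolerates one step of clock drift, refuses replays."""

    def __init__(self, drift_steps: int = 1):
        self.users = {}          # user -> (token seed, pin salt, pin hash)
        self.last_counter = {}   # user -> most recent time step already accepted
        self.drift_steps = drift_steps

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (seed, salt, hash_pin(pin, salt))

    def verify(self, user: str, pin: str, code: str, now: int) -> str:
        """Return 'ok' or the reason for refusal (which belongs in the audit trail)."""
        if user not in self.users:
            return "unknown user"
        seed, salt, pin_hash = self.users[user]
        # Constant-time comparisons so response timing does not reveal partial matches.
        if not hmac.compare_digest(hash_pin(pin, salt), pin_hash):
            return "bad pin"
        if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return "bad code"
        current = now // STEP_SECONDS
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if hmac.compare_digest(token_code(seed, counter * STEP_SECONDS), code):
                # Each code is usable once: a step at or before the last accepted one is a replay.
                if counter <= self.last_counter.get(user, -1):
                    return "replayed code"
                self.last_counter[user] = counter
                return "ok"
        return "bad code"
```

The drift window is what keeps a card whose clock has slipped a few seconds usable, while the per-user high-water mark is what makes a code one-time even inside that window.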

"First we try to limit your ability to get into trouble, and then we'll take action if you get around that," Dr. Tang said. The system has been up and running for a small number of workers at two Northwestern clinics for two years, he said, with no security breaches.

In addition to such high-tech solutions, some hospitals and health systems are taking a decidedly low-tech approach to protect privacy. They are looking at their own policies, employee training and facilities to see if they can do better in making patients feel more secure that their medical privacy will be respected.

The University of Pennsylvania Health System in Philadelphia, for example, made improving patient privacy a top priority in the past year after administrators realized that not all hospital employees understood what information should be kept confidential and how it should be treated. From rebuilding hospital waiting rooms so that doctors have a private place to talk with waiting relatives to posting flyers reminding clinicians not to talk about patients in elevators, the idea is to get everyone in the system's four hospitals and its doctors' offices to practice confidentiality at all times, explained Debra Roberts, director of guest services at the health system.

Penn decided to beef up its security even though the system so far has only a fledgling electronic medical record. Explained David Shulkin, ACP-ASIM Member, Penn's chief medical officer, "I think that whenever people look toward technology to solve a problem that really has to do with human behavior, they are usually disappointed with the results. And it seems to me that this is a behavioral issue, albeit one complicated by technology."

Ways to protect your patients' privacy around the office

It was only after going through training on how to improve patient privacy that Risa Lavizzo-Mourey, FACP, said she realized how much information an interloper could glean from all those stickies around her desk reminding her to call individual patients about test results or medical questions.

"There are all sorts of ways that we violate patient confidentiality, but unless people point them out, you don't think of them," said Dr. Lavizzo-Mourey, chief of the division of geriatrics and director of the Institute on Aging at the University of Pennsylvania Health System. The training she went to earlier this year is now mandatory for all new employees—everyone from doctors and medical students to billing clerks—at Penn's hospitals and physician practices. Dr. Lavizzo-Mourey is an ACP-ASIM Regent and chair of the College's Ethics and Human Rights Committee.

Experts say that physicians need to realize that their patients commonly fear breaches of medical privacy. Penn, for instance, regularly finds that privacy is one of the highest-ranking concerns mentioned on patient satisfaction surveys, said David Shulkin, ACP-ASIM Member, chief medical officer of the Penn Health System.

Moreover, the College's ethics manual (available on the Web at says that physicians, recognizing that "confidentiality is a fundamental tenet of medical care," have an obligation within their own institutions to "advocate policies and procedures to secure the confidentiality of patient records."

Mary LeGrand, RN, a St. Louis-based practice management consultant with Karen Zupko & Associates, said it is apparent from her experience visiting medical practices that most can easily improve their handling of medical records to make them more secure. "We've been very lax as a society in terms of [securing] our medical records," she noted.

The following are some points internists can think about to improve medical privacy in their own practices:

  • Delineate a formal medical records management system for your office. Include policies spelling out who can remove a chart, when it needs to be returned, how to identify who has removed a chart and where it went.
  • Develop a standard format and procedure for the release of medical records. Decide whether requests must be made in writing, whether records can be faxed out and how the authenticity of requests will be checked. Ms. LeGrand recommended that practices adopt the policy that no records are released without sign-off from a physician.
  • Ensure that patient charts contain only objective information relevant to the care of the patient. This is important as more states and the federal government are ruling that patients own the information in their personal medical record and can correct information contained in them. Doctors will not fare well under these laws if their charts contain notes describing individuals as difficult patients, Ms. LeGrand said.
  • Be clear in every employee's job description that maintaining patient confidentiality is a responsibility of the position, and make sure employees know that they can be fired for breaching this. This is especially important in small towns or rural areas, where employees are likely to know patients, Ms. LeGrand said. But it is also important in a big city system like Penn, Dr. Shulkin added, because the system wants to convince its many employees to turn to Penn for care for themselves and their families.
  • Make sure you have a private place to give patients both good and bad news, said Regina Sturgis, coordinator for accreditation and regulatory compliance at Penn, and one of the developers of its "Hush" patient confidentiality staff training program. There are obvious reasons for breaking bad news in a private place, she said, but delivering good news in private can also improve patient confidence in your practice.
