After much debate about potential risks and benefits, the inevitable is happening: Medical information is going online. The first step has been online enrollment in health plans. But enrollment is just the tip of the iceberg: Some health plans and providers offer telephone and online help lines, through which patients can ask questions about their medical conditions. Drugstores are all over the Web too, and very soon employees will be able to file their medical claims online. None of this is surprising.
While the health-care industry has rarely taken the lead in IT investment, health-care providers, insurance companies and managed-care organisations have been storing medical records in electronic format for some time, and it is a short step from a database to an intranet or the Internet. But as personal medical information starts to fly around the world on electronic networks, legal and ethical issues are flying into the corporate suite.
The advantages of online medical information are clear: It can improve the quality and reduce the cost of health care. A Boston resident might become so ill while visiting Houston that he could not give his medical history to the attending physician. If his records were available electronically, the physician could make informed decisions. Similarly, 24/7 access to records would remove the need to complete forms each time a patient visits a new doctor, lab, dentist or clinic, saving health plans, and ultimately all companies, money and time. Health plans are already feeling the impact. Aetna US Healthcare, for example, claims a 40 per cent boost in efficiency since its implementation of online enrollment.
But the prospect of electronic medical records (EMRs) also raises serious concerns about the increased risk of loss of privacy. Society has rightfully attributed special sensitivity to protecting an individual's health information. An individual treated by a psychiatrist, a woman who has had an abortion or a man completing genetic testing, for example, might want to limit access to that information. In these and other cases, there can be great anxiety that the transfer of medical records among professionals will allow strangers access to sensitive personal data.
In fact, maintaining security can be an issue with any medical information. Confidentiality can be broken in hospital elevator conversations, and paper records in a physician's office or a hospital can be misplaced, damaged, misused or even stolen.
We hear of public figures whose psychiatric records circulate during election campaigns, of a senior citizen whose medical history became public at an open court hearing and of an AIDS patient whose hospitalisation records were passed to his coworkers by a hospital receptionist. While companies are legally barred from using employee health information to make personnel decisions, recent court cases show that the reality is somewhat different.
With online information, the danger seems intensified. A paper chart can be read only by someone standing in the room; a networked record, without adequate controls, can be reached by anyone with access to the system and used inappropriately. Unfortunately, some health-care organisations tend to have a dangerously relaxed attitude about electronic security. Instead they are dealing with the more immediate concern of gaining quick and easy access to data that will help diagnose illness, manage disease and support medical research.
Clearly, everyone must take pains to secure all medical information regardless of the cost. Employees must be confident that their information is used only as needed and by the appropriate people. But what exactly should one do? For many CIOs, the situation is a potential minefield. The rules are still uncertain, there is little time and emotions run high.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) calls for new security and electronic signature standards to improve the efficiency of data transfer between health-care organisations and ultimately to produce data that would be more useful for government oversight and assessment of health outcomes. HIPAA's Administrative Simplification subtitle requires protecting the confidentiality of medical data and has recently emerged as a major challenge for designers of medical information systems.
Critics have focused on the issues of confidentiality. A provocative proposal for a unique patient identifier number (the equivalent of a Social Security number) has generated additional protest. Nevertheless, the data standard regulations are already authorised and have been issued as Notices of Proposed Rulemaking by the Department of Health and Human Services.
Health-care organisations will have to develop policies and procedures to implement these data standards. This is more than a technical issue, more than needing the right software or hardware. It is instead a process.
CIOs will need input from a multidisciplinary group that understands the organisation's risks and security needs. Together, they must outline basic protocols for screening processes, awareness programs, access control systems, and health information management and disaster recovery policies. In addition, they have to create ways to prevent sabotage, theft and the unauthorised linkage of records across systems.
Planning efforts also require an understanding of the varying attitudes about privacy. Some religious groups, for example, do not want any clinical information made available, and their rights should be respected. In a study conducted at the University of Missouri School of Medicine, patients indicated a great deal of interest in privacy issues and information protection.
As the CIO, you are at particular risk. If employees complain about a breach of confidentiality, the CIO will receive a large share of the blame. If the organisation loses money from fraud or civil liability, the finger will be pointed at the CIO for not enforcing the rules. If a hacker gains access, it is the CIO's reputation that will falter.
You should take the lead in setting standards for your organisation. As an information protector, you should:
-- Establish a task force that sets the EMR policy and monitors its impact.
-- Develop a risk analysis that determines the adequacy of firewalls, security administration, auditing tools and monitoring tools.
-- Assess the organisation's awareness of security issues at all levels and the effectiveness of abuse monitoring and reporting systems.
-- Prioritise what needs to be protected. Do not look at all information monolithically.
-- Identify the most sensitive data in terms of its value to the organisation and employee privacy, and consider segmenting the information and applying security measures appropriately.
-- Ensure that you have an infrastructure in place that can sustain security: the technical skills, the organisational environment and structure, and appropriate lines of authority.
-- Communicate your plan throughout the organisation to avoid misunderstandings.
-- Make employees aware of the importance of efficient transfer and appropriate disclosure of health-care data, and equally aware of the potential for abuse.
-- Articulate your perspective on privacy and confidentiality issues in relation to the significant benefits of electronic medical records.
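Two items in the list above, segmenting the record by sensitivity and applying controls appropriately, and monitoring for abuse, are concrete enough to show in code. The following is an added example, not code from the article or from Andersen Consulting: it sorts record segments into sensitivity tiers (with the psychiatric, reproductive and genetic categories the article names in the most restricted tier), grants reads by role and by whether the user currently treats the patient, allows a logged emergency override for the out-of-town emergency described earlier, and then mines the audit trail for users who repeatedly probe records they are not entitled to. The tiers, roles, segment names, thresholds and sample requests are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from collections import defaultdict

# Sensitivity tiers, most restricted last (assumed segmentation).
GENERAL, RESTRICTED, SPECIAL = 1, 2, 3

# Which part of the record sits in which tier. The SPECIAL tier holds the
# categories the article singles out (psychiatric, reproductive, genetic).
SEGMENT_TIER = {
    "demographics": GENERAL, "allergies": GENERAL,
    "medications": RESTRICTED, "diagnoses": RESTRICTED,
    "psychiatry": SPECIAL, "reproductive": SPECIAL, "genetics": SPECIAL,
}

# Highest tier a role may read in the ordinary course of work (assumed policy).
ROLE_CEILING = {"receptionist": GENERAL, "billing": GENERAL,
                "nurse": RESTRICTED, "physician": RESTRICTED,
                "psychiatrist": SPECIAL}
CLINICAL_ROLES = {"nurse", "physician", "psychiatrist"}


@dataclass
class Request:
    user: str
    role: str
    patient: str
    segment: str
    treating: bool = False     # current care relationship with this patient?
    break_glass: bool = False  # emergency override asserted by the user


@dataclass
class AuditLog:
    """Append-only trail of every decision; the abuse monitor reads it."""
    entries: list = field(default_factory=list)

    def record(self, req, decision, reason):
        self.entries.append({"user": req.user, "role": req.role,
                             "patient": req.patient, "segment": req.segment,
                             "decision": decision, "reason": reason})


def authorize(req, log):
    """Return True if the read is allowed; every outcome is written to the log."""
    tier = SEGMENT_TIER.get(req.segment)
    if tier is None:
        log.record(req, "DENY", "unknown segment")
        return False
    if req.break_glass:
        # Emergency access: clinical staff only, and always flagged for review.
        if req.role in CLINICAL_ROLES:
            log.record(req, "BREAK_GLASS", "emergency override")
            return True
        log.record(req, "DENY", "break-glass not permitted for role")
        return False
    if tier > ROLE_CEILING.get(req.role, 0):
        log.record(req, "DENY", "segment above role ceiling")
        return False
    if tier > GENERAL and not req.treating:
        # Need-to-know: beyond demographics, a care relationship is required.
        log.record(req, "DENY", "no treatment relationship")
        return False
    log.record(req, "ALLOW", "within policy")
    return True


def flag_suspicious(log, max_denials=3):
    """Abuse monitoring over the trail: users who keep probing segments they
    are not entitled to, plus every break-glass use (needs a human reviewer)."""
    denials, overrides = defaultdict(int), defaultdict(int)
    for e in log.entries:
        if e["decision"] == "DENY":
            denials[e["user"]] += 1
        elif e["decision"] == "BREAK_GLASS":
            overrides[e["user"]] += 1
    flagged = {u: f"{n} denied accesses" for u, n in denials.items() if n >= max_denials}
    flagged.update({u: f"{n} break-glass use(s) pending review" for u, n in overrides.items()})
    return flagged


# Constructed sample traffic, not real data: a receptionist browsing
# restricted segments, a physician reading outside a care relationship,
# and an emergency-room physician using the override.
SAMPLE = [
    Request("rx01", "receptionist", "P100", "demographics"),
    Request("rx01", "receptionist", "P100", "psychiatry"),
    Request("rx01", "receptionist", "P101", "psychiatry"),
    Request("rx01", "receptionist", "P102", "genetics"),
    Request("dr07", "physician", "P100", "diagnoses", treating=True),
    Request("dr07", "physician", "P100", "psychiatry", treating=True),
    Request("dr07", "physician", "P200", "medications"),
    Request("er02", "physician", "P300", "psychiatry", break_glass=True),
    Request("ps03", "psychiatrist", "P100", "psychiatry", treating=True),
]


def run_sample():
    """Authorize the sample requests and return (decisions, log, flagged users)."""
    log = AuditLog()
    decisions = [authorize(r, log) for r in SAMPLE]
    return decisions, log, flag_suspicious(log)


if __name__ == "__main__":
    decisions, log, flagged = run_sample()
    for req, ok in zip(SAMPLE, decisions):
        print(f"{req.user:5} {req.role:13} {req.patient} {req.segment:13} -> {'allow' if ok else 'deny'}")
    print("flagged:", flagged)
```

Two design points are worth noting. The physician's ceiling deliberately stops at the restricted tier, so even a treating physician cannot open the psychiatric segment without the override; that is what segmentation buys beyond a single "clinical staff" role. And denials are logged, not just grants, because the receptionist in the sample is only visible as a problem through three refused reads; an audit trail that records successes alone would never show the attempt.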
With input from your key sources, you should be preparing your company to meet the mandated new standards for accountability, responsibility and integrity of information. You should find models for establishing security policies that successfully integrate the seemingly contradictory goals for data integrity, data access and confidentiality.
The CIO must be a key player in the development of policies and procedures that address these issues. While EMRs may never be perfectly protected, like all security systems, they must balance privacy with access and be in sync with an organisation's culture.
No one can guarantee absolute privacy of online medical records, but everyone can surround them with security measures that ensure appropriate use. For the CIO, it is a necessity, not an option.
(James Hudak is the global managing partner in health services at Andersen Consulting.)