We have access to nearly everything on-line – news of any variety, email, blogs (ahem), sports scores (congrats Colts!), music, family photos and our finances. But why is our healthcare data still largely missing in action? It’s not because IT is incapable of making it accessible. It’s more about the skittishness of the healthcare industry to expose sensitive patient data. The potential risks and consequences of granting the masses access to Electronic Protected Health Information (EPHI) are perceived to be far greater than the expected benefits.
The Health Information Portability and Accountability Act (HIPAA) altered the landscape for how healthcare entities manage private electronic medical data. Title II of HIPAA is normally the section which affects those of us in IT, and its aim is to create “standards for the use and dissemination of health care information.” While HIPAA is definitely a positive move in the protection of EPHI, it is also a major reason why that data is largely unavailable to patients over the Internet. And even though entities are expected to govern themselves, there is the threat of severe civil and even criminal penalties for non-compliance, which causes a reluctance to provide remote data access.
For all of the advancements made in technology, healthcare has grossly lagged behind in many ways. You probably would not bank at a financial institution that does not offer the means to check your account balances on-line and make on-line bill payments. The good news is you don’t have to. Those have become basic perks which must be offered to customers in order to stay competitive.
When was the last time you were able to log onto a website to access portions of your health record? I know, most of you probably haven’t wanted to (yet), but I’m guessing the majority reading this have not even had the option. I am personally more concerned about my financial data being exposed than I am about my medical history, but there are different laws governing the two industries. (Strangely enough, many insurance carriers have been forward thinking enough to offer on-line claims access to their customers.)
So what will it take to make personal medical data accessible by patients over the Internet? Technically, not much. Many physicians and other medical professionals already can access hospital lab results and medical charts from their offices and homes. Access is usually granted through a web browser over an SSL VPN connection. For additional security, there is typically a firewall on the hospital network, additional access controls and an application layer proxy to protect the data from direct exposure to the Internet. It wouldn’t take much additional technical effort to extend a similar level of access to a patient wishing to view their personal medical records.
To assist healthcare entities, the Department for Health and Human Services has identified potential risk management strategies for remote access, grouped into the areas of access, storage and transmission.
- Accessing EPHI – implement two-factor user authentication; establish session time-out parameters; employ the use of firewalls and updated anti-virus software.
- Storing EPHI – deploy policy to encrypt backup and archival media; implement audit procedures; establish EPHI deletion policies; prevent download of EPHI onto remote systems; minimize use of browser-cached data.
- Transmitting EPHI – implement strong encryption solutions.
HIPAA places the responsibility of data security on the covered entity. HIPAA guidelines are geared toward healthcare employees and involved medical professionals who have a definite need to access protected information. I simply don’t read anything that suggests specific guidelines for a person needing or desiring access to their own medical records. That usually requires a personal trip to the medical records department to sign a release form.
Government guidelines warn healthcare providers to be extremely cautious about allowing remote access to EPHI, and to only allow it when it is deemed absolutely necessary. When providers do decide to offer remote access, they must be prepared to prove that they have made every reasonable effort to maintain the confidentiality, integrity and security of the protected data. Reasonable efforts should include data encryption, detailed audit logs and granular user access control. Usage policies that guard against potential abuse should also be in place, requiring session timeouts and routine changes to unique user passwords. Allowing remote access to users on insecure PCs takes a certain level of control away from the healthcare providers and places them at risk for legal action. It is a risk most are not willing to take.
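As an added illustration (not part of the original post or of any HHS material), the sketch below combines several of the controls named above for a patient viewing their own record: a second-factor check, an idle session time-out, an own-record-only access rule, a no-store cache header, and one audit entry per request. The `Session` class, the `fetch_record` function, the 15-minute time-out and the sample records are assumptions made for the example.

```python
import time

# Assumed value for the example; the post does not give a time-out length.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Ask the browser not to keep the response (EPHI) in its cache.
NO_CACHE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache"}


class Session:
    """Hypothetical portal session for one authenticated patient."""

    def __init__(self, patient_id, second_factor_ok, now):
        self.patient_id = patient_id
        self.second_factor_ok = second_factor_ok
        self.last_seen = now


def fetch_record(session, requested_id, records, audit_log, now=None):
    """Return (status, headers, body); every request is written to audit_log."""
    now = time.time() if now is None else now
    if not session.second_factor_ok:
        status, reason = 401, "second factor missing"
    elif now - session.last_seen > IDLE_TIMEOUT_SECONDS:
        status, reason = 401, "session timed out"
    elif requested_id != session.patient_id:
        status, reason = 403, "not the patient's own record"
    elif requested_id not in records:
        status, reason = 404, "no such record"
    else:
        status, reason = 200, "ok"
        session.last_seen = now  # only successful activity extends the session
    audit_log.append({"time": now, "user": session.patient_id,
                      "record": requested_id, "status": status, "reason": reason})
    body = records[requested_id] if status == 200 else None
    return status, dict(NO_CACHE_HEADERS), body


if __name__ == "__main__":
    # Constructed sample data, not real records.
    records = {"patient-1": "constructed lab result A", "patient-2": "constructed lab result B"}
    log = []
    s = Session("patient-1", second_factor_ok=True, now=0.0)
    print(fetch_record(s, "patient-1", records, log, now=60.0)[0])    # own record
    print(fetch_record(s, "patient-2", records, log, now=120.0)[0])   # someone else's record
    print(fetch_record(s, "patient-1", records, log, now=5000.0)[0])  # after the idle time-out
    for entry in log:
        print(entry)
```

Denied requests are logged as well as successful ones, so the audit trail shows attempted access to other patients' records and use of expired sessions.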