The threats to electronic health information (EHI) security are numerous, and the press abounds with stories of security violations. EHI confidentiality could be compromised because of actions or omissions on the part of an entity’s own employees or external parties, which engage in either intentional wrongdoing or unintentional carelessness.
Ensuring the security of a computer system is an extremely challenging task. Operating systems and many application programs are very complex, consisting of millions of lines of program code developed and modified by hundreds of programmers over the course of years.
It is common for such software to contain unknown defects and security vulnerabilities, even after years of use. Connecting computers via a network multiplies overall system complexity while creating new avenues of attack. Much older software was designed without regard for network security. Computer hackers are often able to discover and exploit vulnerabilities by violating the basic assumptions of designers about how their systems will be used. Many hackers are experts in arcane details of system implementation that few professional programmers know about.
Hackers exploit the Internet to launch attacks, share information with each other, and enlist help in perpetrating attacks. The nature of the Internet makes it easy for them to conceal their identities and even to masquerade as legitimate users of a system. Security can also be compromised by mistakes in system configuration and administration and by failure to promptly install security updates to software. Finally, the human users of a computer system are often vulnerable to “social engineering,” in which someone, who wishes to attack the system, contacts them and, taking advantage of their good nature, dupes them into revealing a password or other sensitive information.
The Implication of Computer Security in The Health Field and Its Importance
There has been a great number of incidents dealing with security violations including the theft of computers, inappropriate deleting of data, etc (Johnston, 2009). For example, an unencrypted disc containing the EHI of 75,000 members of Empire Blue Cross and Blue Shield in New York was lost in March of 2007. Similarly, on April 26, 2006, Aetna announced that a laptop computer containing EHI for 38,000 insured individuals had been stolen and that the confidentiality of the data might have been compromised. In a different type of incident, a Maryland banker, who served on the state health commission, determined which of the bank’s customers were cancer patients and canceled their loans. Other reports document the accidental electronic posting of details concerning the sexual and psychological problems of patients and an incident in which overseas hackers accessed hospital computers, potentially obtaining 230,000 patient records from Children’s Hospital in Akron, Ohio.
Outsourcing of health information processing to overseas service providers can create particularly significant security vulnerabilities. The American Medical Association (AMA) has itself recognized that contracts with foreign business associates require special privacy safeguards.
Many different parties might be interested in patients’ health data. As described above, employers, insurers, advertisers, and marketers all have reasons to try to obtain personal health information. Other service providers might find medical records useful as well. Lenders, for example, could benefit from knowing which borrowers have significant health risks that might interfere with their ability to work and repay their loans. Educational institutions can also benefit from enrolling healthy students with the greatest potential for professional success, whose achievements will enhance the schools’ reputations and whose fortunes will enable them to become generous donors.
Like organizations, individuals may seek EHI about other persons for a variety of purposes. Those seeking romantic partners might wish to avoid mates who are at high risk for serious illness or for passing hereditary diseases to their children. Blackmailers may use private health information to extort payments from individuals, who have much to lose from disclosures concerning details of their medical histories, such as HIV status or psychiatric conditions. In the context of political campaigns, some might attempt to besmirch the reputations of particular candidates or cause voters to lose confidence in them by revealing damaging medical information.
Typically, the medical data are used to submit false bills to Medicare and health insurance providers. False entries placed in victims’ medical records can lead to inappropriate medical treatment, the exhaustion of health insurance coverage, and the victims’ becoming uninsurable. Because medical records also can contain Social Security numbers, billing information, and credit card numbers, medical identity theft can result in financial hardship for its victims, as perpetrators engage them in credit card fraud and other financial crimes using the information they have obtained.
The Privacy Rule’s “uses and disclosures” provision prohibits the utilization and dissemination of PHI without the patient’s consent except in specific circumstances related to medical treatment, payment, public health needs, or other obligations established by law. The Rule also addresses the fact that many covered entities retain other parties to perform legal, financial, and administrative services and that such “business associates” may process sensitive health information.
The HIPAA Security Rule’s requirements appear in two forms: standards and implementation specifications, with the latter being designated either “required” or “addressable.” Covered entities enjoy some flexibility with respect to addressable implementation specifications, because, in appropriate cases, entities are authorized to document why implementation of these criteria is not “reasonable and appropriate” and implement an equivalent measure if a suitable one is available.
One section of the HIPAA Security Rule is devoted to administrative safeguards. The general standards established in this section focus on the following areas: security management processes, security awareness, training, etc. The implementation specifications require risk assessment, the creation of a sanctions policy for noncompliant employees, workforce clearance procedures, log-in monitoring, password management, and many other measures.
The physical safeguards section of the Security Rule articulates four standards relating to facility access controls, workstation use, workstation security, and device and media controls. Under the implementation specifications, covered entities must develop a number of plans and procedures, such as ones related to facility security, access control and validation, and data backup and storage.
Enforcement the HIPAA Privacy and Security Rules allow for administrative enforcement of the regulations but not for a private cause of action. Aggrieved individuals may file complaints with the secretary of HHS, and HHS may also conduct compliance reviews on its own initiative (Andress, 2003). The government enjoys discretion as to which complaints it will choose to investigate. If HHS finds a violation, it will attempt to resolve the matter informally. However, the secretary may also sanction offenders with civil penalties in an amount not to exceed $100 per violation or $25,000 during a calendar year “for all violations of an identical requirement”.
Health Information Confidentiality is not Sufficiently Protected under U.S. Law
Although many state and federal laws address medical data privacy, existing legal interventions are limited in scope and do not provide patients with comprehensive protection. Unfortunately, self-regulation on the part of private industry is often deficient. For example, a review of the privacy policies of thirty personal health record service providers revealed that existing policies were incomplete and left worrisome gaps.
The prospect of a national, interoperable health information network raises serious and novel concerns. With an NHIN, each patient’s EHR will be potentially accessible to any health care provider in the country, and information will be frequently transmitted electronically and shared with various medical team members. These capabilities will require enhanced mechanisms to achieve patient identification, user authentication, data integrity, access control, and confidentiality.
Critique of the HIPAA Privacy and Security Rules
The HIPAA Privacy and Security Rules suffer from several significant flaws. First, as noted above, the rules cover only health plans, health care clearinghouses, and health care providers, which transmit electronic PHI for claims or benefits purposes. Consequently, employers, marketers, operators of websites dispensing medical advice or selling medical products and all other parties, who possess and process EHI, are exempt from the requirements of the HIPAA Privacy and Security Rules. Even physicians, who require cash payments from patients upon provision of care and, therefore, do not bill any party or interact with insurers, fall outside the jurisdiction of the rules. This narrow scope of coverage is troubling, because some of the most serious threats to confidentiality are associated with entities that possess EHI but are not governed by HIPAA. As more and more parties process and utilize EHI for their own business objectives, there are growing dangers of hacking, theft, development of illicit health information markets, and other forms of malfeasance. Thus patients might increasingly find that unexpected people or organizations possess their EHI and become increasingly concerned that the data will be used in harmful and inappropriate ways. Without an ability to submit inquiries to covered entities concerning the origins and use of their medical data, health care consumers have little power to track their EHI and try to prevent its exploitation.
Third, the HIPAA Privacy Rule does not provide aggrieved individuals with a private cause of action. Instead, enforcement is achieved through HHS investigations, hearings, and fines or through criminal prosecutions. The absence of a right to sue significantly weakens the privacy regulations’ deterrent powers and means that those who have been injured by confidentiality or security breaches cannot obtain personal relief. With feeble enforcement, covered entities may have little incentive to comply with onerous regulatory requirements. By contrast, the threat of private litigation may lead covered entities to conclude that some violations could be costly. In addition, judicial scrutiny could contribute to the efficacy of the Privacy and Security Rules by providing opportunities for the interpretation of vague regulatory language, establishment of significant precedents, and education of the public concerning their legal rights and obligations through cases that are published or capture media attention.
Fourth, the HIPAA Security Rule provides only minimal compliance guidance to covered entities. The Security Rule boasts a “flexibility of approach” that allows covered entities to choose the mechanisms for “reasonably and appropriately implementing the Rule’s standards and specifications” (Brower & Chalk, 2003). However, most covered entities are unlikely to have the expertise or resources to make competent decisions concerning which security technologies to employ. Furthermore, entities with sophisticated HIT capabilities could take advantage of the rule’s vagueness in order to implement suboptimal security measures that circumvent the purpose of the rule. It does not provide any instruction as to how encryption should be implemented, such as specifying acceptable encryption algorithms or their properties. Similarly, the Security Rule fails to offer guidance as to how appropriate risk analysis should be conducted, even though accurate risk analysis is essential to a determination of what security risks a covered entity faces and, consequently, what solutions and safeguards it should implement. Lack of specificity and detail characterizes most other Security Rule requirements as well.
Finally, the HIPAA Privacy Rule has been criticized for providing ineffectual privacy protections, because it fails to adequately limit disclosures and empower data subjects. For example, some argue that the Privacy Rule compromises patient protection by allowing disclosure of PHI to third parties for purposes of treatment, payment, and health care operations without patient consent.
While the rule requires that patients receive notice of a covered entity’s anticipated uses and disclosures, it does not enable individuals to prohibit transmission of their PHI for such purposes. In addition, some have noted that the Privacy Rule allows parties, which obtain authorizations for release of information from patients, to obtain limitless amounts of data rather than restricting the contents of disclosures to information that is actually needed by such parties, because it is business-related. Thus, if an employer requires applicants to sign authorizations for release of all their medical records, the employer can gain access to intimate details about candidates that will have no impact on job performance.
Recommendations for Improving Protection of EHI
Many entities other than health care providers, insurers, and clearinghouses routinely obtain personal health data, and the data that they handle are vulnerable to abuse without sufficient security and privacy safeguards. The term “business” should be defined as an “activity or enterprise undertaken for purposes of livelihood or profit”.
This definition would remedy the current problem of under-inclusiveness without being overly inclusive. Employers, financial institutions, educational institutions, website operators, and others, who process EHI for business reasons and have a financial interest in the data subject’s health status, would be required to implement appropriate security and privacy measures. These safeguards should address the threats of both inadvertent and malicious data disclosures. However, the revised definition would not cover benign circumstances, such as private citizens emailing each other about a friend’s illness or volunteers organizing food or transportation for the sick and disabled. Thus, the rules would not intrude upon private conduct and would not be overzealous in imposing onerous requirements in inappropriate circumstances. The HIPAA Privacy Rule should be revised to allow individuals to submit inquiries to covered entities concerning the origin and use of their health information.
These inquiries could be submitted through websites that are established by covered entities, and responses could be provided by email, where possible. Covered entities could also charge fees for the processing of these requests, since the rule already permits organizations to require payment for information that is provided to patients pursuant to their inquiries. Thus, those who become aware that unanticipated parties possess their information might be able to determine how and why their data were obtained without their authorization.
It is particularly challenging to litigate and prosecute privacy and security violations that originate in foreign countries, because the reach of American law is limited in such cases. As an increasing amount of medical work is outsourced, and EHI is more frequently processed internationally, such violations are a growing concern. In the future, regulators might consider placing appropriate restrictions on the transfer of EHI to foreign parties.
In order to determine best practices for particular functions, most covered entities would need to hire security product vendors. These vendors should be certified either directly by the government or by certifying organizations that are themselves licensed by CMS. Many tools and technologies that can improve EHI security already exist. Security alerts and solutions are also offered through the website of a well-respected, federally funded organization, the Computer Emergency Response Team (CERT).
Furthermore, a Google search reveals numerous products that advertise themselves as turnkey solutions for HIPAA Security Rule compliance. It is likely that, as public awareness and demand for EHI security rise, increasingly sophisticated, effective, and reasonably priced technologies will be developed.
The government and privacy advocacy groups could also play a role in facilitating compliance with the Security Rule. Public interest organizations could research and distribute materials concerning computer security best practices. In addition, CMS could maintain publicly accessible websites with lists of available products and with comment areas in which covered entities could post input concerning security practices that they have utilized.
As evidenced by numerous studies and reported incidents, Americans’ private health information faces a set of challenges and difficulties nowadays. The dangers of privacy and security violations will only intensify in the future as greater numbers of providers transition from hardcopy medical files to electronic health records. Health data vulnerabilities can have significant social, policy, and economic impacts.
The federal and state governments have enthusiastically promoted health information technology and have responded to concerns about privacy by enacting various laws and regulations. The existing legal scheme, however, does not provide health care consumers with comprehensive protection. Focusing on the HIPAA Privacy and Security Rules, this chapter has outlined several recommendations to rectify some of the regulatory shortcomings.
As medical practice increasingly transitions to electronic and automated formats, we must not remain complacent about privacy and security threats to EHI. It is only with appropriate legal interventions that the great promise of health information technology will be realized and that its valuable benefits will outweigh its significant risks.