The National Academies of Sciences, Engineering and Medicine
Office of Congressional and Government Affairs
At A Glance
Title: Confidentiality of Medical Information
Date: 10/28/1997
Session: 105th Congress (First Session)
Witness: John Glaser

Vice-President and Chief Information Officer, Partners HealthCare System, Inc., Boston, and Member, Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, Computer Science and Telecommunications Board, National Research Council

Chamber: Senate
Committee: Committee on Labor and Human Resources

For the Record: Protecting Electronic Health Information

Testimony of
John Glaser
Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure
Computer Science and Telecommunications Board
National Research Council
Vice President and Chief Information Officer
Partners HealthCare System, Inc.
Boston, MA

before the Committee on Labor and Human Resources
U.S. Senate

October 28, 1997

Mr. Chairman, distinguished members of the committee, I appreciate the opportunity to appear before you this morning to discuss privacy and security of health information. I recently served on the National Research Council committee that produced the report, For the Record: Protecting Electronic Health Information. That committee was asked by the National Library of Medicine, the Magnusson Clinical Center, and the Massachusetts Health Data Consortium to investigate ways of improving privacy and security in health care applications of national information infrastructure. In doing so, the committee drew upon the diverse perspectives of volunteer members who brought expertise in medical informatics, computer security, patient privacy, medical practice, and research. It further benefited from the testimony of privacy groups, users of health information, and security specialists.

As the committee discovered, protecting patient privacy requires efforts at two levels. First, individual institutions must improve the practices they use to protect health information within their organizations. They must ensure that authorized users don’t abuse their access privileges and that unauthorized users don't break into their information systems to alter or delete data. Second, the nation as a whole must decide how to address the privacy concerns that arise from the sharing of patient information among different entities in the nation’s health system. A surprising number of organizations receive information about patients’ health records—often without a patient’s knowledge or consent (Figure 1). These include care providers, insurers, pharmacists, state public health organizations—sometimes even employers, life insurance companies, or marketing firms. Unless ways can be found to balance the privacy rights of individuals against the legitimate needs of such institutions for patient information, health care may suffer as patients become less willing to seek care or withhold sensitive personal information.

Protection at Individual Institutions

Protecting health information within individual institutions requires a combination of sound policies and strong security. Policies determine who within an institution can access different types of data and under what circumstances. Security provides the technical means of implementing and enforcing policy. Health organizations are beginning to develop new means of protecting health information as they put it on-line. Most have developed policies and practices in an ad hoc fashion, reacting to individual incidents. Attempts to take a more pro-active approach have been hampered by three factors:

The first step in addressing these problems is to develop a set of standard practices for protecting health information within individual institutions. These practices should be adopted by all organizations that handle patient-identifiable health information, not just providers and payers. The practices should include technical tools to identify and validate the identity of users, limit their access to particular types of information, protect remote access points, and keep logs of all accesses to health information. They should also include organizational policies, procedures, and practices that ensure that institutions develop, implement, and enforce security and confidentiality policies.

The study committee articulated a set of practices that it believes can serve as the basis for such standards (Box 1). By focusing more on requirements than on particular mechanisms, these practices can be adopted by a wide range of organizations with different needs and resources. They are flexible enough to allow different technical approaches and to accommodate new technologies as they emerge. The committee hopes these practices will become the basis of industry-wide standards in this area.

The committee also recommends that industry work with government to develop the infrastructure needed to help health organizations better protect health information. Industry and government should continue to support a health information security standards subcommittee within the National Committee on Vital and Health Statistics. They should also establish an organization modeled after the computer emergency response team at Carnegie Mellon University to collect information about security incidents in the health care community and to develop and disseminate effective solutions for addressing these concerns.

Systemic Concerns

Additional steps will be needed to address the systemic concerns that arise from the widespread sharing of patient information throughout the health care system. While academic research is generally subject to review and approval by Institutional Review Boards, few mechanisms exist to regulate or monitor the use of health information in other sectors, whether insurance, benefits management, or marketing. Patients fear that organizations may use the information in ways that will harm them, whether to deny insurance, employment, or a promotion.

To address these concerns the committee recommends that the federal government work with industry to promote an informed public debate that would determine how best to balance the privacy concerns of patients against the information needs of various organizations. Should Congress determine as a result that patients’ privacy interests need to be better protected, the committee identified three legislative options it could consider.

First, it could pass legislation to restrict access to patient-identifiable health information based on intended use. Such legislation would establish the “boundaries” Secretary Shalala described in her recent testimony to this committee. For example, it could allow the use of patient-identifiable information for caring for patients, reviewing claims for payment, conducting research approved by an institutional review board, analyzing the quality and cost of care in different organizations, and detecting fraud and abuse. It could require reliance on anonymized or aggregated data in all other uses. Before exercising this option, additional analysis is needed to determine the extent to which—and the conditions under which—different users of health information require data containing patient identities. For example, is patient-identifiable data needed to detect fraud and abuse in the insurance industry? Do self-insured companies need identifiable data to monitor their benefits programs? Or can anonymized data be used in these cases?

Second, legislation could be considered to prohibit specific practices of concern to patients. Such legislation could, for example, prevent employers from making individual employment decisions on the basis of patient-specific health information or prohibit genetic discrimination in the workplace. Doing so would eliminate or reduce many of the worst fears of consumers, especially if backed by strong penalties for violators.

Third, legislation could establish specific information rights for patients. Patients generally have no legal basis upon which to demand redress for violations of privacy, access to their own health records, or disclosure of information flows. Extending relevant provisions of the Fair Information Practices Act of 1974 to the health care arena could accomplish these objectives. For example, organizations that collect, analyze, or disseminate health information could be required to adopt a set of fair information practices. These practices would define the obligations and responsibilities of the organization, establish enforcement rights for patients, and make the flows of health information more transparent to patients.

These three approaches are not meant to be mutually exclusive. Congress might wish to implement some combination of these approaches to provide comprehensive protection for patients.

Universal Patient Identifiers

In addressing systemic concerns, Congress may also wish to examine the current initiative to create a unique health identifier for each patient in the health care system. This effort is part of the response to the Health Insurance Portability and Accountability Act of 1996. A universal patient identifier clearly has many benefits, allowing the many different records referring to an individual patient across the health care system to be linked more easily for care, payment, administration, or research. But a universal identifier may also exacerbate systemic concerns over patient privacy. If information can be linked for legitimate purposes, such as collating a complete medical record for a physician, it also may be linked for other purposes that patients might not approve of. It might even allow health records to be linked with records outside the health care system.

The committee recommended three specific criteria that any system used to link patient records should meet, whether an individual number or a more sophisticated linking scheme.

Other criteria, such as ease of management and integration into existing information systems, will also need to be considered in devising a universal patient identifier. These three criteria are intended to ensure that privacy concerns are explicitly recognized in the debate and that patient privacy is ultimately protected.


In conclusion, the committee believes that adoption of its recommendations will allow patient privacy to be protected as the health care industry improves care and lowers costs through computerization. By addressing issues at the level of individual institutions and the health care system as a whole, comprehensive protections can be put in place that will address the broad spectrum of privacy concerns.

Thank you for giving me this opportunity to testify. I will be pleased to answer any questions you may have.

BOX 1. Security Practices Recommended for Immediate Implementation

This box summarizes a discussion of practices recommended in Chapter 6 of the report, For the Record: Protecting Electronic Health Information. Readers should read Chapter 6 in full for the complete detail, argumentation, and support for these measures.

Technical Practices and Procedures

Individual authentication of users. To establish individual accountability, every individual in an organization should have a unique identifier (or log-on ID) for use in logging onto the organization’s information systems. Strict procedures should be established for issuing and revoking identifiers. Where appropriate, computer workstations should be programmed to automatically log off if left idle for a specified period of time.

Access controls. Procedures should be in place for ensuring that users can access and retrieve only that information that they have a legitimate need to know.

Audit trails. Organizations should maintain in retrievable and usable form audit trails that log all accesses to clinical information. The logs should include the date and time of access, the information or record accessed, and the user ID under which access occurred. Organizations that provide health care to their own employees should enable employees to conduct audits of accesses to their own health records. Organizations should establish procedures for reviewing audit logs to detect inappropriate accesses.
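The audit-trail practice above names three fields every access log entry should carry (date and time, record accessed, user ID) and calls for a review procedure to detect inappropriate accesses and a way for patients or employees to see who looked at their own record. The following is an added example, not code from the report or from any organization it describes: the log format, the user and patient IDs, and the care-team and role tables are all constructed for illustration. It parses a few sample log lines, flags accesses by users with no documented need to know (the access-control principle from the preceding item), and produces the per-patient report.

```python
"""Audit-trail review for clinical record accesses (added illustrative example).

The pipe-delimited log format, user IDs, patient IDs, care teams and
role table below are constructed for this example; a real system would
draw them from its own records.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log, one access per line:
# timestamp|user_id|patient_id|record_type|action
SAMPLE_AUDIT_LOG = """\
1997-10-27T08:15:00|dr_adams|P1001|progress_note|read
1997-10-27T08:20:00|rn_baker|P1001|medication_list|read
1997-10-27T09:02:00|dr_adams|P1002|lab_result|read
1997-10-27T11:45:00|billing_02|P1002|claim_summary|read
1997-10-27T23:30:00|clerk_17|P1001|progress_note|read
1997-10-27T23:31:00|clerk_17|P1003|progress_note|read
1997-10-28T07:05:00|dr_adams|P1001|progress_note|write
"""

# Constructed need-to-know tables: the care team for each patient, plus the
# record types a non-clinical role (here, billing) is allowed to see.
CARE_TEAMS = {
    "P1001": {"dr_adams", "rn_baker"},
    "P1002": {"dr_adams"},
    "P1003": {"dr_chen"},
}
ROLE_ACCESS = {"billing_02": {"claim_summary"}}


@dataclass(frozen=True)
class AuditEntry:
    when: datetime      # date and time of access
    user_id: str        # user ID under which the access occurred
    patient_id: str
    record: str         # the information or record accessed
    action: str


def parse_audit_log(text: str) -> list[AuditEntry]:
    """Parse the pipe-delimited log into AuditEntry objects, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user_id, patient_id, record, action = line.split("|")
        entries.append(AuditEntry(datetime.fromisoformat(when), user_id,
                                  patient_id, record, action))
    return entries


def has_need_to_know(entry: AuditEntry) -> bool:
    """True if the user is on the patient's care team or their role covers the record type."""
    if entry.user_id in CARE_TEAMS.get(entry.patient_id, set()):
        return True
    return entry.record in ROLE_ACCESS.get(entry.user_id, set())


def flag_inappropriate(entries: list[AuditEntry]) -> list[AuditEntry]:
    """Review step: every access with no documented need to know is returned for follow-up."""
    return [e for e in entries if not has_need_to_know(e)]


def accesses_for_patient(entries: list[AuditEntry], patient_id: str) -> list[tuple[str, str, str]]:
    """Per-patient report (date/time, record, user ID), as a patient or employee could request."""
    return [(e.when.isoformat(), e.record, e.user_id)
            for e in sorted(entries, key=lambda e: e.when)
            if e.patient_id == patient_id]


if __name__ == "__main__":
    log = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in flag_inappropriate(log):
        print(f"REVIEW: {e.when} {e.user_id} accessed {e.record} of {e.patient_id} ({e.action})")
    for row in accesses_for_patient(log, "P1001"):
        print("P1001 access:", *row)
```

On the constructed data the review flags only the two late-night accesses by clerk_17, who is on no care team and has no role-based entitlement; the billing user's access to a claim summary passes because the role table covers it. Keeping the need-to-know tables separate from the log means the same log can be re-reviewed when care-team membership changes.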

Physical security and disaster recovery. Organizations should limit unauthorized physical access to computer systems, displays, networks, and medical records; they should plan for providing basic system functions and ensuring access to medical records in the event of an emergency (whether a natural disaster or a computer failure); they should store backup data in safe places or in encrypted form.

Protection of remote access points. Organizations with centralized Internet connections should install a firewall that provides strong, centralized security and allows outside access to only those systems critical to outside users. Organizations with multiple access points should consider other forms of protection to protect the host machines that allow external connections. Organizations should also require a secure authentication process for remote and mobile users such as those using home computers. Organizations that do not implement either of these approaches should allow remote access only over dedicated lines.

Protection of external electronic communications. Organizations should encrypt all patient-identifiable information before transmitting it over public networks, such as the Internet. Organizations that do not meet this requirement either should refrain from transmitting information electronically outside the organization or should do so only over secure dedicated lines. Policies should be in place to discourage the inclusion of patient identifiable information in unencrypted e-mail.

Software discipline. Organizations should exercise and enforce discipline over user software. At a minimum, they should install virus-checking programs on all servers and limit the ability of users to download or install their own software. These technical practices should be supplemented with organizational procedures and educational campaigns to provide further protection against malicious software and to raise users’ awareness of the problem.

System assessment. Organizations should formally assess the security and vulnerabilities of their information systems on an ongoing basis. For example, they should run existing “hacker scripts” and password “crackers” against their systems on a monthly basis.

SOURCE: Computer Science and Telecommunications Board, National Research Council, For the Record: Protecting Electronic Health Information (Washington, DC: National Academy Press, 1997).

BOX 1. Security Practices Recommended for Immediate Implementation (continued)

Organizational Practices

Security and confidentiality policies. Organizations should develop explicit and clear security and confidentiality policies that express their dedication to protecting health information. These policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information.

Security and confidentiality committees. Organizations should establish formal points of responsibility (standing committees for large organizations, a single person or a small committee for small organizations) to develop and revise policies and procedures for protecting patient privacy and for ensuring the security of information systems.

Information security officers. Organizations should identify an information security officer who is authorized to implement and monitor compliance with security policies and practices. The security officer should maintain contact with relevant national information security organizations.

Education and training programs. Organizations should establish programs to ensure that all users of information systems receive some minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies before being granted access to any information systems.

Sanctions. Organizations should develop a clear set of sanctions for violations of confidentiality and security policies that are applied uniformly and consistently to all violators, regardless of job title. Organizations should adopt a zero-tolerance policy to ensure that no violation goes unpunished.

Improved authorization forms. Health care organizations should develop authorization forms that will improve patients’ understanding of health data flows and limit the time period for which authorizations are valid. The forms should list the types of organizations to which identifiable or unidentifiable information is commonly released.

Patient access to audit logs. Health care providers should give patients the right to request audits of all accesses to their electronic medical records and to review such logs.

SOURCE: Computer Science and Telecommunications Board, National Research Council, For the Record: Protecting Electronic Health Information (Washington, DC: National Academy Press, 1997).