This is part two of a three-part series on IT security. Part three, on authorization issues, will appear in the December issue of Health Data Management.
The Indiana University Health Center in February started offering students the opportunity to create and maintain personal health records via a secure page on the Bloomington-based school's student Web portal.
The PHR serves dual purposes, says Pete Grogg, associate director at the health center. It will help streamline administrative procedures, such as the completion of intake forms prior to an appointment. In addition, it should bridge the mobility gap of students whose regular physician remains in their hometown. With the PHR, students can show caregivers treatment received at home and the university, Grogg explains. "We're enabling a process where providers feel they're getting better information in the care process."
The university is using the PHR software of NoMoreClipboard.com, Fort Wayne, Ind. The vendor controls the PHR platform and is responsible for most of the technology to secure data in the PHRs. That's why appropriate protection of patient information was a major part of the vendor selection process, Grogg says.
The university's requests for proposal had questions pertaining to a number of security areas. These included: user authentication, access management, data breach policies and use of information for marketing purposes. Information technology staff at the university, along with security, privacy and compliance officers, participated in vendor interviews. The team scrutinized their security and privacy procedures. "The final two vendors did not use information for marketing purposes," Grogg says. "We wanted the patient to have control over how that information was used."
There's not a lot of difference in how an organization secures PHR data compared to how it secures other electronic health information, says C. Martin Harris, M.D., CIO at Cleveland Clinic. Best security practices are the rule regardless of where the information is stored, he adds. "That's where the expertise is, and that expertise is constantly changing and improving."
However, there are subtle changes in security policies surrounding PHRs, Harris notes. Cleveland Clinic permits the viewing via the PHR of specific data elements from a patient's electronic health records systems. But some information, particularly abnormal test results, never will be viewable before a patient learns of the results from a physician.
Before launching the PHR several years ago, Cleveland Clinic conducted focus groups with patients to learn what data from information systems was most valuable to them and what they were concerned about, Harris says. "What they didn't want was to learn of a catastrophic diagnosis through a computer."
Some personal health records vendors sell software that enables a consumer to download a PHR template to a computer, then create and maintain the document. But in general, vendors remotely host most PHRs, particularly those that provider organizations, insurance companies or employers sponsor. So much of the task of protecting the security and confidentiality of the data rests with the vendor.
But PHR vendors often use identifiable and aggregate data for a variety of purposes. These include improving the quality of service, complying with legal processes and engaging in marketing activities. PHR sponsors and vendors sometimes want to use data to send appropriate, personalized information to consumers, such as medical research updates and best treatment practices for particular conditions. Vendors, however, often also use patient data to target advertisements from drug companies for condition-appropriate medications.
Take a look at the privacy policies of PHR vendors and you'll see spelled out a bunch of ways they could use your identifiable or aggregate data. But vendors need to abide by a core principle, says George Scriban, HealthVault product management at Microsoft Corp., Redmond, Wash. "Data in your PHR is controlled by you," he notes. "We forsake any right or ability to monetize that data without you giving us explicit consent in each instance."
Assessing Data Integrity
Regardless of how well consumer-entered PHR data is secured, it still isn't data from the official medical record.
And that's a security issue because the integrity of the data is questionable. Some physicians have been skeptical of the trustworthiness of information in a PHR since the technology first became available to consumers.
Yet these same physicians - just like most physicians - would rely on the same information given by a patient verbally. That contradiction aside, questions remain as to how physicians can ensure the medication list and other data in a PHR is accurate, acknowledges Grogg of Indiana University Health Center.
"It's the responsibility of the provider," he notes. "They still have to ask the patient about the information and probe and prod during the interview process just as if the patient was telling what medications they are taking."
The University of Indiana Health Center is working with its vendors to enable providers to know if information in a PHR came from its own electronic records system or was generated by the student user. When the work is complete, official data from the university will be flagged. Until then, at least some official data will be identifiable as provider-originated because it will be scanned images or PDF files.
As more consumers adopt PHRs, a growing number of providers want to be able to import at least some of that data, such as vital signs from monitoring devices, into their EHRs, says Scriban of Microsoft.
Providers are starting to accept that patient-generated data beats having no data, he explains. And PHR data may bring value to the medical encounter. The frequency and intensity of headaches over a period of time that is recorded in a PHR is likely much more accurate, for example, than a patient might recollect in the presence of a physician.