This is part two of a three-part series on IT security. Part three, on authorization issues, will appear in the December issue of Health Data Management.
The Indiana University Health Center in February started offering students the opportunity to create and maintain personal health records via a secure page on the Bloomington-based school's student Web portal.
The PHR serves dual purposes, says Pete Grogg, associate director at the health center. It will help streamline administrative procedures, such as the completion of intake forms prior to an appointment. In addition, it should bridge the mobility gap of students whose regular physician remains in their hometown. With the PHR, students can show caregivers treatment received at home and the university, Grogg explains. "We're enabling a process where providers feel they're getting better information in the care process."
The university is using the PHR software of NoMoreClipboard.com, Fort Wayne, Ind. The vendor controls the PHR platform and is responsible for most of the technology to secure data in the PHRs. That's why appropriate protection of patient information was a major part of the vendor selection process, Grogg says.
The university's requests for proposal had questions pertaining to a number of security areas. These included user authentication, access management, data breach policies and use of information for marketing purposes. Information technology staff at the university, along with security, privacy and compliance officers, participated in vendor interviews. The team scrutinized the vendors' security and privacy procedures. "The final two vendors did not use information for marketing purposes," Grogg says. "We wanted the patient to have control over how that information was used."
There's not a lot of difference in how an organization secures PHR data compared to how it secures other electronic health information, says C. Martin Harris, M.D., CIO at Cleveland Clinic. Best security practices are the rule regardless of where the information is stored, he adds. "That's where the expertise is, and that expertise is constantly changing and improving."
However, there are subtle changes in security policies surrounding PHRs, Harris notes. Cleveland Clinic permits the viewing via the PHR of specific data elements from a patient's electronic health records systems. But some information, particularly abnormal test results, never will be viewable before a patient learns of the results from a physician.
Before launching the PHR several years ago, Cleveland Clinic conducted focus groups with patients to learn what data from information systems was most valuable to them and what they were concerned about, Harris says. "What they didn't want was to learn of a catastrophic diagnosis through a computer."
Some personal health records vendors sell software that enables a consumer to download a PHR template to a computer, then create and maintain the document. But in general, vendors remotely host most PHRs, particularly those that provider organizations, insurance companies or employers sponsor. So much of the task of protecting the security and confidentiality of the data rests with the vendor.
But PHR vendors often use identifiable and aggregate data for a variety of purposes. These include improving the quality of service, complying with legal processes and engaging in marketing activities. PHR sponsors and vendors sometimes want to use data to send appropriate, personalized information to consumers, such as medical research updates and best treatment practices for particular conditions. Vendors, however, often also use patient data to target advertisements from drug companies for condition-appropriate medications.
Take a look at the privacy policies of PHR vendors and you'll see spelled out a bunch of ways they could use your identifiable or aggregate data. But vendors need to abide by a core principle, says George Scriban, HealthVault product management at Microsoft Corp., Redmond, Wash. "Data in your PHR is controlled by you," he notes. "We forsake any right or ability to monetize that data without you giving us explicit consent in each instance."
Assessing Data Integrity
Regardless of how well consumer-entered PHR data is secured, it still isn't data from the official medical record.
And that's a security issue because the integrity of the data is questionable. Some physicians have been skeptical of the trustworthiness of information in a PHR since the technology first became available to consumers.
Yet these same physicians - just like most physicians - would rely on the same information given by a patient verbally. That contradiction aside, questions remain as to how physicians can ensure the medication list and other data in a PHR are accurate, acknowledges Grogg of Indiana University Health Center.
"It's the responsibility of the provider," he notes. "They still have to ask the patient about the information and probe and prod during the interview process just as if the patient was telling what medications they are taking."
The University of Indiana Health Center is working with its vendors to enable providers to know if information in a PHR came from its own electronic records system or was generated by the student user. When the work is complete, official data from the university will be flagged. Until then, at least some official data will be identifiable as provider-originated because it will be scanned images or PDF files.
As more consumers adopt PHRs, a growing number of providers want to be able to import at least some of that data, such as vital signs from monitoring devices, into their EHRs, says Scriban of Microsoft.
Providers are starting to accept that patient-generated data beats having no data, he explains. And PHR data may bring value to the medical encounter. The frequency and intensity of headaches recorded in a PHR over a period of time, for example, are likely much more accurate than what a patient might recollect in the presence of a physician.
Shielding Student Records
Protecting the medical records of college students can be a bit tricky. The students are adults, but at the same time often still are dependent on their parents and may live under their roof when not in school.
The PHR being offered at the Indiana University Health Center resides on the student portal. Many parents have student-authorized access to the portal so they can view grades and make tuition payments.
But does a student who was tested or treated for a sexually transmitted disease at the university really want a parent to have access to that data? To enable students to keep their medical data private, the university encourages a PHR password that is different from the student's portal password, Grogg says. "We didn't want single-sign-on access from that portal to the PHR."
To extend the value of the PHR, the university is working with its electronic health records vendor, Cleveland-based Workflow.com, to generate a continuity of care document that can be imported into the PHR. The document will be a clinical summary generated at the health center. Data exchanged will include demographics, medications, allergies and medical conditions, among other information.
Students will be able to choose to have the continuity of care document sent to a secure "staging area" rather than have the university directly import EHR data into the PHR. This will enable students to look at their EHR data and pick what actually goes into their PHR. Students also can fax information from their PHR to another provider or grant providers "read only" access to the information.
Students must give consent before data will flow from the health center EHR to the PHR.
"We'll be requiring any student to present credentials in person at the health center before exporting any data to their PHR," Grogg says.
The health center "soft launched" the PHR service in February with about a month to go in the semester. It expects this spring to complete its integration with the EHR and an online scheduling application.
The soft launch enables the health center to fine-tune the service before ramping up in the fall. "We're going to take that opportunity to educate students and their parents on what the PHR is and how they can use it," Grogg says. Already, he notes, the parent of an incoming student expressed worries over privacy and asked if students had to have a PHR. "That just reinforced to me that we've got to be very open and clear with our message."
Consequently, the health center plans a series of articles in the student newspaper to explain the risks and benefits of a PHR and the security and privacy policies. The student portal will include a Frequently Asked Questions section on PHRs. And health center staff will introduce the PHR to students and parents of each new class.
PHR security starts at the very beginning of the service with positive identification of the patient requesting the service, says CIO Harris of Cleveland Clinic.
The clinic launched its free PHR more than four years ago, using software from Verona, Wis.-based Epic Systems Corp., its core clinical systems vendor. The clinic hosts the PHR just as it hosts the other clinical systems, primarily using third-party security software, such as access control, on the front end. Initially, patients had to enroll when they came in for treatment, presenting identifying credentials in person.
Cleveland Clinic migrated to online enrollment about two years ago. Today more than 180,000 patients have a PHR account, Harris says. After enrollment, the clinic mails an access code to the patient, who subsequently presents the credentials online. These credentials are data elements about the patient already in the clinic's information systems. So the patient has to enter certain requested information, and that information is matched with data elements in the systems before credentials are accepted and access is granted. Patients also must comply with a set of rules for selecting a user name and password.
They are counseled to not share their user name and password. But Cleveland Clinic doesn't have a detailed patient education program on PHR security issues because patients decide with whom to share their PHR information. "It's really the same as if they were going to share any kind of medical information," Harris says. "Our clear directive is that the information is the patient's and should only be shared at the patient's discretion."
Patients with a Cleveland Clinic PHR can view some information from the clinic's clinical systems through the PHR. This includes medications and allergies, their past and future appointment schedules and test results. The information, however, stays in the clinical systems and isn't imported into the PHR. "We're making visible literally the same information a doctor is looking at," CIO Harris says.
Patient-entered PHR information, such as self-monitored blood glucose values and blood pressure readings, can be shared with physicians. But the physicians decide if that information should go into the EHR. If so, it is flagged as PHR information.
Cleveland Clinic last year started working with Google Health and Microsoft HealthVault to enable patients outside its service area to share their Cleveland Clinic data with their home providers. A patient returning to Arizona, for instance, can go into their Google or Microsoft account, pull down data from the clinic and print it. Data that is from the clinic is flagged so a physician knows what information came from the clinic and what is patient-entered.
Microsoft's HealthVault isn't a PHR. It is a platform on which vendor partners can offer PHRs, medical information content and a host of other services to help consumers better understand and track their health status.
So, not all patient data of HealthVault users resides on - and is protected on - Microsoft's servers. Who holds what data? "It's an architectural question," explains product manager Scriban of Microsoft.
If a third-party vendor builds a native PHR application on the HealthVault platform, Microsoft stores all the information. If a third-party vendor retrofits an existing PHR to sit on HealthVault, then some data resides on the vendor's servers and some on Microsoft's. If that retrofit application is fully synchronized, then all the data rests on both the vendor and Microsoft servers.
Data on HealthVault is governed by HealthVault's privacy policies. Data held elsewhere by a HealthVault vendor partner is governed by that vendor's policies. Microsoft "explicitly" requires HealthVault partners to treat users' data with the utmost care, Scriban says. Further, Microsoft gets a good idea of a vendor's security architectures and policies as the companies establish a partnership, Scriban notes.
This article can also be found at HealthDataManagement.com.