Testimony to the National Committee on Vital and Health Statistics Subcommittee on Health Data Needs, Standards and Security

Recommendations for Security Standards

Jim McCord, Chairman of the Board and Chief Executive Officer
Oacis Healthcare Systems Incorporated
100 Drake's Landing Road
Greenbrae, CA 94904

On August 6th, 1997.

I wish to express my appreciation to the Subcommittee members for the opportunity to speak with you today, and for your commitment on this evolving and complex issue.

Oacis Healthcare Systems supplies very large-scale clinical information systems, sometimes called "automated medical records," are built around a comprehensive clinical repository that forms a complete longitudinal medical record for large delivery organizations. Oacis also delivers a series of applications that use this database that provide physicians and clinicians with real-time access to information at the point of care. Oacis systems are installed in both the U.S. and international markets.

We understand that the HIPAA legislation focuses primarily on claims related data, not necessarily the detailed clinical information systems such as we provide. However, claims submissions typically contain clinical content such as diagnostic codes, which although not articulated in the legislation, are as much, if not more, sensitive to individual confidentiality concerns. Therefore, I would like to focus more on the confidentiality of clinical content standards issues relevant to the industry of which Oacis is a part.

It is hard to imagine a computer system that contains more sensitive information than an Oacis clinical data repository. A typical repository includes micro-level clinical data fed from dozens or hundreds of sources both automated and manual. Some of our clients have repositories that include hundreds of thousands of patients covering multiple years with tens and hundreds of gigabytes of data. Although each provider can make different decisions on exactly what is stored in the repository and who can access it for what purpose, there is no doubt that most of our repositories are much more complete than a paper chart and far more accessible.

Because of this sensitivity, our clients and their patients are increasingly concerned about confidentiality and security of clinical data. As more organizations put advanced clinical systems into production they are finding it a challenge to balance the need for electronic patient confidentiality with quick, simple and adequate caregiver access to the patient information. This balancing act is a significant issue in the acceptance of automated systems. If physicians have to wait 45 seconds while the system authenticates and audits a piece of clinical information they will most likely never use the system. Similarly, if security features are too stringent, a caregiver either may be denied access to a piece of critical data, with consequent potential for compromising patient care, or users may find ways around the restrictions — for example by sharing access codes or badges — that render all of the technical precautions useless.

Furthermore, we find that every healthcare organization we serve has a different set of standards for privacy issues. These are often dependent on institutional policies, usually conditioned by various external rules imposed by state or national agencies. Our major concern with confidentiality in healthcare is not so much the lack of standards, but rather the lack of uniform policies. The current patchwork of state legislation on patient health data privacy in an electronic world is very complex to navigate, and developing one software solution to meet all of these different requirements is difficult and costly.

To facilitate the myriad of requirements through the United States and international markets, Oacis has developed a system which is highly configurable and customizable so that it can be configured for each client based on their local policy. For example, security can be imposed down to the individual data element level by person. This solution works, but it imposes a high cost to the client who is implementing a clinical repository. We believe that uniform policies would reduce the costs of developing and implementing clinical information systems, and would allow us to provide secure solutions which are much closer to the client's needs while still maintaining the ability to tailor additional security functionality to meet specific requirements.

Our recommendation is that before security standards are selected for clinical data, a "National Confidentiality Policy with a Global View" should be put into legislation to provide a framework by which these standards can be set and met. This policy should of course be framed in the U.S. context, but it should also look to policies established by other countries so that software and systems vendors can compete in an international market. For example, the policy should be crafted with knowledge of the European Union's 1995 Directive on Data Protection and the more recent Council of Europe's recommendation on the protection of medical data. European countries are generally ahead of the U.S. in establishing policies for security of clinical data and there is much we can learn from them.

A national policy must also be capable of being implemented at a reasonable cost so that it does not further increase healthcare costs or delay the benefits of electronic medical records. For example, policy should not make blanket requirements such as "all events or access will be audited"; such a requirement would create audit trail databases three to five times the size of the clinical repository itself which is already straining the limits of current technology. Policy must also encompass all segments of the healthcare continuum, including the patient, clinician, medical records personnel, hospital, HMO or IDN, providers and insurers, health information services, and so forth. It is equally important that the policy take into account different uses of healthcare data, such as direct care, historical analysis for diagnosis, clinical research, and public health research, and define what constitutes improper uses of clinical data. Finally, the policy must not impede a clinician's ability to render quick, efficient, quality healthcare since that is what these systems are all about in the first place.

We are concerned that appropriate standards are selected for implementation of a national policy. The lack of good standards has been and continues to be a major impediment to the large scale adoption of automated medical record systems. Standards Development Organizations (SDOs) and their committees should be ANSI certified. In the current HIPAA legislation, we encourage the use of ANSI X12 standards for claims processing. However, in the broader context of the electronic medical record, such standards are not as relevant.

For security in the electronic medical record two checklist items that come up most often in RFPs are the CPRI "Security Features for Computer-based Patient Record Systems" and occasionally the Institute of Medicine's "Gold Standard". Although neither document has been approved by an ANSI certified SDO they are still a reasonable starting point given the lack of any official standard. Although we have never received any client inquiries about ASTM E1869, Standard Guide for Confidentiality, Privacy, Access and Data Security, we feel that this standard may also be a good starting point for defining the confidentiality of the electronic medical record.

For electronic transfer of healthcare information, we recommend the HL7 standard, which has wide acceptance in the health care industry. The HL7 community is actively working with X12 to enable the use of HL7 for the transfer of the clinical information needed for claims attachments. HL7 also has a Security Special Interest Group which is coordinating the efforts of several other SDOs in this area. We feel that HL7 has the broadest representation and support from both the healthcare provider community and vendor community which will help to provide standards which will be quickly implemented.

I would like to recommend to the Subcommittee that certain areas be taken into account during the process of proposing healthcare security standards. Among these are:

Finally, I would like to encourage the National Committee on Vital and Health Statistics and its subcommittee to work closely with national and international standards development organizations as well as with organizations representing providers, users and vendors in the healthcare field. Buy-in from all of these communities will be essential if we are to realize a workable balance between security and practicality in automated clinical information systems.

Thank you.