Department of Health and Human Services
National Committee on Vital and Health Statistics
Subcommittee on Privacy and Confidentiality
November 18 – 19, 2004
Washington, D.C.
– Minutes –
The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics (NCVHS) held hearings on November 18 and 19, 2004, at the Hubert H. Humphrey Building in Washington, D.C. The meeting was open to the public.
Present:
Subcommittee Members:
- Mark A. Rothstein, J.D., Chair
- Simon P. Cohn, M.D.
- Richard K. Harding, M.D.
- John P. Houston, J.D.
Staff and Liaisons:
- Amy Chapper, CMS
- J. Michael Fitzmaurice, Ph.D., AHRQ
- Maria Friedman, CMS
- Kathleen Fyffe, HHS
- Christina Heide, OCR
- Debbie Jackson, NCHS, CDC
- Catherine Lorraine, FDA
- Sue McAndrew, OCR
- Dr. Helga Rippen, ASPE
- Dr. Steve Steindel, CDC
- Marietta Squire, NCHS, CDC
- Sarah Wattenberg, SAMHSA
Others:
- Elena Anagnostiadi, National Association of Boards of Pharmacy
- Bill Bing, McKesson Corporation, assistant general counsel
- Geff Brown, J.D., Mayer, Brown, Rowe & Maw
- Anne Canfield, Rx Benefits Coalition.
- Brian Coy, Wexler and Walker Public Policy Associates
- Paul Donfried, Strategic Identity Group, SAFE
- Theresa Doyle, Health Care Leadership Council
- Lydia Duckworth, Veterans Health Administration.
- Suzanne Gelber, MSW, Ph.D., The Avisa Group
- Brian Gradle, Hogan and Hartson
- Peggy Hanney, Phillips Medical Systems
- Robin Kaigh, Esq.
- Jim Keese, Eastman Kodak
- Dave Kizner, Stentor
- Kelly Lavin, American Osteopathic Association.
- Bernie Liebler, AdvaMed.
- Robert MacNeil, McKesson Provider Technologies
- Anita Marton, Legal Action Center
- C. David McDaniel, Veterans Health Administration
- John Murray, FDA
- Michael Pollard, Medco Health Solutions.
- Alison Rein, M.S., National Consumers League
- Phil Rothermich, Express Scripts.
- Michelle Roye, MD, American Academy of Pediatrics.
- Andrew Shelton, The Pink Sheet
- Al Taylor, FDA Center for Devices and Radiological Health
- Jessica Townsend, Health Resources and Services Administration
- Laura Van Tosh, Consultant
- Stephen Vosterg, NEMA
- Jessica Wang, SAFE
- Patricia Watts, Veterans Health Administration.
- Stephen Wexler, Veterans Health Administration
- Ken Wittimore, Sure Scripts
- Marilyn Zigman-Luke, America’s Health Insurance Plans
EXECUTIVE SUMMARY
The Subcommittee on Privacy and Confidentiality held hearings on November 18 and 19, 2004, on implementation issues under the HIPAA Privacy Rule. The Subcommittee received nine presentations and talked with three panels about issues relating to electronic prescribing. Six panelists discussed the impact of the HIPAA Security Rule on medical equipment.
E-Prescribing – Panel 1
Geff Brown, J.D., Mayer, Brown, Rowe & Maw
Mr. Brown provided background on the current state of electronic prescribing and shared comments about related privacy and confidentiality issues. He explained that a comprehensive set of standards can promote the benefits of electronic prescribing and can clarify how privacy and confidentiality and security laws and regulations apply to e- prescriptions. He is in favor of rapid adoption of e-prescribing and use of its benefits and discussed the challenges of varying state laws affecting e-prescribing.
Paul Donfried, Strategic Identity Group, SAFE
Mr. Donfried focused on electronic signatures within the context of e-prescribing, specifically the functioning and benefits of Secure Access for Everyone (SAFE). This is a biopharmaceutical industry initiative to provide secure identity infrastructure and electronic signatures. The system uses unique electronic identity credentials for legally enforceable and regulatory compliant electronic signatures and is built on a Public Key Infrastructure (PKI) bridge architecture.
E-Prescribing – Panel 2
Alison Rein, M.S., National Consumers League
The NCL’s assistant director of food and health policy, Ms. Rein provided a patient-oriented perspective on the issue of privacy in the context of electronic prescribing. She described an ongoing NCL initiative regarding the patient role in electronic prescribing and considered issues of data security and patient privacy. She advocated four steps in the Subcommittee’s efforts to advance e-prescribing systems that ensure patient privacy.
Robin Kaigh, Esq.
An attorney who has personally tracked medical privacy issues for the last eight years, Ms. Kaigh expressed strong opposition to e-prescribing, electronic health records and the HIPAA Privacy Rule itself, noting that she was not alone in these views. She emphasized that patients should decide whether the convenience and immediacy of an electronic record is worth the possibility of privacy invasion and repeatedly advocated patient ability to opt in or opt out. She expressed concerns about getting an objective second opinion or a fresh start with a new doctor if a second doctor can read the first doctor’s diagnosis and poor prognosis.
Laura Van Tosh, Consultant
Ms. Van Tosh warned that the Subcommittee and other groups must ensure that privacy is protected and that strategies to monitor technology are discussed, implemented, and overseen by external organizations that do not have financial interest in the technology. Particularly for consumers who take psychotropic medications, any inappropriate disclosure could destroy careers or even lives. She encouraged the Subcommittee to recommend patient education programs and receive regular input from consumers on e-prescribing technology.
E-Prescribing – Panel 3
Suzanne Gelber, MSW, Ph.D., The Avisa Group
Dr. Gelber described the unique issues in substance abuse treatment and mental health, such as its intersection with criminal justice. Unique privacy and confidentiality laws apply for the transmission of any related records. For example, redisclosure might make many groups aware of the protected diagnosis of substance abuse. There is substantial concern about infrastructure and the cost of upgrading, she stated. She added that e-prescribing can be a very positive step forward in avoidance of medical errors that cost excess money and lives, but it also bears very careful consideration with respect to substance abuse and criminal justice issues.
Anita Marton, Legal Action Center
Focusing on privacy issues related to treatment of drug and alcohol addiction, Ms. Marton stated that confidentiality must be protected but need not be an insurmountable barrier to e-prescribing and other new technologies. Records pertaining to alcohol and drug treatment are covered by HIPAA and by the earlier and sometimes stricter 42 C.F.R. Part 2. She described differences in how the two laws treat disclosure. For e-prescribing, she recommends the development of model implementation policies and forms, adding that the software and other technology for e-prescribing must comply with the federal confidentiality rules. She provided a copy of her organization’s book, Confidentiality and Community: A Guide to the Federal Drug and Alcohol Confidentiality Law and Regulations.
Commentary
Anne Canfield, Rx Benefits Coalition
Ms. Canfield described the existing e-prescribing process in the marketplace. She noted that RxHub is a router that enables payer and PBM information (formulary, current prescriptions) to be accessed by doctors at the point of care. The prescription is then transmitted to the pharmacy, preventing call backs. There is no centralized database of this information, rather, a router pulls data across the Web-based network from the payer and PBM and does not ever see the information. The e-prescribing process currently uses five identifiers rather than one.
Medical Equipment—Panel 1
C. David McDaniel, Veterans Health Administration
The vast majority of available medical devices and legacy devices in hospitals have inherent security limitations, Mr. McDaniel explained. There are cases when adding security to a device renders it ineffective to operate appropriately. The market delivery cycle for new medical devices is about three to five years. He described precautions VHA is taking to secure medical devices where possible and outlined VHA’s options for complying with the Rule by April 2005. First, they are making this issue of deficits in medical device security known to HHS. Second, they are assessing the information security risk of each medical device and mitigating that risk as much as possible. He found the third option, simply waiting, to be a cause for serious concern.
John Murray, FDA
Increasingly, medical devices are being connected into networks, Mr. Murray explained, with greater benefits and greater risks. MAWARE, malicious software, can be incorporated into a commercial off the shelf (COTS) software product or a network infrastructure component. FDA’s challenge is to ensure that network-connected medical devices are adequately safe-guarded, working within the required regulatory framework. The FDA’s principal concern is risks to health, and the software engineering community, not the FDA, will dictate the solutions to these threats. He shared the key points of a drafted formal policy statement on cyber security patches for the medical device industry.
Medical Equipment—Panel 2
Robert MacNeil, McKesson Provider Technologies
Mr. MacNeil described the possible consequences of malicious software and emphasized that detecting and guarding against it requires the regular application of current technologies in security software. He reported that medical device manufacturers must comply with Quality System Regulation, QSR. Regarding security software updates from third parties, he noted that almost all involve weekly virus definition updates and monthly updates by Microsoft on Windows operating system components and utilities. He emphasized that health care providers must wait for validation assurance from vendors before running patches or updates.
Dave Kizner, Stentor
Use of COTS software is prevalent in health care IT systems and medical imaging modalities in part because of cost savings to manufacturers and end users, Mr. Kizner stated. He explained that hackers and viruses often target widely used commercial software because weaknesses are known and the impact widespread. The QSR does not apply to COTS software, and the impact of a patch can be worse than the vulnerability. He recommended the patch deployment outline in the joint NEMA/COCIR/JIRA Security and Privacy Committee white paper, but warned that patch management is only one aspect of network security. Health care providers should also use firewalls, intrusion detection systems, virus protection, auditing and authentication.
Jim Keese, Eastman Kodak
NEMA and other industry groups are working collectively to assist in the transition from legacy systems, Mr. Keese stated. White papers are available at www.nema.org/medical, and NEMA has provided security architectures for patching, remove access and digital certificates. With the VA, NEMA is developing best practices for risk management to comply with the Security Rule and to assure uninterrupted patient care. With HIMSS, they are working on the MDS-2 form, a standard template for customers to evaluate products’ security compliance before purchase. Mr. Keese noted that in several instances, his company has been unable to deliver systems, operate systems, or provide services because of interpretation and enforcement of the Security Rule.
Peggy Hanney, Phillips Medical Systems
Ms. Hanney emphasized that manufacturers are looking for consistency in requirements and for language in providers’ purchasing contracts and she strongly encouraged involvement of acquisitions staffs. She noted that her company has also had many work stoppages, impacting the manufacturer and patients. Manufacturers often produce 100+ products, so must choose whether to focus their resources on retooling legacy products or engineering new technologies.
Subcommittee Discussion
With the first panel, subcommittee members worked to understand SAFE and its impact on e-prescribing. The system cannot currently interact with consumers as end users. Agreeing that state laws and their variations are one of the biggest challenges for e-prescribing privacy issues, the group discussed the MMA preemption provision and observed that under it, a different standard could be applied to Part D versus other areas. Mr. Brown emphasized the value of launching an e-prescribing system and stated his belief that an electronic system is more secure and private than a paper system.
The issue of different liability levels for those who opt out of e-prescribing and electronic health records was raised by the Subcommittee with panel two. Panelists agreed that patients should be able to control where their data goes once the e-prescription is written, but Ms. Kaigh also wanted the ability to decline all electronic prescription. Ms. Van Tosh stated the importance of ensuring that HIPAA structure is commensurate with new technology like e-prescribing. The Subcommittee asked the panelists to respond to Dr. Brailer’s RFI and to give specific input for architecture to support the areas they find important, rather than only expressions of concern.
Implementation issues to meet specific requirements and sufficiency of current laws’ privacy protection for substance abuse patients were discussed with panel three. Panelists discussed the issue of coerced or required consent in order to receive services, noting that this is also an issue with paper systems. The group considered ways to implement tiered consent, definitions of “necessary” disclosure, and consent expiration.
With the fourth panel, the Subcommittee discussed extending the compliance time frame for legacy equipment. Panelists explained the details of the FDA review process, which does not include the new security requirements. For medical devices, updates to software are provided but devices cannot change operating systems or be reengineered. The VA has produced a document on security steps for legacy devices. The time frame for assessment of device risk and formulation of a mitigation plan concerned the panelists.
Manufacturers have been working to educate providers that they should not try to patch their own systems, the fifth panel explained. How to present this overall issue to the Secretary was discussed, and it was proposed that, in enforcing the Security Rule, the Department needs to be more flexible in terms of some legacy devices, while providers must take reasonable interim steps. Panelists recommended specific risk mitigation approaches and explained the situations in which customers were not implementing systems due to misunderstanding of the Security Rule.
In its final discussion period, the Subcommittee decided that a letter to the Secretary with recommendations would be sent as soon as possible. This would be drafted by Mr. Houston, circulated via email for consensus and discussion, and then submitted to the Full NCVHS for consideration.
DETAILED MINUTES
DAY ONE
Subcommittee Chair Mr. Rothstein established the context of the day’s hearings, explaining that e-prescribing can be thought of as part of the effort to convert the nation’s health record system from paper to electronic. He noted that this issue has been directed to NCVHS by Congress through enactment of the Medicare Modernization Act (MMA), which specifically contemplates e-prescribing as a way to improve efficiency and safety. A concerted effort is now underway at HHS to lead the establishment of a new health information infrastructure (NHII). On February 23-24, 2005, this Subcommittee will begin exploring privacy issues raised by the NHII.
E-prescribing is more than simply changing prescription writing from paper to electronic form, Mr. Rothstein asserted. This initiative could result in the creation of an individual, comprehensive, longitudinal, bi-directional, electronic record of drug prescribing and dispensing for every health consumer. Thus, the possible scope of e-prescribing is extraordinarily broad and there are many potential ramifications to consider.
Agenda Item: E-Prescribing – Panel 1
Geff Brown, J.D., Mayer, Brown, Rowe & Maw
Mr. Brown provided background on the current state of electronic prescribing and related privacy and confidentiality issues. He quoted the NCVHS letter of September 2, 2004, which cited an estimate that “e-prescribing systems can avoid more than two million adverse drug events annually, of which 130,000 are life threatening.” E-prescribing has the potential to save lives and money, he concluded, and the costs of delaying its implementation are high.
E-prescribing benefits patients and providers by making the process of writing and transmitting scripts from the physician’s office to a pharmacy more efficient by reducing handwriting and key punch errors. It also adds front-end information in real time at the point of care, such as medication history, drug interaction information, formulary and benefits.
The National Council for Prescription Drug Programs (NCPDP) is the source of the non-HIPAA script standard, which is used for formatting by most e-prescribing providers. NCPDP has begun to consider adding additional front end information standards, Mr. Brown reported.
On the list of stakeholders in e-prescribing, Mr. Brown included physicians, pharmacies, patients software and hardware vendors, front end information sources and information routers such as Sure Scripts and RxHub. He explained that there is more standardization in back end processing because those systems need to communicate and must certify themselves with RxHub and Sure Scripts to participate. PBMs, health plans and pharmaceutical companies provide front end information and information routers such as Sure Scripts and RxHub provide links between and among the stakeholders, largely invisible to physician and patient but important to functionality.
Privacy and confidentiality are key concerns in the electronic prescribing community, Mr. Brown stated. E-prescriptions and much of the front end information will qualify as HIPAA PHI and will also be considered electronic PHI under the Security Rule. Business associate agreements will come heavily into play with e-prescribing.
Neither the HIPAA Privacy nor Security regulations require the use of electronic signatures, Mr. Brown noted, adding that PKI signatures provide high levels of authentication, non-repudiation and integrity of transmissions. He explained that most e-prescribing programs today do not include PKI digital signature capabilities, in part because NCPDP Script does not include a data element for any kind of electronic signature. Two task groups are looking into this issue. Electronic signatures have other technical challenges because they are designed to work with unchanging data, but data does change in the e-prescription process.
Mr. Brown believes that existing electronic systems already provide better security than paper systems because of encryption and tracking of information. He encouraged the Subcommittee to consider this when deciding whether to include in the initial standards levels of both security and confidentiality protections that would potentially slow down the adoption of electronic prescribing, leaving people to continue use of less private and less secure paper prescriptions.
Regarding privacy and state laws, Mr. Brown noted that some states do not permit e-prescribing and others prohibit transmission of information about certain sensitive drugs. Physicians today cannot reliably send patient consent to an information source to obtain a medication history; instead, the information source must obtain a specific consent. Privacy laws are often applied in the jurisdiction in which the information source is located, so a physician may be affected by differing laws in a number of states. He felt a federal standard in this area would be very helpful.
Mr. Brown concluded that a comprehensive set of standards can promote the benefit of electronic prescribing and can also clarify how privacy and confidentiality and security laws and regulations apply to electronic prescriptions. He believes that the challenge is to promote the objectives of those regulations while at the same time promoting and trying to get rapid adoption of electronic prescribing and utilize its benefits.
Paul Donfried, Strategic Identity Group, SAFE
Mr. Donfried focused on electronic signatures within the context of e-prescribing. He believes suitable technology is available, but people must change their behaviors to facilitate applying it. The technologies his group is utilizing have been available for ten to 20 years but must be surrounded with appropriate frameworks to effectively manage risk and its application.
A founder of Secure Access for Everyone (SAFE), a biopharmaceutical industry initiative to provide secure identity infrastructure and electronic signatures, Mr. Donfried asserted that a trusted identity framework is absolutely critical to privacy, confidentiality and non-repudiation. He reminded the Subcommittee that electronic signatures were identified as a top requirement for e-prescribing. SAFE offers the strong identity framework and open standards-based solutions needed for an appropriate foundation for e-records, he stated.
As described by Mr. Donfried, SAFE delivers unique electronic identity credentials for legally enforceable and regulatory compliant electronic signatures. SAFE is based on international contract law, to be used for business to business and business to government transactions. It has not yet focused on consumer transactions.
Pharmaceutical research and manufacturing companies are establishing a common electronic trust infrastructure for electronic transactions based on the use of digital signatures certified by third parties. SAFE’s trust framework is based on a Public Key Infrastructure (PKI) bridge architecture, allowing interoperability between previously separate isolated domains. Cross certification with other PKI bridges like the U.S. Federal Bridge is possible.
Mr. Donfried stated that SAFE is a non-profit entity that acts as the standards management policy approval authority responsible for maintaining and evolving the standards. SAFE also will operate minimal infrastructure, called the bridge certification authority. SAFE members use SAFE electronic identity credentials to apply, execute and validate electronic signatures. SAFE issuers are accredited organizations that act as trusted third parties, responsible for the provision, issuance and management of the credentials. The electronically signed record is the authoritative source document, eliminating the need for paper copies with wet signatures. SAFE’s operating rules are modeled on precedents set by organizations like MasterCard, Visa, Bolero or traditional EDI networks.
To illustrate the scope of the paper issue and its economic impact, Mr. Donfried referred to recent data from the New England Journal of Medicine, which estimates that, for clinical trials, about 30 percent of the cost structure is directly related to the management and manipulation of paper documentation, amounting to potentially $500 billion per year for health care. In the short term, the biopharma industry could save about $200 million annually by replacing all of the current replicated electronic identity credentials for clinical trials, such as individual laptops with secure identity fobs at every location, with a single SAFE credential for all users.
On an industry level, Mr. Donfried believes an additional $100 to $150 million of savings is possible, independent of the process improvements of being able to sign forms electronically. He described the National Cancer Institute’s pilot of Firebird, which will use SAFE electronic signatures to automate clinical investigators’ registrations to participate in clinical trials. It will eliminate the need for paper and wet signatures and has been developed to be independent of any specific business processes or industries.
Relating to e-prescribing, Mr. Donfried reported that SAFE plans to deploy its infrastructure and credentials to physicians and pharmaceutical manufacturers globally. They have not yet connected pharmacies or distributors. He favors using the same infrastructure for e-signatures and authentication for e-prescriptions that will already be in use for drug development.
DISCUSSION
Mr. Brown agreed with Mr. Houston that state laws and the variations among them are one of the biggest challenges in e-prescribing privacy issues, making e-prescribing more expensive and less effective and causing market variation between states. Mr. Brown noted that a national solution is desired and did not expect success working with each state Board of Pharmacy. This raised the subject of the MMA preemption provision. Mr. Brown feels there is an opportunity in the short term to ensure that interim standards and pilots can be a national set of pilots. In the longer term, it offers a chance to have a true preemptive force for e-prescribing standards.
After inconclusive discussion regarding the exact meaning of the preemption language, Dr. Cohn pointed out that it is a very unclear statement in the law meriting significant continued conversation. The provision reads: “In relation to state laws, the standards promulgated under this subsection shall supersede any state law or regulation that A, is contrary to the standards or restricts the ability to carry out this part, and B, pertains to the electronic transmission of medication history and of information on eligibility, benefits, and prescriptions with respect to covered Part D drugs under this part.” Mr. Rothstein concluded that it could create the situation in which a different standard applied to Part D versus other areas.
“With e-prescribing…let’s try to get something up and running so that people can see that this is going to save lives and save time… and save money,” Mr. Brown urged. He concurred that the majority of his colleagues would favor a single, unified, preemptive standard. He added that it would be very difficult to have a preemptive standard for Part D under MMA and have state standards under the rest of e-prescribing.
SAFE’s function was not clear to Ms. Fyffe, who asked Mr. Donfried to describe how SAFE would change current processes. Mr. Donfried explained that within the SAFE system, all participants are issued a credential, such as a smart card, that is protected by hardware. The electronic applications that SAFE members will use are also SAFE enabled. Anyone with a SAFE credential, either the application system or the end user, has the ability to authenticate or identify themselves using that credential, possibly by logging on to a site that unlocks the credential on the card and verifies the integrity of the message and the credential.
The combination of signing an electronic document with a SAFE credential and then validating that signature and the status of the credential constitutes a SAFE system transaction, Mr. Donfried explained. By exchanging signed messages, people use the credentials to identify themselves to machines or to other human beings electronically. These credentials are also then used to apply legally enforceable electronic signatures to any sort of data. This can be a PDF document that, once signed, can be opened with Acrobat Reader and shows the validation time.
To improve user confidence, Mr. Houston supports user ability to see who has actually accessed their e-prescribing information and possibly change the access authorization. He also asked whether SAFE could limit access of certain information and certain individuals. Mr. Donfried said that these are issues of digital rights management (DRM), which relies on the underlying identity infrastructure. “If your DRM solution is built on a legally enforceable identity model, you can fundamentally control any and all aspects of document readability, printability, transferability, etc,” he explained. He stated that in the electronic world there is no such thing as a naturally occurring original, but it is possible to create the equivalent of an electronic original using cryptographic technology. With a digital rights solution, this could achieve all of Mr. Houston’s suggestions.
Regarding the state preemption issue, Dr. Cohn felt that the Subcommittee should investigate the opportunity for state boards of pharmacy to facilitate e-prescribing use by enhancing interstate consistency with what is happening with Part D, and noted that there are several models for how that consistency might occur. He asked for more clarity on SAFE, whether it is a company offering goods or an actual ANSI-approved standard, and whether there are cost models for it. He also observed that many companies offer PKI solutions.
Mr. Donfried reported that SAFE LLC is a not-for-profit entity, intended to serve as a vehicle for a shared cost model and to be a standards body only for an interim period. SAFE was built on existing industry standards including ANSI standards but SAFE has not yet been submitted to any standard-setting groups. It has for-profit and non-profit subscription models, and it is being determined how government agencies can participate in SAFE. SAFE will accredit issuers through a compliance process and members as they subscribe and participate within the system. He added that it is vendor and solution technology agnostic.
Pointing out the PKI bridging structure problem, Dr. Steindel asked how to determine which bridge to take to if there are multiple certification agencies, and whether to trust a certification from another authority. Mr. Donfried stated that the SAFE bridge certificate policy prevents cross certification with trust domains that do not require hardware protection of private keys. They expect to cross certify with some U.S. federal government PKIs by mid-2005. He added that when policies cannot be mapped between domains, there can be no cross certification.
Mr. Brown clarified to Dr. Harding that front end information means anything that is at the point of care before the prescription is written, including formulary. It can come from health plans, PBMs, consortiums like CAQH, or from formulary aggregators. When the patient goes to the physician, the name or identification number is somehow converted into the plan group, which pulls up the coverage information in an aggregated way, not on an individual patient basis.
Dr. Fitzmaurice suggested that there may be the capability of putting biometrics into a Smart card if a client should want it. He sees authentication and interoperability as keys for success in electronic prescribing. Mr. Donfried agreed, adding that interoperability is a never-ending challenge and requires proactive work on the part of the standards body to provide guidance as people implement more and more sophisticated solutions on top of the infrastructure.
Noting that e-prescribing will help facilitate the transfer of potentially very sensitive prescription information between pharmacists and physicians, Dr. Rippen asked about enabling consumer control. Mr. Brown stated that this relates to transmission of consent and noted that there is no standard in place for identifying the patient and transmitting the request. Mr. Donfried stated that SAFE has not yet focused on consumers as entities within the identity scheme.
E-Prescribing – Panel 2
Alison Rein, M.S., National Consumers League
Ms. Rein provided a patient-oriented perspective on the issue of privacy in the context of e- prescribing. NCL recently initiated the SOS Rx Coalition to promote outpatient medication safety, initially among seniors. The coalition plans to develop a campaign to educate consumers about the e-prescribing concept, what it could mean to them in terms of patient safety and convenience if implemented appropriately, and how their understanding of e-prescribing could facilitate more rapid adoption among providers.
“Launch of such a campaign will not happen until NCL and its coalition partners are convinced that fundamental issues of data security and patient privacy are addressed,” Ms. Rein warned the Subcommittee. The system must be highly attuned to patient needs, must not create tension between patients and providers, and must inspire confidence in the integrity of all transactions.
The core patient-focused criteria for e-prescribing Ms. Rein outlined included a system’s ability to support safe care, use of nationally adopted technology and process standards, compliance with best practices, patient access to information, enhanced patient/provider communications, portability across all systems, and maintained patient privacy and trust.
According to Ms. Rein, data security has technical, physical, and procedural aspects. Technical aspects include data authentication, access and dissemination controls, and authorization control provisions. She encouraged close scrutiny of emerging alternative technologies before their application in the e-prescribing context. Physical security aspects include issues of hardware and software controls, workspace and equipment access controls, and personnel training. Unauthorized access and viruses are the primary concerns in this area, she noted. Procedural security establishes a formalized systemic approach to securing data and relationships based on trust, ownership of responsibility, and acknowledgement of liability. Implementation and maintenance require a significant level of coordination and commitment.
Without a foundation in these three areas, Ms. Rein believes that it is impossible to achieve adequate patient privacy. She added that with this framework, the privacy of patient health information is possible in e-prescribing but not guaranteed. In some cases, she believes that the HIPAA Privacy Rule makes adequate provisions for patient privacy in the context of e-prescribing, but in others it does not.
She advocated four steps in the Subcommittee’s efforts to advance e-prescribing systems that ensure patient privacy: Educate patients about their e-prescribing rights and responsibilities; inform patients up front of privacy policies, permissible data uses, and administrative requirements for data use authorization that are specific to e-prescribing; patients should be able to opt in or out of systems, including receipt of non-point-of-sale messaging; and finally, all communications to patients about their prescription privacy options should be provided in consumer friendly and easy to read formats. (Complete details of her recommendations are available in the hearing transcript.) She added that data security and patient privacy standards should be consistent between and within states.
For improved patient safety and adherence, Ms. Rein suggested that providers or pharmacies provide patients with an optional monthly or quarterly verifiable paper trail of their prescriptions via email or snail mail. This would serve as the basis for a patient-maintained comprehensive list of personal prescriptions and might also encourage patients to review their own data for errors or inconsistencies.
This issue becomes more important as the U.S. health care system becomes more “consumer-driven,” Ms. Rein asserted. Patients cannot and should not be asked to participate in a decision making process unless they have the relevant information at their disposal to do so, she said.
Robin Kaigh, Esq.
An attorney who has extensively tracked medical privacy issues as a matter of personal interest, Ms. Kaigh spoke as a private citizen, calling this Subcommittee “the protector of the privacy of every American citizen.” She emphasized the importance of honoring secrets between a patient and doctor.
Pointing to the more than 50,000 comments when the HIPAA Privacy Rule was proposed, Ms. Kaigh stated that Americans repeatedly said they did not want others to access their medical records without their prior consent, not even another doctor. HIPAA allows access without patient consent to the majority of the entities to which Americans object, she observed, naming the federal government, other doctors, hospitals and health insurers. She added that discussion of e-prescribing or electronic health records must include discussion of HIPAA and believes that the combination will likely give entities even greater access, creating potential for widespread dissemination of the record and for hacking and abuse. Although HIPAA allows the patient to request a restriction on disclosure, Ms. Kaigh noted that providers may refuse and many will not treat a patient who requests a restriction.
Questioning the patient benefits of e-prescribing, Ms. Kaigh pointed out that immediate availability of a complete medical record could be provided with a Smart card at the patient’s discretion. Much information is now readily available, according to doctors, via fax, email, phone and the clinical exam at the time of emergency. Patients should decide whether electronic convenience and immediacy is worth the possibility of privacy invasion, she believes.
Ms. Kaigh stated that no system is fail safe and illustrated that risk by describing incidents of hacking into electronic medical records at numerous universities, hospitals, the FBI, NASA, and the Pentagon. She expressed her opposition to a universal health identifier or ID number in any form. If patients choose to participate, she believes they should be given notice as to how and with whom their information will be shared and given consent and control as to how and to what extent that information will be used.
Noting that phone communication with her doctors has always been effective and efficient, Ms. Kaigh shared her own doctor’s opinions on e-prescribing and electronic medical records. “He said and I quote, ‘too many people would have access to patient data.’ It reminded him of 1984.” He had found that e-mail communication with patients was far more time consuming and that some patients abused the increased access. He believed that big business would get too much power and he feared that patients’ medical problems will be reduced to simplistic cases that do not receive individual care. He was also concerned with ethical implications.
Ms. Kaigh believes she is not alone in her opposition to electronic health records, the HIPAA Privacy Rule and e-prescribing. She shared her concerns about getting an objective second opinion or a fresh start with a new doctor if a second doctor can read the first doctor’s diagnosis and poor prognosis about a patient. In closing she quoted Rep. Jim McDermott, “Many industries stand to make money from the use and misuse of information. For them medical records are a commodity that are bought and sold. The group we should listen to most will be the hardest to hear: patients and their families.”
Laura Van Tosh, Consultant
A mental health consumer advocate and policy consultant, Ms. Van Tosh focused on e-prescribing for people with mental illness. She believes that enabling consumers to easily access medications through the use of e-prescribing can support and sustain consumers in the community and avoid relapse or interruptions in care. However, she warned that the Subcommittee and other groups must ensure that privacy is protected and that strategies to monitor the technology are discussed, implemented, and overseen by external organizations that do not have a financial interest in the technology.
Ms. Van Tosh asked what provisions are in place to ensure that the systems are free from hackers and viruses. How will consumers know for certain that their personal information will be protected? She feels that the Subcommittee’s work appears inadequate in this regard and encouraged the Subcommittee to actively seek out consumer perspectives on ways to market e-prescribing so consumers have confidence in the new technology and how it is used. She also raised the issue of opting out.
Prevention of adverse effects through e-prescribing and its associated technology would be a welcome change for consumers, Ms. Van Tosh stated. She emphasized that physicians must receive proper training to prevent medical errors and that the Subcommittee should increase its understanding and sensitivity to the clinical information exchanged between patients and physicians, which is often not done on email.
Consumer concerns must be balanced with other needs, Ms. Van Tosh insisted, and electronic technology should support all partners, especially the end user. She pointed out that consumers have a lot at stake. Particularly for consumers who take psychotropic medications, any inappropriate disclosure could destroy careers or even lives. She encouraged the Subcommittee to recommend that the industry implement patient education programs and receive regular input from consumers on e-prescribing technology. She strongly recommended that more than one token consumer be appointed for a group.
DISCUSSION
To clarify her comment about inadequacy, Ms. Van Tosh stated the importance of repeatedly making sure that the HIPAA structure is commensurate with a new technology like e-prescribing. She also pointed to the density of HIPAA information provided in waiting rooms, adding that it is often not read, especially by patients with mental illness. It is essential that HIPAA provisions are very easily adaptable to a methodology like e-prescribing, she stated. She felt that privacy was not “a profound issue of importance and I really think it needs to be.”
Mr. Houston stated that he hears from physicians about privacy, but also a loud cry for information because it makes a huge difference in patient care. Noting exploding health care costs and medical error rates, he asked Ms. Kaigh to estimate the willingness of people to recognize that if they opt out of allowing their information to be electronically available, they may forego some rights as to level of care, and maybe medical errors and liability. Ms. Kaigh questioned whether there should be a one size fits all system. If the new norm would result in people who opt out being the minority, she felt there then could be discussion of releases of liability or limited liability for physicians who do not get 100 percent of the information. Currently, she noted, choice does exist and she does not feel the public should be asked to release from liability because of lack of information. “We’re overturning how many years of medical practice by even suggesting such a thing,” she added.
Hearing concern about information going beyond the doctor/patient relationship, Dr. Cohn asked whether patients might take issue with their own physicians knowing more about them, such as if prescriptions were actually filled. Ms. Kaigh felt such instances could occur, based on testimony from another NHVHS panel. Ms. Rein felt that answer would be highly variable and suggested that the patient should be allowed to share or block information at the individual provider level.
“Patients fail to recognize that a lot of entities out there already know where and what their data are,” Ms. Rein observed. “If the physician wanted it right now, they could probably get it. So part of it is just bringing people up to speed with the reality.” People must be educated that this is a new, faster way of exchanging data with efficiency and health care benefits, she said.
Ms. Van Tosh pointed out that the millions of mental health and substance abuse consumers in this country generally want their physician’s support and practice integrated treatment. She added that the public needs to realize that e-prescribing will increase health care costs over time. Mr. Houston pointed out that there will also be inherent savings, by avoiding duplicate tests, for example. He thinks that some of those savings are lost as soon as patients opt out.
Describing two senses of the phrase e-prescribing, Mr. Rothstein asked whether panelists object to both. In the narrowest sense, a computer is used instead of paper to deliver a prescription to a pharmacy. The broader sense is a system in which electronic health record information, including prescription history and usage, is available between at least the pharmacy and the prescribing physician but maybe other physicians as well. The eventual electronic data repository that would result from any definition concerned Ms. Rein. Her organization advocates for patients’ ability to determine how their data is used. She added, “I think that the value derived from the fully integrated electronic health record is really incredible,” assuming processes are in place to ensure patients’ privacy wishes
All three panelists had recommended patient opt out for any e-prescribing system, Mr. Rothstein observed. Ms. Rein clarified that she meant only that patients should be able to control where their data goes once the e-prescription is written. Ms. Van Tosh stated that she had simply raised the question, not taken a position. Ms. Kaigh did want patients to have the ability to decide whether they want their prescriptions done electronically, and if that choice is not possible, she would want the patient to have some control over the further dissemination of that information.
Mr. Rothstein then requested opinions on other approaches to protect patient privacy, including time limits on electronic prescription information remaining in the system, limits on classes of diagnostic or prescription information and limits on the scope and the nature of the providers or pharmacists with access. Ms. Kaigh felt that this would require all citizens to accept the risks inherent in electronic transmission whether they want to or not, and no system is fail safe. Ms. Van Tosh felt it was hard to say that a process would be fine when consumers do not know what the alternatives are. She again recommended that this committee actively involve consumers.
Explaining that the Subcommittee and Committee must raise concerns and present options to explore regarding privacy protections, Mr. Rothstein told the panelists that “it would not be a good thing if we just said this is terrible and that’s it.” In response, Ms. Rein stated that the time limit approach seemed completely inadequate to retain the benefits of having information available to providers and patients over a longer timeframe. While the data was available, it could also be used for a variety of purposes. She is in favor of consumer-driven processes.
Mr. Houston noted that the Subcommittee members are also consumers and must balance all the different needs in what they are doing. He strongly encouraged the panelists’ organizations to respond at least to the patient privacy sections of Dr. Brailer’s RFI with substantive recommendations for designing a system to ensure appropriate patient protections. Specific input for architecture to support the areas they find important would be most helpful, he added, not just expressions of concern.
Responding to Mr. Houston’s request for opinions on a national patient identifier, Ms. Van Tosh stated that she was primarily opposed to use of names as identifiers. Ms. Rein believes that it depends on the transaction level and declined to make a general comment.
E-Prescribing – Panel 3
Suzanne Gelber, MSW, Ph.D., The Avisa Group
Dr. Gelber explained the issues that are unique to the field of substance abuse treatment and mental health, such as its intersection with criminal justice. Substance abuse treatment is “quietly undergoing a medical revolution” that makes the subject of e-prescribing very pertinent. New medications are emerging and existing medications being tested to treat drug dependence in conjunction with other therapies. At the same time, e-prescribing, e-transactions and e-therapy are increasing, creating opportunity and major challenges for the field. Unique privacy and confidentiality laws apply in the field of substance abuse and in the transmission of any related records. She reminded the group that this information is protected because of the significant stigma in substance abuse diagnoses and mental health diagnoses.
Dr. Gelber stated that the field of substance abuse treatment is seeing major changes in services and medication, but that the infrastructure has not kept up. She noted that it has taken tremendous effort to educate substance abuse providers, programs and policymakers about HIPAA, and e-prescribing might be another major and fairly complicated issue. Some of the medications are controlled substances, subject to special DEA requirements about paper prescriptions and audits that may conflict with HIPAA and other information standards. She reported that the DEA is working on a new policy, but it is not clear when it will be completed or how those standards will intersect with HIPAA standards.
Dr. Gelber gave the example of the issue of redisclosure of protected information about diagnosis. PHI could be redisclosed to utilization management entities, PBMs, health plans and health plan sponsors, software technology developers, pharmacies and pharmacists. All might become aware of the protected diagnosis of substance abuse. She advocated consumer releases of information that are very specific to the substance abuse client.
Many physicians are becoming more involved in this field and will be involved in e-prescribing. Dr. Gelber explained provider business process and policy issues. Office- or clinic-based physicians currently write paper prescriptions as required, which can be easily audited, then nurses make the actual calls to a pharmacy. These practices tend to lack computer infrastructure or use very outdated systems. Physicians are concerned that e-prescribing might require them to substantially change office workflows, to obtain legal and technological assistance, and to move to costly medical record systems. She explained that out in the field, counselors who sometimes work with physicians or treatment programs likely have no computer access at all.
This process must consider the delivery of information about treatment plans and progress for court-involved patients, including parolees, back to the criminal justice system, Dr. Gelber stated. She also expressed concern about refills and frequent dosage changes of such prescriptions and whether or not the required DEA standards would coincide with what this Subcommittee is developing. Other issues are the potential interaction between e-prescribing and state prescription drug monitoring programs and capturing court referred clients’ ambulatory prescriptions in an information system.
Unintentional disclosure of criminal substance abuse would be tremendously damaging, Dr. Gelber asserted. Many of the individuals with substance abuse diagnoses also have more or less severe psychiatric and physical health diagnoses and their treatment involves conveying very complicated sets of prescriptions and prescribing information and medical history. Drug/drug interactions and drug/allergy interactions are very big issues. Other challenges arise from clients who do not speak English as the primary language or have various difficulties in comprehending instructions, much less giving informed consent.
Dr. Gelber presented e-prescribing as a process with different interactions at different points. She described the series of stages in substance abuse treatment and noted the special communications that are required for each. Although e-prescribing can be a very positive step forward in avoidance of medical errors, she believes it also bears very careful consideration with respect to substance abuse and criminal justice issues.
Anita Marton, Legal Action Center
Ms. Marton’s public interest organization specializes in legal and policy issues concerning alcohol and drug addiction, HIV and AIDS, and the criminal justice system. They have published the sixth edition of a book on the laws and regulations concerning confidentiality of drug and alcohol records, Confidentiality and Community: A Guide to the Federal Drug and Alcohol Confidentiality Law and Regulations. She offered to leave a copy for the Subcommittee.
Many of Ms. Marton’s concerns were already introduced by Dr. Gelber, she stated. She explained that e-prescribing for people with drug and alcohol addiction raises a host of specific and sometimes difficult issues that warrant special attention, particularly confidentiality issues. Records pertaining to alcohol and drug treatment are covered by HIPAA and by a much earlier and sometimes stricter law, 42 C.F.R. Part 2.
Ms. Marton stated that while her organization supports the development of new technologies such as e-prescribing that have the potential to improve the delivery of medical care, they advise great forethought regarding confidentiality implications. They urge that HHS take into account and comply with the special confidentiality requirements set forth in federal law.
HIPAA allows almost all of the disclosures that would be necessary to implement e-prescribing without the consent of the patient, Ms. Marton reminded the group. However, 42 C.F.R. Part 2 does require written patient consent for disclosures, utilizing a very specific form and the treating professional must transmit a notice prohibiting redisclosure. Unlike HIPAA, 42 C.F.R. Part 2 also requires written patient consent for any redisclosure. These rules apply to all prescriptions, not just those for the drug or alcohol treatment.
For e-prescribing Ms. Marton recommends the development of model implementation policies and forms, including model consent forms that authorize the necessary disclosures. The software and technology for e-prescribing must provide for the required consent forms, notices prohibiting disclosure, and redisclosure limitations in the absence of written consent. These steps are critically important to ensure that e-prescribing honors and complies with the federal requirements, Ms. Marton stated, adding that it will take time and concerted effort but it is not impossible. Confidentiality is a very valuable right and must be protected but need not be an insurmountable barrier to new technologies. Her organization would be happy to assist.
DISCUSSION
Regarding implementation, Ms. Marton testified that mechanisms exist for the electronic communication of information between treatment providers and the public welfare system. She pointed out that systems do have electronic consent forms in place so that both parties have copies. E-prescribing would need such a system, she stated, with redisclosure notification forms sent with any transmission. She emphasized that patients and providers must be notified of all parties that might have access to information disclosed from a program that is covered under the drug and alcohol laws. She felt that a standardized consent form might assist in this area.
Ms. Marton agreed with earlier panelists that individuals should have the opportunity to opt out. She noted that one premise of the federal confidentiality regulations is to empower the individual to decide to whom and how information about them gets disclosed.
Mr. Rothstein asked whether the panelists consider the consent mechanisms sufficient to protect the privacy interests of individuals who are in alcohol and drug addiction treatment programs and raised the issue of coerced or required consent in order to receive services. He asked for feedback on how the system should work and whether the Subcommittee should recommend that no drug or alcohol abuse treatment information may be disclosed via electronic records.
The whole issue of implied or coerced consent is a major issue, even with a paper system, stated Dr. Gelber. She suggested that e-prescribing match the HIPAA provisions for people to direct the entities with whom they would permit disclosures. Consent forms might include a range of disclosure options and offer the option to change permitted disclosures over time. In this treatment there is a wider range of entities with which information might be exchanged, she explained, and some entities are required to collect information. But a patient might want to prohibit disclosure to other entities such as schools, housing, welfare, etc. She added that this architecture might be different from one for more routine chronic illnesses.
Ms. Marton confirmed that, under 42 C.F.R. Part 2, patients currently have the ability to have a tiered consent. She added that there are ten very specific elements that have to be included, but patients can consent to disclose certain information to a certain party for one purpose and have disclosure to another party for a different purpose. Dr. Gelber felt infrastructure issues for this would be a real problem.
Ms. McAndrew clarified for the group that the Privacy Rule specifies the areas where it is proper to condition treatment or payment upon obtaining an authorization. It is not allowable to condition the provision of treatment or payment for it on getting the individual’s authorization for some other non-critical use and non-permitted use of the information.
Noting that many groups have testified about special sensitivities, Dr. Harding advocated setting the bar high enough that every group could fit under it in a uniform way. This requires considering special sensitivities in an electronic health record and how to make information available when necessary and protect it when it is not. To define “necessary,” he asked, “When should a primary care doctor know that this individual with an acute abdomen is taking bupinorphine or not? It’s that kind of safety versus optimal treatment versus safety versus privacy thing that drives everybody wild.” He asked the panelists for their thoughts about the idea of a black box with patient control of information via a special e-key. Dr. Gelber stated that an IT person is needed to be able to tell the group whether a black box or other options are feasible as part of a system.
Ms. Marton reminded the Subcommittee that her field struggles with the issue that raising 42 C.F.R. Part 2 itself makes the kind of disclosure that it is intended to protect. Also, under this law, a consent form expires after a certain point. Mr. Rothstein noted that records on the same condition, at different times and with different providers or situations, could fall under different privacy protections.
Panelists were asked to consider the patient option to exclude from their electronic prescription records whatever class of treatment records and medications they deemed to be significantly stigmatizing. Ms. Marton felt this would be interesting to explore. However, Dr. Gelber thought that this exclusion would at some point conflict with the doctor’s desire to know everything relevant before providing treatment. She added that now, people are able to keep their substance abuse diagnoses to themselves unless there is a prescription. Mr. Rothstein reported that the Subcommittee would address in February 2005 the overall question of the degree to which patients should have control over their longitudinal electronic health records.
In response to the issue of how to protect old records in a way similar to Part 2 protection, Ms. Wattenberg stated that she did not think it was possible. She suggested that, under HIPAA, patients could ask providers to restrict their records as a reasonable accommodation. Mr. Rothstein warned that this would create a class of restrictions that providers must agree to if requested, which would be a change from the way the rule currently reads.
Commentary: Anne Canfield, Rx Benefits Coalition
Ms. Canfield described the existing e-prescribing process in the marketplace and corrected what she felt were misconceptions. The NCPDP Script standard is used with software for physicians to transmit prescriptions to the pharmacy, she explained. RxHub is a router that enables the payer and PBM information to be accessed by doctors at the point of care. When the physician is prescribing, he or she can pull up the formulary, see the other drugs the patient is using, and make an appropriate prescription. That prescription is then transmitted to the pharmacy and prevents the call backs relating to formularies and prescription conflicts.
Ms. Canfield reported that there is no centralized database of this information. A company like RxHub pulls data across the Web-based network from the payer and PBM to the point of care, and the router never sees the information. She expects that this system would continue rather than there ever being a centralized database.
The e-prescribing process does not currently use Social Security number or a single identifier, Ms. Canfield explained. Instead, five different identifiers are used: name, address, zip code, date of birth and one other. This drastically reduces chances of identity theft, she noted, adding that RxHub is virtually error free.
Ms. Canfield called “frightening” some of the panelist’s comments that people do not want doctors and hospitals, who are liable for treating the patients, to have access to the most appropriate information for proper treatment, yet want them to be liable if treatment is inappropriate due to lack of good information. She feels that there is a balance, but that it was not presented at today’s hearing.
“The prospect from our perspective is that technology in this area has the real benefit of potentially saving hundreds of billions of dollars…in the health care system while at the same time dramatically improving the quality of care for patients,” Ms. Canfield stated.
Dr. Rippen asked for suggestions on a system or process in which an individual consumer could indicate that he or she does not want a particular piece of information flowing down a router. Ms. Canfield replied that information today resides with the PBM or insurers. She believes there is a tradeoff if consumers want claims paid, adding that she did not hear many solutions today to this very difficult question. PBMs, health plans, and consumers will all contribute information ten years from now, Ms. Canfield believes, adding that “there’s a flip side to the information flow and it’s a tremendous benefit to the society at large.”
DISCUSSION
Mr. Rothstein listed six items of business for the Subcommittee: determining follow-up actions for this hearing on e-prescribing and the security issues hearing tomorrow, November 19, 2004; planning for the one day RFID hearing on January 11, 2005, the January 12, 2005 hearings on decedent and archival health information and on disclosures to third parties, and two days of hearings on the NHII system and privacy.
Regarding e-prescribing hearings, Mr. Rothstein emphasized fitting with the work of the Subcommittee on Standards and Security, which was echoed by Dr. Cohn. Hearing planners had approached numerous individuals and entities to testify on e-prescribing, but were turned down because the topic is not on their radar screens yet, Mr. Rothstein stated. That includes provider groups and organizations that eventually will have very strong views on this topic.
The full Committee will look at a letter about e-prescribing for the next full meeting in March, Dr. Cohn commented. He feels that privacy and confidentiality in e-prescribing should be part of that letter but the topic needs more thought from Subcommittee members. As e-prescribing further evolves and actually begins to roll out, he believes the group will need to see if there are further interpretations or suggested modifications needed to the HIPAA Final Rule. The issues around e-prescribing are also the issues of the NHII, Dr. Cohn believes.
Mr. Rothstein proposed that the Subcommittee give examples of the kinds of issues and possible solutions that have been suggested in hearings. He and Dr. Cohn agreed that this group could not come up with concrete recommendations. Dr. Cohn is opposed to letters that spin off big concerns and issues without suggesting actions. Mr. Rothstein suggested holding privacy blank, saying just that there are many emerging privacy issues that will be considered under NHII.
Dr. Fitzmaurice proposed listing the issues raised and emphasizing that they are important enough to be considered in the pilots. He summarized the issues and suggestions of the panelists: make sure that e-prescribing complies with the Privacy Rule and all other existing privacy laws; patients should be educated and have access to all security and privacy policies, and communication should be in a friendly manner; there should be required consistency within and across states in the security and privacy standards; and patients should have the ability to opt out of e-prescribing use of their data, possibly even pick and choose who can see it. The group does not yet know the value or harm in the panelists’ suggestions, Dr. Fitzmaurice noted. He feels that pilots may show whether the software is sophisticated enough for a particular process, whether it is of value to the patient, and whether that value is greater than the potential harm from the physician not knowing enough.
Ms. Wattenberg changed the focus of the discussion, saying that the large majority of Americans are “woefully clueless” about these issues. “Consumers don’t understand who really gets the information now, who’s going to get it in the future, and how they can have an impact on that, and what the pros and cons are of opting in or out.” Getting informed information from consumers is essential, she stated, and will require changes in how the information is collected. She advocated establishing initiatives to ensure a dialogue with the right people so that people know what it is they’re supposed to be helping the Subcommittee consider.
Mr. Rothstein felt this was an excellent point, and wondered whether the e-prescribing public input should be a part of the public input on the NHII. He suggested the possibility of going on the road around the country with fact-finding hearings on NHII, like those on the Privacy Rule. Ms. Wattenberg noted that people must know what this is about before those hearings.
Mr. Houston emphasized that e-prescribing must be looked at in context to avoid gaps. Dr. Cohn pointed out that there is nothing yet for people to react to in the NHII, but e-prescribing is a little closer. He suggested considering a fair information practices approach as opposed to trying to educate the entire electorate.
The role of NCVHS versus the role of HHS was raised by Mr. Rothstein, who observed that NCVHS does not have resources to direct a national health information public awareness campaign. He noted that they are charged with obtaining information relevant to their recommendations. Ms. Friedman stated that people do not know that e-prescribing and electronic medical records are being fast tracked in the government. Pilots for Part D e-prescribing go live January 1, 2006, she added. She believes that education both inside and outside the industry is very important, even at HHS.
Regarding collection of meaningful data, Mr. Houston suggested structuring hearings and testimony so that people provide detail as to how to solve the problem and suggestions on NHII structure from a security and privacy perspective.
Before that point, Mr. Rothstein wants to have a sense of providers’ and public feelings on these issues. He believes groups that declined to participate on e-prescribing would contribute on electronic health records and privacy implications and implications for quality of care. From these broader hearings, the Subcommittee could distill a sense of what level of consumer control over the health record is reasonable and, if people want some level of additional privacy, what level of increased cost and decreased efficiency of care will be accepted. From there the group could approach the details Mr. Houston suggested.
Dr. Rippen suggested the Subcommittee begin by considering principles for EHRs in general and for e-prescribing. She feels that articulating the problem will show the requirements for the system. Principles also frame the issues and context, and might be useful in the future.
For the Subcommittee’s next action, Mr. Rothstein suggested including in the Standards and Security letter a concrete recommendation of privacy issues to be considered in e-prescribing pilots. This will support development of principles and possibly implementation strategies for the broader issue of electronic health records. He noted that he would draft text once he saw language from the Standards and Security letter.
Beginning discussion of the upcoming January and February hearings, Mr. Rothstein noted that he and Catherine Lorraine would work on the RFID hearing scheduled for January 11, 2005. For the next half-day hearing on decedent and archival information on January 12, 2005, Mr. Houston volunteered to take the lead, working with Ms. Wattenberg.
With its existing publicity, the RFID could raise the profile of these hearings, possibly attracting CSPAN with a demonstration of how it works, Dr. Harding suggested. He felt “a little bit of showmanship,” would make it generally interesting so that CSPAN might want to cover it and he encouraged any chance to raise public awareness. Ms. Lorraine concurred, and Mr. Rothstein added that such meetings are the only avenue for the public to have input into what is happening.
Mr. Rothstein reported that he and Dr. Rippen would develop the half-day on compelled disclosures to third parties for life insurance, employment and many other uses, and the implications for employee and consumer privacy. The first hearing that day would be on decedent and archival uses. Mr. Rothstein stated that the compelled authorization issue originated with him and is not a HIPAA privacy issue but does involve the non-discrimination title. After discussion of the scale of this topic it was agreed that it should be extended to a full day and RFID shortened to a half day. This would complete the initial foray into these areas by January, so that in February the group can move to NHII in earnest. Mr. Rothstein reported that he would work with Ms. Fyffe and Mary Jo Deering for the two day NHII hearing on February 23-24, 2005.
Regarding strategy for those hearings, Dr. Cohn advocated considering both a consent mechanism and a fair information practice model. The issue of differentiating between data in motion and data at rest was raised by Dr. Steindel, meaning data in an electronic health record or derivatives of that, which is usually associated with institutional or provider based care, versus the type of data transmitted between two institutions and the associated privacy implications and use at other institutions. Mr. Rothstein agreed that this is an important area to consider.
Mr. Houston expressed his belief that fair information practices should be used with a floor on acceptable use and clear patient’s rights. He feels that there will be fundamental questions about the use of data in the NHII for things like public health and research activities. Dr. Steindel added that the group should project ahead and consider what may exist in the future.
Taking a broad view, including not only NHII but personal health records, electronic medical records, email and other types of automation, was suggested by Ms. Fyffe. A discussion followed of the privacy pros and cons of paper systems.
For starting a major look at the NHII and privacy and confidentiality, Dr. Cohn felt it would be valuable to take at least a day for education from experts with different perspectives. Mr. Rothstein recalled a suggestion to broaden the type of witnesses to testify about NHII, such as an anthropologist, a sociologist, psychologists and bioethicists. He suggested putting that group at the beginning to provide an overview. Dr. Rippen suggested a grounding session to learn from thought leaders what privacy principles to consider with an NHII. She also felt it important to identify the point at which there is enough justification to reveal information, then see how technology can help set that point to make information available when it is truly beneficial. She argued that 95 percent of the time, having that information will not make treatment better per se.
Mr. Rothstein expressed interest in getting a sense from Dr. Brailer of public views and comments to his RFI, but these comments would not be returned in time for the hearings. Ms. Fyffe explained that Dr. Brailer is looking to the NCVHS for expert help to surface issues and provide recommendations, particularly in the area of privacy. Mr. Rothstein added that Dr. Brailer strongly believes consumers will require some control of the health record.
In considering whether to ask for testimony from the usual group: the AMA, specialty colleges, hospitals, privacy groups, etc., Ms. Fyffe suggested that the financial services industry has in some ways been down this path before and might share lessons from their experiences. Dr. Cohn felt that this could be applicable to implementation and consumer attitudes. Dr. Steindel agreed and emphasized that industry’s experience of initial visceral reactions to problems.
Mr. Rothstein felt that a sociologist of privacy might include experiences of other sectors in his or her presentation. Mr. Houston suggested contacting someone from a research project on attitudes towards privacy and availability of information for research purposes. Mr. Rothstein indicated that Vickie Mays would provide a population health perspective.
For the February 23-24, 2005 hearings, Mr. Rothstein proposed discussing the value of hearings on the topic around the country to get input from different groups. He confirmed that March dates are being held for topics to be determined. It was also noted that MPI is on the Subcommittee’s agenda but has been bumped back.
DAY TWO
Mr. Houston provided background on the issue of medical equipment security issues. Providers have concerns that the HIPAA Security Rule will have an impact on compliance as it relates to medical equipment, software and other items that are in some way regulated by the FDA. In order to comply with HIPAA, providers need to be able to do things such as manage and patch devices but feel they are not able to because of the FDA regulations.
Quality assurance typically needs to be performed prior to a patch being installed on a regulated piece of equipment, Mr. Houston reported. He gave the example of medication administration carts that have an embedded NT operating system. He raised the issue of whether this necessarily runs afoul of HIPAA and what its impact may be on HIPAA compliance.
Medical Equipment – Panel 1
C. David McDaniel, Veterans Health Administration
The Department of Veterans Affairs, Veterans Health Administration, uses the same advanced technologies as other health care providers, Mr. McDaniel stated, and purchases scores of medical devices that are critical to their operations. He noted that medical devices have inherent limitations related to the recently identified security capabilities. There are cases when adding security to a device renders it ineffective to operate appropriately.
The cycle for new medical devices to be delivered to the market takes about three to five years. The vast majority of products now available and the legacy inventory of medical devices in hospitals today still have limitations for security capabilities, Mr. McDaniel explained. With the enforcement of the Security Rule, he believes that additional requirements will have to be considered for PHI held in medical devices and in other systems used by health care providers.
Medical device capabilities and their lack of security capabilities have become a major stumbling block to VHA, Mr. McDaniel reported. He feels it is unlikely that these changes will be developed and certainly will not be in place in U.S. hospitals by April 2005.
VHA is taking precautions to secure medical devices where possible. Mr. McDaniel explained that, to minimize access, they have already isolated medical devices from other systems containing PHI. They are looking for ways to make their devices inaccessible to people who do not have a need for those devices or the PHI they contain. He stated that protecting this information is not negotiable and acknowledged that there are limitations to many devices currently used in VA medical centers.
Mr. McDaniel outlined VHA’s options for complying with HIPAA by April 2005. First, they are making this issue of deficits in medical device security known to HHS. VHA is looking to the NCVHS to convey this issue to the Centers for Medicare and Medicaid Services. He emphasized that they do not intend to blame device manufacturers or to proclaim that this is an insurmountable issue. With the right amount of time and effort, he stated, this can be resolved.
The second option is to assess the information security risk of each medical device and mitigate that risk as much as possible. This includes using any existing access controls and minimizing access to devices themselves where possible. He believes that the optimum solution for this option would be to partner with other health care providers and develop a strategy to divide this process of assessing the risk of the many medical devices in use. He found the third option, simply waiting, a cause for serious concern.
John Murray, FDA
The software and electronic records compliance expert in the USDA Compliance and Center for Devices at the FDA, Mr. Murray spoke about cyber security as it relates to medical devices.
The majority of medical devices today function only in the present, Mr. Murray observed, delivering therapy or providing timely diagnostic information to a clinician. Some may record limited past performance for archival purposes. Increasingly, medical devices are being connected into networks with a variety of communication media and protocols available to medical system developers. Network connectivity has made great inroads in in vitro diagnostic devices for medical laboratories and image processing storage and display systems for radiology. Bedside and operating room devices are also increasingly being attached to a network.
Mr. Murray called this connectivity “both a blessing and a curse.” Benefits include remote process and display, real-time patient information, and collection and storage of information. Networked systems can aggregate information from multiple sources to aid diagnosis and treatment. These communications reduce the potential for data corruption and operator error. However, security threats multiply when medical devices are connected to an internal network or the Internet. The emerging threats require sustained effort to maintain the integrity of the data.
A specific targeted attack on a specific medical device would be exceedingly rare, Mr. Murray believes, but cannot be discounted. He explained that MAWARE, malicious software, can be incorporated into a commercial off the shelf (COTS) software product or a network component. Most MAWARE targets COTS software because these products are generally not designed for high risk applications. Medical device manufacturers must be very cautious when applying COTS software to their products, he noted, because network outages may impact patient care.
Mr. Murray described the challenge to the FDA: to ensure that network-connected medical devices are adequately safeguarded, working within the required regulatory framework. The FDA’s principal concern is risks to health, he stated, adding that other stakeholders are also concerned with protecting information privacy and minimizing economic risk. He asserted that risks must be balanced against costs and benefits.
The FDA feels that responsibility for cyber security must be shared by health care organizations, suppliers of network infrastructure, and the manufacturers of medical devices, whom the FDA directly regulates. Mr. Murray explained the FDA focus as properly leading and motivating the technical and scientific experts, and he noted that the software engineering community, not the FDA, will dictate the solutions to these threats.
Mr. Murray suggested that accepted practices and techniques currently in use in the IT community can also mitigate cyber security threats. The FDA is working to clarify how existing rules and regulations apply to breaches in cyber security and to the maintenance of COTS software to address cyber security concerns. He stated that a formal policy statement on cyber security patches for the medical device industry has been drafted and is currently being vetted.
Mr. Murray shared the five key points of that guidance. One, FDA regulations require that medical device manufacturers systematically examine all sources of quality data and implement actions needed to correct or prevent quality problems. Two, FDA pre-market review or prior approval is rarely required prior to the implementation of a software patch. Three, FDA regulations require that design changes be verified and/or validated, reviewed and approved prior to implementation. Four, medical device manufacturers should maintain formal business relationships with their software vendors to ensure timely receipt of information and recommended corrective actions. These regulatory requirements can be satisfied by establishing a documented software maintenance plan. Five, under some circumstances, FDA will consider a software patch to a medical device to be a recall. FDA recognizes that routine cyber security patches are a fact of life for COTS software today. When the software patch affects either the function or the performance of the medical device, the corrections should be reported to the FDA even if a software maintenance plan is in place.
To develop a shared understanding of this problem and find consensus solutions, FDA software engineers are meeting with members of the health care community, device manufacturers, trade associations, standards developing organizations and other stakeholders. Mr. Murray reported that they see no need for new, burdensome FDA regulations concerning cyber security, but feel that the established principles of the quality and risk management systems should provide adequate guidance. FDA views the HIPAA Security Rule as one more element in the medical device manufacturers’ environment. He noted that measures to safeguard privacy are often important for the safety and effectiveness of medical devices. He added that FDA regrets that resource limitations have impeded outreach to other operating divisions in the HHS family.
DISCUSSION
Mr. Rothstein raised the issue of giving an additional time period to comply with the Security regulations. In response, Mr. McDaniel stated that a projected compliance date would be relative to when they could have devices with those security capabilities.
Mr. Wexler explained that the difficulty with legacy medical devices especially is that they may be running on commercial operating systems. Devices were designed for safe, efficacious patient treatment, not for security. They cannot be reengineered and may lack even simple password protection. He felt that a minimum time estimate is five years for new, compliant products and that it would be necessary to grandfather other devices until they are out of the inventory. Mr. McDaniel added that a five-year timeline makes the assumption that all old devices would immediately be replaced, which would be a catastrophic cost to the VA. This is an industry wide problem that affects everyone in health care, Mr. Wexler observed.
A typical general hospital would have less risk than the VA, Mr. Wexler agreed with Dr. Harding, because the VA makes extensive use of electronic health records. The benefit of networking more devices is the immediate transfer of information to the electronic record and to the clinicians, but connection does increase cyber security threats. Mr. McDaniel added that other health care providers will face the same issues with regard to access controls.
Mr. Wexler described how the VA is protecting their networked medical devices. They have closed unnecessary access ports on devices and require that all devices be connected to their networks in a virtual LAN configuration, providing some isolation from the network and from outside accessibility via e-mail and Internet. This also requires an access control list allowing a given device to speak only to certain ports or protocols based on need. For example, a CT scanner built on a commercial operating system might previously have had more than 130,000 ports open. A CT scanner only needs to speak to a laser printer and to the hospital information system, so all the other ports have been closed. The VA has produced a document on how to do this and shared it with other health care organizations.
Mr. Murray pointed out that another growth issue at the FDA is in electronic records and signatures. They are trying to get to the point at which computers can actually do all that is wanted of them, and he explained that compliance deadline pressure is necessary to keep progress moving. “This is true for the Sarbanes-Oxley bill, or HIPAA, or Part 11, all are a matter of transforming computer technology and it’s going to take some time,” he stated.
Responding to Dr. Cohn, Mr. Wexler described the operating system update process for medical devices. When a patch is released from a COTS operating system such as Microsoft Windows, it is part of the quality maintenance plan. End users are accustomed to getting updates to correct potential errors in a device. This is out of the direct control of the medical device manufacturer because they license an operating system from someone else, he explained. The VA expects manufacturers to continue to analyze and test patches and make them available, legacy systems or not, for the life of the equipment. He noted that the Security Rule requires all kinds of actions on these systems that were never designed in them originally and stated that users cannot require manufacturers to redesign the way an operating system works. They also will not switch operating systems on those devices because that would also require a redesign.
Mr. Murray explained the FDA pre-market review process in response to questions from Mr. Houston. For an existing device that already has pre-market approval, if there is no change in the intended use and no new elements of risk, then further pre-market approval is not required. He noted that this is addressed in detail on the FDA website. He provided the example that changing from a Pentium three to a Pentium four, or Windows 3.1 to 3.2, would not generally be considered new introductions of risk, so no pre-market approval was required. However, change from a digital alpha process to a Pentium would be a significant change with risk requiring further evaluation. He added that they have become more comfortable with the changes in software technology and have focused on more in the medical technology.
By April 1, 2005, Mr. Reynolds observed, institutions where existing equipment is not going to meet the letter of the Security Rule must do an assessment, put their plan together and update their policies and procedures. They should work with the vendors on an upgrade schedule and evaluate any new equipment against the rule prior to purchase. He asked presenters to confirm whether those approaches would be worthwhile for all providers to take.
Mr. McDaniel expressed the VA’s concern in the number of devices and the fairly short time to assess level of risk. He added that once a determination is made, they cannot simply choose to accept that risk for every legacy device. They must decide how to mitigate it, which may mean that the device becomes difficult to use. “Just because the Security Rule asks you to assess, it does not absolve you of the requirement to do something about high risks,” he observed.
FDA regulations do not address security, Mr. Murray explained. Instead, their focus is on patient and operator safety. A security problem may come up as a possible root cause of a safety issue or a risk issue to patients. Mr. Houston asked whether, as HIPAA is a federal law and Security Rule implementation is required by providers, the FDA could recognize that as a requirement and include in its evaluation. He added that a virus or cyber security problem could cause risk to a patient, and Mr. Murray felt this would fall within the FDA domain.
With AdvaMed, Mr. Murray and Mr. Wexler are putting together a two day workshop beginning Monday, Nov. 22, 2004 on cyber security breaches and patches, with Microsoft and IBM presenting. Mr. Murray expressed the problem as “how do you meet the Rule and meet the safety requirements of the FDA in an effective way.”
Mr. Houston asked whether the technical HIPAA Security Rule on appropriate authentication or authorization on a computer system is a bigger issue for the VA than the cyber threat. He also asked what technical area has the greatest non-compliance. The VA is concerned with both threat aspects, Mr. McDaniel stated, noting that many devices cannot limit access. Employees know to follow the minimum necessary standard. Mr. Wexler, however, felt that cyber security is the bigger concern because the health care industry is one of the first responders in a terrorist attack, and Mr. McDaniel concurred with this position.
Regarding vendor responsiveness to these issues, Mr. Wexler stated that manufacturers, end users and regulators have all needed to study and understand the issue and are still in the awareness phase. The global manufacturers with whom they work regularly have made an effort to come up with new technical solutions, but patching is still a source of frustration. He has never excluded a vendor from further consideration due to lack of response to these issues.
Observing that, with worms and viruses, a device in theory is only vulnerable because of the network’s vulnerability, Dr. Rippen asked about responsibility for ensuring the safety of the network, which is difficult, versus hardening a device to minimize or prevent an attack from occurring if the network fails.
The risk model is evolving, Mr. Murray stated, and medical device companies must deal with this and learn quickly about systems from Microsoft, Oracle and HP. He noted that they are trying to balance the real risks against the cost and efficacy benefits of using COTS software and networks. He feels that manufacturers will begin to address security, in part because of the legal liability of not doing so. He also noted that he participates on an HIMSS (Medical Device Security Subgroup) workgroup that has developed a consensus standard form called the manufactured disclosure statement for medical device security, MDSMDS or MDS-2.
Medical Equipment – Panel 2
Robert MacNeil, McKesson Provider Technologies
McKesson believes that the protection from malicious software clause in the HIPAA Security Requirements is effectively a required implementation, Mr. MacNeil noted. He described possible consequences of malicious software, including disabled systems, compromised or missing patient data, and unauthorized disclosures of patient information.
Mr. MacNeil stated that detecting and guarding against malicious software requires the regular application of current technologies in security software, such as anti-virus programs, software firewalls, spyware detection, etc., and their updates. He reviewed the HIPAA Security Requirements on the manufacturers of Picture Archiving and Communication Systems (PACS). PACS contain PHI and are medical devices regulated by the FDA under 21 CFR part 892.2050. (Wording of that section is included in the meeting transcript.) He also noted that, unless specifically exempted, all firms designing, manufacturing, installing and servicing medical devices are required to be compliant with Quality System Regulation, QSR.
PACS typically utilize custom software created by the PACS manufacturer running on an operating system plus third party support applications such as anti-virus programs, software firewalls, workstation control and monitoring programs, etc., plus software updates.
For each medical device, Mr. MacNeil reported, the QSR requires manufacturers to maintain a device master record with all the specifications used to manufacture, test, install and service the device, including software. Firms must perform design validation and document the results. They must also report to the FDA corrections to medical devices, including software updates or patches, when the correction was initiated to reduce a risk to health posed by the device. Whenever the software configuration of a device changes, the device firm must maintain records of and validate the revised device configuration, possibly with a report on the correction to FDA.
Mr. MacNeil explained McKesson’s experience with security software updates from third parties. Almost all involve weekly virus definition updates and monthly updates on Windows operating system components and utilities. There are also non-periodic updates of such components based on the severity of the risk. For McKesson PACS, one person-day is required to assess, validate, document and disseminate in full on a single software update from Microsoft. McKesson receives zero to three days lead time on the details of the updates, the vast majority of which can be installed without customization by McKesson and do not negatively affect McKesson PACS. Less than five percent involve some customization. Virus definitions updates typically do not affect the McKesson PACS configurations, he noted.
Through testing, McKesson has found that Windows XP Service Pack 2 (SP2) negatively affects McKesson PACS configurations, Mr. MacNeil stated. However, McKesson has validated most of the individual patches that form SP2 and recommends their individual installation.
Mr. MacNeil emphasized the importance of balance in implementing protection from malicious software. If the health care provider waits on the medical device firm to provide assurance that the software update is validated, then his or her only risk is running an unpatched system during the “vulnerable period.” However, if the provider does not wait and instead installs the software updates before validation assurance is given, he or she risks running a modified product not approved by the medical device firm, possibly negatively affecting the operation of the device.
McKesson’s position is that the HIPAA Security Regulation is not in conflict with the FDA quality system regulation or the corrections and removal regulation. The requirements on medical device firms to validate software updates provides greater assurance to health care providers, Mr. MacNeil asserted.
Dave Kizner, Stentor
Mr. Kizner noted that Kaiser Permanente, University of Pittsburgh, and the VA medical system are all current customers of Stentor. He added that much of his presentation is taken from the NEMA paper on patching COTS software.
Use of COTS software is particularly prevalent in medical devices in part because of cost savings to manufacturers and end users, Mr. Kizner stated. Stentor’s iSite PACS is a networked medical device that incorporates COTS software. It enables clinicians throughout a health care enterprise to view and manipulate digital medical images and related patient data using a Windows-based client server architecture. The Windows Server operating system and the SQL server database are incorporated as components of the Stentor iSite PACS. Clinicians can log in to the Stentor server using “clients,” which are standard Windows based computers. The Stentor user interface on each client computer is a plugin to the Internet Explorer browser.
Unfortunately, hackers and computer viruses often target widely used commercial software because weaknesses are known and the impact is widespread, Mr. Kizner explained. Another disadvantage is that COTS software vendors do not design their products to the same quality standards used by medical device manufacturers, and bugs are common.
COTS software vendors issue patches or updates to fix a variety of security, privacy, or stability problems. The COTS software vendors’ procedures for testing or updating do not address the safety and effectiveness requirements mandated by the FDA for medical devices. The QSR helps ensure that medical devices are safe and effective for their intended use, Mr. Kizner stated, but COTS software is not subject to the QSR. Current FDA policy is to rely upon the finished device manufacturer to ensure that components are acceptable for use. Like Mr. MacNeil, Mr. Kizner emphasized the dilemma between the desire to rapidly patch software and the need to rigorously test component patches for device safety and effectiveness.
It is impossible for a medical device manufacturer to guarantee a turnaround time for patching COTS software, Mr. Kizner stated, adding that manufacturers and providers can develop procedures to better manage the patching process. He recommended the patch deployment outline set forth in the joint NEMA/COCIR/JIRA Security and Privacy Committee white paper titled “Patching Off the Shelf Software Used in Medical Information Systems.”
Mr. Kizner described the steps in the outline: availability awareness by manufacturers and providers; vulnerability risk and impact assessment by the medical device manufacturer; patch impact analysis by the manufacturer; patch validation to assure proper functionality; patch delivery and installation, which may involve system down time; and finally, confirmation of successful installation and device performance. He commented that the process involves cooperation between vendors and health care providers.
In some cases, Mr. Kizner stated, the impact of a patch can be worse than the impact of the vulnerability. In these instances, the device manufacturer should define and implement risk mitigation measures and provide guidance. He emphasized that providers should not be patching systems on their own without input from the vendor, adding that patch management is only one small aspect of ultimate network security. Health care providers should implement a strategy that includes firewalls, intrusion detection systems, virus protection, auditing and authentication.
Jim Keese, Eastman Kodak
Mr. Keese spoke on behalf of NEMA and also discussed what Eastman Kodak is doing to transition from legacy systems. He noted that, although COTS software lowers costs and provides rapid system development, it has created concerns and challenges for the industry.
To address the transition from legacy to current, Mr. Keese explained, NEMA and other industry groups have been working since 2001 to collectively bring best practices, thoughts and resources together from medical manufacturers to provide guidance, technology, solutions and services. He stated that the group has considered that there is “an enormous cost associated with compliance.” The scope of the group addresses all system components and accessories used in IT systems for clinical devices used for diagnostic purposes in patient care.
Mr. Keese reported that the Security and Privacy Committee (SPC), founded by NEMA, COCIR and JIRA, has developed white papers that are available at www.nema.org/medical. They have also provided security architectures for patching, remove access and digital certificates. He emphasized that medical devices cannot be treated the same as desktops; a number of steps need to happen to ensure patient safety and safe continuing operation.
NEMA is working with the VA on developing the best practice for risk management to address and comply with the Security Rule and to assure uninterrupted patient care. Mr. Keese stated that in several instances, his company has been unable to deliver systems, operate systems, or provide services because of interpretation and enforcement of the Security Rule. NEMA is also working with the HIMSS, the Medical Security Device Workgroup, on the MDS-2 form, a standard template for customers to evaluate a technology’s security compliance before purchase.
White papers and guidance documents have been developed to help educate the industry, Mr. Keese stated, adding that one of the biggest issues is the confusion of how to interpret these regulations and rules. NEMA has been working with AdvaMed to bring the manufacturer form together with regulatory requirements. He explained that the medical manufacturing community, payers and providers, and industry trade groups have united to provide consistent message, consistent technology and consistent practices. NEMA has the support of the FDA and the VA in this area. He closed by asking how NEMA can assist HHS and NCVHS in educating, communicating, and providing consistent information from the medical device industry.
Peggy Hanney, Phillips Medical Systems
Ms. Hanney included Phillips Medical Systems in the group that is supporting NEMA’s efforts. She noted that DOD health care was not represented at the hearings but is very important. Mr. Houston reported that they were supposed to participate but had to cancel at the last minute.
All of the manufacturers have tried to go to the contract acquisition side for language, Ms. Hanney stated, but there are no requirements in writing in the language. She explained that the industry is looking for consistency in some of these requirements and looking for language in the contracts that providers use for purchasing. The contracts have an average life span of three to five years and none have been up for negotiation since the HIPAA regulation began more than three years ago. She strongly encouraged acquisitions to be involved in the process.
Ms. Hanney reported that her company has had many work stoppages, impacting not just the manufacturer but the patient, when a product is not delivered to a facility. She explained that most manufactures have at least 110 products, so companies are faced with other issues. Should engineers focus on legacy products from five or six years ago, or on engineering new technologies for the health care environment?
DISCUSSION
The panelists agreed that about 80 percent of medical devices are run on a Microsoft platform. Mr. Keese noted that there are also exploitations and vulnerabilities in other operating systems including Solaris, HP Unix platforms and Linux. Regarding time requirements for testing patches, Mr. Mac Neil reported that it required nearly a full week to confirm that SP-2 would break McKesson’s system and to look for other options. Ultimately, they focused on SP-2’s individual patches. Mr. Kizner added that SP-2 also broke some of the links to other products.
Mr. Houston asked whether there is general customer awareness that they should not simply be patching systems. The panelists stated that manufacturers have been aggressively promoting education. Ms. Hanney stated that the IT community has widely varying interpretation of a 1997 memo, 6210, that was deployed to all the veterans hospitals. Industry groups have made great headway in amending it, she noted, but it impacts education. Mr. Wexler felt that a bigger issue is the disconnect between those familiar with medical device operations—the biomedical engineering community and manufacturer service representatives—and the IT world. Education in this area is also crucial, he believes, because medical devices do not work like desktops.
For a recommendation to the Secretary, Mr. Rothstein saw one option as saying that legacy devices should not be regulated until they are replaced. Another option could be that, in enforcing the Security Rule, the department needs to be more flexible in terms of some legacy devices in moving towards full compliance. But in the interim there must be reasonable steps taken by providers. This would be a vague standard to apply, he felt, and asked the panelists to recommend more concrete steps for inclusion in a revised rule or guidance to help covered entities and manufacturers during this transition period.
Mr. Keese reiterated his opposition to removing the pressure with an extension to this rule because the same predicament will arise as a new deadline approaches. He recommends that each of the organizations does a gap analysis and identify the high risks, then develop guidelines that assist customers in identifying the high, moderate and low risks. Phillips would support that risk mitigation approach, Ms. Hanney stated.
To define high vs. low risk, Mr. Keese recommended reviewing existing guidance on risk levels and looking for ways to apply current industry standard practices. For lower risk conditions, Mr. Rothstein proposed satisfying the Security Rule with administrative controls rather than engineering controls, such as keeping equipment in a locked room, used only under supervision. Mr. Wexler supported this approach and emphasized that risk cannot be completely eliminated. He added that health care requires a somewhat open environment in order to operate effectively and agreed that the bigger issue is cyber security for all devices. He advocated securing devices as much as possible and managing the risk to the networks.
These devices risk inadvertent release of PHI and risk patient safety when a medical device ceases to function properly, Dr. Steindel observed. He believes there are different solutions to the two, and Mr. Keese felt the practical application of those solutions is probably the same. He feels vendors must make sure that products have built in capabilities and functionalities to enable compliance and start to reduce this risk. However, he expressed his concern about antivirus programs harming patients by utilizing too much of a medical device’s capacity.
Mr. Keese advocated the VA’s approach: contain, isolate and layer, and provide depth and defense. Medical manufacturers have been hardening devices and many device vulnerabilities cannot be exploited because those sockets, ports and services have been removed. “That’s the best practical approach: harden the systems, reduce the risk, and patch in appropriate time period once validated,” he explained.
Panelists further explained the situations in which customers were not implementing systems due to misunderstanding of the Security Rule. Ms. Hanney described being on site with trainers and systems, but being halted from installation because they “had not ‘met with their security environments.’” She believes this is a matter of educating the more than 150,000 IT providers in the health care network, versus the medical/biomedical people. She suggested working in conjunction with the FDA and providing education via their website.
Mr. Houston asked about the standard manufacturer device security disclosure form, and Mr. Keese confirmed that it is an evaluation form to enable customers to use a checklist to compare the Security requirements and the products before procuring and installing. He added that it was released ten days prior to the hearing (November 9, 2004) and has already been downloaded more than 448 times. The form was developed by a committee that included providers as well as medical manufacturers. Panelists confirmed that the form was intended to have all the required functionality necessary to comply with the HIPAA Security Rule.
In response to Mr. Houston’s inquiry as to whether that information could be warehoused online for customers, Mr. MacNeil stated that McKesson has a HIPAA readiness disclosure form online for all of their products, but customers still request completion of their own form. He expressed concern over whether numerous hospitals and providers would agree to one generic form. Mr. Houston believed that a form that can track the required elements of the HIPAA Security Rule and relevant Privacy Rule requirements would be a good avenue for readiness in the industry.
In discussing the compliance date and turnaround time frame for action by the full Committee, Mr. MacNeil observed that manufacturers are well aware of the HIPAA Security Regulation and its time frame. All of the panelists’ companies have put in effort to make sure that they will have compliant products by the deadline, and have evaluated their own legacy systems and indicated to customers where updates can be provided, he stated, so some legacy products will be ready, but some will not. These older legacy products would require evaluation by providers, he explained.
Mr. Wexler felt that something must be put forth by the Subcommittee, because if not, all the legacy systems will be technically non-compliant. Mr. Rothstein summarized what the Subcommittee might state: in this transition period, some legacy devices and equipment cannot be fixed in time and some cannot at all. The Subcommittee is trying to determine what combination of steps can provide the optimum feasible protection. They have discussed risk analysis to focus greater effort on high risk devices and have explored prioritization and back up administrative controls.
With legacy systems, patient safety should take priority over PHI, Mr. Reynolds emphasized. He added that virus situations impact patient safety and should be dealt with regardless of whether a device is legacy or new, because a virus is really an institutional problem.
Dr. Harding clarified that they were recommending scalability of enforcement based on risk assessment, and Mr. Murray agreed. He described the flexibility of the FDA regulations.
Non-compliant providers might be required to provide RFPs and RFQs they have submitted to vendors, their records, their analysis, what they have done about this, how they are addressing that, Mr. Murray stated, adding “You want them proactively involved in this problem.” He suggested that the Subcommittee say that it wants providers to meet the rule but realizes that may not be possible. In that case, providers should use risk analysis engineering methods and keep good records about what steps were taken. “Show us your best effort, and then people can make a decision about whether…they’re actually moving forward,” he proposed.
DISCUSSION
Mr. Houston observed that education and practical compliance guidance for legacy devices are most needed and that it really is not just a medical equipment problem. He believes the Subcommittee can recommend to CMS that educational materials need to be posted online like the FAQs. These would explain how to effectively address legacy equipment and give specifics based on panelist information. Excessive detail should be avoided in the recommendation.
Mr. Rothstein suggested sending a factual summary of the hearing’s key points without incorporating those into the recommendation itself. They would recommend only that the department issue guidance on the issue of legacy equipment and devices. Mr. Houston observed the need to provide this information soon, and Mr. Reynolds noted the mechanism on the CMS website for frequently asked questions.
To take up the issue before the March 2005 meeting, the Subcommittee would have to approve a letter and recommendation and then go through the executive committee for approval with the assumption and the explanation that time is of the essence.
Mr. Wexler noted that he would like to see many toolsets in terms of guidance material provided to the using community. He suggested that the form developed by HIMSS could be used not only for new devices but also to analyze risk in legacy systems. For legacy systems, he suggested recommending to the using community that they come up with a formal process to document compliance and then record what they are doing to mitigate outstanding risks.
An urgent letter should be very specific, Dr. Cohn reminded the Subcommittee, suggesting that less-urgent subjects be deferred to March. It was agreed that Mr. Houston would draft the letter by the second or third week of December 2004, circulate the draft via email, gain consensus and move forward. A conference call could be scheduled if necessary. Dr. Cohn suggested that news from the December 8-10, 2004 Standards and Security hearings could be communicated to Mr. Houston for inclusion in the letter.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
/s/ 5/10/2005
Chairman Date