National Committee on Vital and Health Statistics
Subcommittee on Privacy
Hearings on Privacy and Health Information Technology
August 17, 2005

Testimony of William R. “Bill” Braithwaite, MD, PhD, FACMI
Chief Medical Officer, eHealth Initiative, Washington, DC

My name is Bill Braithwaite, Chief Medical Officer of the eHealth Initiative (eHI) based in Washington, DC, a non-profit organization dedicated to driving improvement in the quality, safety, and efficiency of healthcare through information technology.  I’m sorry I could not be there to testify in person but I’m happy to join you by phone to be part of the discussion of privacy issues related to health information technology (HIT) and the development of a national health information network (NHIN).  As many of you know, I was the main author of the Administrative Simplification Subtitle of HIPAA and during my 7 years at HHS I was a major contributor to the subsequent regulations setting the federal standards for transactions, code sets, identifiers, security, and privacy of personal health information.  I also staffed the President’s Information Technology Advisory Committee (PITAC) to produce their June 2004 Report, “Revolutionizing Health Care Through Information Technology”.  My view of the privacy issues around HIT and the NHIN is informed by that background and my subsequent broader experiences as a consultant and as an employee of eHI.

While working to drive the adoption of standards, interoperable healthcare systems, and connectivity to mobilize information within the healthcare system, we at eHI focus on improving consumer trust and confidence by bolstering the quality, privacy, and security of electronic health information.  As communities across the country mobilize information across organizations through multi-stakeholder collaboratives, eHI funds pilot projects and works to develop, share, and disseminate knowledge, resources, and tools to facilitate and support these community-based health information exchange efforts.

When I make on-site visits to such collaboratives, the most frequent questions I get are about privacy and security.  They are very concerned about whether the HIPAA Privacy Rule allows them to share information in the way they plan.  They are very anxious to get HIPAA compliant model policies, procedures, and agreements that can be adapted to their particular circumstances and state laws.  These are products expected of the Markle Foundation’s Connecting for Health Project that Mr. Hinkley talked about.

In eHI’s June 2005 electronic survey of over 100 communities that have implemented or are trying to implement health information exchange projects, one of the questions we asked was, “What are your most pressing challenges related to your health information exchange effort?”  Of the 93 respondents that answered that question, the selection, “Addressing privacy and security issues – HIPAA and other” was rated by 13 as a “Very difficult challenge”, by 49 as a “Moderately difficult challenge”, and by 31 as “Not a challenge”.  Fifty nine percent of the respondents who identified themselves as well underway with implementation or fully operational cite that their policies regarding privacy go beyond HIPAA requirements.  Since 2/3 of these communities still consider privacy and security issues to be a significant challenge to their health information exchange efforts, my experience and these results both support your efforts to gather information on this topic and make further recommendations to the Secretary of HHS.  These communities need guidance and technical assistance on sometimes complex privacy and security issues before they will feel comfortable moving ahead.

Having said that, I tend to view the principles underlying privacy issues at a basic level, and I find the following approach very understandable when I explain it to patients, healthcare providers, and administrators.  I relate all of the provisions of the HIPAA Privacy Rule to the following distillation of internationally accepted codes of fair information practices into five principles: Notice, Choice, Access, Security, and Enforcement.

  1. Notice: the existence and purpose of record-keeping systems must be known to the subjects of the information.
  2. Choice: information must be collected only with knowledge and permission of the subject; used only in ways relevant to the purpose for which the data was collected and about which the subject was informed; and disclosed only with permission of the subject or in accordance with overriding legal authority.
  3. Access: the right of a subject to see the content of records about them and propose corrections to the information through a due process that assures the accuracy, completeness, and timeliness of the information.
  4. Security: reasonable safeguards must be in place for the confidentiality, integrity, and availability of the information for its intended purposes.
  5. Enforcement: assurances must be in place that violations of the above principles will result in reasonable penalties to deter such violations and force mitigation of the effects of the inevitable, but hopefully rare, breaches.

Don’t misunderstand me.  Despite the simple nature of these 5 principles, applying them to the most complex human endeavor in history (our healthcare system) is not at all simple, and many of the privacy and security questions that arise are not answered directly in either the HIPAA Privacy Rule or the guidance available from HHS.  In this situation, one can use the basic principles to make a reasonable judgment about what is the right thing to do.  I think the experiences of the Connecting for Health Reference Implementation Project that Mr. Hinkley has talked about point out how every design and implementation decision connected with health information exchange must be examined carefully for alignment with these principles and all decisions must be documented along with their rationale.

Since Mr. Hinkley talked about the practical aspects of how privacy issues covering the first 3 principles are being handled in the Connecting for Health project, I want to talk in some detail about the last two principles, because you can’t have privacy without appropriate security and enforcement.

Security

The HIPAA security rule sets very general principles in place that apply to covered entities holding protected health information (PHI).  However, because HIPAA gives each organization the flexibility to implement security in a different way, implementing security when exchanging PHI between organizations on the NHIN requires a more well-defined, standard set of mechanisms than when you are sharing it among known and understood electronic systems under the control of a single organization.  Sharing PHI between institutions requires a degree of trust in the technology (and in the other organizations) that is mostly not there today.

I think the NHIN will fail miserably if we don’t solve the trust issue around Internet communications.  I believe that the NHIN must be built on top of the Internet and that eventually, every communication on the NHIN must be secured.  Mr. Hinkley has discussed the contractual approach to building that trust between organizations; I am going to talk about the standard security mechanisms that must be in place to support that trust: authentication, authorization, non-repudiation, auditing, encryption, and transportation.

Authentication: requires face to face interaction and documentation presentation with someone who can authenticate identity and to whom it is an enforceable offense to lie.  At the moment, the only person who can do that with any authority nationwide is a Notary Public; totally paper based, difficult to verify, and currently not capable of issuing the verifiable electronic certificate that is required in implementing the NHIN.

Authorization: requires secure, digital evidence that credentials a specific entity with certain professional capabilities, roles, and relationships, such as physician, nurse, or employee of an authorized institution.  Licensing boards only provide a partial solution for part of the healthcare workforce.

Non-repudiation: a secure mechanism that identifies an individual as the source of a communication in a way that cannot be denied.  An electronic signature can be used to provide non-repudiation and guarantee that a message has not been altered in transit, but this requires a trusted source for keys tied to the authentication mechanism and a standard algorithm that everyone agrees to use.

Auditing: a record of what information about whom was sent by whom, and to whom, and when, is critical to the enforcement of privacy and security principles.  It is not enough to record an audit trail; it must be regularly analyzed by software and humans to detect and investigate anomalies.  This is required now under HIPAA security rules, but is poorly implemented in most healthcare environments.

Encryption: a mechanism used to assure senders and receivers of a communication that the communication could not reasonably have been intercepted by others and was not altered in transmission.  Again, a trusted source for keys and a standard algorithm are needed.

Transport: the Internet is the obvious mechanism to tie all of healthcare together; even rural, single office practices can get access through dial-up or satellite.  Cost is an issue for some but could be mollified by using the same connectivity for other purposes such as telephone and television, or perhaps some reimbursable telemedicine.

Getting authenticated and getting keys and getting security software to use are each relatively trivial, but they can be expensive, can come from many sources, and can be used in many different ways that are incompatible if specific standards are not followed.  We need a single set of standards to use and an inexpensive, consistent way of getting and implementing these security elements that can be trusted; technically, fiscally, and philosophically.  The standardization, creation, and maintenance of this relatively complex constellation of services are critical to the future functioning of the NHIN in a way that protects the privacy and security of health information.

Enforcement

As I have said, you cannot maintain the trust level necessary to feel comfortable about exchanging PHI if breaches in privacy and security are not dealt with appropriately by enforcing the rules and contracts against those who intentionally or negligently ignore them, including requiring actions that mitigate, as much as reasonably possible, the negative results of breaches.  Privacy and security can never be perfect and breaches will happen.  It is important to plan ahead for what we will do when they do happen.

HIPAA was written with significant civil fines for privacy breaches, but with enough leeway that the primary push was for mitigation of accidental breaches that happened and for resolution of system problems to prevent them from happening again.  As they finally passed in law (with smaller fines) and have been interpreted and implemented in practice by HHS, the civil enforcement process is a mild deterrent.  The moderate HHS resources dedicated to enforcement and the lack of enforcement actions resulting in civil penalties may be reasonable, but only time will tell if these are effective.

HIPAA also instituted severe criminal penalties to deter individuals from making knowing decisions to violate a patient’s privacy for their own purposes or gain.  The fear that resulted in the healthcare industry made people pay great attention to the Privacy Rule and probably led some in the industry to take steps that are more conservative than intended.  For example, I often hear from frustrated providers who asked a hospital for a copy of the records on a patient that they were seeing in the emergency room and who were met with a ‘stone wall’ denying them access to the record without a signed release from the patient “as required by HIPAA!”  The HIPAA Privacy Rule has made it very clear that HIPAA does not impose any such requirement or restriction on a providers’ ability to share or get information on a patient for treatment purposes.  There is much education still to do in this area.

As I am sure you are aware, the June 1, 2005 Department of Justice opinion on the scope of criminal enforcement under HIPAA may have made these criminal penalties ineffective.  Clarification or a new law may be required to remake “the punishment fit the crime.”

Conclusion

While organizations like Connecting for Health are coming up with the technical and contractual means for implementing a reasonable model for federated health information exchange mechanisms nationwide, I believe the federal government, and especially HHS, must take action soon to support these efforts with appropriate infrastructure.  Only the federal government has the breadth and authority to set national privacy and security standards for health information exchange and to either implement or cause to be implemented the Internet services described above in a sufficiently robust and trusted manner that they will be adopted and used by healthcare organizations nationwide.  Leadership by CMS in adopting the Internet and this interoperable communications infrastructure for the purposes of administrative and clinical data for Medicare and Medicaid claims processing, claims attachments, and pay for performance programs would start the ball rolling.  However, in the same way that DoD’s Defense Advanced Research Projects Agency (DARPA) seeded the early Internet and enabled the World Wide Web by setting standards and implementing basic services, it will take a larger, longer vision for the federal government to seed the necessary infrastructure to assure the growth and prosperity of the NHIN.

The Secretary of HHS has a large role to play in getting this right.  Many communities are now going through the growing pains to discover and implement the sustainable business models necessary to support regional health information exchange with the expectation that the results of their efforts will be higher quality, more efficient healthcare that results in fewer medical errors.  Privacy and security concerns, however, can overwhelm such efforts if they are not addressed fully, and it is clear that incomplete and fragmented security will not satisfy anyone with privacy concerns.  I believe that the NHIN that will connect these communities to amplify the value of their efforts will die on the vine if not nourished by rapid and decisive action by the federal government in the very near future to establish and maintain the required secure infrastructure services.

I hope I have been able to contribute constructively to the discussion and look forward to your feedback.