
Statement to the National Committee on Vital Health Statistics

Privacy and Confidentiality Issues Related to a

National Health Information Network

March 31, 2005

The American College of Physicians (ACP), representing 116,000 internists and medical students, is pleased to comment to the National Committee on Vital Health Statistics (NCVHS) on privacy and confidentiality issues related to electronic health records and the development of a National Health Information Network (NHIN).

In January 2005, the ACP submitted a comment letter to the Office of the National Coordinator for Health Information Technology (ONCHIT) Request for Information (RFI) on the development and adoption of a NHIN. The ACP letter included comments on major privacy and security issues with regard to health information networks. In addition, ACP supported a Collaborative Response to the ONCHIT RFI on a NHIN submitted by: American Health Information Management Association (AHIMA), American Medical Informatics Association (AMIA), American National Standards Institute-Healthcare Informatics Standards Board (ANSI HISB), Center for Information Technology Leadership (CITL), Connecting for Health (CFH), eHealth Initiative (eHI), HIMSS EHR Vendor Association (EHRVA), Healthcare Information and Management Systems Society (HIMSS), Health Level Seven, Inc. (HL7), Integrating the Healthcare Enterprise (IHE), Internet2, Liberty Alliance, National Alliance for Health Information Technology (NAHIT). The Collaborative Response also identifies privacy and security as one of the critical elements of the Health Information Environment—stating that it must be one of the primary design features. The Collaborative believes that a NHIN should consist of a carefully planned Health Information Environment that meets society’s requirements through widespread adoption of a formal set of technical components, standardized methodologies, and explicit policies for use and governance.

ACP recommends that NCVHS consider the following privacy and confidentiality issues identified in the College and/or Collaborative response to ONCHIT regarding NHIN and that NCVHS work with ACP and other stakeholders to develop privacy protections that will ensure confidentiality of information. ACP believes that extensive educational programs for both providers and the public should also be included in these plans.

Fostering a Trusting Environment

All activities of the Health Information Environment, including the delivery of care and the conduct of research and public health reporting, must be conducted in an environment of trust, consistent with appropriate requirements for patient privacy, security, confidentiality, integrity, audit and informed consent. All those that generate health information for patients are its stewards. Patients should control access, in partnership with their providers. Participation in the Health Information Environment by providers, patients, or others must be voluntary; no one should be required to share information.

Patient Control of Information

ACP believes that the specific role of patients in the NHIN environment needs to be defined. The Health Information Environment, on which an NHIN is predicated, should be built on a model of patient authorization and control. Patients must be able to: choose whether or not to participate in sharing personally identifiable information; exercise their rights under the Health Insurance Portability and Accountability Act (HIPAA); control who has access to their records (whether in whole or in part); see who has accessed their information; review, contribute to and request amendments of their records (without unreasonable fees); receive paper or electronic copies of their information; and reliably and securely share all or portions of their records among institutions. Once patient consent has been granted for a certain type of information access, however, information should be accessible efficiently in a trusted environment. In addition, access to crucial medical information in emergency situations (where patient permission may not be accessible) should not be obstructed.

Physician Role in Managing Patient Information

Clinicians must maintain control over the accuracy, access, and use of data for their patients. The clinician, in conjunction with the patient, must maintain authority to determine who has access to what information and how the information is used. Clinical data will be managed by those who have a direct relationship with the patient (patients may also keep their own records of their own information). Physicians are responsible for maintaining the accuracy of patient medical information as well as protecting this information from corruption or loss. In addition, physicians must review and negotiate with patients any requests the patient may have for corrections and amendments to their medical records. A trusted physician is ideally suited to help patients determine appropriate use of their health information. Collaboration in this area has the potential to enhance the physician-patient relationship.

ACP believes that physicians and patients should also be in charge of decisions on how patient information collected in regional network data repositories may be accessed and used for purposes other than direct patient care. Multi-stakeholder collaboratives are often formed to financially support regional health information networks. Many of these stakeholders may seek access to aggregated information on both patients and physicians for uses that may not improve patient access to quality care. ACP recommends that patients and their physicians make decisions on this type of data use.

Authorized Access to Information

In a national health information network, no single repository is intended to hold all of a patient’s clinical data. Authorization and authentication of users take place at the regional, sub-network or local institution level. Sub-networks will be required to participate in some form of validation process. The National Health Information Environment is a network of networks, linked only by registries through which authorized users can find the locations of records; the registries hold none of the actual content of the health records. Thereby, the registry system knows only where records are, not what is in them.

The National Health Information Environment requires the addition of one new piece of infrastructure at the sub-network level based on an architecture that separates the function of locating authorized records from the function of transferring them to authorized users. This piece of infrastructure is the Record Locator Service (RLS) and is operated by a multi-stakeholder collaborative at the regional or non-geographic sub-network level and built on the current enterprise use of Master Patient Indices. The RLS itself is subject to privacy and security requirements, and is based on open standards set by the Standards and Policy Entity (SPE), which identifies and recommends standards for a common framework to facilitate interoperability. The system supports:

  • Linking of records via a registry of names and record location information, and sharing among users participating in the system;
  • Linking without sharing, or sharing pursuant only to higher authorization; and
  • The ability to choose not to link information in certain sensitive treatment situations determined by users.

By leaving these decisions at the edges (e.g., with patients and the clinicians that support them), the architecture supports a range of approaches. It also allows higher levels of approval to be set locally for sharing some records. This obviates the need to have “one size fits all” policies as would be necessary for centrally controlled approaches. The Record Locator Service needs to enable a care professional looking for a specific piece of information (PCP visit or ER record) to find it rapidly. An open design question is how and where in the model this capability can best be accomplished.
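To make the Record Locator Service model concrete, the following is an added illustration (not code from the Connecting for Health framework or from ACP): a registry that stores only record locations, authenticates every caller, honours a patient's choice not to link a record, requires higher authorization for some pointers, and writes an audit entry for every query. All identifiers, user names and authorization levels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class RecordPointer:
    """Where a record lives and what authority its release needs; no clinical content."""
    subnetwork: str          # sub-network or institution holding the record
    record_id: str           # identifier local to that sub-network
    required_level: int = 1  # 1 = ordinary authorised user, 2 = higher authorisation
    linked: bool = True      # False when the patient chose not to link this record

@dataclass
class RecordLocatorService:
    """Registry of record locations only; transferring content is a separate function."""
    credentials: Dict[str, int]                       # user id -> authorisation level (hypothetical)
    registry: Dict[str, List[RecordPointer]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)  # (user, patient, outcome)

    def register(self, patient_key: str, ptr: RecordPointer) -> None:
        self.registry.setdefault(patient_key, []).append(ptr)

    def unlink(self, patient_key: str, record_id: str) -> None:
        """Patient-side choice: the record still exists, but the registry stops linking it."""
        for ptr in self.registry.get(patient_key, []):
            if ptr.record_id == record_id:
                ptr.linked = False

    def locate(self, user_id: str, patient_key: str) -> List[Tuple[str, str]]:
        """Return (subnetwork, record_id) pairs the caller may fetch; every query is audited."""
        level = self.credentials.get(user_id)
        if level is None:  # authentication failed: deny and record the attempt
            self.audit.append((user_id, patient_key, "denied: unknown user"))
            raise PermissionError(f"{user_id} is not an authenticated user")
        found = [(p.subnetwork, p.record_id) for p in self.registry.get(patient_key, [])
                 if p.linked and p.required_level <= level]
        self.audit.append((user_id, patient_key, f"located {len(found)} record(s)"))
        return found

def demo() -> RecordLocatorService:
    """Constructed sample data: one patient, four records across two sub-networks."""
    rls = RecordLocatorService(credentials={"clerk-17": 1, "dr-lee": 2})
    rls.register("pt-0001", RecordPointer("regional-A", "pcp-visit-2004-11"))
    rls.register("pt-0001", RecordPointer("hospital-B", "er-2005-02"))
    rls.register("pt-0001", RecordPointer("hospital-B", "behavioral-2005-01", required_level=2))
    rls.register("pt-0001", RecordPointer("regional-A", "genetic-2003-06"))
    rls.unlink("pt-0001", "genetic-2003-06")  # patient opts out of linking this record
    return rls
```

A clerk-level lookup returns only the two ordinary pointers, the higher-authorized user also sees the sensitive record, the unlinked record is never returned, and an unauthenticated caller is refused with the refusal logged.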

ACP recommends that NCVHS consider the following Privacy and Security Principles developed by Connecting for Health for the sub-networks and the broader Health Information
  • Confidentiality: Material existing within the system will only be disclosed to those authorized to have it.
  • Authentication: The system will require identification for use by all authorized individuals, thus both deflecting unauthorized use and enabling auditing for monitoring of compliance with policy guidelines.
  • Integrity: Material in the system will be defended against loss or unauthorized alteration, and all alterations will be logged.
  • Non-repudiation: Transactions undertaken in the system will be acknowledged by both parties, and cannot be unilaterally revoked or altered.

In addition, ACP recommends that NCVHS consider the Security Standards included in the Connecting for Health report: “Linking Healthcare Information: Proposed Methods for Improving Care and Protecting Privacy”:

  • Wire Security: Securing material “on the wire” means making sure that in its transit from point A to point B it is defended from eavesdropping, copying, or other interception. In practice, this can mean encrypting all the material passing over that connection, and ensuring that it is effectively delivered to the desired recipient.
  • Perimeter Security: Perimeter security involves requiring some form of authorization credentials for anyone using the system for any reason, as well as an auditing program that allows use of the system to be evaluated later.
  • Content Security: Sometimes a user is both authorized to use the system and a malefactor, as with the hypothetical examples of a file clerk searching for his girlfriend’s records, or the intern looking at the records of a famous patient. This type of attack can be limited by restricting what can be done with the data, even by authorized personnel, and by making sure that physical access to the equipment does not translate directly to access to its contents.

Data Integration from Disparate Sources

Models that delineate the responsibility for a new type of patient record containing information from multiple resources will need to be developed; this model must address error correction and reconciliation of conflicting data (e.g., different problem lists). When multiple physicians and other clinicians are caring for patients with multiple complex problems, it will be necessary to develop new models for who will be responsible for maintaining and correcting the patient record.  In addition, what responsibilities clinicians have for searching for, obtaining, reviewing and validating information from other sources must be determined.

Consideration of a Unique Patient Identifier

Patient identifier issues also need to be addressed. ACP recommends that a voluntary national patient identifier should be considered. The College believes that there may be patient safety benefits in the use of a unique patient identifier that outweigh any reasonable privacy or government intrusion concerns. However, federal privacy protections need to be in place before implementing a national system of unique identifiers. If unique patient identifiers are created, security of this information must be guaranteed. To help furnish the necessary protections, patient identifiers should not be linked to Social Security numbers.

ACP thanks NCVHS for the opportunity to comment on privacy and confidentiality issues related to electronic health records and the development of a NHIN.