CFP'93 - Confidentiality of the Computer-Based Patient Record
by Laura Feste, RRA
Reviewed by: Legislative Committee, AHIMA members on WEDI Task Groups, AHIMA members on CPRI Work Group on Confidentiality, Privacy & Security, AHIMA Board of Directors, AHIMA HIM Professional Practice (c) American Health Information Management Association. Permission must be obtained from the American Health Information Management Association before duplicating. July 1992.
Summary of the Issue
In the 1991 Institute of Medicine (IOM) report, "The Computer-based Patient Record: An Essential Technology for Health Care," the IOM recommends the prompt development and implementation of a computer-based patient record to "improve the care of both individual patients and populations and, concurrently, to reduce waste through continuous quality improvement." The American Health Information Management Association (AHIMA) supports the recommendations in this report as stated in the AHIMA position statement, "The Computer-based Patient Record: An Essential Technology for Health Care." However, as the IOM report notes, there are several challenges to overcome during the evolution of the paper medical record into the computer-based patient record (CPR).
The confidentiality of the CPR is one such challenge healthcare professionals are facing. Today's current mechanisms to safeguard patient health data challenge the collection and storage of large amounts of data, the use of computer networking, the increased number of data users, and the lack of standards to ensure that data are released only to authorized users. Patients have a right to privacy which means being able to keep their personal affairs private and control dissemination of personal information. Patients, however, must balance their right to privacy in exchange for effective healthcare and its payment. The success of the CPR depends in part on patients' trust that their personal health information will be kept confidential.
AHIMA believes that confidentiality does not have to be compromised with the advent of the computer-based patient record. Safeguards for data security, privacy, and confidentiality must be in place to protect against unauthorized access to patient health information.
It is understood the CPR will improve the provision of patient care for both the individual patient and patient populations. However, the implementation of the CPR requires the following issues be resolved:
- development of standards for health-data exchange,
- establishment of data ownership,
- definition of responsibility for maintaining the confidentiality of patient health information in a network system,
- development of security safeguards in a network system, and
- development of sanctions and penalties for data misuse.
To protect patients' right to privacy and the confidential nature of health information, AHIMA recommends simultaneous development, enactment, and enforcement of standards and safeguards to ensure the protection of patient confidentiality with computerized patient records. These standards and safeguards must be developed in the areas of data security, privacy, and confidentiality by both the public and private sectors.
Safeguards concerning privacy and confidentiality address the healthcare providers' duty to protect patients from unnecessary intrusion into their private lives, and to safeguard the health information entrusted to them. Recommended safeguards include:
- confidentiality standards and ramifications for violating these standards;
- a standard policy describing data user responsibility for confidentiality;
- education on confidentiality for all data users;
- confidentiality agreements with all authorized users, including outside computer vendors; and
- policy for patient access, including guidelines for information requests.
- physical controls over access to the system inputs and outputs such as unique passwords for identification numbers, fingerprints, or voiceprint; audit trails and automatic monitoring of computer transactions; automatic log-off; and the use of locks and badges;
- a security system which controls access by defining authorized users, and defining data access on a need to know basis;
- 24-hour-a-day user support;
- strict policies prohibiting sharing of access code;
- system ability to recognize access beyond the usual course of business;
- vendor contract which identifies specific protections and when they will be initiated;
- documented maintenance requirements, procedures, and maintenance logs;
- back-up systems such as an alternate power source, or off-line data storage;
- documented instructions to users describing what to do during scheduled and unscheduled down-time; and
- documented recovery procedures.
The computer-based patient record will allow for the collection and storage of more complete and accurate data that will improve the provision of healthcare for both the individual patient and patient populations. The success of the CPR, however, is due in part to the application of mechanisms to safeguard the privacy and confidentiality of patient information. Some of these safeguards, such as standards for health-data exchange, still require resolution. Both the public and private sectors have a responsibility to develop these safeguards. AHIMA is assuming a leadership role in investigating and resolving these issues, and is developing standards to protect patient health information within the scope of the evolving CPR.
Return to CPSR conferences page.
Return to the CPSR home page.
Send mail to webmaster.
Created before October 2004