Mount Sinai-NYU Health includes two schools of medicine, and medical residents are heavy users of its information systems at a half-dozen hospital sites. But when the New York-based healthcare system began rolling out an Internet-based network of access to those information sources, a committee decided there was no valid argument for residents to have remote-access privileges.
Attending and consulting doctors, however, get the green light after the system checks a database of credentials and determines what information the physicians have authority to see according to their roles in the healthcare system (as primary-care doctors, for example) or according to the needs of specific specialties.
Other healthcare professionals with a legitimate need to access information, such as home healthcare nurses and certain administrative or technology support staff, are granted selective access to the Mount Sinai-NYU network according to role-based security policies.
Those technical enhancements and policy decisions are examples of what hospital organizations will be expected to do as they comply with security and privacy provisions of the Health Insurance Portability and Accountability Act of 1996. The topic of HIPAA compliance conjures up challenges of cost, cultural change and operational restructuring in the rush to secure health information.
But managers with a track record say such HIPAA-related challenges usually are addressed in the process of tackling desired improvements to a healthcare information network.
"The psychology is that it's just part of the project, not something separate from the rest of it," says Judith Miller, director of decision support and regulatory compliance at Advocate Health Care, a nine-hospital healthcare system based in Oak Brook, Ill.
At Mount Sinai-NYU, for example, the process of working through the issues of remote access to internally stored information moved the idea of selective access to a more public forum, says Fred Eisenberg, director of information security.
"There's more emphasis on what the end user should be accessing," he says. "And the fact that HIPAA is emphasizing role-based access fits in nicely with what we're doing."
Another important initiative on the project docket for improved information access involves standardizing the computer networks working behind the scenes to process and transmit data around the healthcare system, says Dan Weegar, Advocate's director of technology services. During the past five years, Advocate has built a common network architecture and also reduced the number of data centers to two from the original seven.
Although computer operation and performance issues were the main drivers of the standardization and consolidation initiatives, another benefit was increased security because now there are fewer access points to make secure, Weegar says. On top of that, Advocate's developing network for Web-based clinical information access provides a single and controllable entry point for transfer of information in and out of multiple software applications (See related article, p. 16).
"Inherently it has made security a lot less complex for us," he says.
Decisions on variable access to records
Although technology can be brought in to handle role-based authentication and access, it's just an empty shell until healthcare executives make a host of decisions about who should get access to what information, experts say.
And once those policy questions are answered, a healthcare system has to be able to manage almost daily decisions governing additional users, changes in access as users change duties, and exceptions to the rules about what a clinician should be able to access as situations come up.
The internal reflection and debate required just to launch such a system of access management will go far to set up the type of foundation for security and privacy required for HIPAA compliance, says Sylvia Bernstein, a systems consultant and acting data security administrator at North Broward Hospital District in Fort Lauderdale, Fla. "We've been doing that before HIPAA was everybody's thought," she says.
Policy considerations include:
* Defining the basis for determining the categories of access. Should doctors be authorized to see information according to the needs of their specialty, or should it be according to their relationship with a patient? Or a combination of both?
* Balancing sensitivity of patient information against the need to get at medical records immediately in certain situations.
* Deciding whether to make access more restrictive at the outset or to ease up on the access controls while emphasizing that the electronic trail left by computer users will be monitored for inappropriate perusing.
* Determining access privileges for medical office staff, who do much of the billing, scheduling and test result-monitoring on behalf of physicians.
At Aurora Health Care in Milwaukee, an information systems deployment team approached managers of facilities for job information on each employee slated to use its computers, says Bob Schommer, senior analyst in Aurora's clinical information systems department.
The healthcare system has installed a sophisticated clinical database capable of providing selective access to nearly every bit of data collected on a patient, Schommer says. That enables security specialists to program access according to the specifics of each job function, he says.
In addition, a wider scope of security regulates access to certain sensitive information by event code, such as psychiatric reports or results of HIV tests. Instead of locking out access to such information person by person, Aurora can do it by job category, such as clerks, Schommer says.
The access controls are maintained from the database's Milwaukee location, but information professionals have to maintain connections with managers at each facility to stay aware of special situations, says Michael Gorczynski, director of medical informatics.
For example, a receptionist at an outlying facility might double as a medical assistant on days when the regular assistant calls in sick, which calls for more expansive access than normally assumed, Gorczynski says.
Aurora is installing a central directory that allows it to store in one place all the information about a computer user necessary to compile access privileges, says Gary Fritz, director of the Aurora unit responsible for providing security at the computer application level. "It solves a huge number of problems that get raised by HIPAA," Fritz says. The directory also includes details that authenticate the identity of each user, he says.
Restrictions upfront, audits later
At PinnacleHealth System, Harrisburg, Pa., an attending physician can gain access to information in a central data repository on all patients for whom he or his physician group is responsible, says Richard Bagby, chief information officer. But in the course of care, additional doctors need to gain access to patient information, so the healthcare system is developing rules for access to information based on one of four relationships to a patient: attending, admitting, primary-care and consulting.
Those security boundaries are further enforced by a computerized tracking system that records access activity of any kind, says Greg Baugh, information systems director and site manager representing Siemens Medical Solutions Health Services Corp., which manages PinnacleHealth's information systems department.
Once clinicians were granted access to the patient database from a Web-style remote connection, "we made it apparent that whenever someone viewed a record, their log-on is stamped with date and time so we can tell that someone read it," Baugh says.
At Michiana Health Information Network, a South Bend, Ind.-based company that manages a clinical database for several hospital systems and ancillary healthcare facilities, emergency-department physicians are granted access to all information, unlike doctors in practices who are able to see only their group's patient data, says Frank Smith, vice president of information services and CIO of St. Joseph's Regional Medical Center, one of the participating systems.
That access, says Smith, is supervised electronically by the manager of the emergency-physician group, who wants to make sure ER doctors are not viewing information they shouldn't, such as details about patients not admitted through the emergency department.
Electronic access-tracking methods are used in tandem with restrictive access to provide the proper balance of availability and privacy protection depending on the work function the information supports. At North Broward, for example, emergency department nurses have access privileges at any facility throughout the four-hospital system, but that access is monitored by an "audit trail" of the files called up, Bernstein says. Clinical nurses, by contrast, have access only to patients on the floor of the hospital to which they're assigned.
Information professionals at North Broward tend to grant broad access to physicians and depend on an audit to make sure privileges aren't being abused. Access controls "can be very restrictive and make them jump through hoops for information they need to know," says Glenn Fall, director of systems development.
Marshfield (Wis.) Clinic, a multispecialty physician practice organization with 39 locations, shows zero tolerance for violations of access authorization by any of the clinic's 4,700 employees when documented in an audit trail, says CIO Carl Christensen. The policy is especially important because the clinic's employees are likely to seek care at Marshfield for illnesses or sensitive medical conditions.
Violators are fired on the first offense for malicious breaches. "If you sneak a peek at your neighbor's medical record and you get caught, you're canned," Christensen says. A Marshfield representative says about 10 people were dismissed during the past two years.
The tough stance is necessary to support an access policy that favors availability of information when needed, and Marshfield managers don't want to have to tighten that policy because of abuses. "We don't want to get into a position of sacrificing patient care because of this," he says.
The problem of employee as patient, in fact, is turning up as one of the first security fears brought to the attention of information professionals, Eye on Info has found. "That's the single most common concern I hear voiced," says Schommer of Aurora.
Interestingly, it's most sensitive when someone from the same family might be catching glances at a medical history, especially in cases of divorce or other family trouble. Aurora is programming its audit trail to flag instances in which a file of anyone older than 21 years old is accessed by someone with the same family name, Schommer says.
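The audit-trail rule Schommer describes can be sketched as follows. This is an added example, not Aurora's code: the CSV columns, the sample rows and the function names are assumptions constructed for illustration, and the name matching is extended to ignore case, accents and punctuation.

```python
import csv
import io
import unicodedata
from datetime import date, datetime

# Constructed sample audit trail (not real data); column names are assumptions.
AUDIT_CSV = """timestamp,user_id,user_family_name,patient_id,patient_family_name,patient_dob
2002-03-04T09:15:00,u101,Nowak,p900,Nowak,1961-07-22
2002-03-04T09:20:00,u101,Nowak,p901,Nowak,1995-01-10
2002-03-04T10:02:00,u207,O'Brien,p902,OBRIEN,1970-11-30
2002-03-04T11:45:00,u311,Schmidt,p903,Keller,1958-02-14
2002-03-04T12:00:00,u412,Müller,p904,Muller,1981-03-04
"""


def normalize_name(name):
    """Fold case, accents and punctuation so O'Brien matches OBRIEN."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if ch.isalpha()).casefold()


def age_on(dob, day):
    """Completed years of age on the given day."""
    return day.year - dob.year - ((day.month, day.day) < (dob.month, dob.day))


def flag_family_access(csv_text, age_threshold=21):
    """Return (timestamp, user_id, patient_id) for accesses where the viewer
    shares the patient's family name and the patient is older than the
    threshold on the access date."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        accessed = datetime.fromisoformat(row["timestamp"]).date()
        dob = date.fromisoformat(row["patient_dob"])
        same_name = (normalize_name(row["user_family_name"])
                     == normalize_name(row["patient_family_name"]))
        if same_name and age_on(dob, accessed) > age_threshold:
            flagged.append((row["timestamp"], row["user_id"], row["patient_id"]))
    return flagged


if __name__ == "__main__":
    for hit in flag_family_access(AUDIT_CSV):
        print("REVIEW:", *hit)
```

A shared family name is only a heuristic: it misses relatives with different surnames and catches unrelated people with common ones, so hits are candidates for human review rather than findings.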
St. Joseph's in South Bend has uncovered a few instances of family-member snooping, Smith says. The hospital hasn't fired anyone, but the regional laboratory has, he says.
In South Bend, the stakes are high for inappropriate access because local hospitals treat athletes from the University of Notre Dame, Smith adds. Information on injuries could influence everything from professional sports contract negotiations to gambling odds, he says.
Sharing computers, preserving security
The access/security balancing act extends to computer workstations that are used by many clinicians during the normal workday, Christensen says. With shared access to the same terminals, there has to be a quick and easy way for one doctor or nurse to sign in, find or input the information, and sign out so the next person can use it, he says.
On busy days, clinicians might not want to wait the time it takes to access the system under their individual accounts, and that leads to using each other's access privileges. "If you have a minute or two-minute process, people will cheat," Christensen says.
Marshfield addressed that problem by developing a sign-on process that reduces the switch time from one person to another to "a couple of seconds," he says. When one user finishes, a single keystroke logs the person out and displays a user/password log-in screen for the next user.
The ease of use is combined with another policy of zero tolerance for failing to secure a computer terminal before walking away from it. Unlike the inappropriate-access infraction, employees aren't dismissed for the first offense, but people have been dismissed for a pattern of not complying, Christensen says.
Once signed in, a computer user is immediately connected to all the applications available according to the person's role assignment. As the clinician uses one application, all the others run in the background and can be accessed immediately as needed.
Marshfield last year agreed to purchase a commercial version of this "single sign-on" access management approach from Sentillion of Andover, Mass. The product allows users to switch back and forth among all authorized applications directly to information on the same patient, a computer technique called context management (See related article, p. 30).
North Broward has tested a single-sign-on capability in laboratory areas and plans to introduce it to the first business area this month, says Dennis Cheek, manager of Microsoft- and Novell-based information systems.
The provider organization's information strategy involves integrating access to clinical, patient-accounting, insurance and e-mail applications, says Karen Ondo, vice president and CIO. "It seems to be much easier if all that information is in one place," she says.
But that also raises the issue of managing access to multiple computer applications, with their particular computer syntax differences, sign-on rituals and intervals of time to leave one and enter another, Cheek says. "Most of our users end up with eight passwords, so they write them down on a piece of paper and keep it under their desk," he says. The new sign-on process will take a minute in and a minute out, encouraging the next user to use the same computer without sneaking onto the previous person's access, he says.
The single-sign-on concept has been marketed in the healthcare industry for several years but it was too expensive to consider until recently, Cheek adds. For 3,000 computers and 6,000 users, the price tag initially was in the $3 million range. But today the same coverage costs about $300,000, he says.