The ONC’s HIT Privacy & Security Tiger Team

Today, the ONC’s Privacy and Security Tiger Team will be presenting recommendations to the ONC’s Health IT Policy Committee regarding the Accounting of Disclosures provision of the HIPAA Privacy Rule. For those not familiar with this proposed rule, it states that a patient has the right to request a report which would list all caregivers who had viewed their medical records. Not surprisingly, this new rule has sharply divided the healthcare community – putting EHR vendors on one side and patient privacy and data access advocates on the other. When the rule was first proposed there was a huge response by the healthcare community. Predictably, EHR vendor and health provider groups moaned and groaned about how onerous this rule was and how much money it was going to cost them to comply. Meanwhile, patient data advocates continued the mantra of “give me my damn data!” and stated that the rule did not go far enough.

The Privacy and Security Tiger Team, which has Epic CEO Judy Faulkner and Cerner VP David McCallie as members, is proposing a “less is more” approach for the administration of this rule.   Their logic, which you can read here, is based in part upon key testimony points brought up in hearings on the subject.

Some quotes from the presentation:

  • “In responding to the HITECH requirement to account for disclosures for TPO, HHS should focus, at least initially, on disclosures from an EHR outside the CE or OHCA”
  • “The accounting of disclosures should require only an entity name rather than the specific individual as proposed”
  • “No testimony supported that the proposed access report was do-able, at least with current technologies. Audit trail technologies are frequently mentioned as a tool for offering greater transparency to individuals, but audit logs, when they are deployed, are designed to track security-relevant system events, not user activity, and do not easily produce reports designed to be understandable to individuals.”
  • “Today, patients rarely ask for accounting reports. Patient advocates testified that this is because the reports available today do not include much valuable information and patients are not aware of their right to ask for such a report; providers and payers testified that the historic lack of requests  indicates this is not a priority for patients.”
  • “It seems unwise to impose a new access report mandate, given the potential cost and how little evidence we have of whether patients would ask for such reports.”
  • “Questions were raised about the potentially significant costs of the NPRM access report.”
  • “All seemed to agree that patients should have the right to a full investigation of complaints about inappropriate access; such an episodic response could be more effective at addressing patient concerns versus building in expensive technology to produce a report that (1) may be less helpful in ferreting out inappropriate access (buried in reams of material) and (2) would be expensive to build for the few occasions where it is needed.”

Essentially, the Tiger Team advised that the HHS should focus on disclosures of ePHI outside the covered entity versus all of the accesses performed within the healthcare entity in the performance of its treatment of the patient.  They also recommended that the disclosure should only detail the entity name instead of the individual actually accessing the records.

So what’s wrong with this recommendation?

Let’s first look at the team’s assertion that a report which details all access of ePHI by internal personnel is not necessary or would not be particularly useful to the patient. The team basically believes that once your data is safe inside the healthcare institution’s fortress walls, everything is A-OK. The friendly and helpful medical staff will look after you and your data’s best interest. The staff can be perfectly trusted, and it’s only when your data leaves the protection of the castle that you have cause for concern. Well, frankly, I think that George Clooney would disagree with that premise.

Back in 2007, forty Palisades Medical Center staff were suspended for accessing George’s medical records and handing the information over to the media. And George is not the only high profile patient to have their medical records spied upon by healthcare staff with no valid reason. Kim Kardashian, Maria Shriver, Britney Spears, and Farrah Fawcett all had their medical records inappropriately accessed by healthcare staff. Farrah went as far as to institute a sting operation to catch the inappropriate access so that she could actually prove to the UCLA Medical Center that there was indeed a leak. Ultimately, the UCLA Hospital System paid an $865,000 fine to resolve the allegations of employee misconduct. All this, despite supposedly having auditing and controls in place for HIPAA compliance. Not a great example of data stewardship or management response in my opinion. Had Farrah had access to an accounting of disclosures report, she would not have had to resort to such measures.

But you’re not a famous Hollywood star, so you don’t have to worry about all that, right?  Wrong.  Identity theft is reaching epic proportions and we are now seeing gang members and even meth dealers after your data. To quote the web site HIPAA Security Now, “If you get a job as an administrator or data person, you have access to all of this information. And with medical it’s a double hit—it’s not only about the money, but also the health insurance. That is a valuable commodity in the marketplace—it’s big dollars.”   With this type of activity, identity theft could be happening right underneath the noses of healthcare organizations.  Audit logs are key to catching and stopping this type of crime, but only if someone is actually LOOKING at them.   And, from a security perspective, the more eyes on audit logs the better in my opinion, so why not let patients help?  Studies have shown that monitoring employees can not only reduce theft, but can change overall behavior as well.  It’s one thing to know the administration is monitoring your medical record access with some type of statistical sampling syslog analyzer, it’s an entirely different level of scrutiny if you think the patient is also watching you.

Also, as a security person, I take exception to this statement from the Tiger Team: “…but audit logs, when they are deployed, are designed to track security-relevant system events, not user activity…” Audit logs had better darn well track user activity, as this is where the majority of the problems arise from a security standpoint. This is highlighted by a survey from Veriphyr which shows that the majority of EHR security breaches are inside jobs, which means that auditing user level activity is critical.

With all these indiscretions as examples it’s pretty difficult to buy the argument from the Tiger Team that it is only necessary to disclose access outside the covered entity and trust the organization’s internal controls wholeheartedly.

It’s too hard, too costly, and current technology can’t do it.

As a 25+ year IT professional who has designed, developed and deployed large scale applications with audit logging capabilities, I disagree with the notion that this requirement will create some huge burden on EHR vendors and/or covered entities. One of the clearest HIPAA requirements was that organizations had to keep an audit log of who did what in the application, and the logging of user access for HIPAA compliance has been known to software developers for many years. Software vendors have known that they need to be able to keep track of who accessed which record on what day, and whether the user viewed it, updated it, or deleted it. If you look at this information, it tracks pretty close to the data required to be reported by the NPRM. So theoretically, all of these HIPAA compliant solutions (if they truly are compliant) would have audit logs containing this information that could easily be parsed and disseminated to patients in the same way that they SHOULD be providing similar reports to internal auditors.

Most modern software is developed using Object Oriented Programming techniques. To quote the Mozilla Developer Network, “Object-oriented programming may be seen as the design of software using a collection of cooperating objects, as opposed to a traditional view in which a program may be seen as a collection of functions, or simply as a list of instructions to the computer. In OOP, each object is capable of receiving messages, processing data, and sending messages to other objects. Each object can be viewed as an independent little machine with a distinct role or responsibility.” This basically means that the auditing functions of an EHR should be defined as a series of objects which could be called from various other parts of the system when required to log an event. Query Google for “audit logging Java objects” and you’ll find a tremendous amount of source code examples. EHRs typically have graphical user interface components which are primarily event driven – meaning that some piece of code will be executed when an event occurs, such as a mouse click. So programs know when read events happen and could simply call an audit object to write data in a prescribed pattern to an audit log table. It seems to me that it is far more of a complex technical challenge to encrypt the data – which can be argued is also a HIPAA requirement – than it is to simply write log records when a user accesses a patient’s record. But again, this is something the systems should really be doing anyway.

Back in the day, I was not only an IT Director and software architect, I was also the backup Oracle DBA. Even back then we had specific guidance and technology tools to accomplish HIPAA compliance. One of my key reference books was Oracle Privacy Security Auditing by Arup Nanda and Donald K. Burleson. (Picture of the book, which I still possess. And, yes, that IS a pizza stain in the upper right corner!) The fact is that the majority of database vendors have auditing and triggers which could create data for such a report. Oracle, SQL Server, and even InterSystems Caché already have mechanisms to deal with HIPAA access logging requirements. So if these EHR vendors use one of these modern database systems, they could leverage their power to perform audit logging without changing the internal source code of the application. These audit functions could also be available to the healthcare organization as well. In fact, we did this regularly to vendor developed systems where we did not have access to the source code, in order to comply with Sarbanes-Oxley requirements.
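To make the two preceding points concrete – an application-level audit object that event handlers call on every read, plus database triggers that log updates and deletes even when the application code forgets – here is a small Python example written for this post. It is not code from any EHR vendor or from the Oracle book, and it uses SQLite so it runs anywhere; the table names, the `AuditLogger` and `PatientRecords` classes and the single-row `session_ctx` table (standing in for the per-session user context a real database would provide) are all assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema for the example: a patient record table, the audit table,
# and a one-row "session context" table that tells the triggers who is logged in
# (a simplification of the per-session context real databases provide).
SCHEMA = """
CREATE TABLE patient_record (
    record_id    INTEGER PRIMARY KEY,
    patient_name TEXT NOT NULL,
    notes        TEXT
);
CREATE TABLE audit_log (
    audit_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    occurred_at TEXT    NOT NULL,
    user_id     TEXT    NOT NULL,
    action      TEXT    NOT NULL,   -- VIEW, UPDATE or DELETE
    record_id   INTEGER NOT NULL,
    source      TEXT    NOT NULL    -- 'app' (audit object) or 'trigger' (database)
);
CREATE TABLE session_ctx (id INTEGER PRIMARY KEY CHECK (id = 1), user_id TEXT NOT NULL);

-- Database-level safety net: an UPDATE or DELETE is logged even if the
-- application code never called the audit object.
CREATE TRIGGER audit_update AFTER UPDATE ON patient_record
BEGIN
    INSERT INTO audit_log (occurred_at, user_id, action, record_id, source)
    VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
            (SELECT user_id FROM session_ctx WHERE id = 1), 'UPDATE', NEW.record_id, 'trigger');
END;
CREATE TRIGGER audit_delete AFTER DELETE ON patient_record
BEGIN
    INSERT INTO audit_log (occurred_at, user_id, action, record_id, source)
    VALUES (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
            (SELECT user_id FROM session_ctx WHERE id = 1), 'DELETE', OLD.record_id, 'trigger');
END;
"""


class AuditLogger:
    """The 'audit object': the one place that knows how to write an audit record."""

    def __init__(self, conn):
        self.conn = conn

    def log(self, user_id, action, record_id):
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        self.conn.execute(
            "INSERT INTO audit_log (occurred_at, user_id, action, record_id, source) "
            "VALUES (?, ?, ?, ?, 'app')",
            (stamp, user_id, action, record_id),
        )


class PatientRecords:
    """Data-access layer; a GUI's event handlers would call these methods."""

    def __init__(self, conn, audit, user_id):
        self.conn, self.audit, self.user_id = conn, audit, user_id
        conn.execute("INSERT OR REPLACE INTO session_ctx (id, user_id) VALUES (1, ?)", (user_id,))

    def view(self, record_id):
        # A read never fires a trigger, so the application must log it itself;
        # snooping on a chart is a read, which is why this call matters most.
        self.audit.log(self.user_id, "VIEW", record_id)
        return self.conn.execute(
            "SELECT patient_name, notes FROM patient_record WHERE record_id = ?", (record_id,)
        ).fetchone()

    def update_notes(self, record_id, notes):
        # Deliberately no audit call here: the trigger still records the change.
        self.conn.execute(
            "UPDATE patient_record SET notes = ? WHERE record_id = ?", (notes, record_id)
        )


def accounting_of_access(conn, record_id):
    """The per-patient report: who touched the record, when, and how."""
    rows = conn.execute(
        "SELECT occurred_at, user_id, action, source FROM audit_log "
        "WHERE record_id = ? ORDER BY audit_id",
        (record_id,),
    ).fetchall()
    return [dict(zip(("occurred_at", "user_id", "action", "source"), r)) for r in rows]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO patient_record VALUES (101, 'Constructed Patient', 'baseline')")
    audit = AuditLogger(conn)
    PatientRecords(conn, audit, "nurse_j").view(101)                     # logged by the audit object
    PatientRecords(conn, audit, "clerk_k").update_notes(101, "changed")  # logged by the trigger
    return accounting_of_access(conn, 101)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running it yields two audit rows for record 101: the nurse’s VIEW from the audit object and the clerk’s UPDATE from the trigger. The split is the point: triggers give you change history for free, but the snooping cases above are reads, and only the application knows a read happened, so the audit object call on the read path is the one that cannot be skipped.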

So the current technology DOES support the requirements in the NPRM. Now whether the technology in some of these EHR systems is up to snuff is an entirely different matter.

But it seems to me that what is really missing here is an audit record STANDARD. The current audit framework is not standardized, which appears to be creating the most difficulty in the creation of the accounting of disclosures reports. From what I glean from the report, it appears that every EHR vendor implemented its own flavor of auditing based upon its own interpretation of the HIPAA requirements. Here again, interoperability raises its ugly head. So let’s develop a standard for patient audit data.

There is no demand from the patient.

There is an economic theory developed in the 19th century by Jean Baptiste Say, which states that “supply creates its own demand.” Say’s Law, as it is commonly called, postulated that when the supply of a product increased, its price decreased. A decrease in price leads to an increase in demand, which translates to “supply creates its own demand.” However, this theory has some implications for innovation and invention as well.

Henry Ford is famously quoted as saying, “If I had asked people what they wanted, they would have said faster horses.” Asking the consumer what they want is often an exercise in innovation futility. Did consumers ask for a Weed Eater – a whirling piece of string on a motor? How about an iPhone? You are depending upon their current needs and their ability to imagine what is possible – all of which tend to be very tactical and will generally yield only incremental changes. We can see this in healthcare as digital health data is still new to everyone and patients really don’t know what they want. Do they want a patient portal? Maybe. Do they want cost and quality data? Maybe. For us to pretend that EHR vendors or healthcare providers have any clue as to what patients want is totally off base right now. We’re going to be spending lots of money trying to figure out what patients want and need over the next few years, though.

But one thing we have seen from patients is an appetite for DATA.  Just look at the applications and tools which have sprung up in the wake of the Federal Government’s Open Data Initiative – all created to better use, analyze, and present the information to patients.  How about Project Bluebutton?  Same thing. The availability of the data has spurred demand and has also spurred innovation. I believe this is an effect similar to Say’s Law, in that, supply of data creates demand for data, and innovation happens to satisfy that demand.  So let’s give them data!

I fight for the users!

Let’s look at your credit report. (Well, not YOUR credit report as that information is protected!) Let’s look at the format of a credit report. Within the credit report is a credit inquiries section that contains a list of everyone who accessed your credit report within the last two years. The report lists both voluntary inquiries, which were created by your own requests for credit, and involuntary inquiries, such as when credit card companies want to send you pre-approved credit offers. When the Fair Credit Reporting Act (FCRA) was proposed, the credit bureaus of the time were being questioned about their intrusiveness and their mishandling of consumer credit data. The observation at the time was that it appeared everyone had access to the data EXCEPT the consumer. (Sound a little familiar?) So to rectify this, the FCRA instituted sharp provisions about access and transparency of the information to allow the consumer to properly manage the information within. Sunshine laws and transparency provisions are typically enacted to provide an additional level of scrutiny around important proceedings and transactions to help minimize wrong-doing or negligence. I believe this is the intent of the NPRM.

Today, banks and credit card companies have sophisticated fraud detection systems that do an excellent job, but still things get through the net. This is why we as consumers are still encouraged and even expected to monitor our credit reports for signs of fraud today. And any security professional will tell you that the best secured systems have multiple layers of security with different personnel responsible for each layer – the idea is that if the threat is not caught at the first level, then it will be caught at the second, or even the third. Healthcare is still in its infancy when it comes to digital data and only the most sophisticated organizations have created fraud detection systems with the capabilities of the financial sector. I also think that some of the examples I’ve shared earlier demonstrate that the healthcare industry cannot be absolutely trusted to monitor itself when it comes to data access. So again, why not bring in the stakeholder with the most at stake – the patient?

One of the Tiger Team observations was that “…no one offered a specific technical path forward toward accomplishing the scope of what was proposed in the NPRM…” So let me rectify that right now. Let’s use the Bluebutton initiative as a baseline for the NPRM reporting. Develop a standard Bluebutton audit record and allow patients to download it just as they do their clinical information. This would create a standard way of creating the audit information and would also provide a standard, easy way for patients to download the data. This would also alleviate a lot of the complexity on the healthcare provider and EHR vendor side in terms of report formatting and presentation of the data.

At this point, the marketplace could create many different applications to parse and report the data to patients in a meaningful way, just as it is doing now with clinical data distributed by Bluebutton.  I’ve even got my own little personal use case for this:

  • Set up If This Then That (IFTTT) or Zapier to go out on a prescribed schedule and download the audit data
  • Use some Bluebutton / log file parser to read the audit data, pulling out unique access dates and providers (probably a new app)
  • Compare these unique access dates to Physician visits in my Google Calendar (another new app)
  • E-mail me an alert if there are accesses of the information which are some delta – specified by me – away from the visit dates
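Here is the “new app” parts of that use case worked through in Python, written for this post rather than taken from Bluebutton or any existing tool. Because no standard audit record exists yet, the pipe-delimited layout of the sample export, the visit dates, and the function names are all constructed assumptions; the download step (IFTTT/Zapier) and the calendar lookup are represented by the embedded sample text and the `VISITS` list.

```python
from datetime import date, timedelta

# Constructed sample in a hypothetical line-oriented "Bluebutton audit" export.
# No such standard exists; the field layout is an assumption for this example.
SAMPLE_AUDIT = """\
# access_date|organization|user_role|action
2013-03-04|Example Clinic|Physician|VIEW
2013-03-04|Example Clinic|Nurse|VIEW
2013-03-05|Example Clinic|Billing|VIEW
2013-04-22|Example Clinic|Physician|VIEW
2013-06-15|Example Clinic|Records Clerk|VIEW
"""

# Constructed: the physician visit dates you would pull from your calendar.
VISITS = [date(2013, 3, 4), date(2013, 4, 22)]


def parse_audit(text):
    """Turn the export into a list of dicts; comments and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        records.append({
            "date": date.fromisoformat(fields[0]),
            "organization": fields[1],
            "role": fields[2],
            "action": fields[3],
        })
    return records


def unique_access_dates(records):
    """The (date, organization) pairs the use case compares against visits."""
    return sorted({(r["date"], r["organization"]) for r in records})


def flag_unexplained(records, visits, delta_days):
    """An access more than delta_days away from every visit is unexplained."""
    delta = timedelta(days=delta_days)
    return [r for r in records if not any(abs(r["date"] - v) <= delta for v in visits)]


def alert_text(flagged):
    """Body of the e-mail alert; an empty string means nothing to report."""
    if not flagged:
        return ""
    lines = ["Record accesses not near any visit:"]
    for r in flagged:
        lines.append(f"  {r['date'].isoformat()}  {r['organization']}  {r['role']}  {r['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print(alert_text(flag_unexplained(recs, VISITS, delta_days=7)) or "nothing unusual")
```

With a seven-day delta the billing lookup the day after the March visit is accepted as routine and only the June access, with no visit anywhere near it, lands in the alert. The delta is the one knob the patient turns: tighten it and the billing access shows up too, which is exactly the “specified by me” behaviour the use case asks for.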

Voilà!  I’ve created my own little auditing and monitoring app.  I’m sure the marketplace will create something WAY better than this though, if given the data.

Apparently, I fight for the users, as I don’t believe the Tiger Team is on target with several of their recommendations.  I believe that patients need to know who is handling their data within an organization – not just when it leaves – because of the facts surrounding insider threats and the mishandling of data.  I think that the technology to create an accounting of disclosures dataset is already in existence and that the costs of developing such a system would be lessened if based upon Bluebutton and the adoption of Bluebutton standards.  And the fact that patients haven’t stormed the castle walls at this point demanding accounting of disclosures information is not enough of a reason to not provide it to them. And lastly, I believe that – armed with data and tools – the patient can be a valuable asset in the protection of their own information – just as they are with their credit information today.   So if we are going to err, let’s err on the side of the patient, and provide the data in detail and let them decide what is and is not meaningful.

The opinions posted here are mine and do not necessarily represent KRM Associates.