
Perspectives on Information Technology  
for the Health Care Industry



Physicians At Risk in the Information Age
by Dr. Terry Fotre and Ann Geyer

Physicians are at risk of becoming the most isolated segment of the health care industry. The current system of using phone, mail, and fax is no longer sufficient to keep us in touch with our patients, peers, and the wide range of clinical and administrative data we need to support thriving practices and offer the best care possible. Most physicians are aware of the need to adopt electronic communications systems, but haven't done so because those available to us so far have been prohibitively expensive, complicated, and cumbersome to use.

New developments in inexpensive Internet connectivity, however, can now provide physicians with secure, efficient, and cost-effective information management access, enabling us to transmit confidential peer-to-peer and physician-to-patient messages as well as communicate speedily with plans, payers, and other health care personnel. For the past two years, CMA has been analyzing e-commerce and security technologies to determine how physicians can use them to maintain and promote the highest quality patient care. By taking advantage of these new technologies, physicians can take back control and ownership of patient care information and manage their operations the way other successful businesses manage theirs. We have a plan for a CMA-directed information system that meets those needs.

Who owns medical information?

To date, physicians' use of electronic information technology has depended on investing -- both money and significant time -- in vendor-designed technologies or information networks and equipment controlled by another party, such as a health plan or a hospital. Health plans and Medicare want physicians to provide information about patients and business practices according to their particular requirements, sometimes via specific hardware or software.

Such proprietary systems may give physicians limited ability to evaluate patient eligibility, obtain treatment authorization, and check the status of claims. But they don't allow physicians to discuss and analyze capitation agreements, negotiate equitable risk-based contracts, or defend themselves against incorrect utilization reviews and profiling. Proprietary systems benefit others' business needs, such as their competitive status in the market, their rules for treatment decisions and reimbursement, and their access to physicians' performance data and patients' records. Proprietary systems give others the ability to dictate the flow of information into and out of your practice.

The first step in regaining control of information is to cut the multitude of proprietary connections and replace them with a single Internet connection over which physicians can communicate when, where, and with whom they need to. The Internet, by its nature an open and nonproprietary system, offers the very universal access that physicians have long wanted. But is it safe? Can you really expect to communicate patient information over the Internet?

Is the Internet safe?

Internet security problems are no longer the limiting factors they once were, thanks to the development of powerful security tools that utilize a public key infrastructure (PKI). A PKI is the linchpin of Internet security solutions. It works by issuing each person a pair of encryption keys and a digital certificate. Digital certificates (also referred to as digital IDs) act like electronic passports to the Internet, allowing individuals who may not otherwise know each other to verify their identities and determine whether they should be allowed to receive or give access to restricted information.

In combination with the encryption keys, certificates provide a universal basis for encrypting data, authenticating individual health care stakeholders, locating health care information sources, managing information-access privileges, delegating authority to staff, and auditing information privacy and confidentiality provisions. Public key encryption and infrastructure together have been recognized by the Health Care Financing Administration (HCFA) as one of the technologies needed to comply with the new health information security and electronic regulations published in August 1998.

CMA and the Tunitas Group are working with several other California health care organizations to create a Health Care PKI for physicians so that they can safely use the Internet for patient information. The Health Care PKI will give physicians back the control they need to manage patients' data and third-party access to it. All patient information can be easily and cost-effectively encrypted for privacy. Just as importantly, physicians can assure their patients that their medical data is closely guarded and disclosed only to those who have a need and a right to know.

For communicating with patients, hypersensitive patient information can be routed for physician-eyes only, rather than via the more exposed office fax or voice-mail. Routine use of secure e-mail can help reduce the time delays that frustrate patients while staff are hunting down records, verifying eligibility, obtaining lab reports, calling in prescriptions, setting up referrals, and tending to all the other office processes that occur in the course of a patient visit.

Putting the PKI to the test

Later this year, CMA is planning to inaugurate a pilot project that will issue MEDePass (a trademarked name that is short for medical passport) certificates to 1,000 California physicians in all modes of practice, with special emphasis on solo and small-group practitioners. Those physicians will use MEDePass certificates to send and receive secure e-mail and authenticate themselves to the health care organizations participating in the pilot. Organizations expected to participate include Blue Shield of California, Los Angeles County Department of Health Services, Pacific Foundation for Medical Care (PFMC), and St. Joseph Health System. CMA's role is to establish and govern the process for issuing MEDePass certificates. CMA and PFMC are to be the issuing agents for the pilot.

The pilot project's logistics are fairly simple. A physician applies to CMA for a MEDePass and supplies his or her medical license and e-mail address. CMA verifies that information and issues the physician a certificate and encryption keys. Physicians can also obtain MEDePass certificates for their office staffs.

The certificate and key are stored in the doctor's web browser, and from then on the physician can use MEDePass whenever authentication is needed to communicate, gain access to restricted web sites, and encrypt, decrypt, or sign e-mail messages. No additional proprietary software, hardware, or network connections are needed. MEDePass also ensures that physicians and their staff comply with the e-mail privacy guidelines already issued by the American Health Information Management Association and HCFA.

Keeping the PKI under control

By supporting MEDePass and educating themselves on the benefits of the Health Care PKI, physicians soon can put plans and provider organizations on notice that the current arcane methods of data management using cumbersome access and authentication methods are unsatisfactory, inhibit physician practices, and inadequately protect patient privacy. The power of a PKI, however, lies in its role as a key component of an industrywide security solution. Physicians must be ready to guard against the development of proprietary PKIs that would require them to obtain multiple certificates -- one for each organization they do business with. Physicians must not let that happen.

MEDePass is the first step to promoting a nonproprietary health care PKI that can be the standard for securing the privacy and confidentiality of health information. With it, physicians can oversee exchange of medical information and regain control of medical care.

The Internet will put physicians back in touch

A recent U.S. Department of Commerce report entitled The Emerging Digital Economy confirms that the Internet is being adopted more quickly than was any previous communications technology, including telephone, radio, and television. According to the report, Internet traffic doubles every 100 days and Internet commerce is growing twice as fast as any other area of U.S. commerce. Among businesses, the government expects e-commerce to surpass $300 billion by the year 2002. Between 1994 and 1997, the number of people with Internet accounts grew 3,400 percent, to more than 100 million from 3 million.

Consumers are increasingly comfortable making on-line credit-card purchases: By the end of 1997, 10 million people in the United States and Canada had made purchases on the Web, an increase from 4.7 million people six months earlier. Enhanced security has allowed major industries to deploy their routine business-to-business information infrastructure to the Web. For example, today, 8,000 auto industry suppliers and 20,000 car dealers communicate via the Internet. Trading over the Internet has become a major force in the equity markets with billions of dollars exchanged daily. For its customers, Federal Express communicates real-time delivery status information.

To a great extent, physicians have resisted the Internet revolution as it applies to their business. A survey conducted early this year by the CMA Foundation and the National IPA Coalition found that about 30 percent of physician offices are connected to the Internet, yet fewer than one in four use their computers for researching medical information, accessing clinical medical records, or communicating by e-mail.

For its clinical research purposes alone, it is essential that physicians acknowledge and embrace this trend. Peer-reviewed medical information doubles every two years, and physicians cannot hope to stay current in this environment using the traditional information tools to which they are accustomed. And because motivated patients have also discovered "the Net," it will become increasingly difficult for physicians to maintain their authority and credibility unless they incorporate the technology into their everyday practice of medicine.


Terry Fotre, a San Francisco emergency physician, chairs the California Medical Association's Information Technology Committee and is a clinical associate professor in surgery at Stanford University Medical School.

Ann Geyer is a partner at Tunitas Group, a consulting firm that assists clients in planning and implementing electronic business and communications initiatives. This article is based on a white paper that they submitted to, and that was approved by, the California Medical Association Board of Trustees in July 1998.

