Comments on Security and Electronic Signature Standards

October 13, 1998

Citizens for Choice in Health Care
1954 University Ave. W., Suite 8
St. Paul, MN 55104
Health Care Financing Administration
Department of Health and Human Services
Attention: HCFA-0049P
P.O. Box 26585
Baltimore, MD 21207-0519
Re: Proposed Rule HCFA-0049P
To Whom It May Concern:
In response to HCFA's request for public comment, Citizens for Choice in Health Care is submitting the following comments on the proposed rule for Security and Electronic Signature Standards: HCFA-0049-P.
Citizens for Choice in Health Care (CCHC) is a non-profit organization which was founded in 1995 to support individual choice and privacy in health care decisions for all citizens. Supported by members and contributors across the nation CCHC seeks to protect patient and medical record confidentiality, to safeguard the critical patient-doctor relationship, and to support individual freedom and responsibility in all health care decisions.
CCHC cannot support the proposed security standard because it does not establish a security standard as mandated, nor is it enforceable. Rather the Secretary of DHHS has proposed to allow each organization to create a system based on its own prioritization of risk, cost, confidentiality and security.
The proposed rule permits health care entities to determine their own security needs and write their own security standards: "we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements. How individual security requirements would be satisfied and which technology to use would be business decisions that each organization would have to make." This, along with the federal pre-emption, leaves the protection of individually-identifiable patient information in a tenuous position.
This proposal leaves the average, individual citizen at the mercy of health care corporations which will be allowed to assess security needs according to business and financial considerations. Such considerations may or may not place emphasis on the patient's need, and the doctor's responsibility, for medical confidentiality and the security of medical records information.
In opposition to Shalala's 1997 public statement introducing her privacy recommendations ("We still have a golden opportunity to safeguard our age-old right to privacy in a brave new world of computers and biology." September 11, 1997, Senate Committee on Labor and Human Resources), the proposed rule states, "The federal government should work with industry to promote and encourage an informed public debate to determine an appropriate balance between the primary concerns of patients and the information needs of various users of health care information."
The Secretary has already moved to implement national identifiers as required by HIPAA and universal code sets leading to computerized medical records are in process, but no reliable security standard to protect citizens made vulnerable by plans for national IDs and computerized medical records has been introduced. Simply stated, there is no security in this "security standard."
We do not believe this type of proposed standard was the intent of Congress when Administrative Simplification was enacted. The security standard was to be reliable and enforceable enough to assure every concerned citizen that information under unique health care identifiers would be secure.
The Corporate Entity exemption seems broad-reaching. Entities which are wholly owned rarely occupy the same physical space or boundaries. In fact, many entities own other health care organizations, clearinghouses, hospitals, or clinics which are miles, if not states, away from each other. As health care is further consolidated, as in Minnesota, there may eventually be little need to interact with other non-corporate entities. This exemption would leave increasing amounts of medical information open to interception. The rules could include an exemption for information shared within the same physical/building boundaries, but the exemption should not go beyond that.
In addition, the exemption for Federal and State agencies and their contractors leaves the medical information of a growing population (Medicare, Medicaid, KidCare) vulnerable to access. We would recommend that this exemption be deleted. Private networks owned by public entities are not invincible to hackers or interception as history has recently shown at the Pentagon, the IRS and the Department of Defense.
The new (14th) definition of health plan ("any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care") could inhibit the small groups that pool individual money together to pay for the medical needs of the members of the group (religion-based organizations). This addition should either be deleted or should specifically exempt those types of groups. DHHS has not been given authority to expand the Act.
It appears that the definition of standard as defined by the Act has been changed significantly, and if so, the Secretary should be limited to the statutory definition.
According to the Act there are nine transactions. The proposed rule adds "coordination of benefits" and "other transactions as the Secretary may prescribe by regulation." This expands beyond the statute. No other transactions should be added without public comment. Coordination of benefits could be interpreted as totally inclusive for all communications. Coordination of benefits should be deleted from the rules, unless it is more strictly defined.
"First Report of Injury" has been defined by the proposed rules to allow access to individually-identifiable information for statistical, legal, claims, and risk management processing. This category should have been defined in the Act, as we believe that DHHS has taken liberty to allow law enforcement, researchers, state and federal agencies, health plans, and others to access information without the consent of the patient. We would advise a much more restricted definition which includes only health plans when a person presents for care using the card/resources of the health plan. Or we would suggest that the Secretary return to Congress for specific definition of the term.
DHHS should not be allowed to adopt a modification without public comment, and only after the comment period should effective dates be specified. These dates should be at least 180 days, depending on the comments solicited.
As we stated in the General Comments section, the Secretary, because there is currently no single standard, has opted not to create one, but to let individual businesses create their own using a set of requirements which they can determine to what degree they will follow. The providers and the patients, who are vulnerable to the interests and financial strength of large health care entities, are left unprotected by this proposed standard. The financial bottom line in 'business decisions' would likely determine the extent to which specific features were implemented. A 'general set of practices' does little to assure implementation of a secure system. And finally, the statement "Inherent in this approach is a balance between the need to secure health data against risk and the economic cost of doing so" is understood by the average citizen to mean that security procedures will be minimal.
Health care entities will find it justifiably difficult to ascertain the meaning of compliance with this standard. This, coupled with the threat of penalties for non-compliance, will put undue stress on smaller entities which have more to lose and fewer resources to comply.
Although there are no enforcement mechanisms included in the proposed rule, health care entities can enforce security standards on others. This could mean that smaller entities would be required to follow the mandates of larger entities without knowing whether or not the larger entity even follows its own requirements. These could be considered anti-competitive regulations in that they may eventually force smaller entities either out of business or under the umbrella of the larger entity due to the financial burden and administrative hassle. Such result would only increase the reach and size of corporate entities, further diminishing the protection of patient information.
The proposed rule states, "The proposed security standard consists of the requirements that a health care entity must address... and the implementation features that must be present." Far better to have said that the requirements were actually required, not just required to be addressed. Then the rule states, "The relative importance of the requirements and implementation features would depend on the characteristics of each organization." Such vague requirements would not pass the muster of typical contractual agreements, but will allow health care entities to engage in minimal protection of patient information.
While the implementation category of the matrix certainly highlights mechanisms necessary for security of confidential information, each individual person/employee is a weak link in the system. Whether there is internal or external certification, information is never secure as long as any person has access to it. Therefore the more people with access, the less secure it is.
In addition, one needs to question the ability of individual organizations to adequately self-police their own security systems, as there can be a conflict of interest between costs, time constraints, administrative hassle, and ethical obligations.
The Chain of Trust requires trust, something that cannot be easily validated, and is less trustworthy under the pressure of competition. We do not find this to be a viable security feature. There are no enforcement actions or penalties for broken agreements.
Personnel Clearances may be highly invasive to individuals, and may or may not reveal a trustworthy character within the individual.
Security Incident Procedures and Security Management Process: Clearly, breaches of security are anticipated. Still there are no penalties prescribed. While a sanctions policy would be mandatory there are no guidelines for the severity of the sanction. The sanction could be a demotion, a slap on the hand, a small fine, an extraordinary fine, a move out of the department, a docking of privileges, a warning, or any other small or severe sanction. However, because the sanction could be insignificant, there is little security within this security requirement.
Awareness Training is ineffective for people who prefer to snoop into the affairs of others or to profit through access. The IRS has a great deal of experience (1,300 employees caught in 1993) showing that information is only as secure as the integrity of individuals.
Suffice it to say that physical safeguards can be helpful against intrusion, although the latest Department of Defense incident (hackers changed the blood types of soldiers in the DOD medical record database) shows the skills of determined intruders. However, again, the integrity of the individuals with certified access is a vital key to the security of information.
CCHC is not an expert in technical security, but we have some comments about certain provisions of the proposed rule.
Under "Access Control," the phrase "limit access to health information to those employees who have a business need to access it" is rather broad. What constitutes a "business need"?
Some experts say encryption is necessary for security, but interestingly enough, in this standard, it is optional.
Under "Authorization Control" mechanisms for obtaining consent are to be put in place, which seems like a valuable security feature, but leaves the door open for others to decide how and who gets access, without patient approval.
The description of the proposed rule says, "Some form of encryption should be employed" when using open networks. However, the rule itself says nothing about such a requirement. Rather, it states that either access controls OR encryption must be used (p. 43268). There is no mandate for encryption within this rule. This seems rather inadequate to ensure security. CCHC has been informed that at least 128-bit encryption should be employed.
In addition, there is no encryption requirement on stored records in the databases and systems of health care entities, yet it is far easier to access this information by using someone else's password, accidental access, or other modes of transmission.
Even with security standards and penalties, IRS employees have violated confidentiality standards. Without penalties, what stands in the way of violation? In addition, no organization or individual entity will know whether or not they are in violation because the entire rule is nebulous. There are no actual violations listed, only the threat of penalties for violating a standard that cannot be interpreted.
Three quotes from page 43259 with CCHC comments:
1) "We are not proposing any enforcement procedures at this time, but we plan to do so in a future Federal Register document once the industry has some experience with using the standards."
Comment: Since there are no real standards in this document, enforcement would be arbitrary.
2) "We envision the monitoring and enforcement process as a partnership between the Federal government and the private sector."
Comment: In reading Sec. 1175-1177 of the Act, no such public-private partnership is included in the enforcement provision. Given the fact that accreditation bodies may have their own agendas or affiliations, and that their decisions and inspections are not under the federal government's constitutional limitations and due process requirements, this intent on the part of the Secretary should be DISMISSED from the proposed rule. The delegation of power to private entities under government contract is not authorized by the statute.
3) "HHS would likely retain the final responsibility for determining violations and imposing the penalties specified by the statute."
Comment: DHHS does not, even here, take final responsibility for determining violations and penalties, but uses the word LIKELY and thereby gives itself the ability to remain unaccountable for decisions. The Act bestows full responsibility on DHHS because the federal government is under Constitutional restrictions and due process, and is therefore accountable to Congress. DHHS should fulfill its statutory obligation and take full responsibility and accountability.
Sec. 1178 of the Act states that all state medical record privacy laws are pre-empted by the federal standards. Since no single standard is evident in this proposed rule, and because the Secretary has not provided for patient protection through the proposed rule, we believe that the privacy of patient medical records is in jeopardy if this rule is implemented as written. Since there are 50 states and the Act supersedes all state medical record privacy laws unless the Secretary grants an exception "to prevent fraud...ensure appropriate State regulation of insurance and health plans...State reporting on health care delivery or costs...or...for other purposes...or addresses controlled substances," we believe that the exceptions should be spelled out clearly in the rule as a clarification for patients, providers, and all health care entities. In addition, until Congress enacts clearly defined federal privacy protections, no implementation, or preparation for implementation, of security standards should occur based on this proposed rule.
Clearly DHHS has no idea of the enormity of the implementation of the standard required. The proposed rule says that DHHS is "unable to estimate...the number of entities that would require a security system," or to estimate "the number of entities that neither conduct electronic transactions nor maintain electronic health information but may choose to do so at some future time," and that they cannot therefore estimate "the cost to the entities that will process electronic transactions." The only cost-related item they claim to know is that "small entities that currently process claims electronically or maintain electronic health information may not be able to continue to do so due to the cost of establishing security systems to meet the requirements of the proposed security standard."
The DHHS solution to this problem is data clearinghouses, an additional cost beyond mandatory compliance with the security mechanisms, physical safeguards, and administrative procedures. These additional costs may cause these small entities, which are able to protect health care information better than large corporate entities, to close their doors.
This could occur in spite of the fact that corporate entities may choose to implement the standards according to their business needs, and if later found to be in violation, may use their sizable profit margins to pay the penalty. This is a luxury small providers and health care entities cannot afford.
There is no standard, nor security, in this rule; there is no enforcement mechanism nor requirement for encryption; federal preemption over state privacy laws is declared without privacy protections in place; the costs cannot be estimated but will likely hurt small providers most severely; and the DHHS has placed its own operations outside the security standard, and itself in an unaccountable position to Congress for security. If implemented, Administrative Simplification may move the country further away from individualized medical care toward impersonal corporate care while doing nothing to guarantee the security and confidentiality of medical information.
Thank you for your consideration of our comments.
Twila Brase, R.N.
President, Citizens for Choice in Health Care