Evaluation and Program Planning, Vol. 1, pp. 151-158, Pergamon Press, 1978. Printed in the U.S.A.
0149-7189/78/0401-0151$02.00/0 Copyright © 1978 Pergamon Press

PROTECTING PRIVACY AND CONFIDENTIALITY IN A MULTIPLE USE, MULTIPLE USER MENTAL HEALTH INFORMATION SYSTEM

RHETA BANK and EUGENE M. LASKA
Rockland Research Institute

The media have encouraged a modern myth: that of the superintelligent, all-knowing, all-powerful, ruthless computer which stars in movies and television and features prominently in science fiction literature. The public is regaled with fables of computers which take over the world and with spine-chilling dramas of unscrupulous men who use computers to monitor, manipulate, exploit and control others. Such richness of imagination, however entertaining, has put into the public mind a fear of computers and an unrealistic assessment of data processing technology. In this context, the concept of privacy, the "right" to keep secret matters of personal concern, takes on emotional coloration. Indeed the Canadian Task Force on Privacy and Computers (1972, p. 183) concludes (in somewhat emotional terms),
"Privacy is too limited a word to encompass all the concerns created by massive and pervasive information systems. Privacy is used in part as a synonym for political grievances about the use of information systems by institutions to enhance their power to the potential detriment of individuals, and for fears that information systems may be used to manipulate individuals or enforce conformity."

Universal concern (IBM Svenska, 1975; Niblett, 1971; Younger, 1972; United Nations, 1974; Pantages and Pipe, 1977) has been voiced about what data are being collected, the uses to which the data are being put, the extent to which accuracy and timeliness are verified and maintained, the nature of the controls over dissemination of the data, and the extent to which a person may view and correct data about himself. It must be pointed out that the issues of privacy and confidentiality did not arise with the invention of computers (Warren and Brandeis, 1890); however, heightened interest can be laid to the ability of the computer to handle vast amounts of data (Davis, 1973). Operators and developers of information systems, many of which use computers, aware of public concern expressed through the media and through legislative and judicial action, have utilized the very technology which created computers, as well as expertise in law and management, to develop methods for protecting data and thereby safeguarding privacy.

In 1967, the National Institute of Mental Health funded a research and development project (No. MH14934) which led to the creation of the Multi-State Information System (MSIS), a management information system which serves mental health and developmental disabilities programs through several computers, one of which is located at the Rockland Research Institute in Orangeburg, New York, and through terminals located in several states (Laska and Bank, 1975). Because the system is used for day-to-day clinical and administrative/management activities as well as for evaluation, planning and research in a number of legal jurisdictions, general protection for the files was necessary. It was during the course of attempting to create an environment for MSIS which would ensure that patients' rights were protected that many of the techniques described below were researched. It must be stressed that no one single technique suffices in a multiple user, multiple use information system such as MSIS; rather, a combination of legal, technological and managerial efforts is necessary, and even these may not be foolproof.

To begin the discussion of privacy and confidentiality, a clarification of some of the commonly used terms is needed. The following definitions are generally accepted by laymen and apply to the use of the terms in this paper.

Privacy: the right of a person to keep secret matters of personal concern.

Confidentiality: a status accorded to data (or information) such that their disclosure is restricted.

Privileged Communication: the "privilege" of a person to prevent another from disclosing communications (in court).

Data Integrity: the state existing when data or information agree with the source from which they are derived (and when they have not been either accidentally or maliciously altered, disclosed or destroyed).

Data Security: the protection of data from accidental or intentional, but unauthorized, modification, destruction or disclosure.

Information System: a series of techniques by which information is collected, sorted and stored systematically and used to produce reports. (Information systems may be automated, i.e., utilize computers, or may be manual.)

Requests for reprints should be sent to Rheta Bank, Director, Educational Technology Department, Information Sciences Division, Rockland Research Institute, Orangeburg, NY 10962.
Many service delivery programs are contemplating developing management information systems or joining already existing systems like MSIS. Scrutiny of privacy protection measures is essential in either case. Three separate arenas where activities of the information system can enhance privacy and confidentiality protection are the legal protection of the system, the technological safeguards it employs and the managerial practices.

LEGAL PROTECTION

Privacy issues usually address questions of who may access, store, process and disseminate what kinds of information about other individuals. In reducing the focus of the discussion to medical information (as opposed to other "private" areas of life such as birth control or electronic eavesdropping), there is much agreement and supporting legislation as to who may share such data. The notion of confidential communication between physician and patient can be traced to ancient times:

"Whatever in connection with my professional practice or not in connection with it, I see or hear in the life of men which ought not be spoken abroad, I will keep silent thereon, counting such things to be as holy secrets." Hippocratic Oath (approx. 377 B.C.)

and the tradition carries forward into modern times:

"A physician may not reveal the confidence entrusted to him in the course of medical attendance, or the deficiencies he may observe in the characters of patients, unless he is required to do so by law or unless it becomes necessary in order to protect the welfare of the individual or of the community." Principles of Medical Ethics, American Medical Association (1957)

Legally sanctioned patient-physician privilege came to the United States in the form of an 1828 New York State law:

"No person duly authorized to practice physic or surgery shall be allowed to disclose any information which he may have acquired in attending any patient in a professional character, and which information was necessary to enable him to prescribe for such patient as a physician, or to do any act for him as a surgeon." N.Y. Rev. Stat. 1828 II 406; Part III, c. VII, Art. 8, S. 73.

Now, most states have laws which provide for a doctor-patient privilege (Perr, 1971); however, in most of those which do not establish a general medical confidential relationship or a privileged testimonial communication, there are statutes prohibiting (and punishing) immoral, unprofessional or dishonorable conduct, categories into which violation of patient confidences would certainly fall. While the patient-physician privilege is firmly entrenched in American law and tradition, such is not the case with other medical specialties, although some states by law do provide protection for communications to psychologists, nurses and social workers. Although the professional organizations of these and other medically related specialties apply professional ethics similar to those of physicians, legal enforcement is often difficult. When it comes to patient records kept by mental health facilities, there is general agreement that these are "maintained by the facility for convenience in treating the patients. These records are owned by the facility and are the property of the facility" (Curran, 1972). Because the records are made up of reports and other documents from medical and other health/mental health professionals, these records are restricted in some states by law and by the professional ethical principles of the potential contributors (Curran, 1968). Although in theory medical records are confidential, in practice records are often seen by many (Matte, 1971). For example: in hospital, nurses, technicians and other clinicians have access to the record; billing and accounting officers receive data; and insurers (e.g. third party and life insurance companies) receive information, as do Workmen's Compensation Boards, courts (e.g. personal injury suits, divorce and child custody proceedings and psychiatric commitment proceedings) and legally mandated registers (e.g. gunshot wounds and dangerous communicable diseases). A body of tradition and law spells out for most cases the procedures for disclosure of the information in the medical record (Britton, 1975).

The modern service delivery organization is now faced with information needs for internal use as well as for satisfying external demands. Most of these needed data come from the admission form and other parts of the medical records of individuals served by their programs. For assistance in collecting, storing, sorting and retrieving masses of information for an ever expanding variety of purposes, organizations have turned to computers and to data processing technology. Attendant on these new methods are the uncertainties of the legal status of computer records and of the potential liabilities. For example: facts from the manual medical record are to varying degrees admissible in courts all over America (Matte, 1971). The question of the admissibility of facts from computer records has not yet been settled, as the notion that such records are analogous to "hearsay" evidence would seem applicable.
Computer-kept records may be used in many ways not possible with manual systems, especially in the area of monitoring standards of care. Questions on the confidentiality of some computer-produced reports arise, especially when the information on them is derived from patient records. For example: within the Multi-State Information System, prescriptions for psychotropic medications are regularly recorded on forms, and the data are entered into the patient's computer record. As the prescriptions are received by the computer, they are compared against a set of rules specifying out-of-bounds dose ranges and inappropriate polypharmacy (Siegel, 1976). Messages detailing "violations" of these rules are distributed to the physicians and to various peer review bodies. The legal status of this type of document has not been fully explored, although if the analogy to Professional Standards Review Organization (PSRO) review records holds, these would also be considered confidential (Matte, 1974).

The use of computers as sophisticated filing cabinets and as analytic tools is inevitable in our complex society. To try to prevent their use because of possible problems or abuse is hardly sensible. What is needed is a "framework for the protection of the public and the superimposition of that framework on information practices at an early date to minimize misuse of an otherwise socially desirable instrument" (Miller, 1975, p. 104). Further, because of the expense of developing and maintaining automated information systems, it is cost-effective if one system can serve many users. Such is the environment of MSIS, which serves many mental health and developmental disabilities programs in many states; therefore seeking protection for the records in MSIS was crucial. An extensive review of the laws in the various user jurisdictions (Curran, Laska, Kaplan and Bank, 1975) was the first step in the effort to place MSIS records into a protected environment. If privacy and confidentiality of the computer files could be protected by statute, then attempts to get data from the medical records would have to take already established, familiar routes with which the users had learned to cope. The manual record and any computer-produced parts are at the individual facilities under the control of the director and subject to law in the particular jurisdiction. Because no existing statute was applicable, MSIS had to seek special legislation. In 1972, the New York State Legislature passed section 79-j of the Civil Rights Law, deeming the records of MSIS private records, not open to inspection by any agency or facility other than the agency submitting them and not subject to subpoena in any court, tribunal or administrative agency. The argument that computer records are secondary sources of the information and that the best evidence is in the manual records maintained by the facility in the original jurisdiction prevailed, an idea first suggested by William J. Curran (1969). While this approach did not help to solve existing problems, e.g. the problem of informed consent or of how confidentiality is to be managed within the participating agency (Matte, 1974), at least it did not superimpose new ones on the users of the system (Westin, 1976). Specific praise for the legislative approach appeared in a report prepared by a committee of the National Academy of Sciences (1975), which described it as offering potentially broad and reliable protection for research data, especially in the field of evaluation. The report also mentions other strategies, such as adopting professional codes, writing project guidelines which mandate confidentiality, invoking (on a state or federal level) executive privilege, and developing acceptable guidelines (with a law enforcement agency) for subpoenaing documents. None of these alternatives is as effective or as reliable as legislation, a tactic also suggested by the American Psychiatric Association Task Force on Automation and Data Processing (1971, p. 22). Indeed, the Mental Health Law Project received a grant from the National Institute of Mental Health to produce a mental health legislation guide with the aim of strengthening statutory safeguards of patient rights throughout the nation. The guide is to be published in four installments, beginning with the July, 1977 issue, in the Mental Disability Law Reporter, a bi-monthly publication of the American Bar Association Commission on the Mentally Disabled. An apparent salutary effect of the protective legislation has been increased public confidence in the organization managing MSIS. Aside from granting MSIS the authority to release aggregate data for research and planning purposes, the statute allowed control of the data to remain where it had always been: in the hands of the originating facility, within jurisdictions whose laws and administrative procedures, although not free of problems, were at least familiar.

Although state, local and private programs such as MSIS are not directly involved with the provisions of federal statutes, these often serve as models for state statutes and certainly have great impact on federal programs such as Veterans Administration hospitals. Concern for privacy and confidentiality on a federal level led to several studies (Wheeler, 1969; Westin and Baker, 1972; The Secretary's Advisory Committee on Personal Data Systems, 1973; Spingarn, 1975; Westin, 1976), to the Privacy Act of 1974, which establishes individual rights and agency obligations with respect to personal data in systems of records maintained by federal agencies (McCarty, 1975, pp. 79-82), and to the creation of the Privacy Protection Study Commission, whose mission is to research issues in both the public and private sectors, to hold hearings, and to suggest legislative guidelines. In addition, research data collected on individuals in federally funded drug abuse and alcohol programs are specifically protected in Public Law 93-282 of May, 1974, under Titles I, II and III. A general consensus culled from studies and recommendations seems to have been reached on basic principles regarding health records:

1. There must be no data system whose existence is secret; a person must be informed of the existence of all medical records pertaining to him and to his health care.

2. Individuals must be able to find out what information is being kept about them and how the information is used; a person should, upon request, be granted access to his medical record in the presence of a professional.

3. Individuals must be assured of accuracy, timeliness and completeness of records; a person should be able to correct, amend and/or supplement the record.

4. Individuals must be aware of the uses to which data are put; a person should be able to prevent information that was obtained for one purpose from being used or made available for other purposes without his consent.

5. It is the responsibility of an organization creating, maintaining or disseminating records of identifiable personal data to assure the reliability of the data for their intended use and to take precautions to prevent misuse of the data.

Even though the Privacy Act (Public Law 93-579) exemplifies these principles, an exemption to the principle of "no use of data allowed without consent" is in its section 3 (552a(k)(4)), where statistical and program evaluation use of records need not comply with consent requirements. Also, the Privacy Protection Study Commission has issued a preliminary set of guidelines for research use of data, adjusting some of these principles as they apply to statistical work, to evaluation and to other research studies; these suggestions have been circulated nationally for comment and are ultimately to be in a report to the President of the United States along with recommendations for legislation. Under the Privacy Act, each federal agency must publish an annual notice describing any personal record system it has (Federal Personal Data Systems Subject to the Privacy Act of 1974, 1976) and must document all information exchanges. The Act has no provisions that regulate computer systems specifically but rather deals with all federal personal record systems, whether manually kept or computerized.
It is interesting to note that the Privacy Act allows an individual to see, copy and correct any records a federal agency may keep on him, whereas in many states specific legislation prohibits an individual's access to certain of his records, e.g. medical records from state hospitals (although in practice these records are usually discussed with the patient, his guardian or legal advisor), and in some cases these can be subpoenaed. There are other differences between federal and state statutes, but increasingly states are adopting federal standards and redrafting legislation. The Freedom of Information Act (PL 90-23), often mentioned together with the Privacy Act (Alexander, 1976), allows the public to ask for or to copy information from the records of the federal government. One of nine exceptions is for personal records where disclosure would be a clearly unwarranted invasion of personal privacy. For example, if a person were treated in a federal hospital, he would be permitted access to his own case record; however, he would not have access to the records of others. "Sunshine" laws in various states are analogous; however, many records of state agencies are protected by other laws which do not permit access.

The first step, then, in protecting an information system is to secure its place in a legal context. Research of the applicable law is essential, as federal, state and even local statutes may all apply. In addition, a review of all aspects of the information system should be made by legal counsel. Where existing statutes are adequate to protect individual privacy and the confidentiality of the data, a policy statement based on these can be written. Where existing law is inadequate, legislation should be sought. Legal counsel is crucial for this phase of the effort, and if legislative action is necessary, the support of the local legislative hierarchy, the local bar associations and the American Civil Liberties Union, among others, is essential. The end product of the legal and legislative work should be a statement spelling out in precise terms the policies of the system and the legal framework which supports those policies.
TECHNOLOGICAL SAFEGUARDS

Privacy and confidentiality protection presupposes control of the environment so that data integrity is maintained and access to information is appropriately limited. In order to meet the demands of this supposition, the managers of an information system need to review both man-made and natural threats. Natural hazards include wind, fire, flood and earthquake, which can damage equipment and destroy, alter or expose files to unauthorized scrutiny. Human problems include accident, omission, error, fraud, embezzlement, misapplication, theft, mischief, riot and war. Technology then must be applied to minimize the probability of mishap and to have at hand procedures to handle dangerous situations.

Protection of the physical plant, both computer room and terminal locations, must begin with careful design. Important here are environmental considerations, such as distance from flammable material; emergency detection systems, such as smoke detectors; and physical access control systems, such as electronic locks, closed circuit television with cameras which can pan, tilt and zoom in low light or in total darkness, badges with identification photographs, and computer-monitored voice verification, hand geometry recognition and door controls.

Computer system security controls operate in three arenas: hardware, software and communications. Hardware protection includes such techniques as locks, switch controls, file protect rings on tapes, verification procedures such as magnetic stripe, voice print and hand geometry identification, display suppression, print inhibitors and encryption devices. Software protection includes use of passwords, audit trails, sign-on codes, encryption and scrambling techniques, and limited access for each application. Communications systems must also be protected. Terminal locations should be designed carefully. Cryptographic and scrambling techniques can protect the signals transmitted over the lines. Other techniques, such as user-declared inactive periods, can alert the computer operations staff to illegal transmissions.

Much literature (see bibliography) exists on each separate aspect of privacy protection in a computerized setting. These documents are especially useful in planning for computerization, where often the security aspects are overlooked and the costs underestimated. Suffice it to say that technological safeguards are available to protect people, space, equipment, communications, master libraries, records and documentation. A well protected information system takes many precautions.

One particular example may illustrate how the existence of safeguards can influence the design and use of a system. The question of keeping names and other pieces of data which can identify patients/clients in the computer files inevitably arises when a system is being considered. Certainly a computer output which facilitates day-to-day operations of a program, e.g. a list of patients and their drug regimens for the ward nurse, is more useful when names rather than just case numbers appear. However useful names may be on the system, clinicians and others may be reluctant to supply the information when patient rights might be jeopardized. After all, computer files intrinsically do not need names; identification numbers or, indeed, any code will suffice to separate cases. By providing protection for the system, sensitive information can be safely stored and properly used. By advertising the safeguards, user anxieties can be allayed. In the case of MSIS, some programs do store names on the computer files and some do not. Where MSIS is used for gathering data for the purpose of providing aggregate reports on a statewide program, names are frequently not stored. When MSIS is used in treatment settings, names are often included on the file. Each user decides whether or not to put names on the MSIS computer files by taking into account the uses of the output in his setting, the laws in his jurisdiction and his confidence in the protected environment of MSIS.
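The separation the paragraph above describes, a shared file that carries a case identifier and clinical fields but no name, with the name held only at the originating facility, can be made concrete. What follows is an added illustration written for this page, not code from MSIS or its authors; the facility identifiers, keys, record numbers and diagnosis codes are constructed. Each facility derives a case identifier from its own local record number with a keyed hash (HMAC-SHA256 here, an assumption; any keyed one-way function would serve), so the shared system can link a patient's successive submissions and produce aggregate reports, while only the facility holding the key and the linkage table can go back from identifier to person:

```python
"""Keeping names off a shared file.

Added example, not code from MSIS or its authors. A facility submits
records under a keyed case identifier; the shared system links submissions
and counts, and only the facility can re-identify a case.
"""
import hashlib
import hmac
from collections import Counter


class Facility:
    """Originating facility: holds the names, the key and the linkage table."""

    def __init__(self, facility_id, key):
        self.facility_id = facility_id
        self._key = key            # stays at the facility, never transmitted
        self._linkage = {}         # case_id -> (local record number, name)

    def case_id(self, local_record_number):
        # Keyed hash: the shared system cannot recover the local record number
        # (still less the name) from it, and cannot forge one without the key.
        msg = f"{self.facility_id}:{local_record_number}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def submit(self, local_record_number, name, clinical_fields):
        """The record as it leaves the facility: identifier plus clinical fields, no name."""
        cid = self.case_id(local_record_number)
        self._linkage[cid] = (local_record_number, name)
        return {"facility": self.facility_id, "case_id": cid, **clinical_fields}

    def reidentify(self, case_id):
        """Only the facility can go from case identifier back to the person."""
        return self._linkage[case_id][1]


class SharedSystem:
    """The multi-user file: stores what facilities send, and refuses identifiers."""

    IDENTIFYING_FIELDS = {"name", "address", "date_of_birth"}

    def __init__(self):
        self.records = []

    def receive(self, record):
        leaked = self.IDENTIFYING_FIELDS & set(record)
        if leaked:
            raise ValueError(f"refusing record with identifying fields {sorted(leaked)}")
        self.records.append(record)

    def history(self, case_id):
        """All submissions for one case; linkable because the identifier is stable."""
        return [r for r in self.records if r["case_id"] == case_id]

    def aggregate(self, field_name):
        """Statewide-style report: counts only, no identifiers needed."""
        return Counter(r[field_name] for r in self.records)


def demo():
    # Constructed keys, record numbers and diagnosis codes, for illustration only.
    a = Facility("NY-01", b"constructed-key-for-facility-NY-01")
    b = Facility("VT-07", b"constructed-key-for-facility-VT-07")
    shared = SharedSystem()

    shared.receive(a.submit(1042, "J. Doe", {"diagnosis": "DX-A", "ward": "B"}))
    shared.receive(a.submit(1042, "J. Doe", {"diagnosis": "DX-A", "ward": "C"}))  # readmission
    shared.receive(b.submit(1042, "R. Roe", {"diagnosis": "DX-B", "ward": "A"}))  # same local number, other facility

    cid_a = a.case_id(1042)
    cid_b = b.case_id(1042)
    return {
        "same_patient_linked": len(shared.history(cid_a)),
        "other_facility_distinct": cid_a != cid_b,
        "names_on_shared_file": any("name" in r for r in shared.records),
        "by_diagnosis": dict(shared.aggregate("diagnosis")),
        "reidentified_at_facility": a.reidentify(cid_a),
    }
```

Two facilities that happen to use the same local record number produce different case identifiers because each keys its identifiers separately, and the shared system refuses any record that arrives with an identifying field. Where names are wanted on a ward list, they are joined back in at the facility from its linkage table, not on the shared file. An unkeyed hash of a name or record number would not do: anyone holding the same list could recompute it.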
MANAGERIAL RESPONSIBILITY

Because of the sensitivity of medical data, all levels of personnel, including clinical, administrative and data processing staff, must be committed to the principles of privacy and confidentiality. The premier tasks of administration are to enunciate and emphasize these principles and to create an appropriate climate in which practices reflect respect for them. Recognizing that a substantial technology for protecting information systems has been developed, the administrator, with the advice and assistance of data processing personnel, will pick those techniques which are appropriate for his installation. A commitment to a secure system does not come without cost (Goldstein, 1975). Estimates indicate that at least a 5-10% cost increase at the computer level is to be expected (Gabrieli, 1970). The cost for protection may also include salaries, equipment purchase or rental, physical plant renovation and/or design, and computer time. For example, additional computer time is needed for user identification techniques such as access control, audit trails and testing, for detecting and correcting errors and other human failings, and for making protective file copies. There will certainly be increases in the costs of training and educating personnel in protection policies, procedures and attitudes (Turn and Ware, 1975). Costs may be particularly high in medical, especially psychiatric, information systems because individual dossiers are full of confidential material and because different portions of this dossier need to be available to the many different people involved in the care process. It is thus incumbent upon the administrator to recognize the costs, to understand the necessity for the expenditures, to advertise the benefits and to provide the funds to carry out the program.

Management is also responsible for creating individual job specifications in such a way that each employee's duties and responsibilities are distinctive. This makes inappropriate behavior immediately noticeable. For example, if only operators are allowed in the computer room, then the presence in the computer room of another employee who is not an operator will attract the attention of the Computer Room Supervisor and trigger a predetermined procedure for dealing with the intrusion. These and all other emergency procedures should be in writing, and personnel should be thoroughly familiar with them. Further, once these responsibilities are defined, individual accountability established and the procedures implemented, managerial review to ensure compliance must be constant and consistent. In the face of a previously unrecognized problem, management must be prepared to take immediate corrective action.

Employees must be protected from undue temptation. Separating responsibilities, dividing total system knowledge among many in the responsible unit and limiting access to sensitive resources are effective management techniques for creating a pleasant, secure environment where employees are safe from unjustified suspicion. Further, those protective procedures which are implemented must make the cost of misappropriation and misuse very high, make the chance of success low and make detection certain. Knowledge of the existence of security procedures may in and of itself be a deterrent to mischief. In addition, it must be recognized that inadvertent error will be the major cause of loss of data integrity. Mechanisms which make it easier for employees to keep files accurate are essential: key verifiers, exception reports and error analysis techniques can all be used.

In reviewing data protection needs, it is often helpful to develop a sensitivity scale for personal information (Turn, 1974) which can serve as a guide to dissemination control. In a system which deals with medical and psychiatric information, such a classification system can spell out exactly what data may be viewed by the various categories of personnel involved in the patient care delivery system.

Despite the emotionalism and often cynicism which accompany discussions of security measures, computerized psychiatric records are difficult to obtain. Simple burglary (e.g. Daniel Ellsberg's records were stolen from Dr. Fielding's office) of information in a computer is not easily accomplished. Computers, though anthropomorphized in cartoon, in rhetoric and in other media, are tools; they function only as commanded by their human masters and must be protected by them. Growing dependence on computers makes it imperative that security problems be tackled effectively through adequate planning and management attention, so that confidence in the ability to protect privacy and confidentiality allows maximum use to be made of data processing technology.
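The sensitivity scale and personnel categories described under Managerial Responsibility, together with the audit trail and the limited access for each application listed under Technological Safeguards, combine into one mechanism. It is sketched here as an added example written for this page, not code from MSIS or its authors. The sensitivity levels, the classification of fields, the personnel categories and the sample record are all constructed; an installation would take its own from policy and from the law in its jurisdiction. Each application requests only the fields it needs, the store releases those the requester's category may see, every request is logged, and requests that reached beyond a category's clearance form the exception report that management reviews:

```python
"""Dissemination control from a sensitivity scale, with an audit trail.

Added example, not MSIS code. The sensitivity levels, field classification,
personnel categories and the sample record are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sensitivity scale; a higher number is more sensitive.
ADMINISTRATIVE, CLINICAL, PSYCHIATRIC, PRIVILEGED = 0, 1, 2, 3

# Constructed classification of the fields of a patient record. A field that
# is absent here is unclassified and any attempt to release it fails (KeyError).
FIELD_SENSITIVITY = {
    "case_id": ADMINISTRATIVE,
    "ward": ADMINISTRATIVE,
    "admission_date": ADMINISTRATIVE,
    "insurer": ADMINISTRATIVE,
    "drug_regimen": CLINICAL,
    "diagnosis": PSYCHIATRIC,
    "progress_notes": PRIVILEGED,
}

# Constructed personnel categories: the highest level each may view in an
# identifiable record. None means aggregate use only, never a single case.
CLEARANCE = {
    "billing_clerk": ADMINISTRATIVE,
    "ward_nurse": CLINICAL,
    "attending_physician": PRIVILEGED,
    "program_evaluator": None,
}


@dataclass
class AuditEntry:
    when: str
    user: str
    category: str
    case_id: str
    released: tuple
    withheld: tuple


@dataclass
class RecordStore:
    records: dict                                  # case_id -> {field: value}
    audit_trail: list = field(default_factory=list)

    def _log(self, user, category, case_id, released, withheld):
        self.audit_trail.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, category, case_id,
            tuple(released), tuple(withheld)))

    def view(self, user, category, case_id, requested):
        """Release only the requested fields this category may see; log every request."""
        if category not in CLEARANCE:
            # Fail closed, but still record the attempt for the exception report.
            self._log(user, category, case_id, (), requested)
            raise PermissionError(f"unknown personnel category {category!r}")
        clearance = CLEARANCE[category]
        record = self.records[case_id]
        if clearance is None:
            permitted = set()
        else:
            permitted = {f for f in record if FIELD_SENSITIVITY[f] <= clearance}
        released = {f: record[f] for f in requested if f in permitted}
        withheld = [f for f in requested if f not in permitted]
        self._log(user, category, case_id, released, withheld)
        return released

    def exception_report(self):
        """Requests that reached beyond the requester's clearance."""
        return [e for e in self.audit_trail if e.withheld]


def demo():
    store = RecordStore({
        "C-0001": {  # constructed sample record
            "case_id": "C-0001", "ward": "B", "admission_date": "1977-11-02",
            "insurer": "Plan X", "drug_regimen": "drug A 10 mg b.i.d.",
            "diagnosis": "DX-1", "progress_notes": "constructed note",
        },
    })
    # The ward drug list asks only for what it needs.
    nurse_view = store.view("nurse07", "ward_nurse", "C-0001",
                            ["case_id", "ward", "drug_regimen"])
    # The same nurse's application asks for a field the category may not see.
    over_ask = store.view("nurse07", "ward_nurse", "C-0001",
                          ["drug_regimen", "diagnosis"])
    billing = store.view("clerk02", "billing_clerk", "C-0001",
                         ["case_id", "insurer", "diagnosis"])
    evaluator = store.view("eval01", "program_evaluator", "C-0001", ["ward"])
    return {
        "nurse_fields": sorted(nurse_view),
        "over_ask_withheld": "diagnosis" not in over_ask,
        "billing_fields": sorted(billing),
        "evaluator_fields": sorted(evaluator),
        "exceptions": [(e.user, e.withheld) for e in store.exception_report()],
    }
```

An unknown personnel category raises PermissionError rather than falling through to some default, so a misspelt category fails closed, and the attempt is still logged. A category whose clearance is None (the program evaluator here) is never shown an identifiable record; such users are served from the aggregate reports the paper describes for statewide programs. The audit trail records what was released as well as what was withheld, which is what makes later review of compliance possible.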
REFERENCES

ALEXANDER, L., Recent legislation affecting privacy and freedom of information in federal agency records, a paper presented at the Association for Health Records, Seventh Annual Interdisciplinary Conference on Health Records, Chicago, June 8, 1976.

Automation and data processing in psychiatry, Task Force Report #3, Washington, D.C.: American Psychiatric Association, December, 1970, 21-22.

BRITTON, A. H., Rights to privacy in medical records, The Journal of Legal Medicine, July/August, 1975, 24-31.

CURRAN, W. J., Legal considerations in the establishment of a health information system in Greater Boston and the State of Massachusetts, U.S. Public Health Service Contract PH 110-234, December, 1968.

CURRAN, W. J., Privacy, confidentiality and other legal considerations in the establishment of a centralized health-data system, New England Journal of Medicine, 1969, 281, 241.

CURRAN, W. J., Memoranda on legal issues concerning confidentiality and privacy of mental health records in New York, Vermont, Massachusetts, Hawaii and the District of Columbia, prepared for the Multi-State Information System, January, 1972 (unpublished).

CURRAN, W. J., LASKA, E. M., KAPLAN, H. and BANK, R., Protection of privacy and confidentiality, Science, November 23, 1973, 182: 797-802.

Data Security - threats and deficiencies in computer operations, a report on a completed study, a translation from an IBM Svenska publication, #G320-5646, White Plains, New York.

DAVIS, R. M., Government looks at privacy and security in computer systems, Washington, D.C.: Computer and Business Equipment Manufacturers Association, 1973.

Federal personal data systems subject to the Privacy Act of 1974, First Annual Report of the President for Calendar Year 1975, Washington, D.C.: U.S. Government Printing Office, 1976.

GABRIELI, E. R., Right of privacy and medical computing, Datamation, April, 1970, 173-178.

GOLDSTEIN, R. C., The cost of privacy, Honeywell Information Systems, Vancouver, Canada, 1975.

Human rights and technological developments: uses of electronics which may affect the rights of the person and the limits which should be placed on such uses in a democratic society, Commission on Human Rights, United Nations, January, 1974 (Publication No. E/CN.4/142-English).

LASKA, E. and BANK, R., Protecting psychiatric privacy: computer systems and their uses, New York: John Wiley and Sons, 1975.

MCCARTHY, A., Privacy - a perspective, in Larson, K. S. (Ed.), Privacy, a public concern: a resource document, Washington, D.C.: U.S. Government Printing Office, August, 1975, 79-82.

MATTE, P. J., Legal implications of the patient's medical record, Legal Medicine Annual, 1971, 343-375.

MATTE, P. J., Medicolegal aspects of automated medical records, Legal Medicine Annual, 1974, 325-349.

MILLER, A., The dossier society, in Larson, K. S. (Ed.), Privacy, a public concern: a resource document, Washington, D.C.: U.S. Government Printing Office, August, 1975, 102-111.

NIBLETT, G. B. F., Digital information and the privacy problem, Paris: Organization for Economic Cooperation and Development, 1971.

PANTAGES, A. and PIPE, G. R., A new headache for international DP, Datamation, June, 1977, 23:6, 115-126.

PERR, I. N., Problems of confidentiality and privileged communications in psychiatry, Legal Medicine Annual, 1971, 327-341.

Privacy and computers, a report of a task force established jointly by the Departments of Communications and Justice, Ottawa, Canada: Information Canada, Catalogue No. CO21-3/1972.

Protecting individual privacy in evaluation research, The Committee on Federal Agency Evaluation Research, Assembly of Behavioral and Social Sciences, National Research Council, National Academy of Sciences, Washington, D.C., 1975.

Records, computers and the rights of citizens, Report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Department of Health, Education and Welfare, Washington, D.C.: U.S. Government Printing Office, No. 1700-00116, July, 1973 (reprinted by M.I.T. Press).

SIEGEL, C., Monitoring the care process, in Emerging developments in mental health program evaluation, Proceedings of the HEW/NIMH Region II Program Evaluation Conference, Washington, D.C.: U.S. Government Printing Office, May, 1976, 253-268.

SPINGARN, N., Confidentiality, report of the conference on confidentiality of health records, Key Biscayne, Florida, November 6-9, 1974, Washington, D.C.: American Psychiatric Association, 1975.

TURN, R., Privacy and security in personal information, prepared for the National Science Foundation, Santa Monica, California: Rand Corporation, March, 1974.

TURN, R. and WARE, W. H., Privacy and security in computer systems, American Scientist, March/April, 1975, 63, 196-203.

WARREN, S. D. and BRANDEIS, L. D., The right to privacy, Harvard Law Review, December, 1890, IV:5, 193-219.

WESTIN, A. F. and BAKER, M. A., Databanks in a free society: computers, record keeping and privacy, a report of the National Academy of Sciences, Chicago: Quadrangle Books, 1972.
to privacy,
M. A., Data banks in a free society and privacy, National Academy of Books, 1972.
WESTIN, A. F., Computers, health records and citizen rights, National Bureau of Standards Monograph 157, Washington, D.C.: U.S. Government Printing Office, 1976, 187-200 WHEELER, R. (Ed.), On record: files life, New York: Russel Sage Foundation, YOUNGER, Her Majesty’s
K., Report Stationery
and dossiers 1969.
of the committee Office, 1972.
in American
on privacy,
London:
BIBLIOGRAPHY
A data security procedure checklist, The NASIS Security and Privacy Committee, National Association of State Information Systems, 1974.
Automation and data processing in psychiatry, Task Force Report, American Psychiatric Association, March, 1971.
CBEMA Privacy Series (Computer and Business Equipment Manufacturers Association, 1828 L Street, N.W., Washington, D.C. 20036):
No. 1 - The role of computers in . . . Privacy, confidentiality, data security.
No. 2 - Government looks at privacy and security in computer systems, a speech by Dr. Ruth M. Davis.
No. 3 - Privacy legislation (statements by Sen. Sam J. Ervin, Elliott L. Richardson, Dr. Alan Westin, Philip W. Buchen, and Dr. Ruth M. Davis).
No. 4 - Privacy: the private sector and society's needs (keynote address by Dr. Willis H. Ware of the Rand Corp. before SHARE XLIV, March 5, 1975).
No. 5 - Information technology and individual privacy (AAAS Symposium with statements by Dr. Alan Westin, Norman Cousins, Russell Fenwick, Aryeh Neier, Carole Parsons and Thomas J. Watson, Jr., January, 1975).
Confidentiality and privileged communication in the practice of psychiatry, Group for the Advancement of Psychiatry, Committee on Psychiatry and Law, Report No. 45, May 1966 (Revision).
DUGGAN, M. A., Law and the computer: a KWIC bibliography, New York: MacMillan & Co., 1973.
FREED, R. N., Computers and law - a reference work, Boston: Peabody, Brown, Rowley and Storey, 1973 (4th Ed.).
GOLDBERG, R. P., How to implement systems which comply with the Privacy Act of 1974, Proceedings of COMPCON Fall 1975, Eleventh IEEE Computer Society Conference, Washington, D.C., September 1975.
GOLDSTEIN, R. C., The cost of privacy, Brighton, Massachusetts: Honeywell Information Systems, 1975.
Guidelines establishing requirements for security and confidentiality of information systems, Intergovernmental Board of Electronic Data Processing, State of California, Sacramento, 1974.
HARRISON, A., The problem of privacy in the computer age: an annotated bibliography, The Rand Corporation, Santa Monica, California, 1967.
HELLMAN, J. J., Privacy and information systems: an argument and an implementation, P-4298, The Rand Corporation, Santa Monica, California, May 1970.
Human rights and scientific and technological developments: uses of electronics which may affect the rights of the person and the limits which should be placed on such uses in a democratic society, Commission on Human Rights, United Nations, January 1974, Publication No. E/CN.4/1142-English.
IBM Data Security Publications (May be ordered through any IBM Branch Office or through any IBM Marketing Representative. These are usually free.):
An executive's guide to data security
Auditability information catalog
Considerations of data security in a computer environment
Considerations of physical security in a computer environment
Data security control book
Data security control book inserts
Data security controls and procedures
Data security seminars
Data Security Study: Volume 1, Introduction and overview (G320-1370); Volume 2, Study summary (G320-1371); Volume 3, Part 1, State of Illinois: Executive overview (G320-1372); Volume 3, Part 2, Study results: State of Illinois (G320-1373); Volume 4, Study results: Massachusetts Institute of Technology (G320-1374); Volume 5, Study results: TRW Systems, Inc. (G320-1375); Volume 6, Evaluations and study experiences: resource security systems (G320-1376)
Data security - threats and deficiencies in computer operations (G320-5646-0)
42 suggestions for improving security in data processing operations
IBM data security forum, September 1974
IBM data security symposium, April 1973
The fire and after the fire
The IBM controlled access system
Sample operator identification card
(Further IBM order numbers listed with these publications: G320-5647-0, GB21-9883, G520-2169, G520-2797, G520-2965, G520-2838, G520-2741, G520-2540, G520-2627, G520-2700, G320-1248, G320-1249, G320-5649, G520-2882.)
LEVITT, M. and RUBENSTEIN, B. (Eds.), Orthopsychiatry and the law, Detroit: Wayne State University Press, 1968.
LORD, J. R. and KENNISTON, W., Data center security: a case for the private eye, Infosystems, December 1976, 30-33.
MILLER, A. R., The assault on privacy, Ann Arbor: University of Michigan Press, 1971.
MYERS, E., Costs, codes, people and the constitution, Datamation, May 1976, Vol. 22, No. 5, 180-182.
MYERS, E., Security: . . ., Datamation, May 1977, 240-242.
National Technical Information Service, U.S. Department of Commerce, Springfield, Virginia 22151:
Craig, D. M., and Harrison, E. A., Computer information security and protection: a bibliography with abstracts, No. NTIS/WIN-74-044, 1974.
Hsiao, D. K., Kerr, D., and McCauley, E. J., A model for data secure systems, The Computer and Information Science Research Center of the Ohio State University, No. AD-778657, 1974.
Index of automated design requirements as derived from the OMB Privacy Act implementation guidelines, No. NBSIR-75-909, December 1975 (available directly from NBS, the Institute for Computer Sciences and Technology, Washington, D.C. 20234).
Ware, W. H., Data banks, privacy and society, The Rand Corp., Santa Monica, California, November 1973, No. AD-786.
NBS Publications (Available from the Superintendent of Documents, U.S. Government Printing Office, Washington, D.C. 20402, using SD Catalog Numbers shown.):
NBS Special Publication 469 - Westin, A. F., with Isbell, F. (Ed.), A policy analysis of citizen rights issues in health data systems, January 1977 (SD Catalog Number C13.10:469).
NBS Special Publication 404 - Approaches to privacy and security in computer systems, September 1974 (SD Catalog Number C13.10:404).
NBS Technical Note 735 - The effects of magnetic fields on magnetic storage media used in computers, July 1972 (SD Catalog Number C13.46:735).
NBS Technical Note 780 - Controlled accessibility bibliography, June 1973 (SD Catalog Number C13.46:780).
NBS Technical Note 809 - Government looks at privacy and security in computer systems, February 1974 (SD Catalog Number C13.10:809).
NBS Technical Note 827 - Controlled accessibility workshop report, May 1974 (SD Catalog Number C13.46:827).
NBS Technical Note 906 - A methodology for evaluating alternative technical and information management approaches to privacy requirements, June 1976 (SD Catalog Number C13.46:906).
FIPS PUB 41 - Computer security guidelines for implementing the Privacy Act of 1974, May 1975 (SD Catalog Number C13.52:41).
FIPS PUB 31 - Guidelines for ADP physical security and risk management, June 1974 (SD Catalog Number C13.52:31).
Westin, A. F., NBS Monograph 157: Computers, health records and citizens rights, December 1976 (SD Catalog Number C13.44:157).
Privacy, security and the information processing industry, The Ombudsman Committee on Privacy, Los Angeles Chapter, Association for Computing Machinery, 1976.
Protection of electronic computer/data processing equipment (NFPA No. 75), National Fire Protection Association, 60 Batterymarch Street, Boston, Massachusetts 02110.
Psychiatric Spectator, Vol. IX, No. 11, Sandoz Pharmaceuticals, East Hanover, New Jersey, March 1975 (Abstracts of American Psychiatric Association Conference on the Confidentiality of Health Records).
ROSENBERG, J. M., The death of privacy, New York: Random House.
The privacy mandate: planning for action, U.S. Department of Commerce and Mitre Corporation (Report of a Symposium/Workshop, April 2-4, 1975).
TURN, R., Privacy and security in personal information, National Science Foundation and Rand Corp., Santa Monica, California, 1974.
WEISS, H., Computer security: an overview, Datamation, January, 1974, 42-47.
WESTIN, A. F. (Ed.), Information technology in a democracy, Cambridge, Massachusetts: Harvard University Press, 1971.
WESTIN, A. F., MARTIN, D. B. H., and LUFKIN, D. H., The impact of computer-based information systems on citizen liberties in advanced industrial nations, A Report to the German Marshall Fund of the United States, Washington, D.C., October 1973.
What every executive should know about privacy in information systems, SAFE (Secure Automated Facility Environment Project), State of Illinois, Department of Finance (MID), 604 State Office Building, Springfield, Illinois 62706.