The Internet and Electronic Transmission of Medical Records


Page 1: The Internet and Electronic Transmission of Medical Records

Journal of Clinical Monitoring 13: 325–334, 1997. © 1997 Kluwer Academic Publishers. Printed in the Netherlands.

Medical Intelligence

THE INTERNET AND ELECTRONIC TRANSMISSION OF MEDICAL RECORDS

Sam G. Campbell, Esq,¹ Gordon L. Gibby, MD,² Susan Collingwood, Esq³

From ¹ Townsend and Townsend and Crew, ² the Departments of Anesthesiology and Medicine and ³ the College of Medicine, University of Florida.

Received Sep 3, 1996. Accepted for publication Jun 4, 1997.

Address correspondence to Sam Campbell, Townsend and Townsend and Crew, 379 Lytton Avenue, Palo Alto, California 94301, U.S.A.

Campbell SG, Gibby GL, Collingwood S. The internet and electronic transmission of medical records. J Clin Monit 1997; 13: 325–334

ABSTRACT. Objective. To review, from a legal perspective, the potential for using the Internet for inter-institutional transfer of patient medical records. Methods. Basic issues and recent legislation that relate to protection of both medical data, and those transferring that data over public network systems, are reviewed. Results. Many laws already in existence can be applied to Internet transmission, but questions of jurisdiction remain. Providing signatures on requests for information, which are in essence contracts, is a problem. Signatures must both prove the identity of the participants and provide for non-repudiation of the agreement. Cryptographic digital signatures appear secure and effective, but their use is difficult to implement. Simpler methods are fraught with risks, yet are more easily accomplished. The patient's rights of privacy must be balanced against the need for access by government, physician, or healthcare institutions to confidential information. In general, information holders must put forth reasonable efforts to keep information confidential. The development of acknowledged standards will provide guidance. Multiple laws provide some deterrence and hence some reassurance to healthcare institutions, for example, by criminalizing acts of electronic interception of patient records in transit. Conclusion. Some believe the expense of secure transfer of medical records by electronic means is a major obstacle; this is false: such transfers are now technologically quite easy. The greatest obstacle to electronic transfer of medical records at this point is the development of workable standards for signing agreements and protecting transmissions, but the perceived advantages will likely drive the necessary developments.

KEY WORDS. Computers, identification, internet, medicolegal, privacy, records, medical, digital signature, confidentiality, cryptography, electronic transfer of medical records.

INTRODUCTION

With increased mobility of patients, records of prior medical situations may be spread across one or more geographically distinct locations. The existence of these records may first be discovered during an outpatient interview, and rapid acquisition is required for review during that interview. There are many other situations that require inter-institutional exchange of healthcare records. At the tertiary care hospital where one of the authors practices, 32000 external requests for medical records are received annually from healthcare providers, governmental agencies, attorneys, and third party payors (Link M, Director, Health and Information Records Management: Personal communication, 1996). Therefore, the development of inter-institutional communications agreements allowing a patient-authorized electronic transfer of medical records between legitimate participating healthcare institutions would be a significant healthcare informatics advance. Such communications could be transported over a private commercial data network (for example, Tymnet, IBM Information Network, or GE Information Services Mark*Net [1]), but the accessibility and low cost of the Internet make it an ideal medium for inter-institutional exchange of medical records.

BASIC LEGAL ISSUES REGARDING ELECTRONIC TRANSFER OF MEDICAL RECORDS

Jurisdiction

An "entity," a legally cognizable organization or party that has responsibility for certain computing facilities, may now easily gain access to the Internet. Existing laws will be applied in novel ways to the networked computers of such entities. Just as documents may be stolen from an office, computer files may be electronically stolen. Electronically breaking into a facility and copying digital information is no different from physically breaking in and removing paper files. The usual criminal penalties apply in both such scenarios. But, while the jurisdiction for trying a criminal case or identifying ownership or control of an entity's facilities is easily determined, it is more difficult to determine the situs of a crime or tort committed on a network [2, 3]. Where results under the laws of different states or nations differ and where it is unclear which law should be applied, a "conflict of laws" issue arises. The question of which jurisdiction's law will govern in such situations has been and will continue to be a contentious issue. Uniform state laws or federal legislation would help resolve this problem at least within the United States.

Contracts: Legally valid agreements

The problem of a valid signature is especially difficult when considering contracts (including patient authorizations) made by using an electronic medium. While it is difficult to state with certainty, a court ruling on the validity of an electronically communicated release, such as those discussed herein, might draw from earlier experiences with verbal telephone contracts (arguably electronic in nature) to deal with such releases. In general, even a verbal agreement (i.e., contract) is legally binding, subject to limitations such as the Statute of Frauds, which requires a written contract in certain enumerated cases (such as real property, contracts for greater than a certain value, and contracts in force for long periods of time). Normally, the use of a telephone would not preclude such validity (e.g., telephone catalog sales), although various standard defenses to such a contract (e.g., fraud) might be more accessible. A parallel to written contracts, however, is closer. There, a signature identifies the person entering into an agreement but primarily serves to prevent repudiation of (herein, defined as "...denial of the validity of, and responsibility for...") the agreement. Electronic forms of the signature may not offer the same guarantees. There are well-established guidelines for allocating losses resulting from a fraudulent physical signature. Because the technology for authenticating various possible electronic forms of signature is still in its infancy, the courts have not fully addressed the issue of the enforceability of such electronically-signed contracts or the assignment of loss in the event of discovery of fraud. Although a few states have undertaken to define what constitutes a valid electronic signature and to provide a regulatory scheme for validation,¹ most states have not. As a result, entities may be reticent to strike an electronic agreement. As an alternative to waiting for state courts or legislatures to address the situation, proposed federal legislation would advance the law in this area by validating the use of electronic signatures on a nationwide basis [4]. Unfortunately, at the time of writing, this proposed legislation does not define "electronic signature," and, thus, still leaves concerns about the trustworthiness of electronic signatures. An electronic signature may range from a cryptographic digital signature to a bit-mapped rendition of a physical signature, ranging from excellent to very poor in reliability.

The cryptographer's digital signature begins with a positive proof of the person's identity determined by some reliable method, which is then recorded electronically via encryption into a digital message that cannot be repudiated and cannot be altered or forged without discovery. Encryption is the process of reversibly altering the content of a text using some key, usually represented as a number. Algorithms where the same key or number is used both for encryption and decryption (and thus must be kept secret) are known as "private key" or "symmetric" encryption algorithms, an example of which is the Data Encryption Standard (DES, Figure 1). If the key can be securely transferred (by an alternate means) between the two parties, such an encryption method can be used to transfer information between the parties that cannot be read by an eavesdropper. Furthermore, such encrypted information cannot be surreptitiously altered; if altered, it will not decrypt properly. However, it is difficult to use such an algorithm to establish the identity of the sender (by

326 Journal of Clinical Monitoring Vol 13 No 5 September 1997


verification of the ability to decrypt to meaningful text) because this requires that the secret key be given to every person to whom secured messages might need to be sent, compromising the security of the key itself. The development of asymmetric "public key" encryption algorithms by Diffie, Hellman and Merkle in 1976 solved this problem. An example is the 1978 RSA algorithm, named for its inventors, Rivest, Shamir, and Adleman, which can most obviously be broken only by the difficult task of factoring a very large number. The sender encrypts a standard message using his personal secret key. Any receiver can decrypt the message using a widely published public key for that sender. If the message decrypts properly, it proves the identity of the sender. The private key of the sender cannot be deduced from the public key, and thus the sender can prove his identity repeatedly to many persons. If the sender wishes to send not only proof of his identity, but also a confidential message, he can additionally encrypt the message with the public key of the intended recipient (Figure 3).

Now only the intended recipient can decrypt the message (first using the recipient's private key); next decrypting using the public key of the stated sender, the recipient can receive the secured message and simultaneously verify the identity of the sender. If the original proof of the person's identity is trustworthy and the encryption has not been compromised, the digital signature is trustworthy. Because the RSA algorithm demands at least 1000 times more processing effort than the DES (private key, symmetric) algorithm, it is common to encrypt the confidential message with the less-demanding DES algorithm using a one-time key number, send it separately, and then use the RSA algorithm to encrypt the one-time key, allowing the DES key to be securely transferred to the intended recipient as well as providing a digital signature. These functions may be integrated into one seamless secured transmission system [5].

Unfortunately, we do not have a method by which to guarantee the identification of 200+ million U.S. citizens (let alone the world population), and only with considerable difficulty can we even guarantee the identity of one of a group of physicians at a certain healthcare site. The lack of such large-scale identification systems has led to the continued use of the handwritten signature, but the typical means used to electronically transport these handwritten signatures are woefully insecure.

If a patient's records are held by a remote institution, the requesting organization often transmits the necessary requesting documents (signed by the patient and physician) via facsimile. There appears to be no prohibition to this practice, although both the patient's and physician's signature have thus been digitized.² Perhaps this is because, until recently, there has been no readily available method of forging a facsimile signature during transmission. Such forgeries are now well within the capabilities of many technophiles. Generally, a fax transmission presumes the existence of a properly signed, then scanned, original. However, wordprocessors now routinely allow insertion of graphical images (including a surreptitiously scanned signature) and fax transmission of the resulting combined document.
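The hybrid exchange described above (a one-time symmetric key protecting the record, the sender's private key signing it, the recipient's public key wrapping the one-time key), as an added Python illustration that is not code from the paper. It uses textbook RSA with small constructed primes and an HMAC-SHA256 keystream standing in for DES, so it shows the structure of the scheme, not production-grade cryptography.

```python
import hashlib
import hmac
import secrets


def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public, private), each as (exp, n).
    Toy key sizes; real keys are thousands of bits and use padding."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, value):
    """Raw RSA: value^exp mod n. Encrypt with a public key; decrypt or sign
    with the private one. The same operation serves both directions."""
    exp, n = key
    assert 0 <= value < n, "raw RSA acts on integers below the modulus"
    return pow(value, exp, n)


# Constructed key pairs for the two institutions (well-known small primes).
SENDER_PUB, SENDER_PRIV = make_keypair(1_000_000_009, 999_999_937)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(1_000_000_007, 998_244_353)


def stream_xor(key, data):
    """Symmetric stand-in for DES: XOR the data with an HMAC-SHA256 keystream
    derived from the one-time key. Encryption and decryption are the same call."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream.extend(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def digest_mod(data, n):
    """SHA-256 of the record, reduced below the signer's modulus so raw RSA can
    be applied to it (toy; real signature schemes use padding such as PSS)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def send_record(record, sender_priv, recipient_pub):
    """Sender side of the exchange:
    1. draw a one-time symmetric key and encrypt the record with it;
    2. wrap that key with the recipient's public key, so only the recipient
       can recover it;
    3. sign the record's digest with the sender's private key, so the
       recipient can verify who sent it."""
    _, n_recipient = recipient_pub
    one_time_key = secrets.randbelow(n_recipient - 2) + 2  # 1 < key < n
    ciphertext = stream_xor(one_time_key.to_bytes(16, "big"), record)
    wrapped_key = rsa_apply(recipient_pub, one_time_key)
    _, n_sender = sender_priv
    signature = rsa_apply(sender_priv, digest_mod(record, n_sender))
    return {"ciphertext": ciphertext, "wrapped_key": wrapped_key, "signature": signature}


def receive_record(envelope, recipient_priv, sender_pub):
    """Recipient side: unwrap the one-time key with the recipient's private key,
    decrypt the record, then check the signature against the stated sender's
    public key. Returns (record, verified); an unverified record must be
    treated as altered in transit or as not from the claimed sender."""
    one_time_key = rsa_apply(recipient_priv, envelope["wrapped_key"])
    record = stream_xor(one_time_key.to_bytes(16, "big"), envelope["ciphertext"])
    _, n_sender = sender_pub
    verified = rsa_apply(sender_pub, envelope["signature"]) == digest_mod(record, n_sender)
    return record, verified


if __name__ == "__main__":
    # Constructed sample request; no real patient data.
    request = b"Release request, patient 000-CONSTRUCTED, records 1996-09-03 to 1997-06-04"
    env = send_record(request, SENDER_PRIV, RECIPIENT_PUB)
    got, ok = receive_record(env, RECIPIENT_PRIV, SENDER_PUB)
    print("intact delivery verified:", ok and got == request)
    # One byte altered in transit still decrypts to bytes, but the signature
    # check fails, which is how the recipient detects the change.
    altered = dict(env, ciphertext=bytes([env["ciphertext"][0] ^ 1]) + env["ciphertext"][1:])
    print("altered copy verified:", receive_record(altered, RECIPIENT_PRIV, SENDER_PUB)[1])
```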

Other means of electronically conveying a handwritten signature that might be considered for an automated system may be even less secure. There are readily available software packages capable of modifying a digital bitmap saved in a standard format, for example, PCX or TIF. Therefore, the utilization of a bitmap signature as an "electronic signature" will likely require additional guarantees of authenticity, such as the more stringent digital signature of a witness to the relatively unsecure bitmapped signature, and will require protections that electronic alterations beyond the understanding of the witness have not occurred. At present, these possibilities are untested and would need either legislation or case law to establish their legitimacy. Note that adding the requirement of a digital signature of a witness advances the security well past the now-commonplace retail practice of the customer signing a graphics pad to validate a credit card transaction. The customer's signature has been captured and can be easily re-used by an unscrupulous individual. In view of such risks, the prudent electronic medical records user will demand a medical records transmission system that is extremely well-protected against fraudulent use. The standard for the protection of patient confidentiality is, at bottom, a "reasonableness" standard [6], and in light of today's technology, it appears reasonable (despite the difficulties) to use cryptographic digital signatures for witnesses and members of small administrative groups such as physicians at one institution who need to sign documents electronically.

Fig. 1. Use of a private key symmetric encryption algorithm to safeguard a message from unintended review.

Fig. 2. Asymmetric public-private key algorithm additionally allows the identity of the sender to be verified.

Fig. 3. Encrypting twice using public/private algorithms allows proof of sender identity (digital signature) as well as security of transmission only to intended recipient.

Campbell et al: The Internet and Electronic Transmission of Medical Records 327

Legal implications of network-based practice of medicine

In the remainder of this article, we discuss the transportation of distant medical records to a local physician (or other provider) who is caring for the local patient. If the transmission of medical records is to a distant physician caring for or making decisions that affect the local patient (i.e., patient and physician are in different states), there are additional legal implications, specifically possible accusation of practice of medicine by out-of-state physicians. State licensure law must be considered on a state-by-state basis, and physicians practicing by telemedicine may choose to simply obtain licensure in all states involved [7]. Federal initiatives may eventually bring some relief to the licensure question; the Office of Rural Health Policy has sought suggestions for "easing licensure barriers to physicians and other health professionals providing telemedicine services across state lines" [8]. In each recent Congress, there have been multiple legislative initiatives directed toward telemedicine (most of which did not become law); in the 105th Congress, S. 385 would require the Secretary of Health and Human Services to report annually to Congress on

"(1) the number, percentage and types of healthcare providers licensed to provide telehealth services across state lines, including the number and types of healthcare providers licensed to provide such services in more than 3 States;

(2) the status of any reciprocal, mutual recognition, fast-track, or other licensure agreements between or among various States;

(3) the status of any efforts to develop uniform national sets of standards for the licensure of healthcare providers to provide telehealth services across State lines;

(4) a projection of future utilization of telehealth consultations across State lines;

(5) state efforts to increase or reduce licensure as a burden to interstate telehealth practice; and

(6) any State licensure requirements that appear to constitute unnecessary barriers to the provision of telehealth services across State lines."

S. 385 would also require the Secretary of Health and Human Services to develop recommendations for Congress, should the Secretary find the states are not moving with appropriate speed toward easing telehealth licensure problems [9].

PERFORMANCE-RELATED LEGAL RISKS OF INTERNET TELECOMMUNICATIONS PROVIDERS

Entities involved in medical records transmissions can be divided into two groups: those who provide computing services ("hosts") and those who use such services ("users"). A system as large as the Internet has a multitude of different types of hosts, each providing several different services to Internet users. Chief among the hosts are telecommunications providers. This being a relatively new area, the law has little experience with the problems associated with entrusting packets of data to a third-party (such as a telecommunications provider) for delivery. The standard of care owed by a telecommunications provider is therefore unclear, as is the recourse against them in the event of problems such as mistaken communications and lost data when users are conducting commercial activity on the Internet. Such transactions are sometimes subject to disclaimers by the telecommunications providers, which prefer not to accept liability for facilitating commercial dealings. Such liability could amount to billions of dollars [10]. The existence of numerous theories of liability explains the reluctance with which some telecommunications providers approach commercial traffic. Common law theories, primarily breach of contract but also intentional tort, negligence, and statutory causes of action (relating to unauthorized access and fraud committed with a computer), are some of the avenues open to those injured through mishandling of electronically transmitted data.


PATIENT CONFIDENTIALITY REQUIREMENTS

Privacy in our society is relative and can be viewed in the dimensions of freedom from intrusion by government, by corporations, or by private individuals.

Government

The Fourth Amendment of the United States Constitution³ gives us the right of privacy from unreasonable intrusion by the government into our personal affairs. This right has been affirmed by a long line of Supreme Court case law [11]. Government agency access to medical records for public health interests must protect individual privacy [12], a protection which has been cited as a limited constitutional right to privacy [13]. Generally, however, issues of medical records confidentiality relate not to government review but to review by private parties, for example, consulting physicians, subsequent physicians, and third-party payers, and so do not implicate constitutional considerations.

Physicians

The ethical principle of maintaining the confidentiality of information given by the patient is embodied in the Hippocratic oath. The preservation of the patient's privacy allows the patient to communicate potentially embarrassing, highly confidential information in a setting of trust for the purpose of their health care [14]. The physician must therefore ensure that the patient's private information remains confidential, and this is expected under common law. While common law does not, per se, bar dissemination of patient information, there are causes of action that can be brought against anyone who reveals or uses information intended to be confidential. Anyone having confidential information about a person or entity who reveals such information and, thereby, injures the person or entity may be sued under one of several common law theories, such as defamation, tortious interference, trade libel, publication of private facts, false light, and intrusion. Therefore, while there may not be a specific common law duty requiring physicians to maintain the confidentiality of patient information (not considering the Hippocratic oath), these causes of action demonstrate the need to respect such confidences.

This need for confidentiality differs from the "evidentiary privilege of confidentiality" (attorney/client privilege) which protects clients' discussions with their lawyer from forced revelation by a court, and which was recognized at common law. By contrast, no such privilege protected communications between patient and doctor from court inquiry at common law. Only codification by the states changed this to provide privilege to doctor–patient communications against court inquiry [15].⁴ A balance in law regarding the legal privilege of such information must be struck between parties' right to be "let alone" [16] and the perceived need of society for information, for example, public health authorities and defendants sued based on the patient's injuries and physical condition.

Under tort theories a physician is no different from an organization, but indeed is different as concerns privileged communications. In those states where doctor–patient communications have been protected from court inquiry, that protection would likely extend to protect the information when physically held by a healthcare organization.

The healthcare organization

Healthcare organizations' duty to keep patients' records confidential may be found in several sources: common law theories, state licensure laws, standards of the Joint Commission for the Accreditation of Healthcare Organizations, Medicare rules, and specific statutes and regulations with respect to certain patient records dealing with, for example, substance abuse, AIDS, and psychiatric records. Without the proper security measures, computer-based record systems thus become a source of enormous liability for the healthcare organization. Breach of confidentiality may give rise to common law causes of action under theories of invasion of privacy, betrayal of professional secrets, breach of contract, and negligent or intentional infliction of emotional distress. Sanctions from accreditation bodies and state entities may also result. State statutory law provides for actionable wrongs in situations concerning patients' rights [17], substance abuse [18], mental health [19], confidentiality of hospital records [20], confidentiality of records generally [21], physical abuse [22], and AIDS/communicable diseases [23]. Causes of action may also exist under federal law, for example, for the dissemination of information contained in confidential patient records of patients suffering from drug and alcohol abuse problems [24].

While the legal standards for confidentiality of patient records are the same whether the system is paper-based or computer-based, physical security of paper records would appear easier to maintain than electronic security, particularly in the case where the system storing the electronic records is accessible from off-site locations via a network connection or dial-up line. Unauthorized release of patients' medical records may occur either spontaneously (by accident or computer error) or by deliberate action on the part of an employee or intruder. Furthermore, because the magnitude of possible damage is far greater due to the ease with which large amounts of data may be quickly accessed, a security breach in a computer-based records system can be catastrophic, both in terms of information lost and the possibility of unwitting use of modified data. These factors justify substantial effort to protect the electronic medical record. However, electronic records offer the possibility of complete electronic access control (via passwords, tokens, and biometric measurement devices), intricately stratified levels of access to different portions of the record, and complete audit of all persons accessing the record. Paper medical records, in practical settings, cannot achieve these protections. Indeed, the security of paper medical records in practical settings is remarkably poor. In medical records departments or on the ward, it is often quite easy for anyone who appears official to obtain a desired record for review. Furthermore, the incidence of inability to obtain desired information is legendary.

Reasonable measures required

While extreme security measures may be unacceptably burdensome or expensive, information systems, healthcare organizations, and physicians must provide a reasonable degree of protection because of their duty to maintain the confidentiality of a patient's records [25]. In questions of the acceptability of care given to preserve the privacy of medical records, one of the chief factors is the originating party's reasonable expectations. The legal standard applied in determining what expectations are reasonable in a given situation is affected by the nature of the information transmitted, the precautions taken to ensure confidentiality, and the circumstances under which the information was transmitted [26]. The law recognizes that complete security in any setting is difficult, if not impossible, to achieve. In the current paper-based system, measures which appear reasonable in the given situation are all that can be expected of the healthcare organization. In a network environment, the same "reasonable measures" standard should apply.

Unfortunately, at present, what constitutes "reasonable measures" has not been clearly defined regarding the use of medical records in a distributed computing environment. Although various groups have promulgated standards for computer security (e.g., the Defense Department's "Orange Book" of computer security standards [27]), such standards are designed to protect highly sensitive data with enormous financial and strategic value, and are likely to be tested by the attempts of actual data thieves. The situation involving medical records would not appear to be comparably tempting to a data thief; therefore, there is a good reason to argue that "reasonable measures" are generally less stringent in the medical field. One possible solution is for institutions to investigate the healthcare area and agree with other institutions on appropriate standards. At present, the economic impact of implementing comprehensive anti-theft systems and converting legacy systems is probably more than most healthcare organizations are willing to shoulder. This is because many legacy systems have been written in low-level or older computer languages such as assembly code or COBOL, often hand-coded specifically for one institution, and often without sufficient "modularity" to the code. To add the user authentication, user authorization, encryption of all network transmissions, and journalling of all changes that would be required to make these systems provide appropriate security would not only require substantial hardware modifications, but would also require vast changes to production software. It is likely that programmers would have to alter or rewrite virtually the entire application suite of each institution. The risks of introducing new errors or of causing these older-technology production systems to slow to the point that they can no longer function appropriately – and hence drastically interfere with the delivery of health care – are large. It is much more likely that newly designed systems – built with component or modularized software using up-to-date languages such as C++ and based on toolkits such as the Common Object Request Broker Architecture – will be able to provide security economically.

Security measures may also substantially interfere with healthcare delivery if not appropriately designed. Unconscious patients in the emergency room with no identification must still be treated even though they cannot give consent and cannot identify themselves. Frustrating password systems that require physicians to recall long strings of meaningless characters in emergency situations – and then demand that they be changed at 30-day intervals – will not work in the real world of healthcare delivery. A "break-glass" emergency mode of information access must be provided, and then appropriately audited and examined. Authentication systems that are far easier to use – such as smartcards, hermetically-sealed smart "buttons" [28] or biometric recognition of the palm, iris or face [29] – must be further developed and deployed.
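The access-control properties raised in the two preceding passages (stratified access to different portions of the record, complete audit of every access, and an audited break-glass emergency mode), as an added Python sketch that is not the paper's or any institution's code. The roles, record sections and sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role-to-section map: which portions of the record each role may
# read in normal operation (the "stratified levels of access").
ROLE_SECTIONS = {
    "attending": {"demographics", "history", "labs", "psychiatric", "substance_abuse"},
    "nurse": {"demographics", "history", "labs"},
    "billing": {"demographics"},
}

# Sections the paper notes are covered by their own statutes: a break-glass
# read of these is still granted, but queued for priority review.
SPECIALLY_PROTECTED = {"psychiatric", "substance_abuse"}


@dataclass(frozen=True)
class AccessEvent:
    """One immutable audit line: who read what, whether it was granted, and why."""
    at: str
    user: str
    role: str
    patient_id: str
    section: str
    granted: bool
    break_glass: bool
    reason: str
    priority_review: bool


class RecordStore:
    """Constructed records plus an append-only audit trail. Every read attempt,
    granted or refused, produces an AccessEvent. Break-glass reads bypass the
    role map but must state a reason and are queued for later examination."""

    def __init__(self, records):
        self._records = records
        self._audit = []

    def read(self, user, role, patient_id, section, *, break_glass=False, reason=""):
        permitted = section in ROLE_SECTIONS.get(role, set())
        if break_glass and not reason.strip():
            granted = False  # an override without a stated reason is refused, and still logged
        else:
            granted = permitted or break_glass
        self._audit.append(AccessEvent(
            at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=user, role=role, patient_id=patient_id, section=section,
            granted=granted, break_glass=break_glass, reason=reason,
            priority_review=break_glass and (not permitted or section in SPECIALLY_PROTECTED),
        ))
        if not granted:
            return None
        return self._records.get(patient_id, {}).get(section)

    def audit_trail(self):
        """The complete, ordered list of access events (a copy, so callers cannot edit it)."""
        return tuple(self._audit)

    def pending_reviews(self):
        """Break-glass attempts still to be examined, priority cases first."""
        events = [e for e in self._audit if e.break_glass]
        return sorted(events, key=lambda e: not e.priority_review)


SAMPLE_RECORDS = {  # constructed; no real patient data
    "P-0001": {"demographics": "DOE, J., 1950", "labs": "K 4.1 mmol/L",
               "psychiatric": "restricted note"},
}

if __name__ == "__main__":
    store = RecordStore(SAMPLE_RECORDS)
    store.read("n.smith", "nurse", "P-0001", "labs")
    store.read("b.jones", "billing", "P-0001", "labs")
    store.read("n.smith", "nurse", "P-0001", "psychiatric", break_glass=True,
               reason="unconscious ED arrival, no identification")
    for event in store.audit_trail():
        print(event)
    print("to review:", [(e.user, e.section) for e in store.pending_reviews()])
```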

Healthcare institutions and contracted services

Healthcare institutions would be wise to spread the risk, liability and responsibility for breaches of confidentiality to others, thus ensuring that others work to prevent breaches. An agreement that clearly and fully defines the rights and responsibilities of both the users of a system and the telecommunications providers is mandatory. In a private network setting, issues that would be addressed by the agreement include accuracy of data, timeliness of delivery, guaranteed delivery to the proper parties, a guarantee of privacy and security in transmission, and restricted access to the substance of the transmissions. In the public Internet, however, most of these parameters are not fully under the control of the telecommunications provider (e.g., lack of routing control due to the packet-switching techniques used by the Internet's communication protocols), so that the carrier cannot provide determinative delivery times or definitive levels of privacy. As a result, it is unlikely that telecommunications providers will sign more than minimally reassuring agreements. Nevertheless, healthcare organizations should request that the providers agree to reasonable standards of procedures that will ensure a high degree of performance. For Internet providers, this should include the maintenance of redundant connections from the supplier to different distant hubs of the Internet, adequate guaranteed bandwidth provision ("committed information rate") for the healthcare organization, adequate maintenance of the supplier's routers and equipment, privacy of their communications at least within the supplier's office, and a guaranteed response time to outages of service. Because the routing protocols utilized on the Internet allow the system to "heal" after loss of a link, the Internet is relatively robust. However, if the supplier has only one outward bound link, or redundant links that do not connect to adequately different distant points on the Internet, the supplier is vulnerable to a long outage from a simple telecommunications circuit failure.

LEGAL PROTECTION OF INTERNET TELECOMMUNICATIONS

While potentially liable for their own actions in using the Internet, telecommunications providers benefit from laws criminalizing purposeful external attacks on their communications. While these laws do not protect the healthcare organizations directly, they provide a justification for government investigation and punishment of transgressors, and that fact may tend to deter intruders.

Communications over the Internet are not materially different from other forms of telecommunication. As we approach a unified means of transmitting voice, data, and video information (such as Integrated Services Digital Network (ISDN)), any distinctions that may exist will be obliterated. Therefore, the law as it pertains to privacy in the more usual means of telecommunications should apply with equal force to digital communications systems such as the Internet.⁵

The following laws may help make healthcare use of the Internet more secure: the Communications Act of 1934, the Electronic Communications Privacy Act of 1986, the Computer Fraud and Abuse Act, and various state laws. Such laws may give rise to criminal prosecutions by the state or federal government, civil action by hospitals, and/or civil actions by patients.

First, the Communications Act of 1934 establishes additional legal privacy, by prohibiting any interception or disclosure of interstate communications by means of wire or radio frequency [30]. As noted, the right to freedom from unauthorized access is provided by both federal and state law. This right is, in essence, a right to privacy (at least in application) and can provide a private cause of action against parties invading the "privacy" of "stationary" digital information. It may be argued, however, that there is no right to privacy in such situations due to the lowered expectation of privacy that attends an unsecured public network. Only the courts can answer this question definitively.

The Electronic Communications Privacy Act (ECPA) defines another set of statutory protections, prohibiting unauthorized interception and/or dissemination of oral or electronic communication that is "in transit" [31]. Acts that are covered by the ECPA include unauthorized access to a facility through which electronic communication service is provided (or access that exceeds the authorization granted for that facility). This makes breaking into a computer system such as a hospital's information system ("hacking") a federal crime, no matter what avenue of access the perpetrator takes. Also, due to the "exceeding authorization" language in the statute, this applies to employees and other personnel having limited authorization. This is effective because, in the usual hospital information system or computerized patient record environment, nearly all users will have their access limited in several meaningful ways. Loss of security via misplaced passwords or usernames is also addressed by the statute, which provides for the situation where a bona fide user of the system loses such information or has their account used surreptitiously. Whether this law would cover information that has been stored at a temporary location (such as a store-and-forward site on the Internet) is unclear.

Additional federal legislation currently allows hosts to take action against an intruder in a variety of ways.

The Computer Fraud and Abuse Act (CFAA) deals primarily with computers operated by the federal government and those computer systems that cross state lines⁶ [32] and has been vigorously enforced in the past [33]. Subsection (5)(A) is particularly applicable to Internet medical records communications by stating that action may be taken under the CFAA against a person who:

Through means of a computer used in interstate commerce ... knowingly causes the transmission of a program, information, code, or command to a computer ... if [the person intends to harm (or "with reckless disregard of a substantial and unjustifiable risk that the transmission will" cause harm) and] ... the transmission of the harmful component ... occurred without the authorization ... and ... modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals.

Given that the Internet is by its very nature a medium of interstate commerce, and that any tampering with computerized patient records would indeed affect the aspects of health care mentioned in the statute, a person accessing Internet communications of patient medical records without authorization would be liable under the statute. This law, however, speaks in terms of the party knowingly exceeding their authorization ("without authorization or exceeding authorized access"). This requires those operating the system to make known the policies and procedures for gaining access to the system and the limits of that access as they apply to each individual accessing the computer in question. This is necessary for the entity to protect its cause of action in a court of law, should unauthorized access (from within or without) occur.

Finally, state laws also provide a variety of protections in situations of unauthorized access and acts that prohibit the modification of data [34]. This applies equally to "trespass" onto computer "property" (basically accessing a computer without authorization or beyond the authorization granted) [35]. These laws provide not only for civil actions against perpetrators, but also for criminal penalties. Additionally, many of the more familiar crimes described in state criminal statutes are applicable to unauthorized access of hospital information systems. For example, "forgery" of electronic signatures might give rise to a cause of action (depending on the technology employed). Other common-law theories advanced above may also be applicable. Additionally, patients may generally bring the above-described actions in their own right.

CONCLUSIONS

The likely advantages of economy and efficiency of rapid electronic access to medical records will drive the development of inter-institutional methods of automated access. Systems developed to provide this service operate in poorly-defined legal marshes in certain areas, but on firmer footing in other areas where the courts have already given direction. While basic questions such as jurisdiction have not been definitively answered, there are guiding principles in the areas of electronic signatures and data confidentiality that pioneer developers should heed. There are several organizations which provide updated information on key issues, including the Center for Democracy and Technology [36], the American Health Information Management Association [37], and the Electronic Frontier Foundation [38].

In the absence of applicable legislation, the enforceability of electronic authorizations for transfer of medical records (now routinely accepted by facsimile) will depend on demonstrating the security of the means used to "sign" the authorization. The security of facsimile signatures is questionable. Digitized physical signatures in standard formats, easily altered by popular software packages, likely will not prove acceptable for use by physicians. The development of password, token, or biometric identification systems to allow secure electronic signatures will therefore be vital to the growth of Internet usage by hospitals.

Patient confidentiality must be maintained in the ethical practice of medicine and, indeed, by law in many respects. Reasonable efforts to maintain confidentiality are therefore required if the healthcare institution is to avoid excessive liability, particularly against spontaneous unauthorized data release. This risk may be ameliorated by purchasing systems from the vendors willing to agree to share liability via contract. While determined intruders may be capable of breaching most commercially available security systems, severe penalties may be levied against such individuals. Software-based encryption algorithms will allow inexpensive safeguards to protect confidentiality. By following the tenets reviewed herein, responsible developers of inter-institutional systems for medical record transport can construct systems that are not just faster and more efficient than current paper-based techniques, but also more secure and more legally defensible, by virtue of the intricate control and audit capabilities electronic systems can provide.

NOTES

1 For example, the Washington Electronic Authentication Act, which creates "digital signature certificate authorities" similar to notaries, will become effective January 1, 1998. 1996 Washington Laws 6423 (to be designated Chapter 250, pp. 101–605).

2 In fact, this process can be performed with an image scanner and computer with facsimile capabilities. The documents, including signatures, are scanned into an image file on the computer. The facsimile hardware and software on the computer are then used to transmit information as a standard Class III (or other class) facsimile transmission.

3 Fourth Amendment to the Constitution of the United States of America, which reads: "Amendment IV. Searches and Seizures. The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

4 As Florida Jurisprudence notes: "The Florida Evidence Code does not recognize any general physician–patient privilege. Nor did this privilege exist at common law or by virtue of the Hippocratic oath. Although information disclosed to a healthcare practitioner by a patient in the course of care and treatment is not privileged and may be compelled by subpoena, such information is nonetheless considered confidential and cannot generally be disclosed, except to other healthcare providers, without the patient's written authorization." The source of the last statement is Florida Statutes § 445.241 (2), which states that: "Except as otherwise provided in § 440.13 (2) [regarding independent medical examiners and worker's compensation insurance], such [patient] records may not be furnished to, and the medical condition of a patient may not be discussed with, any person other than the patient or the patient's legal representative or other healthcare providers involved in the care or treatment of the patient, except upon written authorization of the patient."

5 "Any person who uses a computer or computer network with the intention of examining any employment, medical, salary, credit or any other financial or personal data relating to any other person with knowledge that such examination is without authority shall be guilty of the crime of computer invasion of privacy [22]." [emphasis added]

6 The pertinent part of the legislation reads: (2) The term "Federal interest computer" means a computer (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects the use of the financial institution's operation or the Government's operation of such computer; or (B) which is one of two or more computers used in committing the offense, not all of which are located in the same State.

REFERENCES

1. Derfler FJ Jr. PC magazine guide to linking LANs. Emeryville, California: Ziff-Davis Press, 1992: 163–182

2. Resuscitation Technologies, Inc. v. Continental Health Care Corp., 1997 U.S. Dist. Lexis 3523

3. U.S. v. Robert Alan Thomas and Carleen Thomas, 74 F.3d 701 (6th Cir. 1996)

4. Senate Bill 1360, Medical Records Confidentiality Act of 1995, 104th Congress

5. Schneier B. Public-key algorithms, Chapter 12, pp. 273–296, Applied Cryptography. New York: John Wiley & Sons, c. 1994

6. Florida Board of Bar Examiners Re: Applicant, 443 So.2d 71, 75 (Fla. 1984)

7. Waters RJ, Shotwell Lynn Frendt. Licensure laws pose interstate tug-of-war. http://www.arentfox.com/tele-med/articles/interslicense.html

8. Federal Register: August 9, 1996 (Volume 61, Number 155), Notices, page 41640

9. Senate Bill 385, The Comprehensive Telehealth Act of 1977, 105th Congress, available through http://thomas.loc.gov/home/c105query.html

10. Kutten AJ, Reams BD, Strehle AE. Electronic contracting law: EDI in business transactions. New York: Clarke Boardman Callaghan, 1993

11. Griswold v. Connecticut, 381 U.S. 479 (1965)

12. Whalen v. Roe, 429 U.S. 589 (1977)

13. United States v. Westinghouse Elec. Corp., 638 F. 2d 570 (3rd Cir. 1980)

14. Murray JP. New concepts of confidentiality in family practice. J Fam Pract 1986; 23: 229–232

15. FLA. STAT. ch. 445.241 (2) (1995)

16. Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting); Cooley, Torts, 2d ed. 1888, 29

17. 20 ILCS 301/30-5 (1994); Mass. Ann. Laws ch. 111B, §11 (1994); Minn. Stat. §144.651 (1994)

18. Alaska Stat. §47.37.210 (1994); C.R.S. 25-1-312 (1994); Conn. Gen. Stat. §17a-630 (1992); 16 Del. C. §2214 (1994); HRS §334B-1 (1994); Idaho Code §39-308 (1994); Iowa Code §125.15 (1993); K.S.A. §65-4050 (1993); 5 M.R.S. §20047 (1994); Md. Health-General Code Ann. §8-601 (1994); Nev. Rev. Stat. Ann. §458.280 (1993); N.M. Stat. Ann. §43-2-11 (1994); ORC Ann. §3793.14 (1994); 71 P.S. §1690.108 (1994); Tenn. Code Ann. §68-24-508 (1994); Rev. Code Wash. (ARCW) §70.96A.150 (1994)

19. Code of Ala. §22-11A-22 (1994); Code of Ala. §34-26-2 (1994); Alaska Stat. §47.30.590 (1994); C.R.S. 27-10-120.5 (1994); Conn. Gen. Stat. §17a-451 (1992); Fla. Stat. §394.459 (1994); 740 ILCS 110/5 (1994); Burns Ind. Code Ann. §16-39-2-3 (1994); K.S.A. §59-2929 (1993); §630.110 R.S.Mo. (1993), Title XL; §630.140 R.S.Mo. (1993), Title XL; NY CLS Men Hyg §23.05 (1994); NY CLS Men Hyg §33.13 (1994); N.C. Gen. Stat. §122C-53 (1994); ORC Ann. §5122.31; 24 L.P.R.A. §5003 (1991); R.I. Gen. Laws §40.1-4-13 (1994); R.I. Gen. Laws §40.1-5-5 (1994); Tenn. Code Ann. §33-3-104 (1994); Tex. Health & Safety Code §611.002 (1995); Utah Code Ann. §62A-12-247 (1994); Rev. Code Wash. (ARCW) §71.05.630 (1994); W.Va. Code §27-3-1 (1994)

20. Code of Ala. §22-21-30 (1994); Ark. Stat. Ann. §20-13-806 (1994); Fla. Stat. §395.3025 (1994); Fla. Stat. §395.0193 (1994); Fla. Stat. §400.605 (1994); Idaho Code §39-1392b (1994); Miss. Code Ann. §41-9-67 (1993); Wyo. Stat. §35-2-601 (1994)

21. Cal. Civ. Code §56.11 (1995); La. R.S. 37: 1278.1 (1993); 5 M.R.S. §19203-D (1994); MSA §14.15 (5131) & (6112) (1993); R.R.S. Neb. §81-668 (1994); N.C. Gen. Stat. §130A-12 (1994); R.I. Gen. Laws §5-37.3-4 (1994); S.C. Code Ann. §44-6-180 (1993); S.C. Code Ann. §44-115-10 (1993); Tenn. Code Ann. §63-2-101 (1994); Wis. Stat. §146.82 (1993)

22. 410 ILCS 70/6.1 (1994)

23. C.R.S. 25-1-122 (1994); Fla. Stat. §381.004 (1994); Fla. Stat. §384.22 (1994); 410 ILCS 310/7 (1994); La. R.S. 40: 1300.14 (1993); 5 M.R.S. §19203 (1994); §191.656 R.S.Mo. (1993); N.J. Stat. §26: 5C-10 (1993); N.D. Cent. Code, §23-07.5-02 (1993); 35 P.S. §7606 (1994); Rev. Code Wash. (ARCW) §70.24.105 (1994)

24. U.S.C. §7332; 42 U.S.C. §242 (a) (1994); 42 U.S.C. §254 (c) (1994); 42 U.S.C. §290dd-2 (1994)

25. Florida Board of Bar Examiners Re: Applicant, 443 So.2d 71, 75 (Fla. 1984)

26. Frawley KA. The computerized patient record and confidentiality. In Confidence (Newsletter of the American Health Information Management Association), March 1993; 1 (2): 1–3

27. Department of Defense, US Government. Automated information systems security program handbook. IRM Manual, Part 6 (also known as the ORANGE BOOK). Washington DC: Government Printing Office, 1989

28. Dallas Semiconductor: http://www.dalsemi.com/Prod_info/AutoID/index.html

29. Phillips K. In-your-face security: Innovative TrueFace CyberWatch uses a neural network approach to recognize authorized users and reject the rest. PC-WEEK, March 26, 1997. http://www.pcweek.com/reviews/0324/24face.html

30. 47 U.S.C. §605 (as amended in 1988)

31. 18 U.S.C. §§2510 et seq (1994)

32. 18 U.S.C. §1030 (2)(A) & (B) (1994)

33. United States v. Morris, 928 F2d 504 (2d Cir. 1991)

34. Code of Ala. 13A-8-100 (1994), Title 13A, Criminal Code, Ch. 8, Offenses Involving Theft, Art. 5, Alabama Computer Crime Act, 13A-8-100; Ark. Stat. 5-41-101 (1994), Title 5, Criminal Offenses, Subtitle 4, Offenses Against Property, Ch. 41, Computer-Related Crimes, 5-41-101; C.R.S. 18-5.5-101 (1994), Title 18, Criminal Code, Art 5.5, Computer Crime, 18-5.5-101; Fla. Stat. 815.01 (1994), Title XLVI, Crimes, Ch. 815 Computer-Related Crimes, 815.01; HRS 708-890 (1994); Div. 5, Crimes and Criminal Proceedings, Title 37, Hawaii Penal Code, Ch. 708, Offenses Against Property Rights, [Part IX], Computer Crime, 708-890; Idaho Code 18-2201 (1994), Penal Code, Title 18, Crimes and Punishments, Ch. 22, Computer Crime, 18-2201; 720 ILCS 5/16D-1 (1994), Ch. 720, Criminal Offenses, Criminal Code, Criminal Code of 1961, Title III, Specific Offenses, Part C, Offenses Directed Against Property, Art. 16D, Computer Crime, 720 ILCS 5/16D-1 (Illinois); Iowa Code 716A.1 (1993), Title XVI, Criminal Law and Procedure, Subtitle 1, Crime Control and Criminal Acts, Ch. 716A, Computer Crime, 716A.1; La. R.S. 14: 73.1 (1993), Louisiana Revised Statutes, Title 14, Criminal Law, Ch. 1, Criminal Code, Part III, Offenses Against Property, Subpart D, Computer Related Crime, 73.1; 17-A M.R.S. 431 (1994), Title 17-A, Maine Criminal Code, Part 2, Substantive Offenses, Ch. 18, Computer Crimes, 431; Miss. Code Ann. 97-45-1 (1993), Title 97 Crimes, Ch. 45, Computer Crimes, 97-45-1; RSA 638: 16 (1993), Title LXII, Criminal Code, Ch. 638, Fraud, Computer Crime, 638: 16 (New Hampshire); N.J. Stat. 2C: 20-23 (1993), Title 2C, The New Jersey Code of Criminal Justice, Subtitle 2, Definition of Specific Offenses, Part 2, Offences Against Property, Ch. 20, Theft and Related Offenses, II, Computer-Related Crimes, 2C: 20-23; N.M. Stat. Ann. 30-45-1 (1994), Ch. 30, Criminal Offenses, Art. 45, Computer Crimes, 30-45-1; N.C. Gen. Stat. 14-453 (1994), Ch. 14, Criminal Law, Subch. XI, General Police Regulations, Art. 60, Computer-Related Crime, 14-453; 21 Okl. St. 1951 (1994), Title 21, Crimes and Punishments, Part VII, Crimes Against Property, Ch. 70, Other Offenses Against Property Rights, Computer Crimes Act, 1951; R.I. Gen Laws 11-52-1 (1994), Title 11, Criminal Offenses, Ch. 52, Computer Crime, 11-52-1; S.C. Code Ann. 16-16-10 (1993), Title 16, Crimes and Offenses, Ch. 16, Computer Crime Act, 16-16-10; Tex. Penal Code 33.01 (1995), Penal Code, Title 7, Offenses Against Property, Ch. 33, Computer Crimes, 33.01; Utah Code Ann. 76-6-701 (1994), Title 76, Criminal Code, Ch. 6, Offenses Against Property, Part 7. Computer Crimes, 76-6-701; Va. Code Ann. 18.2-152.1 (1994), Title 18.2, Crimes and Offenses Generally, Ch. 5, Crimes Against Property, Art. 7.1, Computer Crimes, 18.2-152.1; W. Va. Code 61-3C-1 (1994), Ch. 61, Crimes and Their Punishment, Art. 3C. West Virginia Computer Crime and Abuse Act, 61-3C-1; Wyo. Stat. 6-3-501 (1994), Title 6, Crimes and Offenses, Ch. 3, Offenses against Property, Art. 5, Computer Crimes, 6-3-501

35. Ark. Stat. Ann. §5-41-104 (1994); Ind. Code Ann. § 35-43-2-3 (1994); NY CLS Penal §156.10 (1994); Va. Code Ann. §18.2-152.4 (1994); Rev. Code Wash. (ARCW) §9A.52.110, 9A.52.120, 9A.52.130 (1994)

36. http://www.cdt.org

37. http://www.ahima.org

38. http://www.eff.org
