Tuesday, 29 October 2002 - 3:30 PM
74

This presentation is part of C6: Grow: Privacy and Confidentiality

Internet Interfaces: Provider Access to Confidential Patient Information

Angel R. Aponte (1), Amy E. Metroka (1), Alison E. Chi (2), and Noam Arzt (3). (1) Citywide Immunization Registry, New York City Department of Health, 2 Lafayette St., 19th Floor, New York, NY, USA, (2) Citywide Immunization Registry, Medical & Health Research Assn, 2 Lafayette Street, 19th Floor, New York, NY, USA, (3) HLN Consulting, LLC, 7072 Santa Fe Canyon Place, San Diego, CA, USA


KEYWORDS:
Privacy, Confidentiality, Internet, Immunization Registry, Healthcare Providers

BACKGROUND:
In June 2002, the NYC Citywide Immunization Registry will launch a web-based interface for healthcare providers. Patient privacy and confidentiality concerns regarding inappropriate provider searches and information disseminated were addressed by surveying all of the states on the CDC's list of Internet-enabled Immunization Registries.

OBJECTIVE(S):
To understand the methods employed across states to protect patient privacy in Internet-enabled applications.

METHOD(S):
The CIR surveyed twenty-seven state registries and received feedback from eleven organizations, via E-mail and telephone.

RESULT(S):
All respondents employ laws (local health code, state privacy/confidentiality laws, and federal HIPAA regulations) and policies to determine the requirements for a patient search. Signed confidentiality agreements with providers, along with user training, make the laws and policies explicit. Six have restrictive search criteria (minimum three fields requiring an exact match), while five allow flexible searches (approximate matches, incomplete fields, etc.). Eight disseminate all patient demographics, while three return fewer than seven fields from the patient record. Ten employ provider activity logging, inspection, and enforcement (including application administrator follow-up, provider warnings, account inactivation/deletion, and legal action) to protect patients from inappropriate use. The eleventh is considering logging/monitoring.

CONCLUSION(S):
Differences in search restrictions and disseminated information between registries reflect the variation in privacy and confidentiality laws/policies across jurisdictions. Logging of provider activity is used to detect inappropriate patient searches. Standards for provider searches and results are suggested.

LEARNING OBJECTIVES:
To understand the methods employed to protect patient privacy by Internet-accessible registries and the need for minimum standards.

Back to The 2002 Immunization Registry Conference of CDC