Beginning April 14, 2003, under federal regulations called HIPAA (Health Insurance Portability and Accountability Act), an individual patient's electronic medical record must, under penalty of law, be kept private. The new rules present a challenge to medical researchers, who need to be able to identify individual patients in clinical studies and to track them over time.
"HIPAA regulations are a wake-up call for clinical researchers who now need to modernize their approach to managing private clinical information," said Eran Bellin, MD, a medical researcher who is also the head of Montefiore Medical Center's HIPAA security subcommittee. HIPAA specifically requires hospitals to "implement a mechanixm to encrypt and decrypt electronic protected health information."
Dr. Bellin, who could find no existing computer software to meet both privacy rules under HIPAA and his own research needs, built one. The innovative program encrypts "identifiers" (such as a social security number) on a clinical trial patient's electronic medical record. The "key" or code to the encryption system, and therefore access to the patient's medical record, is then stored in a separate database on another computer.
"The software is significant for Montefiore, because, as the university hospital and academic medical center for the Albert Einstein College of Medicine, we conduct trials involving hundreds of patients and tens of millions of dollars annually," said Dr. Bellin, who hopes that the software will become a national model for other medical centers. The software is believed to be the first of its kind.
Patient privacy can be further protected, said Dr. Bellin, if the encryption key becomes the property of a research institution's institutional review board (IRB) - generally composed of ethicists, researchers and community members, who review and monitor clinical research and whose job it is to guard against access to patient records.
Researchers have historically been permitted to review patients' medical records and then physically lock up the information in a drawer, file or within a computer database. When research findings are released, the data is aggregated, so no individual is identified. HIPAA restricts the ways in which researchers may use or disclose "protected health information" in a patient's medical record and this requires more modern methods to access and use the patient information.
The new software is called FieldEncrypt. Additional information on the software is available at http://fieldencrypt.devguru.com.
RSS