The patient-centered health information system ensures patients’ effective healthcare delivery and access to personal health records. This mass collection of patient information has great economic value to pharmaceutical and insurance companies. Nevertheless, the ease of access to patient health information may not be in harmony with patients’ interests. Today’s health information systems have several privacy and security gaps, including:
Sharing of Protected Health Information (PHI) has several legal implications. Therefore, health information organizations and their stakeholders need to seek appropriate legal advice as to how they should manage the consequences of sharing PHI. The Health Insurance Portability and Accountability Act (HIPAA) aims to define and control the access needed to protect healthcare information. Guidelines, policies, and agreements should be developed in such a way that access to information is only given to users who have a specific need for certain information. A healthcare organization that is aiming to adopt Health Information Exchange (HIE) must consider its impact on the privacy of their healthcare information as well as their need to seek separate legal counsel because of their initiative. Organizations and users engaged in exchanging PHI should enter into a mutual data sharing agreement. Common access standards should serve as the foundation for these agreements. The decision to make data accessible to parties involved should be based on their own organization’s policies that are consistent with the basic legal requirements.
Administrative Security Issues
Users, stakeholders, and consumers need assurance that the access to and accuracy of entered data is managed and controlled effectively in an auditable way. As stated in HIPAA, administrative procedures, actions, and policies should safeguard the management of selection, development, maintenance, and implementation to preserve PHI.
Technical and Physical Security Issues
Technical and physical security are essential elements of a strong security foundation that protects and enforces the integrity, confidentiality, and availability of health information. The technological standards, up-to-date knowledge, and right equipment help provide and maintain the ideal environment crucial for ensuring the privacy of participants involved while preserving the trust of its users. In 2010, HIMSS Analytics Report Security of Patient Data reported that breaches of PHI have increased from 6 percent to 19 percent. 87 percent of the respondents had policies in place to continually monitor the access and share of health information. Other studies show that 84 percent of these breaches were due to incidents such as improper disposal of documents, stolen and lost laptops, stolen backup tapes, etc.
Access Management Issues
Authorization is the ability to accurately identify and confirm that a user or patient is who they claim to be. This practice ensures that the right people are given access to applications and information. Authorization is the primary mechanism that aims to give users access to only the PHI and other applications that they can view or use. Access privileges may vary based on the type of organization and the sensitivity of the data a person is trying to access. This is called the Attribute-Based Authorization Control (ABAC). It is one of the most common methods of authorization for HIE. It has been frequently criticized for its inflexibility in setting up initial role structures in a rapidly changing domain. Many experts believe that it provides inadequate support for dynamic attributes when determining user permissions. However, the introduction of ABAC has made rules and attributes simpler and more flexible, making it the preferred access control in more recent health information designs and workflows.
Public Health and Population Health Issues
The policies to determine the usefulness of public health data for the improvement of population health is now a significant emerging criterion for Meaningful Use. The use of health information initiatives for public health purposes is still under development. With this rapidly changing dimension in the exchange of public health information, privacy and security concerns are also rapidly emerging. Patient consent issues and de-identification still need to be addressed by organizations of interest and at the national level. The development of appropriate de-identified data and the process of re-identification are still underway.
Consumer Privacy Issues
Additional authorization, such as patient consent, is still in its infancy stage in the expanded opportunity to share health information and other data via HIE. Patient consent was not a major issue before the birth of electronic records and HIE. The patient implied consent when he or she accepts treatment or sign the consent for treatment or services in a healthcare facility.