Health Information System Privacy

Chapter 9 of 11


“Privacy” is a widely used term with deep historical roots, but its definition remains shrouded in ambiguity. Sociologists, scholars, and philosophers find it difficult to define because the concept is complex and open to interpretation. Some believe that privacy is the right to bodily integrity, whereas others define it as the condition of being free from intrusive searches or surveillance. Most health information professionals believe that health information system privacy is closely intertwined with “confidentiality” and “security”, but these words have distinct meanings.

9.1.1. PRIVACY

In the context of health information systems, privacy answers the question of who has the right to access personal information and under what conditions. It is concerned with how personal information is collected, stored, and used, and with whether the data should be collected in the first place.


9.1.2. CONFIDENTIALITY

Confidentiality safeguards the collected information and protects the information exchange. It also prevents doctors from revealing private information shared with them by a patient in the course of the physician-patient relationship. Unauthorized disclosure of this information is a breach of confidentiality.


9.1.3. SECURITY

Security is the set of technical and procedural steps required to prevent unauthorized access, use, dissemination, and modification of data processed or stored within a computer system. It protects the health information system against physical damage and against deliberate denial of service, whether from inside or outside the system. Hacking a computer system is a breach of security. Security alone does not guarantee privacy: even users who are authorized to access patient records can intentionally or unintentionally invade the patient's right to privacy, which is why access must be limited to what each user needs and must be audited.


A patient-centered health information system supports effective healthcare delivery and gives patients access to their personal health records. The mass of patient information it collects has great economic value to pharmaceutical and insurance companies, and the ease of access to patient health information may not be in harmony with patients' interests. Today's health information systems have several privacy and security gaps, including:

Regulatory Issues

Sharing Protected Health Information (PHI) has several legal implications, so health information organizations and their stakeholders need appropriate legal advice on how to manage the consequences of sharing PHI. The Health Insurance Portability and Accountability Act (HIPAA) defines and controls the access needed to protect healthcare information. Guidelines, policies, and agreements should be developed so that access is given only to users with a specific need for certain information. A healthcare organization that is adopting Health Information Exchange (HIE) must consider the impact on the privacy of its healthcare information and should seek legal counsel specific to that initiative. Organizations and users engaged in exchanging PHI should enter into a mutual data sharing agreement built on common access standards. The decision to make data accessible to the parties involved should be based on each organization's own policies, consistent with the basic legal requirements.

Administrative Security Issues

Users, stakeholders, and consumers need assurance that access to, and the accuracy of, entered data is managed and controlled effectively and auditably. As the HIPAA Security Rule puts it, administrative safeguards are the administrative actions, policies, and procedures that manage the selection, development, implementation, and maintenance of the security measures protecting PHI, and that manage the conduct of the workforce in relation to those measures.

Technical and Physical Security Issues

Technical and physical security are essential elements of a strong security foundation that protects and enforces the integrity, confidentiality, and availability of health information. Current technological standards, up-to-date knowledge, and the right equipment help provide and maintain the environment needed to ensure the privacy of the participants involved and to preserve the trust of users. In 2010, the HIMSS Analytics report Security of Patient Data found that the share of organizations reporting a PHI breach had risen from 6 percent to 19 percent, even though 87 percent of respondents had policies in place to monitor access to and sharing of health information continually. Other studies attribute 84 percent of breaches to incidents such as improper disposal of documents, stolen or lost laptops, and stolen backup tapes, a reminder that physical and procedural controls matter as much as technical ones.

Access Management Issues

Authentication is the ability to accurately identify and confirm that a user or patient is who they claim to be; authorization then decides what an authenticated identity is allowed to do. Together they ensure that the right people are given access to applications and information. Authorization is the primary mechanism that limits users to only the PHI and applications they are permitted to view or use. Access privileges are commonly assigned by grouping users into roles that vary with the type of organization and the sensitivity of the data being accessed; this is Role-Based Access Control (RBAC), one of the most common authorization methods in HIE. RBAC has frequently been criticized for its inflexibility: initial role structures are hard to set up in a rapidly changing domain, and many experts consider it inadequate for decisions that depend on dynamic attributes, such as whether the requesting clinician currently has a treatment relationship with the patient. Attribute-Based Access Control (ABAC) instead evaluates rules over attributes of the user, the resource, and the context, which makes policies simpler and more flexible and has made ABAC the preferred model in more recent health information designs and workflows.
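An added example, not from the page or from any named product, showing the difference in code: the same requests are evaluated under a static role table (RBAC) and under attribute rules (treatment relationship, clearance, and a logged break-glass override). The users, patients, record categories, sensitivity ranking and rules are constructed assumptions.

```python
"""Role-based vs attribute-based access decisions for an EHR.

Added illustration: users, patients, categories and rules are constructed
for the example and are not any real system's configuration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed sensitivity ranking for record categories.
SENSITIVITY: Dict[str, int] = {"demographics": 1, "labs": 2, "psychiatry": 3}

# RBAC: a static role -> permitted categories table. Any physician may read any
# patient's psychiatry notes, whether or not they treat that patient.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"demographics", "labs", "psychiatry"},
    "nurse": {"demographics", "labs"},
    "billing": {"demographics"},
}


@dataclass
class User:
    user_id: str
    role: str                                        # the only input a pure RBAC check uses
    clearance: int = 1                               # ABAC: highest sensitivity the user may read
    treating: Set[str] = field(default_factory=set)  # ABAC: patients with an active relationship


@dataclass
class Record:
    patient_id: str
    category: str


def rbac_allows(user: User, record: Record) -> bool:
    """Role-based decision: permission depends on the role alone."""
    return record.category in ROLE_PERMISSIONS.get(user.role, set())


def abac_allows(user: User, record: Record, break_glass: bool = False,
                audit: Optional[List[str]] = None) -> bool:
    """Attribute-based decision over user, resource and context attributes.

    Constructed rules:
      1. the record's sensitivity must not exceed the user's clearance;
      2. the user must have an active treatment relationship with the patient,
         unless this is a break-glass (emergency) request;
      3. every break-glass access that is granted is written to the audit trail.
    """
    sensitivity = SENSITIVITY.get(record.category)
    if sensitivity is None or sensitivity > user.clearance:
        return False                                   # rule 1 is never waived
    if record.patient_id not in user.treating and not break_glass:
        return False                                   # rule 2
    if break_glass and audit is not None:              # rule 3
        audit.append(f"BREAK_GLASS user={user.user_id} patient={record.patient_id} "
                     f"category={record.category} date={date.today().isoformat()}")
    return True


def demo() -> Dict[str, object]:
    """Evaluate the same requests under both models; returns the decisions."""
    audit: List[str] = []
    physician = User("drA", "physician", clearance=3, treating={"p1"})
    nurse = User("rn1", "nurse", clearance=2, treating={"p1"})
    psych_p2 = Record("p2", "psychiatry")
    return {
        # Physician with no relationship to p2: the role table says yes, ABAC says no.
        "rbac_unrelated": rbac_allows(physician, psych_p2),
        "abac_unrelated": abac_allows(physician, psych_p2, audit=audit),
        # Same request as an emergency: relationship rule waived, access logged.
        "abac_break_glass": abac_allows(physician, psych_p2, break_glass=True, audit=audit),
        # Nurse treating p1 may read labs, but clearance blocks psychiatry even in an emergency.
        "nurse_labs": abac_allows(nurse, Record("p1", "labs"), audit=audit),
        "nurse_psych_emergency": abac_allows(nurse, Record("p1", "psychiatry"),
                                             break_glass=True, audit=audit),
        "audit_entries": len(audit),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the comparison is the first pair of decisions: under the role table a physician can open any patient's most sensitive notes, while the attribute rules deny it unless a treatment relationship exists or an emergency override is invoked and recorded. Break-glass only waives the relationship rule; it never raises clearance, so the nurse's emergency request for psychiatry notes is still refused.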

Public Health and Population Health Issues

Policies that determine the usefulness of public health data for improving population health are now a significant emerging criterion for Meaningful Use. The use of health information initiatives for public health purposes is still under development, and as this dimension of health information exchange changes rapidly, privacy and security concerns emerge just as rapidly. Patient consent and de-identification still need to be addressed by the organizations involved and at the national level: methods for producing adequately de-identified data are still being developed, as is the understanding of how such data can be re-identified by linking it with other sources.
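The page does not describe a de-identification method. As an added example that goes beyond it, the following applies the HIPAA Privacy Rule's Safe Harbor method (one of the rule's two recognized de-identification methods, alongside expert determination) to a constructed patient record: direct identifiers are dropped, dates keep only their year, ages over 89 collapse to "90+", and ZIP codes are truncated to three digits or replaced by 000 for sparsely populated areas. The field names, the ZIP3 population lookup and the free-text patterns are assumptions, not part of the rule; Safe Harbor also requires that the entity have no actual knowledge that the remaining data could identify the individual, which code cannot check.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example. The field names, the small-population ZIP3 table and the
free-text patterns are assumptions; the transformation rules follow the
Safe Harbor method of the HIPAA Privacy Rule (45 CFR 164.514(b)(2)).
"""
import re
from datetime import date
from typing import Any, Dict

# Constructed field names mapped onto Safe Harbor's directly removed identifiers
# (names, contact details, SSN, MRN, plan and account numbers, licence, vehicle,
# device, URL, IP, biometric and photo identifiers).
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_serial", "url", "ip",
    "biometric", "photo",
}

# ZIP3 areas whose combined population is 20,000 or fewer must be reported as 000.
# Constructed lookup; a real one comes from current census data.
SMALL_ZIP3 = {"036", "059", "102", "203"}

# First-pass patterns for identifiers leaking through free text. Regexes catch
# common formats only and do not replace a proper free-text review.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]


def deidentify_zip(zip_code: str) -> str:
    """Keep the first three digits unless that ZIP3 area is too small to be safe."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def age_bucket(dob_iso: str, as_of_iso: str) -> str:
    """Age in years as of a date; ages over 89 collapse into a single '90+' category."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)


def scrub_text(text: str) -> str:
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def safe_harbor(record: Dict[str, Any], as_of_iso: str) -> Dict[str, Any]:
    """Return a new record with the Safe Harbor transformations applied."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped outright
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key == "dob":
            out["age"] = age_bucket(value, as_of_iso)
            if out["age"] != "90+":                    # birth year may stay only below age 90
                out["birth_year"] = value[:4]
        elif key.endswith("_date"):                    # admission, discharge, death: year only
            out[key[:-5] + "_year"] = value[:4]
        elif key == "notes":
            out["notes"] = scrub_text(value)
        else:
            out[key] = value                           # clinical content such as diagnosis codes
    return out


# Constructed record (not real patient data).
SAMPLE_RECORD = {
    "mrn": "MRN-0042", "name": "Jane Doe", "dob": "1931-05-20", "zip": "20301",
    "ssn": "123-45-6789", "admit_date": "2023-11-02", "discharge_date": "2023-11-09",
    "diagnosis": "I10",
    "notes": "Patient called from 202-555-0143; email jane@example.org",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, "2024-03-04"))
```

Two details are easy to get wrong in practice: the birth year is itself an identifier once the patient is 90 or older, so it must go along with the exact date, and free-text fields carry identifiers that structured-field rules never see, which is why the notes are scrubbed separately and why that scrub is only a first pass.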

Consumer Privacy Issues

Additional authorization, such as patient consent, is still in its infancy in the expanded opportunity to share health information and other data via HIE. Patient consent was not a major issue before the birth of electronic records and HIE: a patient implied consent by accepting treatment or by signing the consent for treatment or services at a healthcare facility.


The purpose of health information system privacy covers four basic human values: personal autonomy, respect, dignity, and worth as human beings. The principle of non-maleficence states that people should only act in ways that do not inflict damage or harm to others. The bioethics of non-maleficence requires safeguarding of patient privacy in the healthcare practice. Unintentional disclosure of personally identifiable health information to an insurer, family member, or even an employer can sometimes result in discrimination, embarrassment, and stigma. Without proper guidelines, patients may be reluctant to disclose their sensitive information fully and accurately to physicians, which may compromise the quality of care they deserve.


The medical community recognizes the importance of protecting privacy to maintain public trust in patient-doctor relationships and to secure PHI for research purposes. Since the time of Hippocrates, physicians have pledged to keep patient information confidential.

The value of privacy in securing healthcare information is recognized in law, and privacy in healthcare research is protected by the federal privacy regulations of HIPAA. The framework of privacy in healthcare services was first formulated in the 1973 report of an advisory committee of the United States Department of Health, Education, and Welfare. The basic principle underlying the report was the federal government's aim of establishing procedures that guarantee an individual a say in what goes into his or her personal health record and how that record is used. The resulting guiding principles have since been adopted at the federal and state levels to varying degrees.

The Privacy Act of 1974 incorporated the fair information practices at the federal level. It governs the collection, use, and disclosure of identifiable data held by the federal government and its contractors. Hospitals and research institutions operating under the umbrella of the federal government became subject to the Privacy Act, while other healthcare institutions remained outside its scope. The Privacy Act of 1974 served as the broadest protection for patient health information until the HIPAA Privacy Rule was promulgated.


The health information system privacy protocol has six important components aimed at gaining the trust of users. They include:


Correction

Patients need the opportunity to check the accuracy and integrity of their electronic health information. The Privacy Rule gives patients the right to request amendment of their PHI, which is consistent with the Correction Principle in the Privacy and Security Framework. The Privacy Rule recognizes that patients have a critical stake in their individual health information and hold an important role in preserving the integrity of that data.

Openness and Transparency

Openness and transparency are important when formulating technologies, policies, and procedures that directly or indirectly affect individuals or their identifiable health information. Trust can only be achieved by establishing openness and transparency about the technologies, policies, and procedures that affect the way individuals use their health information. Health information organizations and other concerned entities should provide clear notice of their processes and policies and should explain how they use their user’s identifiable information and how they disclose this information while protecting their privacy.

Individual Choice

Individuals should have the opportunity to make informed decisions about how their identifiable health information is collected, used, and disclosed. An individual's ability to make choices about the electronic exchange of his or her identifiable health information is an essential component of earning that individual's trust.


Safeguards

Health information organizations should implement measures to protect the confidentiality of the patient's identifiable health information. These entail reasonable technical, administrative, and physical safeguards to prevent inappropriate or unauthorized access, use, or disclosure.


Accountability

Health information organizations should have appropriate monitoring and other methods in place to report and mitigate breaches and non-adherence. Accountability is important to build trust in the electronic exchange of individually identifiable health information; it is the foundation on which electronic HIE meets its administrative requirements and business obligations. Non-compliance with the privacy standards is addressed through the organization's voluntary compliance, a resolution agreement, a corrective action plan, or the imposition of civil penalties.


The HIPAA Privacy Rule

HIPAA’s Privacy Rule aims to establish the national standard needed to protect individuals’ medical records and their other personal health information. The Privacy Rule covers healthcare providers that conduct electronic healthcare transactions, health plans, and healthcare clearinghouses. Entities should set limits and conditions on the use and disclosure that can be performed without appropriate patient authorization. This rule also gives patients certain rights to their health information, including the right to obtain a copy of their health records and to request the correction, if necessary.

The HIPAA Security Rule

The HIPAA Security Rule sets the national standards for protecting patients' electronic PHI (ePHI) when it is created, received, used, or maintained by a covered entity. These standards help maintain the confidentiality, integrity, and availability of ePHI.

HIPAA Enforcement Rule

The Enforcement Rule sets out the procedures for investigating complaints and conducting compliance reviews, for hearings, and for imposing civil money penalties on entities that violate the HIPAA rules, within the parameters the law prescribes.

National Provider Identifier (NPI)

The NPI is a standard 10-digit identifier assigned to every HIPAA-covered healthcare provider.

The Breach Notification Rule

HIPAA's Breach Notification Rule requires covered entities and their business associates to provide appropriate notifications following a breach of unsecured PHI. A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance, in practice encryption or destruction. A lost laptop whose disk is properly encrypted, with the key not also exposed, therefore does not trigger the notification duties that an unencrypted one does.

Risk Assessment Tools

Conducting a risk assessment is challenging. The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights and the HHS Office of the General Counsel, developed a Security Risk Assessment (SRA) tool to help providers and health IT professionals perform risk assessments within their organizations. The tool is an operating-system-independent application that walks the user through each HIPAA requirement in a question-and-answer format; a "no" answer shows the user the corrective action for that item. In all, the tool contains 156 questions.

HIPAA’s Disclosure for Emergency Preparedness

HIPAA's Disclosure for Emergency Preparedness is an interactive decision tool that supports emergency preparedness and recovery planning. It helps determine how the health information of patients with disabilities may be accessed and used in a manner consistent with the Privacy Rule, and it is designed for covered entities at the local, state, and federal levels.

Protected Health Information (PHI) Management Tools

The PHI Management tool is a web-based application that aims to assist healthcare information organizations with the HIPAA’s Privacy Disclosure Accounting requirements.


HIPAA regulations ensure that the rights the law grants patients over their healthcare records are strictly followed. HIPAA's core requirements are the Privacy Rule, the Security Rule, and the Breach Notification Rule, which apply to all healthcare bodies subject to HIPAA. They do this by setting out the responsibilities of the Covered Entities and Business Associates that handle Protected Health Information.

Understanding HIPAA Compliance for Covered Healthcare Bodies Versus Business Associates

A covered entity under HIPAA is a health plan, a healthcare provider, or a healthcare clearinghouse that transmits PHI electronically as described by HIPAA and HHS standards. A HIPAA business associate is an individual or organization that is not employed by a health plan, provider, or clearinghouse but performs tasks involving individually identifiable health information on its behalf, as governed by the HIPAA Administrative Simplification Rules, which include the Privacy Rule and the Security Rule. A typical example of a business associate is a HIPAA-compliant hosting company that handles ePHI (electronic PHI) on behalf of a client.

For HIPAA compliance, a covered entity or business associate is examined against the parameters of compliance established by law. The distinction between the two matters less than it once did, because the HIPAA Final Omnibus Rule made business associates directly liable for meeting HIPAA requirements in the same way as covered entities.

HIPAA Compliance Privacy Rule

Under the HIPAA Privacy Rule, the patient has the right to receive a Notice of Privacy Practices (NPP), a document that describes the measures healthcare providers and plans have put in place to protect the patient's privacy. Healthcare providers must respond to patients' questions regarding:

  • Access to their health records
  • Doctor-patient communications
  • Limitations to apply to data use and disclosure.
  • Changes to be made to their PHI (in the case of any error)
  • Records of disclosure

The HIPAA Omnibus Rule

In January 2013, HHS issued the HIPAA Omnibus Final Rule and directed covered entities and business associates to meet its additional requirements by September 23 of that year. The most visible change was stiffer penalties: up to $50,000 per violation and up to $1.5 million per calendar year for violations of an identical provision. According to Kathleen Sebelius, the then United States HHS Secretary, "The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age."

Health Information Technology for Economic and Clinical Health (HITECH) Act

The HITECH Act of 2009 was signed into law by President Barack Obama on February 17, 2009, as part of the American Recovery and Reinvestment Act. Its primary aim was to accelerate the move to Electronic Health Records (EHRs). The Office of the National Coordinator for Health Information Technology (ONC) is responsible for administering HITECH and creating the standards associated with it. Under HITECH, healthcare providers were offered financial incentives from 2011 for demonstrating meaningful use of EHRs until 2015, after which penalties applied for failing to demonstrate such use. Because HITECH is centered on electronic systems, it is the more natural point of reference when evaluating digital infrastructure, and many HIPAA hosting providers and similar entities seek certification of compliance with both HITECH and HIPAA to demonstrate their adherence to all federal healthcare laws.

HIPAA Compliance – Further Clarifications

HITECH supplements HIPAA, and any technology standards arising from HITECH must meet the HIPAA Privacy and Security Rules. To complete a meaningful use attestation, which is where a healthcare provider confirms that it meaningfully uses a certified EHR system, the provider must first have conducted a HIPAA security risk assessment of its systems.


Strengthen Security with Logins: Keeping data in the right hands starts with user accounts. Raj Chaudhary, leader of the security and privacy services group at the consultancy Crowe Horwath, stresses the importance of assigning accounts to named individuals whose role matches the access they are given to the systems. This aligns with the HIPAA requirement that a user ID or user account be assigned only to those who legitimately need access to that information, and it rules out shared logins, which make audit trails meaningless.

Controls Monitoring: This means monitoring the controls themselves and making sure that logging is working correctly. Paying close attention to activity involving PHI is a key element of the HIPAA Security Rule. IT personnel should ensure that logging is active on all systems that handle PHI, and the logs should be reviewed against a defined set of rules so that who accessed what is checked continuously against the access controls the organization has set, rather than only after an incident.

Examine Your Access Controls: Access controls should be measured at every layer, including the network and the application software. The network layer, consisting of user IDs and passwords, is usually the less problematic one because IT manages it centrally, but maintaining control of it remains crucial; the application layer, where roles and record-level permissions live, typically needs the closer look. According to Raj Chaudhary, software should be configured to lock out a user after a small number of failed login attempts to prevent password guessing.
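As an added example (not from the page or from Crowe Horwath), the monitoring and access-control checks described in the two preceding items expressed as a review of constructed EHR audit lines: record reads by users with no treatment relationship to the patient, failed-login streaks that should have triggered a lockout (and a login that succeeded anyway, showing the lockout is not enforced), and systems that should have been logging but sent nothing. The log format, user list, relationship table, expected systems and the threshold of five failures are all assumptions.

```python
"""Review of constructed EHR audit-log lines for three HIPAA-style checks.

Added example: the log format, users, relationship table, expected systems
and the failed-login threshold are all assumptions made for the illustration.
"""
from collections import Counter
from typing import Dict, List, Set

# Constructed sample audit lines: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z system=ehr-web event=LOGIN_OK user=drA src=10.0.4.11
2024-03-04T08:56:02Z system=ehr-web event=RECORD_READ user=drA patient=p1 category=labs
2024-03-04T09:01:44Z system=ehr-web event=RECORD_READ user=drA patient=p9 category=psychiatry
2024-03-04T09:10:00Z system=ehr-web event=LOGIN_FAIL user=rn1 src=10.0.4.12
2024-03-04T09:10:07Z system=ehr-web event=LOGIN_FAIL user=rn1 src=10.0.4.12
2024-03-04T09:10:15Z system=ehr-web event=LOGIN_FAIL user=rn1 src=10.0.4.12
2024-03-04T09:10:21Z system=ehr-web event=LOGIN_FAIL user=rn1 src=10.0.4.12
2024-03-04T09:10:30Z system=ehr-web event=LOGIN_FAIL user=rn1 src=10.0.4.12
2024-03-04T09:12:03Z system=ehr-web event=LOGIN_OK user=rn1 src=10.0.4.12
2024-03-04T09:12:40Z system=ehr-web event=RECORD_READ user=rn1 patient=p1 category=labs
2024-03-04T09:30:00Z system=lab-lis event=RECORD_READ user=lab2 patient=p1 category=labs
"""

# Constructed reference data the review is checked against.
TREATING: Dict[str, Set[str]] = {"drA": {"p1"}, "rn1": {"p1"}, "lab2": {"p1"}}
EXPECTED_SYSTEMS: Set[str] = {"ehr-web", "lab-lis", "pharmacy"}
FAILED_LOGIN_THRESHOLD = 5          # the lockout policy the application should enforce


def parse_line(line: str) -> Dict[str, str]:
    """Turn '<ts> k=v k=v ...' into a dict with the timestamp under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def review(log_text: str) -> Dict[str, List[str]]:
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings: Dict[str, List[str]] = {"no_relationship": [], "lockout": [], "silent_systems": []}

    # Check 1 (minimum necessary): record reads by users with no treatment relationship.
    for e in events:
        if e.get("event") == "RECORD_READ" and e["patient"] not in TREATING.get(e["user"], set()):
            findings["no_relationship"].append(
                f"{e['ts']} {e['user']} read {e['patient']}/{e['category']} without a relationship")

    # Check 2 (lockout): count consecutive failures per account, and flag a login
    # that still succeeded after the threshold, which means lockout is not enforced.
    streak: Counter = Counter()
    for e in events:
        if e.get("event") == "LOGIN_FAIL":
            streak[e["user"]] += 1
            if streak[e["user"]] == FAILED_LOGIN_THRESHOLD:
                findings["lockout"].append(
                    f"{e['ts']} {e['user']} reached {FAILED_LOGIN_THRESHOLD} consecutive failures")
        elif e.get("event") == "LOGIN_OK":
            if streak[e["user"]] >= FAILED_LOGIN_THRESHOLD:
                findings["lockout"].append(
                    f"{e['ts']} {e['user']} logged in after the threshold: lockout not enforced")
            streak[e["user"]] = 0

    # Check 3 (coverage): every system that should log must appear in the period reviewed.
    seen = {e.get("system") for e in events}
    findings["silent_systems"] = sorted(EXPECTED_SYSTEMS - seen)
    return findings


if __name__ == "__main__":
    for check, items in review(SAMPLE_LOG).items():
        print(check, items)
```

On the sample data the review flags one read without a relationship (drA opening p9's psychiatry notes), two lockout findings for rn1 (the fifth failure, then a successful login that should have been impossible), and the pharmacy system, which never reported. The third check is the one most often missing from monitoring: a quiet system looks clean until you compare it against the list of systems that are supposed to be logging.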

Pay Close Attention to Business Associates Handling PHI: It is important to pay close attention to any business associate that handles your PHI. One way to do this, according to Chaudhary, is to "review carefully your Business Associate Agreement (BAA) that controls your data relationship with each vendor who is handling your data." Because vendors now carry part of the compliance burden themselves, the burden on healthcare entities is reduced, but due diligence is still necessary.

Post-Omnibus HIPAA Compliance Recommendations

Along with HIPAA compliance procedures, it is also important to understand the Post-Omnibus HIPAA compliance. Below are recommendations to consider:

  • Your business associate agreements should reflect the Omnibus Rule, which widens responsibility for HIPAA compliance to include business associates. Under the Omnibus Rule, all business associates are legally required to follow the HIPAA rules.
  • Revision of the privacy requirements was a significant part of the Omnibus Rule. It changed the treatment of deceased patients' information, data distribution, immunization records, patient access rights, responses to ePHI requests, disclosures to insurers and Medicare, and how data may be handled for marketing, fundraising, and research purposes.
  • Train staff on current developments in healthcare law, as the Omnibus Rule requires; this also reduces exposure to fines and lawsuits.

Protocols and Expectations for Breaches and HIPAA Violations

The Breach Notification Rule requires covered entities and health plans to report any breach of unsecured PHI, whether the data was stolen, lost, or otherwise compromised. Affected individuals must be notified in every case, without unreasonable delay and no later than 60 days after the breach is discovered. If 500 or more individuals are affected, the covered entity must also notify the HHS Secretary within the same period, and prominent media outlets serving a state or jurisdiction must be notified when more than 500 of its residents are affected. Breaches affecting fewer than 500 individuals are logged and reported to the HHS Secretary within 60 days after the end of the calendar year in which they were discovered. Covered entities and business associates that fail to comply with HIPAA may be discovered through random audits, investigations, breach notifications, other government agencies, or the press. The HIPAA Enforcement Rule prescribes four tiers of violation, with the following penalties per violation (capped at $1.5 million per year for violations of an identical provision):

  • The covered entity did not know of the violation and, exercising reasonable diligence, would not have known (fine between $100 and $50,000)
  • The violation was due to "reasonable cause": the entity knew, or with reasonable diligence would have known, of the violation but did not act with willful neglect (fine between $1,000 and $50,000)
  • The violation was due to "willful neglect", meaning conscious, intentional failure or reckless indifference to the obligation, but was corrected within 30 days (fine between $10,000 and $50,000)
  • The violation was due to willful neglect and was not corrected within 30 days (fine $50,000)


To achieve best practice in safeguarding health information system privacy, providers and healthcare organizations should follow ONC's Health Information Privacy and Security 10-step plan, which is the most practical guide to implementing health information system privacy when managing PHI. The 10 steps are:

  1. Confirm that the provider is a covered entity.
  2. Provide leadership: Provide leadership in protecting patient health information. Management should appoint a privacy and security officer who is designated as the leader in safeguarding the privacy and security of patient data received, collected, and used by the organization.
  3. Document processes, findings, and actions: Documentation provides a clear record of the security measures, the reasons for adopting them, and the procedure for monitoring each one. These records are essential when auditing for HIPAA compliance and when claiming incentives under the EHR Incentive Program.
  4. Conduct a security risk analysis: A risk analysis compares the organization's current security measures with what the law requires to protect patient health information. This step identifies high-risk threats and other gaps in the handling of PHI.
  5. Develop an action plan for addressing threats and vulnerabilities: Applying the necessary security measures is often an affordable yet highly effective strategy for mitigating identified risks; the plan should cover administrative safeguards, policies and procedures, technical and physical safeguards, and organizational standards.
  6. Manage and mitigate risks: Implement the action plan. Up-to-date policies and procedures are developed through this practice.
  7. Prevent risk through workforce training and education: The workforce must know how to implement the procedures, policies, and security audits, and must be trained in breach notification.
  8. Communicate with patients: Most patients are concerned about the confidentiality and security of their health information in an EHR. Communicating openly with patients and providing educational materials helps retain the confidence and trust of the patients the organization serves.
  9. Update the organization's business associate agreements: Ensure that business associate agreements comply with HIPAA and the Breach Notification requirements.
  10. Attest to the security risk analysis Meaningful Use objective: Eligible providers and healthcare organizations must "attest" that they have met the privacy and security requirements for their EHRs. They should attest only after completing their security risk analysis and correcting any deficiencies it identified, and should document the corrections and changes for auditing under the EHR Incentive Program.


The future promises new directions for the security and privacy of the health information systems. The American healthcare delivery system has transformed from a patient-physician centered relationship to a complex network linking patients to multiple parties such as insurance providers, researchers, and other stakeholders. Although beneficial to most patients, this transformation increases the potential for information security risk and violation of patients’ privacy.

By conducting research about the characteristics of the risks, health information experts may help healthcare providers develop effective information security risk monitoring, procedures, and policies. Health information researchers may explore the privacy preferences and variance of different users such as senior citizens, working population, etc. Health information researchers may gain a deeper understanding of the factors that influence consumers to disclose their personal health information. With the proper implementation of Health Information System Privacy in healthcare organizations and other healthcare establishments, information integrity within healthcare systems can be preserved.

