Privacy, Confidentiality, and Security
Although the terms confidential and anonymous are often used in the same way, there is a difference.
A confidential test like the HIV test Michael has requested is not the same thing as an anonymous test.
Authorization:
A document giving a covered entity permission to use protected health information for specified purposes other than treatment, payment, or healthcare operations or to disclose protected health information to a third party specified by the patient.
Minimum Necessary Standard:
A key provision of the HIPAA Privacy Rule requiring that covered entities limit unnecessary or inappropriate access to and disclosure of protected health information. Disclosures should include only the minimum necessary amount of information to accomplish a given purpose.
Business Associates:
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered entity.
Screen Saver:
A program that displays animation or image on the screen if input (such as a pressing a key) is not received for a given time period.
Audit Trail:
A record that traces a user's electronic footsteps by recording activity and transactions, including unsuccessful attempts to view unauthorized screens, within the EHR system.
Password:
A sequence of characters and sometimes spaces used to prevent unauthorized access to or disclosure of patient information contained in secure electronic files.
Off-Label Indication:
A use for a prescription drug other than that for which the US Food and Drug Administration (FDA) has approved it.
Secondary Use
A use of health information that is not directly related to patient care. Such uses include statistical analysis, research, quality and safety assurance processes, public health monitoring, payment, provider certification or accreditation, and marketing and other business activities.
Despite these obvious benefits, however, a study of patients with a family history of colorectal cancer showed that not only would many of them refuse genetic testing but also that they would not even agree to speak with a healthcare professional about their family history for fear the information would be used against them in employment and insurance coverage decisions.
According to a survey conducted by the Johns Hopkins Genetics and Public Policy Center, 93% of Americans believe that neither their insurance companies nor their employers should have access to the results of genetic tests.
Testing is available for about 1500 genetic disorders, and that figure is continually increasing.
Amniocentesis procedures generally screen for Down syndrome, Tay-Sachs disease, sickle cell disease, cystic fibrosis, neural tube defects, thalassemia, or some combination of those diseases, depending on the parents' risk factors.
Consumer Reporting Agency:
An agency regulated by the Federal Trade Commission (FTC) under the Fair Credit Reporting Act (FCRA) that sells or cooperatively exchanges consumer credit information and history.
If Michael prefers to have an anonymous test, he may be able to get one at a local public health clinic.
Anonymity means that Michael's name will not be linked to the results.
It is important to know the difference between confidentiality and anonymity in order to adequately protect patients' privacy.
Confidentiality refers to how the recipient of the information, such as Michael's physician, handles information that a patient does not wish to have disclosed.
When the EHR screen is being used, it should be positioned so that someone walking by cannot view the information.
Daily schedules should be posted only where visitors to the healthcare facility cannot see them, or they should have a cover sheet over them. Not taking these actions can be considered a violation of HIPAA and leaves the healthcare facility open to a potential lawsuit.
The electronic age has made our lives easier, safer, and more rewarding in many ways, yet it poses problems that were inconceivable just a few years ago.
Drugs that were sold on the streets are now being sold online and delivered right to the purchaser's door. Information stored in an electronic format can be hacked and identities stolen. Citizens and elected officials have struggled to sort out issues like these in every area of our lives, including healthcare and privacy.
Before we define a few more concepts, let us make sure we keep our discussion concrete by seeing how the laws might apply to real patients.
Edmund is a 64-year-old writer of fiction and biography who has made something of a name for himself. Ed has been openly gay for many years and knows he is HIV positive.
Both law and ethics require that patients be treated with respect and dignity and be offered the best care we are capable of providing, including protecting all information in the health record.
Ethics is the set of rules and standards of conduct that grow out of our shared understanding of right and wrong and that govern our professional behavior.
This kind of discrimination occurs when an employer, insurer, or other party discriminates against a patient or family member based on the genetic predisposition to develop a given illness.
For example, an insurer might wish to drop coverage for a family who receives a preterm diagnosis of cystic fibrosis.
Laws:
Formal enforceable rules and policies based on community standards of conduct.
Yet the American public does agree that gathering genetic information is important. The same survey found that 91% of respondents said that if effective treatment were available for a particular condition, they would entrust their physicians (but not necessarily anyone else) with the genetic information necessary to diagnose and treat it.
Furthermore, new parents believe it is important to collect genetic health information about their newborns. A 2007 poll conducted by the C. S. Mott Children's Hospital at the University of Michigan found that 54% of parents approve of genetic testing even for diseases for which no effective treatment is available
Those who carry a gene for schizophrenia, for example, have a 50/50 chance of developing the disease, with environmental factors making up the other half of the equation.
Genetic testing has the potential to help patients and providers make sound treatment decisions, aid researchers who are looking for new links between genetic mutations and disease development, lower costs for insurance companies by preventing disease (for example, in patients who undergo preventive mastectomies), and increase worker productivity for employers by reducing days off and leaves of absence for illness.
Disclosure:
Giving access to, releasing, or transferring information to a person or entity.
However, if a stricter state law is in place, the patient's permission must be obtained. To be safe, a patient's written permission to release that information should be obtained.
HIPAA also states that a patient has the right to know who has accessed his or her health record and who has received information from his or her health record. EHR systems allow for the tracking of that information so that a report can be generated and presented to the patient if he or she requests it.
Privacy refers to the patient's right to control how his or her healthcare information is used and shared with others. Before the information can be disclosed to a third party, the healthcare provider must have the patient's permission in writing.
HIPAA does state that if the healthcare provider is disclosing this information for treatment, payment, or operations (TPO), the provider does not need the patient's permission to release this information.
Covered Entities:
Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
Although it may not be necessary, practical, or cost effective to do so, genes for any of these diseases can be detected while a fetus is still in the womb or even before an embryo fertilized in a laboratory is transferred to a woman's uterus.
However, many genetic tests cannot determine whether a person will definitely develop a given disease—only whether the person is likely to do so.
In addition, 38% of parents said they would allow their child's genetic information to be linked to a nationally interoperable electronic health record system. Such a system would undoubtedly be an invaluable public health resource, but it would have to address the valid privacy concerns we have just discussed.
In an effort to begin addressing such concerns, in 2008 Congress passed the Genetic Information Nondiscrimination Act (GINA). Individuals who have group health insurance were already protected, but GINA extends protection to those who own individual insurance policies.
In times past, only a small number of medical personnel had access to patients' paper charts, but when electronic transmission of data became possible, more people had much easier access to health information, and this information could just as easily be shared inappropriately.
In response, Congress passed the HIPAA of 1996. The portability section of HIPAA was designed to protect individuals from being denied insurance due to preexisting conditions and to allow employees to keep insurability when moving from one job to another.
Protected Health Information (PHI):
Individually identifiable health information (for example, demographic information, billing information, medical record numbers, account numbers, physical or mental condition, etc.) that is stored, maintained, or transmitted electronically.
The accountability section was designed in part to protect patient information and also to standardize the process of data submission.
It is important to understand some of the terms used in HIPAA.
Keeping patient information confidential means that you have to be diligent in what information is shared verbally in the healthcare facility.
It is inappropriate to talk about a patient where other patients, family members, delivery people, pharmaceutical reps, or others could possibly overhear.
Safeguards:
Measures taken to prevent interference with computer network operations and to avert security breaches involving the unauthorized use, disclosure, modification, erasure, or destruction of PHI; these measures are specified by the HIPAA Security Rule, which applies only to data in electronic form.
Ed's partner, a 51-year-old electrical engineer named Michael, has chosen to share his sexual orientation with the couple's wide circle of friends but not with his elderly parents.
Michael would like to be tested periodically for HIV, but he is concerned about his privacy. In other words, Michael would like to decide when, how much, and with whom his medical information can be shared.
Can Patients' Genetic Profiles Be Used Against Them?
One public concern that has delayed the transition to a nationwide EHR system is the fear of genetic discrimination.
Confidentiality refers to the duty of all who have access to healthcare information to keep that information private. Those who work in healthcare are ethically bound to keep the patient's information confidential.
Only those people directly involved in the care and treatment of the patient should be viewing or receiving this information.
Privacy concerns about patients' genetic information are pitting patients and physicians against insurers and employers.
Patients want to keep genetic information private, but insurers do not want to shoulder the burden of policyholders who are likely to become ill, and employers want to hire healthy employees who could help keep health insurance premiums low.
Consent:
Permission given to a covered entity for uses and disclosures of protected health information for treatment, payment, and healthcare operations.
His blood sample will be submitted to the laboratory using only an identification number.
Results may be given to the patient by a counselor by phone or he may be able to login into a secure server to access the results of the test.
Ethics:
Rules and standards of conduct that govern professional behavior and arise from our shared understanding of morality.
Certain types of genetic discrimination are merely theoretic. Some patients and privacy advocates worry that testing could be used to discriminate against people in employment and other matters.
Tens of thousands of genetic paternity tests have already been done without consent, points out the American Civil Liberties Union (ACLU), and it is impossible to tell what other kinds of "genetic spying," medical or otherwise, might be possible in the future.
Confidentiality:
The obligation of professionals to keep a patient's information in confidence. Anyone entrusted with health information has a duty to keep that information private. Confidentiality is protected by law to varying degrees.
Privacy:
The patient's freedom to determine when, how much, and under what circumstances his or her medical information may be disclosed. The patient's right and expectation that individually identifiable health information will be kept private and not disclosed without the patient's permission.
Anonymity:
The patient's right to have private health data collected in a way that can never be linked or traced back to him or her.
Authentication:
The process of determining whether the person attempting to access a given network or EHR system has authorization. User authentication can include password entry or use of biometric data (such as a digital fingerprint or voice signature) or a smart card (a data-laden microchip).
The increased use of electronic technology in the healthcare facility, including the electronic health record (EHR), has changed the way patients' confidentiality and privacy are maintained
The terms privacy and confidentiality are often used interchangeably, but in healthcare, specifically in relation to HIPAA, there is a difference. Now that everything from bank card numbers to patient test results are stored electronically, maintaining privacy has become even more difficult.
Health insurers will be prohibited from raising premiums or denying coverage based on a person's genetic risk profile, and employers may not fire an employee or discriminate in hiring, promotion, or compensation on that basis.
There is also an increase in the use of the direct-to-consumer testing. With this type of testing the patient provides a sample to a laboratory, and it does the testing requested by the patient.
The notion of confidentiality is that the patient is entitled to keep the information to himself or herself and that the provider or other person with whom the information is shared is obligated to hold it in confidence.
This is often not the case. For instance, suspected child abuse must be reported to law enforcement. Sexual assault and other crimes may also be subject to reporting requirements. In some states, minors who seek family planning advice or services may be reported to parents or guardians.
Confidential information may be disclosed to other parties besides public health and law enforcement officials. If Michael agrees to disclose his test results to his physician, who would then enter the information into the EHR, his test results would undoubtedly reach Michael's health insurance company.
Why? Because to obtain health insurance, even for a group plan, he would have had to sign a document permitting them access to his health records.
HIV and certain other communicable diseases, as in Michael's case,
are subject to state reporting requirements so that partners can be notified, and disease incidence can be tracked for public health purposes.
Anyone who has access to Michael's medical information has a duty to keep that information
confidential by not discussing it with anyone other than those to whom Michael has given permission.
Although privacy, confidentiality, and security have always been important in the world of healthcare,
it was the Health Insurance Portability and Accountability Act (HIPAA) that made it mandatory to have measures in place to protect all three. HIPAA was brought about to address the issues of protecting healthcare information in the electronic age.
When we formalize (codify) these ethical principles and determine criminal or civil penalties for violating them,
we call them laws, such as HIPAA.