Chapter 26 privacy and security
Personal health information (PHI)
A primary responsibility of healthcare providers and their business associates is to ensure that the health data of clients are held in the strictest confidence.
Protecting personal health information (PHI) is even more important with the popularity of health-related devices and systems, i.e. mobile devices, EHRs, sensors, biomedical devices, telehealth, personal health devices, and HIEs (health information exchanges), which bring an increased risk of data breach.
*PHI contains name, birthdate, social security number, and past and future appointments*
Code of Ethics
Code of Ethics for Health Informatics Professionals, published by the International Medical Informatics Association (IMIA)
De-identification of Data
De-identification: removing all personal information that could connect a patient to health information; the remaining information neither identifies
Health data used for marketing (and some research) is de-identified.
HIPAA places no restrictions on the use or disclosure of de-identified health information.
Information Security
The HIPAA Security Rule requires safeguards to be in place to ensure the confidentiality, integrity, and availability of PHI.
-Confidentiality: data or information is not made available or disclosed to unauthorized persons or processes
-Integrity: data or information has not been altered or destroyed in an unauthorized manner
-Availability: data or information is accessible and usable on demand by an authorized person
As health data increasingly move from paper to electronic storage, they can become more vulnerable to unauthorized disclosure and modification, whether accidental or intentional. Controls or countermeasures are used as safeguards for electronic PHI.
Three areas emphasize the importance of health information security:
1. The public trust
2. Legal requirements and fines
3. Increasing security threats to healthcare data
Security Challenges
Healthcare data have become the leading target for hackers due to their ease of availability. Healthcare data can be used for financial information, identity theft, insurance fraud, exploiting personal details about individuals, etc.
Challenges fall in 3 main areas:
1. Competing goals of gaining access to patient data to support care and limiting access to patient data to support security
2. Competing institutional priorities and competition for institutional resources
3. Multiple and evolving regulations
Principles, Laws, and Regulations Guiding Practice
Healthcare professionals have always maintained patient confidentiality through ethical practices and codes of conduct. After the introduction of technology in healthcare, the U.S. federal government recognized the need for legislation to protect privacy in an electronic environment. It passed the Privacy Act in 1974, which only protected certain personal information held by federal agencies in computerized databases but set a standard for protecting personal health information. HIPAA began in 1996, with subsequent revisions.
Legal and historical context
Hippocratic Oath (4th Century): privacy of communications between patients and their healthcare providers
Florence Nightingale (1800s): addressed various uses of health information, including the importance of proper acquisition for the benefit of the patient
Security Threats
Increasing due to: the expanding volume of health data stored electronically, more EHRs interconnected by HIEs, and sensors/mobile devices connected to the internet and exchanging data. The use of mobile devices increases opportunities for interception and loss of health data.
Fair Information Practice Principles
Internationally recognized practices for addressing the privacy of information. They provide a framework for privacy laws and can form the foundation for an organization's privacy policy.
Technical safeguards
Involve protecting the confidentiality, integrity and availability of PHI. Common technical security controls for technology:
-Authentication
-Access management and control
-Encryption
-Protection from malware and hacking attacks
-Disaster recovery planning
-Privacy-enhancing technologies
International Laws
Many countries instituted privacy laws prior to HIPAA. Privacy of health data is increasingly being recognized as an international value (although there are differences in how privacy is conceived and the value placed on it). We must be aware of these laws if practicing on an international level.
Legal Requirements and Fines
Organizations are subject to large fines and legal issues for information security compromises. The average cost of a health record breach in 2015 was $363 per record, and a single breach can include thousands or millions of records.
Accountability and auditing
Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.
Transparency
Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).
Individual participation
Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.
Data minimization
Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
Security definition
Organizations should protect PII in all media through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
Purpose specification
Organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purposes for which PII is intended to be used.
Use limitation
Organizations should use PII solely for the purposes specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.
Data quality and integrity
Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.
Physical safeguards
Physical methods to protect against inappropriate access to PHI:
-Controlled access to buildings
-Workstation security
-Securing portable devices with a cable and locking them to a desk
-Requiring 2 forms of identification for access
-Security guards
-Alarm systems/fire detection and suppression systems
-Redundancy for power and network connections
-Securing output from devices
-Logging access to secured equipment
Public Health Monitoring or Surveillance
Public health departments monitor communicable diseases and conduct surveillance. Some communicable diseases require investigations that require the patient's health information to be shared (e.g., STDs, HIV, hepatitis, TB).
Conducting Risk Assessments or Risk Analysis
Risk assessment/risk analysis: required by the HIPAA Security Rule and by Meaningful Use. Identifies gaps/weaknesses that could lead to security breaches. Security risks are assessed by examining vulnerabilities and threats:
-Risk: the likelihood that something adverse will happen to cause harm to an informational asset (or its loss)
-Vulnerability: a weakness in the information system, device, or environment that could endanger or cause harm to an informational asset
-Threat: a human act or act of nature that has the potential to cause harm to an informational asset
Risk assessments should be conducted regularly, with at least one complete assessment annually, and can cost $10,000-$100,000. An assessment includes an evaluation of how and where PHI is stored within the organization, who is managing these data, how these data are being used, and where data are transmitted, as well as a review of the security measures and technical architecture.
Managing Security Risks
Risk management: an ongoing effort to maintain a system in the most secure state possible.
Administrative controls: establishing and adhering to security policies and procedures and dedicating resources to security.
Internal policies: installing software service packs, installing antivirus software, and testing.
Organizations should also have policies and procedures for intrusion protection, to avoid malware and malicious attacks such as ransomware, and should use encryption for mobile devices used for PHI.
HIPAA Omnibus Final Rule of 2013
Strengthens and expands patient rights as well as enforcement. Business associates who receive PHI are also liable for noncompliance, based on the level of negligence, up to a maximum penalty of $1.5 million. Clarifies when breaches of unsecured health information must be reported to the Department of Health and Human Services.
Individual rights expanded: patients can ask for a copy of their electronic medical record in an electronic form; if they pay cash for health services, they can ask the provider NOT to share information about their treatment with their health plan.
New limits on how information is used and disclosed for marketing and fundraising purposes.
HIPAA & Secondary Uses of Electronic Health Data
The use of PHI for other activities:
-Public health monitoring/surveillance
-Research: patient data must be de-identified before they can be used for research
-Marketing
Public trust
We must balance patients' requirements for privacy against society's need for improved efficiency and reduced costs. Increased connectivity means sharing highly sensitive data, as well as social and political pressure to prevent inappropriate sharing. Healthcare institutions and providers earn patients' trust by guaranteeing the privacy and security of their health information. Breaches of privacy and security undermine patients' confidence in their healthcare institutions and providers.
Security
The administrative, technical, and physical safeguards implemented to prevent privacy and confidentiality breaches, and also to ensure the integrity and availability of information.
Confidentiality
The responsibility of the healthcare provider to protect and safeguard health information from inappropriate access, use, and disclosure (about the information).
Privacy
The right of individuals to control access to their person or information about themselves (about the person).
Security vulnerabilities
*External events (someone trying to get in from the outside)*
-Attempts to access an organization's network (hacking)
-Intrusions through the firewall
-Installing malicious code/sending malicious messages via email
*Internal vulnerabilities (someone from the inside)*
-Unintentional or intentional, mostly lapses in judgement
-Lacking policies/procedures in organizations, or low priority given to HIPAA
*Medical devices*
-Interface directly with patients and may cause immediate harm
-A growing number of life-sustaining devices are implanted into patients and controlled externally via wireless communications
National Privacy and Security
*HIPAA only applies to personal health information (PHI)*
*Personal health information: individually identifiable health information (e.g., demographics, health and mental conditions and their treatments, as well as payment info) transferred in any medium*
HIPAA
*Health Insurance Portability and Accountability Act: restricts access to individuals' private medical information except for the people involved*
U.S. federal law
*Applies to "covered entities" (healthcare providers, health plans, and healthcare clearinghouses) and their "business associates" (an individual or organization supporting the work of a covered entity who has access to PHI)*
HITECH Act
*The Health Information Technology for Economic and Clinical Health Act (HITECH Act)*
Legislation created in 2009 to stimulate the adoption of electronic health records (EHRs) and supporting technology in the United States. Included requirements for privacy breaches by covered entities and/or business associates:
-Individuals must be notified of a breach within a specified amount of time
-If the breach affects 500 residents of a state or jurisdiction, the covered entity or business associate must provide notice to prominent media in addition to notification to those affected; the Secretary of HHS must also be notified