Security and Privacy of Health Information
Importance
The security and privacy of an individual’s health information are both very important and often go hand-in-hand. However, it is necessary to define and understand the difference between the two and realize that they both have their own distinct meanings. In this case, security is defined as “the procedural and technical measures required (a) to prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) to prevent any deliberate denial of service, and (c) to protect the system in its entirety from physical harm” whereas privacy addresses who has access to the personal information, whether it be just the doctor or the patient, or if there are other conditions in which someone else can view it as well.
Every individual has a different idea of privacy or at least holds it to a different standard. What may be considered private to one person, may not be a big deal to someone else. For this reason, it is important to respect every person’s wishes. This is another reason that certain health information is kept private for everyone, as a way to keep things equal and to refrain from any discrimination. Breaches of health information that may release the identity of an individual can lead to harm, embarrassment, and lack of trust between the patient and doctor. Without trust, a patient may withhold important information from their doctor which can lead to possible mistreatment or poor-quality care. Privacy or the lack thereof, also impacts health research efforts. If a person is confident that their information is being protected, they will be more willing to participate in surveys and experiments to provide data for research which institutions use to gain knowledge on the public and current health trends.
The security of health information is extremely important because a security breach can escalate very quickly and has the potential to cause economic, social, and psychological harm to the individual involved. For instance, if a person has a sexually transmitted disease, and that information becomes public, it can lead to isolation which may cause depression, anxiety, or other personal harm for the patient. Another type of security breach can be a stolen or hacked computer. This would allow someone access to not only health records, but also to personal records, which includes financial information and social security numbers, ultimately leading to identity theft. This is another factor that leads to lack of trust from the general public which will harm research efforts as well.
History
Laws and regulations have been created to aid in the protection and security of personal health information. Before it became such a vocal and serious concern due to the rapid growth of technology, people’s information was protected by was a combination of federal and state constitutional law. This wasn’t enough though, because individuals cannot rely solely on state constitutions to protect them from breaches of protection of their health information. The constitution doesn’t directly state a right to privacy, however it is usually implied. An implication will not always be enough. As the internet and computer technology grew however, people began to realize that their information was being put in much more vulnerable conditions. Unwarranted people could potentially have access to it and it could be used for undisclosed purposes. With this realization, the Health Insurance Portability and Accountability Act (HIPAA) was written.
HIPAA
HIPAA is the Health Insurance Portability and Accountability Act. It was enacted by Congress and signed by President Bill Clinton in 1996. The act required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations to protect the privacy and security of certain health information. To do so, the HHS developed a Privacy rule and a Security rule. The Privacy Rule “establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form” whereas the Security Rule” operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI)”. To put into simpler terms, the Privacy Rule protects the privacy of individually identifiable health information of all kinds, and the Security Rule protects the electronic information, not information that is transmitted orally or written. The following are personal identifiers that constitute as personal health information and if shared, is considered a violation of HIPAA.
Names or part of names
Any other unique identifying characteristic
Geographical identifiers
Dates directly related to an individual
Phone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health insurance beneficiary numbers
Account numbers
Certificate or license numbers
Vehicle license plate numbers
Device identifiers and serial numbers
Web URLs
IP addresses
Fingerprints, retinal and voice prints
Full face or any comparable photographic images
As patients, it is important to know what our role is when it comes to HIPAA. The following is a list of the rights of the patient.
♣ They have the right to request their medical records whenever they like.
♣ They have the right to request you amend their medical records when appropriate.
♣ They have the right to limit who has access to their personal health information.
♣ They have to right to choose how healthcare providers communicate with them.
♣ They also have the right to complain about the unauthorized disclosure of their PHI.
Compliance to HIPAA
A common misconception surrounding HIPAA is that it only applies to major institutions. However, any business despite the size, that deals with any kind of medical data must comply to HIPAA. To do so, employees must be informed and aware, and policies should be in place to make the process feasible. Whether it be that its difficult to not publicly say a name or phone number due to a small office space, or it be that paper work is facing up and the small desk space is visible to other patients, there must be policies in place to prevent these things from happening. If a patient sees these breaches it will result in lack of trust leading to potential harm to the patient or institution, as I mentioned previously. Another concern with HIPAA is that it could interfere with or hinder valuable research efforts. Since the Privacy Rule is has so many identifiers under its wing, many research organizations have requested that for the purpose of research, the Rule be revised to be less strict on some of the information.