Core Principles for a Networked Environment

Below, we present nine specific recommendations to ensure privacy. While some of these recommendations reflect and are derived from the Fair Information Practice Principles, they have been updated and designed specifically to protect privacy in a networked environment, keeping in mind the unique and new risks described in the previous section.

1. Openness and Transparency

Perhaps the most important mechanism for privacy protection in the information age, this first principle stipulates that there should be a broad and universal practice of transparency in the way data is handled. Individuals should be able to establish what information exists about them in the data market and in government databases. They should be able to track how that information is used, and by whom, and they should be able to control how that information is disseminated. Individual choice is critical; control of information rests with persons, not with data aggregators or data users.

It is also essential that individuals be aware of how they can exert such control. Having strict laws to ensure transparency and openness serves little purpose if people do not know how they can find out where information about them exists, and how they can control who has access to that information. Ideally, patients should be able to give their informed consent to any use of their information.30 Outreach and education regarding privacy are critical, as is the role of civil society and consumer groups in facilitating such efforts.31 One possible policy option is to require all data collectors and aggregators to register with a government agency, probably the Federal Trade Commission (FTC), and for that agency to maintain a secure32 “one-stop” web site where people can view their data shadow.

2. Purpose Specification and Minimization

Data should never be collected without people knowing that it is being collected. Furthermore, they should always be aware of why that information is being collected, and how it will be used. This will allow them to give their informed consent to any act of data collection.

In addition, an important extension exists to this principle of purpose specification: data must be used only for the originally stated reason, or, in rare cases, for other purposes with specific legal sanction: see discussion below regarding “Use Limitation” (Principle 4). Currently, a number of privacy violations occur when data is collected for one legitimate purpose, with individual consent, and then resold and reused in another context, for a very different purpose. For example, clinical data may be collected to treat a patient, but later find its way to the hands of insurers or credit agencies that could use the information to deny coverage. A strict minimization requirement can prevent such unauthorized reuses of data.

3. Collection Limitation

Personal information should be collected only by lawful and fair means and with the knowledge and consent of the persons concerned. There should be well-drafted and explicit permissions to ensure that data collectors state their purpose in ways that are clear and easily understood by the population for whom they are intended, without misleading language.

Collection limitation can be seen as an extension of “Purpose Specification and Minimization” (Principle 2). However, it goes beyond the requirement that data collectors specify why they are collecting information and suggests a blanket application of Principle 1 (“Openness”) to all aspects and forms of data collection. For example, the principle of collection limitation requires that information only be gathered in a legal manner, and in a manner that is apparent to patients. This last requirement is particularly important in a networked environment, because technology is often opaque and unclear to average users. Many users, for example, have little idea of the wealth of information that exists on their computers in the form of cookies. They may similarly not be aware of the potential abuses that occur when they submit personal information to a medical or other web site. Thus, in addition to declaring their purpose clearly (Principle 2), data collectors should also be required to declare the very fact that they are collecting information.

4. Use Limitation

As stated, a minimization requirement would strictly limit whether data collected for one purpose could be reused in another context. Generally, we believe that such reuse should not be permissible without explicit consent of individuals.

However, certain legal exceptions may apply, particularly in the case of national security or law enforcement. Such cases should be the exception instead of the norm, and should be controlled by strict laws and sanctions. In addition, when information is reused, it is far preferable that the data in question be non-identifiable (for example, aggregated or demographic data) and, to the greatest extent possible, stripped of any element that could identify an individual. This allows data to be reused without representing a gross violation of an individual’s privacy.

5. Individual Participation and Control

An important principle of privacy protection is that an individual has a vital stake in, and thus needs to be a participant in, determining how his or her information is used. Privacy protections should be designed with this principle in mind: individuals should be seen as key participants in processes of information collection and dissemination, and not as mere subjects or passive spectators. At all stages in the information chain, they should be able to inspect and query their information, and to determine who uses that information. In addition, as we shall explore further, they should have clear avenues to correct information.

Such control can be facilitated through the principles of transparency and the various limitations we have outlined above. In addition, whenever possible, personal information should be collected directly from the individual rather than from a third party. This enhances patient control over personal information. Finally, control means that people should have meaningful opt-out clauses when they do not want their information to be reused, or when they want to “reclaim” their information. Currently, many opt-out procedures administered by web sites and others are complicated and cumbersome, making it near-impossible for people to exert real control. In addition, opt-out provisions can be diluted when they represent all-or-nothing choices, forcing people to choose, for example, between protecting their privacy and receiving efficient service.33 For such reasons, “opt-in” is often regarded as providing more control to the patient: it allows patients explicitly to determine when, by whom, and for what purpose information is used. In the event patients do not understand the conditions under which their information is being used, they can choose to request more information, or refuse permission.

It is also important to note that greater individual control may complicate existing methods of determining and allocating liability for privacy violations and medical errors. For example, practitioners may be blamed for errors stemming from an individual’s refusal to release medical information. Similarly, an individual could accidentally “leak” his or her own data through a “phishing” attack or other online breach. Overall, there will certainly be new and unforeseeable liability issues raised by greater use of EMRs and greater patient control. To the extent possible, these need to be addressed beforehand, in a systematic manner, as part of any Fair Information Practice Principles.

6. Data Integrity and Quality

We have seen that data corruption is a key—and new—source of privacy violation in the information age. It follows that mechanisms need to be developed to address this violation, and for establishing accountability among those who maintain records. Such mechanisms can include technical tools for quality control, as well as regular backups and redundancy in systems and databases. In addition, individuals should have clear avenues to view all information that has been collected on them, and to ensure that the information is accurate, complete, and timely. The tools could include laws drafted along the lines of the Fair Credit Reporting Act, which permits people to correct mistakes in their credit report.

Individuals should also be able to ensure that information is being used for the originally stated purpose—they should be able to correct errors in context as well as content. This requires that people be able to view not only what information exists on them, but how it is being used. A discrepancy in either can be viewed as a form of data corruption, requiring clearly-articulated and publicized avenues for redress.

7. Security Safeguards and Controls

Security breaches, discussed above, represent another potential source of privacy violation, and so security safeguards represent another important principle for privacy protections. Given the increasing frequency of hacking and other forms of cyber-crime, it is imperative that reasonable security safeguards be built against loss, unauthorized access, destruction, use, modification, or disclosure of personal information. In addition, all data collectors and disseminators should be mandated to promptly disclose any security breach through a direct communication to those consumers affected (i.e., not just by releasing the news to the media). Such laws, similar to California's information security breach law (Civil Code § 1798.29), will allow individuals to protect themselves through after-the-fact remedies.

Security represents an important example of how protections can be built into the design of technology. By implementing the right technologies, and by consulting security experts at the outset, key precautions can be taken at the design stage to increase the robustness of network security. For example, networks can be designed and built with enhanced identity management tools to ensure that access to information is limited to those with a specific need and authorization to see it. In addition, data scrubbing, hashing techniques, real-time auditing mechanisms, and a range of other technical tools can be deployed to ensure security. The key is to supplement legal protections with technical protections. That is the only way to ensure true data privacy.

8. Accountability and Oversight

It is essential that mechanisms be built to ensure that the responsibility for privacy violations is identifiable, and that remedial action can be taken. Boards of directors and senior management must be held accountable for any violations. It is their responsibility to ensure steps are taken to institute, review, or modify their organization’s risk management strategy as it relates to handling patients’ information.

Several specific steps can be taken to enhance accountability and oversight. Organizations could be mandated to create a post for chief privacy officers (CPOs), who would fulfill the same duties with regard to privacy as CFOs and CTOs do with regard to finance and technology, respectively. In addition, organizations should hold regular employee training programs as well as privacy audits to monitor organizational compliance. These audits can be facilitated by technical tools that ensure clear audit trails and reveal patterns of use and potential abuse.
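The following is an added example, not code from the original backgrounder, of the technical tools Principles 7 and 8 describe: an access gate that releases only the fields a role has a stated need for, refuses roles with no stated need, and writes every decision to a hash-chained audit trail that can be verified for tampering and mined for unusual patterns of use. The roles, field sets, records, and the "distinct patients per actor" signal are constructed for illustration and are not taken from any real policy.

```python
"""Added example (not from the original paper): need-based field release
plus a tamper-evident, queryable audit trail for electronic records."""
import hashlib
import json
import time
from collections import defaultdict

# Constructed need-to-know map: the record fields each role may read.
FIELD_POLICY = {
    "billing":    {"patient_id", "insurer", "visit_date", "procedure_code"},
    "clinician":  {"patient_id", "name", "visit_date", "procedure_code", "diagnosis", "notes"},
    "researcher": {"visit_date", "procedure_code", "diagnosis"},
}

GENESIS = "0" * 64  # hash the first entry chains to


class AuditLog:
    """Append-only log in which each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, event):
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "event": event, "hash": self._digest(prev, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; an edited, deleted or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def patients_per_actor(self):
        """Distinct patients each actor has successfully read: a crude pattern-of-use signal."""
        seen = defaultdict(set)
        for entry in self.entries:
            ev = entry["event"]
            if ev["decision"] == "allow":
                seen[ev["actor"]].add(ev["patient_id"])
        return {actor: len(patients) for actor, patients in seen.items()}


class RecordStore:
    def __init__(self, records, log):
        self.records = records
        self.log = log

    def read(self, actor, role, patient_id, purpose):
        """Return only the fields `role` is permitted to see; log the decision either way."""
        allowed = FIELD_POLICY.get(role)
        event = {"ts": time.time(), "actor": actor, "role": role,
                 "patient_id": patient_id, "purpose": purpose}
        if allowed is None or patient_id not in self.records:
            reason = "no policy for role" if allowed is None else "no such record"
            event.update(decision="deny", reason=reason)
            self.log.append(event)
            raise PermissionError(reason)
        record = self.records[patient_id]
        released = {k: v for k, v in record.items() if k in allowed}
        event.update(decision="allow", released=sorted(released),
                     withheld=sorted(set(record) - allowed))
        self.log.append(event)
        return released


def demo():
    """Constructed sample data and a short access sequence; returns the billing view and the log."""
    records = {
        "p1": {"patient_id": "p1", "name": "A. Example", "insurer": "AcmeCare",
               "visit_date": "2024-05-01", "procedure_code": "99213",
               "diagnosis": "J06.9", "notes": "Follow up in two weeks."},
        "p2": {"patient_id": "p2", "name": "B. Example", "insurer": "AcmeCare",
               "visit_date": "2024-05-02", "procedure_code": "99214",
               "diagnosis": "I10", "notes": "Adjusted medication."},
    }
    log = AuditLog()
    store = RecordStore(records, log)
    billing_view = store.read("clerk1", "billing", "p1", "claim")
    store.read("clerk1", "billing", "p2", "claim")
    try:
        store.read("guest", "visitor", "p1", "curiosity")  # no policy: denied and logged
    except PermissionError:
        pass
    return billing_view, log


if __name__ == "__main__":
    view, log = demo()
    print(view, log.verify(), log.patients_per_actor())
```

A hash chain only proves tampering if the latest hash is anchored somewhere the log writer cannot rewrite (copied to a separate system, signed, or published periodically); an attacker with write access to the log file can otherwise recompute the chain after editing it.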

9. Remedies

This principle is closely related to Principle 8, with the exception that it probably entails greater participation by the state in the form of legal sanctions. One of the key challenges with enforcement of privacy rights is the difficulty (often impossibility) of clearly pinning blame, or even of tracing the source of a privacy violation. Solove and Hoofnagle (2005, 13) point out that approximately 50 percent of identity theft victims do not know how their information was accessed. Similarly, it is likely to be extremely difficult for a patient to monitor and identify violations of information contained in their EMRs. Without such information, it obviously becomes very difficult to seek remedies.

Some of the strategies described above (e.g., audit trails) can help pin the blame more accurately. In addition, internal controls such as those described in Principle 8 are also important to monitor uses and abuses of information. While such remedies are not foolproof, they do help identify a data trail.

When it is possible to identify the source or perpetrator of a privacy violation, the next step is to ensure that clear legal remedies exist to address the situation. Minimum statutory punishments must be clearly articulated, as must damages for any violations.34 Solove and Hoofnagle have also suggested that ways must be developed to avoid extensive class action litigation, e.g., by allowing state authorities to fine companies and disburse remedies to victims of privacy violations from a state-administered fund. Whatever the specific steps adopted, the important point is that enforcing sanctions and remedies is as important as establishing the protections themselves.

V. Current Laws and Guidelines and How They Integrate an Architectural Approach

The above describes a template for privacy protections. We have seen nine key steps required to protect medical data in the information age. In this section, we provide an overview of existing policies, both at the state and federal levels. In addition, we discuss the emergence of community-based or other health sub-networks and describe the challenges and opportunities they pose to the integration of federal and state provisions.

The overview provided in this section is somewhat limited. The variety and patchwork of laws that exist, particularly in the states, makes it near-impossible to present a comprehensive overview in this backgrounder. We have therefore chosen to focus on the most important and relevant laws and statutes and, within those laws, to focus on key themes. Throughout the text, we have provided links where more detailed information can be found.

A. Federal: HIPAA Privacy Regulation

In 1996, the United States Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which, through the regulations issued under it by the Department of Health and Human Services, governs how medical information may be collected and shared. HIPAA’s privacy protections, contained in the HIPAA Privacy Rule, became effective for most organizations in 2003. These marked the first (and, thus far, only) federal-level protections for privacy of medical data.

Among the more significant measures introduced by the Privacy Rule were a guarantee of patient access to medical records; provisions to protect personal health information from misuse; provisions to ensure notice of use to patients; the right to file a complaint; and a requirement for health providers to provide patients with information on their privacy practices. Below we provide an overview of these and other key privacy protections. The overview also includes a discussion of HIPAA’s related Security Rule, which governs how electronic information can be used, stored, and shared.35

Protected Health Information (PHI): One of the initial functions performed by HIPAA’s Privacy Rule is to define the notion of protected health information (PHI). PHI is individually identifiable health information: health data that is held together with, or can be linked to, identifiers such as names, addresses, Social Security numbers, license numbers, medical record numbers, and so on. Under HIPAA, all PHI is subject to the limits on use and disclosure described below.

Limits on Use and Disclosure: Generally, PHI can only be used or disclosed for a person’s medical treatment, payment-related activities, or routine operations of a health care provider. Other than for these three purposes, known as TPO, information can be disclosed without authorization only for one of the specific public-interest purposes the Rule enumerates (such as public health reporting or compliance with a court order), or when it forms part of a de-identified data set (see discussion below). Under HIPAA, all other uses or disclosures of information must receive written authorization from the patient. In addition, patients have the right to access and view how their information has been used and disclosed.

Reasonable Safeguards: HIPAA also requires health care providers and businesses to ensure “reasonable safeguards” to protect PHI. Such safeguards could include shredding documents, ensuring that medical records are safely locked, using curtains or other dividers in treatment rooms, and a variety of measures to protect electronic health information (or ePHI; see the discussion below). While the range of possible safeguards is broad, the law clearly puts the burden of protection on providers, in the process establishing clear lines of responsibility and liability.

Providing Notice of Privacy Practices: As mentioned above, HIPAA requires providers to ensure that patients are aware of their privacy rights and of providers’ privacy practices. Under the law, a “Notice of Privacy Practices” must be provided to patients in written form. In addition, the law also requires providers either to obtain written acknowledgement from the patient that he or she has received such notice; or at a minimum, providers must document that reasonable efforts have been made to obtain such acknowledgement.

Limited Data Set: One exception to the disclosure restrictions described above covers de-identified information and what the Privacy Rule calls “limited data sets.” Information is considered de-identified when the identifiers the Rule lists (names, addresses, dates, Social Security numbers, medical record numbers, and the like) have been removed, or when a qualified expert applying accepted statistical and scientific methods determines that the risk of re-identifying an individual is very small. De-identified information is no longer PHI and may be shared without patient authorization. A limited data set removes direct identifiers but may retain dates and certain geographic information, which is useful for research and public health purposes; because it remains PHI, it may be shared without authorization only under a Data Use Agreement between the provider and the recipient.
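As an added example, not code from the original backgrounder, the following models the two disclosure tiers just described. `limited_data_set` strips direct identifiers but keeps dates and geography (the form the Rule permits only under a data use agreement); `safe_harbor` goes further, approximating the Rule’s Safe Harbor method by generalizing dates, ZIP codes and ages and scrubbing free-text fields. The field names, regular expressions, ZIP prefix list and sample record are constructed assumptions and do not reproduce the regulation’s full identifier list.

```python
"""Added example (not from the original paper): limited data set versus
Safe Harbor de-identification of a single constructed patient record."""
import re

# Fields treated as direct identifiers (a constructed subset of the Safe Harbor list).
DIRECT_IDENTIFIERS = {"name", "street", "phone", "email", "ssn", "mrn",
                      "license", "device_serial", "url", "ip"}

# Safe Harbor requires that three-digit ZIP prefixes covering fewer than
# 20,000 people be replaced by "000". Illustrative subset, not the census list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that leak into free text. Regexes catch only structured tokens;
# person names written in prose need a separate review step.
TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE), "[MRN]"),
    (re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{4}(?!\d)"), "[DATE]"),
]


def scrub_text(text):
    """Replace structured identifiers in free text with labelled placeholders."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def limited_data_set(record):
    """Drop direct identifiers; keep dates, city/state/ZIP and ages intact."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    return out


def safe_harbor(record):
    """Start from the limited data set, then generalize the remaining quasi-identifiers."""
    out = limited_data_set(record)
    out.pop("city", None)  # only state-level geography may remain
    if "zip" in out:
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    for date_field in ("dob", "visit_date", "admit_date"):  # ISO dates assumed: keep year only
        if date_field in out:
            out[date_field] = str(out[date_field])[:4]
    if "age" in out and int(out["age"]) > 89:
        out["age"] = "90+"        # ages over 89 collapse into a single bucket
        out.pop("dob", None)      # even the birth year would reveal the age
    return out


def contains_direct_identifier(record):
    """Post-release check: any identifier key left, or any pattern match in a value?"""
    if DIRECT_IDENTIFIERS & set(record):
        return True
    return any(p.search(str(v)) for v in record.values() for p, _ in TEXT_PATTERNS)


# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Jane Q. Sample", "street": "12 Elm St", "city": "Springfield",
    "state": "MA", "zip": "03601", "phone": "617-555-0199",
    "email": "jane@example.org", "ssn": "123-45-6789", "mrn": "MRN-00042",
    "dob": "1931-02-03", "age": 92, "visit_date": "2023-03-14",
    "diagnosis": "E11.9",
    "notes": "Pt called from 617-555-0199; prior MRN 00042; seen 03/14/2023.",
}

if __name__ == "__main__":
    print(limited_data_set(SAMPLE))
    print(safe_harbor(SAMPLE))
```

Run on the sample, the limited data set still carries the full birth date, visit date and five-digit ZIP (hence the data use agreement), while the Safe Harbor output retains only the state, a generalized ZIP, the visit year, an age bucket and scrubbed notes. The free-text scrubber is the weak point in practice: it cannot find names or other identifiers that do not follow a fixed pattern, so de-identified notes still need review before release.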

Minimum Necessary Information: Although HIPAA permits providers to share information without patient authorization for TPO purposes, it nonetheless requires that uses, disclosures, and requests be limited to the minimum amount of information needed for the purpose at hand (with the notable exception of disclosures to, or requests by, a health care provider for treatment, which the Rule exempts from the standard). This concept of “minimum necessary” information is central to HIPAA’s privacy protections. In practice, it means that providers need to have policies and procedures in place that define the extent of information necessary for particular roles and purposes. It also generally means that providers or other entities can request a patient’s full medical record only when they can specifically justify the need for the entire record.

Compliance and Enforcement: In addition to these central provisions, HIPAA includes a variety of provisions to ensure compliance and enforcement. These include stronger civil and criminal penalties for improper disclosures of PHI, as well as measures to train and provide information for health care providers to ensure that they are in compliance with HIPAA’s privacy standards. The law also gives patients the right to monitor how their information is accessed and used, and to seek redress in cases where violations have occurred.

Security Rule: Although technically separate from the law’s privacy provisions, HIPAA’s Security Rule is closely related. While the Privacy Rule covers all forms of data (including paper-based information), the Security Rule applies specifically to electronic protected health information (ePHI). Under the Security Rule, entities are required to protect ePHI from reasonably anticipated threats, institute appropriate technical protections to defend networks, ensure the integrity of data and physical infrastructure, and limit access to authorized individuals. The Security Rule is technology-neutral, meaning that it does not prescribe particular technologies or standards for protecting ePHI, but it is nonetheless quite specific in its requirements.

B. State Laws

In addition to the federal law described above, a patchwork of state laws exists to provide privacy protections. Indeed, in the absence of a national set of privacy standards, individual states have historically taken the lead in protecting medical privacy in the United States. This has offered certain benefits, particularly in those states where protections are strong, but many also feel that it represents a weakness in the US system, which lacks an over-arching approach to privacy.

A comprehensive overview of state laws is not possible here. In an extensive report on state statutes, the Health Privacy Project noted the difficulty of the task, pointing out that the terrain was uneven (Pritts et al 2003). That report, The State of Health Privacy, Second Edition, A Survey of State Health Privacy Statutes, remains the best resource for state protections.36 In addition, Pritts presents a conceptual discussion of many of the most important issues raised by state laws, including their relationship to federal laws like the HIPAA Privacy Rule.37 Other key issues include federal pre-emption and the floor v. ceiling debate, and the way in which state laws are condition-specific or circumstance-specific and may be more stringent than HIPAA (Pritts 2002, 343, 335-36).

Pritts (2002, 330) notes that states can protect privacy through three legal avenues: constitutions, common law, and statute. The following summary of each of these avenues owes significantly to her discussion.

Constitutional Protections

State constitutional protections have recently been in the news due to alleged violations of Rush Limbaugh’s medical privacy in Florida. In fact, state constitutions generally offer only limited protection. Most states contain an implied right to privacy similar to that in the US Constitution, and some explicitly protect medical privacy. Yet, as Pritts notes, those protections are generally designed to limit only state action, and are easily outweighed by disclosure requirements.

Only two states, California and Hawaii, stand out for their strong, constitutional protections of medical privacy. These protections apply both to violations by the state, and by the private sector. In addition, they are explicitly written to cover medical information, providing a strong bulwark against the lack of adequate federal protections.

Common Law Protections

State common law is somewhat more robust in its protections than state constitutions. Here, too, state law is fragmented and varied, but a growing number of courts have found grounds for two privacy rights in particular: the right to maintain confidentiality of information and a patient’s right to access his or her medical information. These rights are important because many states do not grant a statutory right to access (Pritts 2002, 333, 349-50).

Despite the steady expansion of these rights, Pritts (2002, 332) notes at least two shortcomings in existing common law protections:

  1. In cases involving disclosure of information, courts are increasingly finding legal grounds to accept cases,38 but patients have had trouble proving the guilt of those who have allegedly “leaked” their information. There exists, in short, a high burden of proof for many patients, and court decisions in general have led to the conclusion that “the underlying duty of confidentiality is not absolute” (Pritts 2002, 332).
  2. In cases allowing patients access to their information, courts have found numerous legal grounds on which to consider patients’ complaints (e.g., adopting property principles). At the same time, there exists some disagreement on what “reasonable access” requirements would imply, and to what extent health care providers have discretion in deciding what information to make available to patients.

Statutory Protections

For some decades now, the main protections for patient medical privacy have come not through constitutional or common law, but rather through specially enacted statutory protections. Statutory protections have become so important that the previously mentioned Health Privacy Project reports focus almost entirely on this category of legal protection.

The scope of privacy laws is particularly diverse and uneven in this category of protections. Each state has its own principles and standards, and sometimes these principles clash. In addition, state laws are often highly specific, applying differently to various conditions, contexts, and participants.

In an attempt to enforce some cohesion on the patchwork of laws, Pritts (2002, 332) identifies the following six principles that are upheld to a greater or lesser degree across states:

1. Access to Information
2. Right to Amend Health Records
3. Restrictions on Use and Disclosure of Information
4. Notice of Information Practices
5. Security Safeguards
6. Accountability

As noted, these principles are upheld unevenly, and in different ways, across states. In addition, the situation is fragmented within individual states, where a patchwork of laws often means that privacy is protected in a somewhat piecemeal fashion. However, Pritts (2002, 339) notes a recent trend towards “uniformity” in at least some states. She cites California, Maine, and Hawaii as notable examples. Hawaii, in particular, has a “truly comprehensive health privacy law,” which was adopted in 1999, and California has similarly inched towards such a comprehensive approach with a series of consumer- and patient-protective statutes.

A General Observation

Finally, while the above has highlighted the diversity of state laws, it is worth emphasizing one key and crosscutting finding of the original 1999 version of the Health Privacy Project overview of state laws. In one of the three main conclusions presented in its executive summary, the 1999 report indicates that, in general, “state laws have not kept pace with changes in health care delivery and technology” (Pritts 1999, 9). The report points out, for instance, that individual and institutional access to medical data will increase substantially as new technologies are adopted, and that state laws often fail to acknowledge this fact.

In addition, the patchwork and unevenness of state laws poses evident challenges to any attempt to adopt national EMRs or to protect privacy at the national level. This landscape of often robust but uneven protections is a critical factor that needs to be taken into account when designing privacy protection principles. Ultimately, both the technologies and the policies deployed will need to be flexible and forward-looking enough to adapt to this unevenness.

C. Health Information Sub-Networks: Emerging Rules

In addition to the above discussion of federal- and state-level protections, it is important to briefly consider the tremendous and exciting growth of community-based or non-geographic sub-network health information organizations. Such organizations, which provide care at a community level, are increasingly seen as an effective grassroots way to facilitate information sharing.39

As envisioned, these sub-networks would act as “nodes” on an eventual information-sharing platform. The urgency and importance of information sharing to transform health care is widely understood. Unacceptable rates of avoidable medical errors, as much as $300 billion in unnecessary expenses, and continuing disparities in health care quality constitute a call to action to the health care system and to policymakers. An information-sharing environment has the potential to enable decision support anywhere at any time, improving public and individual health and reducing cost.40

However, the US health care system is highly fragmented. Many types of organizations exist as part of the current health care network, from giant hospital systems and insurance agencies to individual practices, with all manner of specialists, clinics, and agencies in between. In addition, and perhaps more importantly, sharing patients’ information will only succeed and be beneficial when it happens within a strong radius of trust.

Towards those ends, we must assume that any information sharing improvement will have to happen through a decentralized approach, where decisions about sharing are made by participating institutions and providers at the edges of the network. The system proposed, for instance, by the Markle Connecting for Health Working Group on Accurately Linking Information for Health Care Quality and Safety,41 would leave it to the providers to determine locally with their patients what to link, share, and disclose, building upon their existing foundation of trust.

By leaving these decisions at the edges or local sub-networks, it is assumed that the information-sharing environment can grow incrementally, if based upon interoperable standards, and provide for the necessary security and trust. However, multiple challenges remain to be solved for those local and regional entities from the outset. In particular, as they grow beyond their regional origins, they will require coordination between existing state, federal, and local protections. 

In addition, networking health information poses certain practical challenges to the sharing of patient information. For example, when data is shared between a larger provider and a small, regional provider, assurances will need to be built into the system to ensure that both adhere to the same privacy safeguards. Without such assurances, both the smaller and the larger provider might be reluctant to share information due to liability concerns. Similarly, concerns have been raised that the proliferation of these community-based networks could overload existing organizations that need to comply with HIPAA and other statutes. The paperwork required to ensure privacy requirements have been met at every step could simply prove overwhelming.

These and other obstacles do not mean that community-level health information networks lack immense potential to realize a national health information environment; nor are they meant to imply that such networks should be exempt from existing and emerging privacy protections. Rather, the above discussion is intended to suggest the range of issues raised by the creation of a health information network, issues that need to be addressed by technology and policy. Both avenues, technology and law, offer potential solutions, but it is important that we acknowledge the problems from the outset.