VI. Conclusion

The preceding discussion has made clear the complexity of the topic at hand. Protecting medical privacy and confidentiality in a networked era involves a wide range of issues, and requires the cooperation and involvement of a similar range of actors. Practitioners and patients are, of course, critical to the effective deployment of EMRs, or indeed any other successful use of technology in health care. But the involvement of public health authorities, insurance companies, data marketers, civil society organizations, and a variety of other entities is also essential. In addition, governments and others at different jurisdictions—municipal, county, state, national, and international—will have to be considered.

Each of these actors brings different perspectives to the table. These differences can be productive, representing a wealth of knowledge and experience. But they can also be problematic. The range of experiences is accompanied by a variety of agendas, and—put more charitably—a variety of priorities. Harmonizing and doing justice to all these priorities is one of the key tasks confronting advocates of medical privacy.

Success, essentially a balancing act, will require more than the somewhat piecemeal approach to privacy that currently exists and that has been reviewed in this backgrounder. This underscores the need for a systematic and architectural solution. The foundations of this solution are the nine principles described in Section IV. Considered and applied together, these principles add up to an integrated and comprehensive approach to privacy that can help overcome the current fragmentation. It is critical that the nine principles be considered as part of one package. Elevating certain principles over others will simply weaken the overall architectural solution this backgrounder has proposed.

Of course, the principles remain just that—principles—and their precise manifestation will vary from state to state, and from country to country. Yet while they are broad enough to apply across organizations, stakeholders, and jurisdictions, they are also specific and tangible enough to have real significance and practical effect. The key is to apply them in a thorough and comprehensive manner before creating any new information network, not as an afterthought, and not as an after-the-fact band-aid solution.

Appendix

Columns: Privacy Architectural Principles [1]; Policies and Procedures in a Networked Health Information Environment; Use of Technology for Privacy Protection [2]; HIPAA Baseline Provisions [3]. Each principle below is listed with its definition, followed by its entries in the three remaining columns.

Openness and Transparency

There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides.

Policies and Procedures:

- Transparency and tracking policies;

- Collection and uses of personal data;

- Adequate and proper notice of privacy practices;

- Procedures for disclosing security breaches to individuals;

- Outreach and public education efforts to enhance awareness of privacy issues and privacy rights, as well as the risks and benefits of a networked environment.

Use of Technology:

- Standards and technologies for expressing policies;

- Standards and technologies for discovering policies once an institution’s HIPAA provider number is known;

- Defenses against people using transparency as an opportunity for phishing. [4]

HIPAA Baseline Provisions:

Notice of Privacy Practices.

Note:
Under HIPAA, patient information can be used or disclosed for treatment, payment, and health care operations without specific patient consent or authorization. The term health care operations includes quality assessment, outcomes evaluation, underwriting, legal services, auditing, business planning, customer service, and numerous other functions. The rules give each patient the right to request that a covered entity modify the standard terms. However, the covered entity has no duty to agree to a patient’s request.

Purpose Specification and Minimization

The purposes for which personal data are collected should be specified at the time of collection, and subsequent use should be limited to those purposes or to others that are specified on each occasion of a change of purpose.

Policies and Procedures:

- Define acceptable uses of the system;

- Define purposes of collection and of access for separate users such as: health care provider; health plan; public health authority; other government agency (law enforcement); researchers; individuals accessing their own health information; contractors and vendors (these might have a separate agreement);

- Develop policies requiring that data collected for one purpose not be used for another;

- Implement a minimization requirement.

Use of Technology:

- Audit and logging technologies (including versioning);

- Standards for expressing uses.

HIPAA Baseline Provisions:

Authorization for use of protected health information for marketing and fundraising, and the minimum necessary rule.

Note:
Treatment cannot be conditioned on an individual giving authorization to disclose to other parties.

Collection Limitation

Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject.

Policies and Procedures:

- Define purposes of collection and of access for separate users such as: health care provider; health plan; public health authority; other government agency (law enforcement); researchers; individuals accessing their own health information; contractors and vendors (these might have a separate agreement).

Use of Technology:

- Separation of clinical and demographic information.

HIPAA Baseline Provisions:

Authorization for use of protected health information for marketing and fundraising, and the minimum necessary rule.

Use Limitation

Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified.

Policies and Procedures:

- Define acceptable uses of the system;

- Decisions about linking and sharing are to be made by the participating institutions and providers at the edges of the network;

- “User” limitation: different categories of users are to be governed by different rules based upon separate use agreements;

- Some data may not be shared because of special sensitivity (e.g., alcohol/drug abuse history, psychiatric treatment);

- Patient authorization procedures need to be clarified and streamlined;

- Permitted disclosures need to be clarified (e.g., disclosure to health care providers for purposes of treatment, disclosure to health plans for payment);

- Define reuse exceptions in cases of national security or law enforcement;

- Use and disclosure for management and administration of Sub-Network Organizations (SNOs).

Use of Technology:

- Technologies for de-identification;

- Technologies for data aggregation;

- Security to prevent unintended disclosures;

- Limiting queries.

HIPAA Baseline Provisions:

Use and disclosure controls and business associate provisions, including the minimum necessary rule.

Note:
The rule creates specific standards for uses and disclosures for purposes such as public health, research, law enforcement, health oversight, abuse reporting, judicial proceedings, emergencies, organ donation, and other purposes.

Individual Participation and Control

Individuals should control access to their personal information. Individuals should be able to obtain, from each entity that controls personal health data, information about whether or not the entity has data relating to them. Individuals should have the right to:

- Have personal data relating to them communicated within a reasonable time (at an affordable charge, if any) and in a form that is readily understandable;

- Be given reasons if a request (as described above) is denied, and be able to challenge such denial; and

- Challenge data relating to them and have it rectified, completed, or amended.

Policies and Procedures:

- Patient authorization procedures;

- Patient access to information procedures when information is:

• Maintained by the provider;

• Maintained by a third-party vendor;

- User’s responsibility with respect to consent prior to sharing data;

- Need for meaningful and clear patient control clauses that do not present “all or nothing” choices;

- Consider ways to enhance patient control;

- Clarify new liability issues arising from greater individual control;

- Policies by which data may be withheld at the direction of the patient;

- Requirement to draft consent and authorization forms in clear language, easily understandable to users.

Use of Technology:

- Differing degrees of control should be built into the technology;

- Users should be able to choose the level of control and the necessary tradeoffs that are acceptable to them;

- Defenses against phishing and data theft (through user authentication).

HIPAA Baseline Provisions:

Right to access.

Note:
Authorization is required before disclosure to third parties other than for treatment, payment, operations, and other specified purposes.

Data Integrity and Quality

All personal data collected should be relevant to the purposes for which they are to be used and should be accurate, complete, and current.

Policies and Procedures:

- Policies to ensure accuracy, consistency, and completeness of data;

- Patients should be able to check their information and correct any errors (possibly modeled on the Fair Credit Reporting Act);

- Patients should be able to correct the context of data use as well as the content of data (i.e., they should be able to correct any misuse of data);

- Clarify the SNO’s liability in the case of:

• Failure of the system to operate as expected or at all;

• Loss or corruption of data within the system;

• Incomplete or inaccurate data;

• Misuse of the system by others, including other users;

• Breach of security of the system.

Use of Technology:

- Practices to ensure quality, accuracy, and availability, including backups, integrity checks, and periodic sampling;

- Technical methods for allowing an individual to access and review his/her health record.

HIPAA Baseline Provisions:

The HIPAA Security Regulation and Privacy Regulation each require physical, technical, and administrative safeguards.

Security Safeguards and Controls

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.

Policies and Procedures:

- Authorizing, managing, and policing access to information in the system by all categories of users;

- Clear security policies (the user’s responsibility to implement reasonable and appropriate measures to maintain the security of the system and to notify the SNO of breaches in security, including any specific measures required by the SNO’s policies and procedures);

- Policies to handle intra- and extra-community matching issues.

Use of Technology:

- Matching algorithm and thresholds;

- Authentication of users;

- Encryption technologies;

- Auditing, service management, and logging.

HIPAA Baseline Provisions:

The HIPAA Security and Privacy Rules each require physical, technical, and administrative safeguards.

Note:
The general Security Rule requires covered entities to:

- Ensure the confidentiality, integrity, and availability of all electronic protected health information (EPHI) the covered entity creates, receives, maintains, or transmits;

- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;

- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule; and

- Ensure compliance by its workforce.

Accountability and Oversight

Entities in control of personal health data must be held accountable for implementing these information practices.

Policies and Procedures:

- Contract administration;

- Policies by which the user has clear and sole responsibility for use of the system and for actions taken in reliance on data in the system;

- Consider mandating a Chief Privacy Officer (CPO) position in organizations;

- Clear user enrollment and termination procedures;

- Designate someone responsible for ensuring patients’ rights, such as access and amendment.

Use of Technology:

- Logging tools;

- Auditing tools (including versioning);

- Tracking systems;

- Standards and technologies for allowing remote institutions to identify those accessing data at the individual level.

HIPAA Baseline Provisions:

Enforcement of the Security and Privacy Rules by the United States Department of Health & Human Services (HHS).

Note:
HIPAA imposes on each covered entity a series of administrative requirements. These include: 1) designating a privacy official responsible for the development and implementation of privacy policies and procedures; 2) training staff in privacy; 3) establishing appropriate administrative, technical, and physical safeguards to protect the privacy of information; 4) establishing a compliance process for individuals; and 5) developing and maintaining written policies and procedures for implementing the privacy rules.

Remedies

Legal and financial remedies must exist to address any security breaches or privacy violations.

Policies and Procedures:

- Policy and remedies for unauthorized disclosures.

Use of Technology:

- Web site with information about how patients can identify and pursue possible remedies.

HIPAA Baseline Provisions:

HIPAA provides no private right of action, although state law may permit such suits. The Secretary of HHS accepts complaints and can investigate and seek civil penalties against covered entities that violate the privacy rules. Criminal enforcement may be available.