© Springer-Verlag London 2015
Kathryn J. Hannah, Pamela Hussey, Margaret A. Kennedy and Marion J. Ball (eds.)
Introduction to Nursing Informatics
Health Informatics
10.1007/978-1-4471-2999-8_11
11. Data Privacy and Security
(1) Sextant Corporation, Toronto, ON, Canada
Abstract
The concept of privacy is complex and it is common to think of privacy as interchangeable with security. In fact, this is not true and this chapter will introduce readers to the definition of privacy. The concept of personal health information (PHI) is explored in relation to collection, use, disclosure, and retention. Additionally, the rationale for privacy, implicit and deemed consent, and revoking consent are presented. Other approaches to protecting privacy include developing a privacy policy, designating a privacy officer, de-identification and pseudonymization, and the list to privacy. The chapter closes by exploring how nurses can contribute to the protection of privacy.
The online version of this chapter (doi:10.1007/978-1-4471-2999-8_11) contains supplementary material, which is available to authorized users.
Keywords
Privacy, Security, Consent, Health information custodian, Data steward, De-identification, Pseudonymization, User enrolment, User authentication, Audit
Key Concepts
Privacy
Security
Consent
Health information custodian
Data steward
De-identification
Pseudonymization
User enrolment
User authentication
Audit
Introduction
Informational privacy is best thought of as a human right. While laws and customs in most jurisdictions do not yet afford personal health information the same level of protection as is accorded to rights such as security of the person, freedom from arbitrary search and seizure, or the right to vote, an increasing body of law and jurisprudence in western democracies recognizes the importance of ensuring that individuals have basic rights in relation to their own personal information.
As has been discussed in previous chapters, the provision of modern healthcare is a multidisciplinary endeavour. Perforce, such provision therefore requires the exchange of patient information among the members of the patient’s healthcare team (see Chap. 6 for a discussion of document exchange). Nurses ask patients to share information about their health, their work, their home, their social life, their sex life, and their emotional state. Patients comply with the implicit assumption that the information will remain confidential; i.e., that it will be shared with a limited audience and only for certain purposes related to healthcare.
This chapter includes a brief overview of how thinking about privacy has evolved since the 1970s and how societies have come to view privacy and the protection of personal information, including personal health information. It defines some common terms used in contemporary discussions of patient privacy and describes the basic privacy principles that underpin contemporary thinking about informational privacy. Since health records are increasingly stored electronically rather than on paper, we survey the techniques used to secure personal health information and discuss some issues that arise from the computer technology now in use. We also discuss the challenges to healthcare providers in maintaining the privacy and security of personal health information. Finally, we discuss the role of nurses in maintaining the privacy and security of personal health information.
Throughout this chapter, the discussion will focus almost exclusively on the protection of personal information, especially personal health information. This type of protection complements, but is distinct from, maintaining privacy of the person. The latter issue is important to healthcare providers, since the cultural norms that inform a patient about what constitutes invasion of personal privacy may be very different from those informing the healthcare providers treating the patient. While most cultures place special emphasis on privacy of the person in respect to the genitals, there is wider variation in the emphasis given to privacy of buttocks or breasts, and great variation in the cultural significance attached to viewing a woman’s face. Healthcare providers are usually sensitive to such issues—traditional hospital gowns notwithstanding. In any event, the relevant issues are typically dealt with effectively by ensuring that physical examinations are conducted in private and by respecting a patient’s wishes about the gender of the examining healthcare provider or about the additional presence of a person of specified gender to act as witness or chaperone. Protecting the confidentiality of personal health information is a much more complex undertaking than protecting privacy of the person. As we shall see below, the definition of what constitutes personal health information can itself be the subject of debate, the technical challenges involved in maintaining the confidentiality and availability of the information may be daunting, and the information collected may need to be securely protected for decades. The focus of the rest of the chapter will therefore be on informational privacy: i.e., the protection of personal information. Yet the reader must remain aware that however much patients may care about the confidentiality of their records, they care just as much—if not more—about the privacy and sanctity of their own persons.
Why Patient Privacy Matters
For an effective relationship to exist between healthcare providers and their patients, patients must believe that the information they provide will remain confidential. Patients may otherwise withhold information critical to their treatment and care. Ask yourself the following questions:
1. Given that men with paedophile tendencies make up 4% or more of the adult male population [1, 2], do you believe that men with paedophilic urges should seek counselling and treatment before those urges overwhelm them? Or are the risks entailed by such secret desires becoming public knowledge so great that such men should never discuss them with a healthcare provider and hence never obtain treatment?
2. Given that alcohol and drug abuse affects as much as 15% of the adult workforce [3] and that functioning alcoholics and individuals struggling with drug addiction may hold senior positions in corporations, government, and the military, which society would you feel safer living in: one in which such individuals continue to work and live without recourse to effective treatments because disclosure of their condition might irreparably harm their careers? Or one in which such individuals seek out treatment, secure in the knowledge that their drug or alcohol problems will not become public knowledge?
3. Given that more than 2.7 million people become newly infected with AIDS each year [4], should adults and teens be able to openly discuss HIV/AIDS prevention strategies with their healthcare providers, even if it means discussing intimate details of their sexuality, or should they instead avoid such discussions on the assumption that such details might become publicly known and hope instead that they’ll be able to get all of the information they need from the Internet?
Privacy may not matter to every patient, but as the questions above indicate, it matters a great deal to patients whose treatment and care impact the health of an entire society. How healthcare providers handle patient privacy can therefore play an important role in shaping the kind of society in which we live. As healthcare providers with extended access to patients, nurses have a vital role to play in building trust, encouraging patients to be entirely forthcoming about healthcare issues that concern them, and reassuring those patients that their healthcare information will remain confidential.
While the need to assure patients that their privacy would be protected existed long before the computerization of health records, the introduction of electronic health records has considerably increased public concern about the confidentiality of personal health information. There are several reasons for this. Firstly, there is truth in the old adage that ‘to err is human but to really screw things up requires a computer.’ Computerization has allowed losses of confidentiality to occur on an industrial scale. Whereas loss of paper records rarely involved more than a few thousand records, privacy breaches involving electronic records routinely involve tens of thousands of records in a single breach. The list of incidents over the last two decades is long and dishonourable and the reasons for the breaches are diverse:
Inadvertent loss – dozens of hospitals across the US lost access to electronic medical records for 5 hours during a computer outage in 2012 that was caused by human error [5]. Within minutes of the outage, doctors and nurses reverted to writing orders and notes by hand, but in many cases no longer had access to patient information previously saved in electronic records, potentially compromising patient care.
Technical failures – patient records at the University of Michigan Medical Center were left exposed on the Internet because the center thought that they were on a server protected with a password [6].
Failure to adequately dispose of paper records – the United Kingdom Information Commissioner’s Office (ICO) ordered Belfast Health and Social Care Trust to pay a £225,000 fine after determining that the organization had breached the UK Data Protection Act by closing a hospital in 2006 and leaving behind patient medical records, X-rays, scans, lab results, and unopened payslips; all abandoned in the empty hospital building [7]. On several occasions, trespassers subsequently gained access to the site and took photographs of the records and posted them online.
Failure to adequately dispose of electronic records – The UK ICO fined Brighton and Sussex University Hospitals £325,000 after highly sensitive personal data belonging to tens of thousands of patients and staff was stolen and sold on eBay [8]. The data, including some relating to HIV and genito-urinary patients as well as information referring to criminal convictions and suspected offences, had been stored on hard drives sold on an Internet auction site in October and November 2010.
Failure to comply with established policies – personal health data of tens of thousands, possibly hundreds of thousands of Canadians were accessed without proper authorization, including information on the mental, physical and sexual health of individuals, as well as lifestyle and use of health services. In the most serious cases, the British Columbia provincial government notified 38,486 individuals of the breaches by letter [9]. In three separate instances in 2010 and 2012, health information was saved on USB sticks and shared with researchers at the universities of B.C. and Victoria or with contractors. Proper permissions had not been obtained and suitable procedural protocols had not been devised.
Staff misconduct – a state public health worker in Florida sent the names of 4,000 HIV-positive patients to two Florida newspapers [10, 11].
Computer hacking – in 2009, a computer hacker successfully compromised a health database used by pharmacies and doctors to track narcotics and painkiller prescriptions and stole records of more than eight million patients [12]. The hacker then demanded a $10 million ransom from the state of Virginia, which the state government refused to pay. Russian hackers held an Australian medical centre to ransom in 2012 after encrypting thousands of patient health records and then demanding $4,000 to decrypt them [13].
If the recent past is any indication, patient privacy and the confidentiality of personal health records will remain in the news and hence in the public’s awareness for many years to come.
There is a final argument that is sometimes made to minimize the importance of privacy: that inter-generational shifts in attitudes have taken place and young people are not concerned about their privacy (or at least less concerned than their parents’ generation). The evidence for such statements is equivocal. Certainly, societal attitudes shift over time in regard to what one might normally consider confidential. In 1968, Canadian gay men and lesbians were still subject to criminal prosecution for having consensual sex with their partners. Thirty-five years later, such couples could legally marry anywhere in Canada. This shift in societal attitudes in that country has had an obvious impact on the importance placed on the confidentiality of sexual orientation as recorded in personal health records.
Definitions
Some terms are inevitably encountered in any robust discussion of privacy and information security and they are included in the discussion that follows. While nearly all of these terms are also used outside of healthcare, some have special meaning for healthcare providers. Where this is the case, additional discussion is provided on the use of these terms in healthcare settings.
Participants in a nursing informatics conference in Toronto in 2013 were asked to provide a definition of privacy. After much lively discussion, they defined it as the right of individuals and organizations to decide for themselves when, how, and to what extent information about them is transmitted to others. It is as good a definition as can be found in many privacy-related discussions, and more relevant to nursing than most.
Consent is an agreement, approval, or permission given voluntarily by a competent person that permits some act(s) for some stated purpose(s) [14]. For example, a patient may consent to having their personal health information collected by a clinic or consent to its disclosure to a third party (e.g., an insurance provider). Note that in this chapter, consent will always be used to refer to informational consent (i.e., consent to share or disclose information) as opposed to consent to treatment and care. Although consent for treatment and consent to collect, use or disclose health information are sometimes bundled together on the same patient consent form, they are distinct concepts. A patient may consent to an abortion but not consent to her personal health information being disclosed or used outside the clinic: indeed, she may insist that it not be. Conversely, a patient may consent to participation in a medical research project on sexual practices and sexually transmitted diseases without consenting to (or having any expectation of receiving) treatment.
Patient consent can take one of several forms. Express consent is an explicit (usually written) instruction from the patient – a voluntary agreement regarding what is being done or proposed that is unequivocal and does not require any inference or assumptions on the part of the healthcare organization or healthcare provider seeking consent. Implied consent is a voluntary agreement that can be reasonably determined through the actions or inactions of the patient. For example, if a patient voluntarily provides a urine sample to a diagnostic laboratory for the purpose of performing a lab test requested by the patient’s healthcare provider, it can reasonably be inferred that the patient has consented to information related to the test being disclosed by the lab to the healthcare provider (otherwise, why bother to provide the urine sample and perform the tests?) In most jurisdictions, implied consent is sufficient for the collection, use and (limited) disclosure of personal health information.
Some jurisdictions have statutory provisions for deemed consent: under certain stated conditions, the law permits organizations to act as if the patient has consented, regardless of whether or not the patient has actually done so; the patient has no right to withdraw or withhold consent. This may include disclosures of personal health information for the purpose of mandatory reporting of certain infectious diseases, or to allow healthcare providers to comply with certain professional ethical practices.
A patient may withhold consent by expressly stating that s/he does not consent to a particular activity. A patient may also withdraw consent previously given (also referred to as a patient revoking consent). Withholding consent occurs when a patient indicates that s/he does not consent to the sharing of personal health information previously collected. Withdrawing or revoking consent occurs when a patient who has expressly provided consent or where consent has previously been implied revokes that consent at some later date.
A patient’s circle of care refers to the persons participating in, and the activities related to, the provision of health care to the patient. This includes healthcare providers involved with necessary but incidental activities such as laboratory work or professional consultation. The term is sometimes used in privacy discussions and even privacy policies of healthcare organizations; e.g., when promising not to share a patient’s personal information outside their circle of care without the patient’s express consent.
A health information custodian (sometimes called a data steward) is an individual or organization that collects, uses, or discloses personal health information for the purposes of patient treatment and care, medical billing, health system planning and management, or health research. Depending on a jurisdiction’s law or policy, any of the following entities may be considered a health information custodian:
healthcare providers, i.e., professionals licensed or registered to provide health services
Ministries or Departments of Health for a country, state, province, municipality or other governmental jurisdiction
regional health authorities (where such entities exist)
hospitals, nursing homes or other identified health care facilities
pharmacies (and pharmacists, who are included above under healthcare providers)
boards of health, agencies, committees and other organisations identified in jurisdictional regulations (e.g., a mental health board, cancer care board, etc.) and
ambulance operators and paramedics.
Not every jurisdiction has privacy laws protecting personal health information. Where law and policy do not clearly outline custodial responsibilities in the collection, use and disclosure of personal health information, healthcare providers may need to look to their professional associations, licencing bodies, or colleges for guidance about their professional responsibilities.
A privacy officer is an individual who oversees activities related to the development, implementation, maintenance of, and adherence to an organization’s policies and procedures covering the privacy, confidentiality and sometimes security of personal information. In many jurisdictions, it is now standard practice for large healthcare organizations such as hospitals to have a designated privacy officer. Privacy officers oversee access to personal health information by patients and their families. They also ensure patients are notified of their privacy rights. They educate staff about privacy responsibilities and provide privacy oversight and review of the organisation’s information handling practices. They also respond to questions and complaints from patients and the public concerning the organization’s information privacy practices. Privacy officers may also be required to periodically review and revise organizational privacy policies and practices in order to ensure currency with industry best practices and legislative developments.
Anonymity allows the subjects in a database to remain nameless and unidentified. Patient anonymity is frequently found in research databases and in data that consists of statistical summaries.
If data is anonymised, the data subject(s) cannot be identified by the recipients of the data. The process of anonymising data involves removing any information that identifies the patient or any information that could be utilized, either alone or with other information, to identify the patient. This process of de-identification is typically a non-trivial undertaking: it consists of taking steps necessary to ensure that the anonymised data cannot be utilized, either alone or with other information, to identify a patient. A variety of statistical techniques may need to be employed to ensure successful de-identification: i.e., to ensure that the risk of re-identification has been reduced to an acceptably low level.
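The following is an added example, not part of the original chapter. It uses k-anonymity, one common statistical measure that the chapter does not itself name, to show why removing names alone is not enough and how generalization and suppression lower re-identification risk. The records, field names and the threshold k = 2 are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (not real patient data); field names are hypothetical.
RECORDS = [
    {"name": "Patient A", "health_no": "0001", "birth_year": 1952, "postcode": "M5V 2T6", "sex": "F", "dx": "diabetes"},
    {"name": "Patient B", "health_no": "0002", "birth_year": 1957, "postcode": "M5V 1J1", "sex": "F", "dx": "asthma"},
    {"name": "Patient C", "health_no": "0003", "birth_year": 1958, "postcode": "M5V 3A8", "sex": "F", "dx": "HIV"},
    {"name": "Patient D", "health_no": "0004", "birth_year": 1983, "postcode": "K1A 0B1", "sex": "M", "dx": "asthma"},
    {"name": "Patient E", "health_no": "0005", "birth_year": 1986, "postcode": "K1A 0A9", "sex": "M", "dx": "HIV"},
    {"name": "Patient F", "health_no": "0006", "birth_year": 1931, "postcode": "X0A 0H0", "sex": "M", "dx": "diabetes"},
]

DIRECT_IDENTIFIERS = ("name", "health_no")            # identify a patient on their own
QUASI_IDENTIFIERS = ("birth_year", "postcode", "sex")  # identify when combined with other data


def strip_direct(records):
    """Remove fields that identify the patient directly."""
    return [{f: v for f, v in r.items() if f not in DIRECT_IDENTIFIERS} for r in records]


def generalize(records):
    """Coarsen quasi-identifiers: decade of birth, first three postcode characters."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = f"{r['birth_year'] // 10 * 10}s"
        g["postcode"] = r["postcode"][:3]
        out.append(g)
    return out


def _key(record):
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def risk_report(records, k):
    """Size of the smallest group sharing quasi-identifier values, and what follows from it."""
    sizes = Counter(_key(r) for r in records)
    smallest = min(sizes.values())
    return {
        "min_class": smallest,          # the data set is k-anonymous iff this is >= k
        "max_risk": 1 / smallest,       # worst-case chance of picking the right record
        "at_risk": sum(1 for r in records if sizes[_key(r)] < k),
    }


def suppress(records, k):
    """Drop records whose quasi-identifier group is smaller than k."""
    sizes = Counter(_key(r) for r in records)
    return [r for r in records if sizes[_key(r)] >= k]


if __name__ == "__main__":
    stripped = strip_direct(RECORDS)
    coarse = generalize(stripped)
    print("names removed only:  ", risk_report(stripped, 2))
    print("after generalization:", risk_report(coarse, 2))
    print("after suppression:   ", risk_report(suppress(coarse, 2), 2))
```

k-anonymity bounds only the chance of singling out a record; it does not stop disclosure when everyone in a group shares the same diagnosis, which is one reason several techniques are usually combined.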