Access and Disclosure of Personal Health Information: A Challenging Privacy Landscape in 2016-2018

Linda L. Kloss; Melanie S. Brodnik; Laurie A. Rinehart-Thompson

doi:10.1055/s-0038-1667071

Yearbook of Medical Informatics, Inhaltsverzeichnis

CC BY-NC-ND 4.0 · Yearb Med Inform 2018; 27(01): 060-066
DOI: 10.1055/s-0038-1667071

Section 1: Health Information Management

Survey

Georg Thieme Verlag KG Stuttgart

Access and Disclosure of Personal Health Information: A Challenging Privacy Landscape in 2016-2018

Linda L. Kloss

¹Kloss Strategic Advisors, Vero Beach, FL USA

,

Melanie S. Brodnik

²Emeritus Health Information Management and Systems, The Ohio State University, Columbus, Ohio, USA

,

Laurie A. Rinehart-Thompson

³Health Information Management and Systems, The Ohio State University, Columbus, Ohio, USA

› Institutsangaben

Abstract

Summary

Objectives: To assess the current health data access and disclosure environment for potential privacy-protecting mechanisms that enable legitimate use of personal health information while preserving the rights of individuals. To identify the gaps and challenges between increasing requests and expanding uses of such information and the regulations, technologies, and management practices that permit appropriate access and disclosure while guarding against harmful misuse of such information.

Methods: A scoping literature review focused on (1) regulations affecting access and disclosure of personal health information, (2) the uses of health information that challenge access and disclosure boundaries, and (3) privacy management practices that may help mitigate gaps in protecting patient privacy.

Results: Countries and jurisdictions are developing laws, regulations, and public policies to balance the privacy rights of individuals and the unprecedented opportunities to advance health and health care through expanded uses of health data. Regulations and guidance are evolving, but they are outpaced by the increasing demand for and the challenges of managing access and disclosure. Mechanisms such as consent and authorization may not always be adequate. Mechanisms that advance principled stewardship are more important than ever.

Conclusions: Access and disclosure management are important dimensions of privacy management practices. This is a volatile period in which diverging public policies may reveal how best to balance access and disclosure of personal health information by individuals and by institutional custodians of the information. Approaches to access and disclosure management, including the roles of individuals, should be a focus for research and study in the years ahead.

Keywords

Privacy - health data access - disclosure - Health Information Portability and Accountability Act - General Data Protection Regulation - information governance

Volltext

Referenzen

References
1 Van Staa T-P, Goldacre B, Buchan I, Smeeth L. Big health data: the need to earn public trust. BMJ 2016 July 14; 354 Available from: http://www.bmj.com/content/354/bmj.i3636
2 Wang Y, Kung L, Byrd T. Big data analytics: Un-derstanding its capabilities and potential benefits for healthcare organizations. Technological Fore-casting and Social Change. 2018 Jan 126; 3-13. Available from: https://www.sciencedirect.com/science/article/pii/S0040162516000500
3 45 CFR 164.524. Security and Privacy; Access of individuals to protected health information. 2013. Available from https://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec164-524.pdf
4 45 CFR 160.103. General Administrative Require-ments; Definitions. 2013. Available from https://www.gpo.gov/fdsys/pkg/CFR-2013-title45-vol1/pdf/CFR-2013-title45-vol1-sec160-103.pdf
5 Regulation (EU) 2016/679 of the European Parlia-ment and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free move-ment of such data, and repealing Directive 95/46/ EC (General Data Protection Regulation) Available from: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENGwww.eugdpr.org
6 Robertson SK. Calls grow for Canada to mod-ernize privacy laws amid EU changes. The Globe and Mail. July 12, 2017. Available from: https://www.theglobeandmail.com/report-on-business/industry-news/marketing/calls-grow-for-canada-to-modernize-privacy-laws-amid-eu-changes/article35778176/
7 US Department of Health and Human Services, Office for Civil Rights. Individuals' Right under HIPAA to Access their Health Information 45 CFR § 164.524, February 25, 2016. Available from: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
8 US Department of Health and Human Services, Office for Civil Rights. Guidance on HIPAA & Cloud Computing, June 16, 2017. Available from: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
9 US Department of Health and Human Services, Office for Civil Rights. Guidance on HIPAA & Cloud Computing, June 16, 2017. Available from: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html
10 US Department of Health and Human Services, Office for Civil Rights, How HIPAA Allows Doctors to Respond to the Opioid Crisis. Available from: https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdfprofessionals/privacy/guidance/access/index.html
11 US Department of Health and Human Services. Individuals' Right under HIPAA to Access their Health Information. 45 CFR 164.524, February 25, 2016. Available from: https://www.hhs.gov/hipaa/for-
12 Public Law 114-255. Available from: https://www.congress.gov/114/plaws/publ255/PLAW-114publ255.pdf
13 Steinhauer J, Tavernise S. $6.3 Billion Measure Aims to Cure Ailing Health Care Policies. November 28, 2016. Available from: https://www.nytimes.com/2016/11/28/us/politics/congress-cures-cancer-moonshot-alzheimers.html
14 Majunder M, Guerrini C, Bollinger J, Cook-Deegan R, McGuire A. Sharing Data under the 21st Century Cures Act. Genet Med 2017; 19 (12) 1289-94
15 H.R. 34 21st Century Cures Act. Section 2063. Available from: https://www.congress.gov/bill/114th-congress/house-bill/34/
16 Federal Policy for the Protection of Human Subjects. Federal Register. 82 FR 7149. Jan. 19, 2018. https://www.federalregister.gov/doc-uments/2017/01/19/2017-01058/federal-policy-for-protection-of-human-subjects
17 42 CFR Part 2, Confidentiality of Alcohol and Drug Abuse Patient Records. Available from: https://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=b7e8d29be-4a2b815c404988e29c06a3e&rgn=div5&view=-text&node=42:1.0.1.1.2&idno=
18 Substance Abuse and Mental Health Services Administration. 42 CFR Part 2 Confidentiality of Substance Use Disorder Patient Records. January 9, 2018. Available from: https://www.samhsa.gov/health-information-technology/laws-regula-tions-guidelines
19 National Institutes of Health Certificates of Confi-dentiality (CoC) Kiosk. Certificates of Confidentiality for Research Funded by Non-HHS Federal Agencies. December 29, 2017. Available from: https://www.samhsa.gov/health-information-tech-nology/laws-regulations-guidelines
20 Fradidis L, Chatzoglou P. Development of Nationwide Electronic Health Record (NEHR): An international study. Health Policy and Technology 2017; 6: 124-133
21 Schmit C, Wetter S, Kash B. Falling short: how state laws can address health information exchange barriers and enablers. J Am Med Inform Assoc 2018; 25 (06) 635-44
22 Moon L. Factors influencing health data sharing preferences of consumers: A critical review. Health Policy Technol 2017; 6: 169-87
23 HealthIT.gov. Computable Privacy. 2016. Available from: https://www.healthit.gov/policy-researchers-implementers/computable-privacy
24 Nohr C, Parv L, Kink P, Cummings E, Almong H, Norgarrd J. , et al. Nationwide citizen access to their health data: analyzing and comparing experiences in Denmark, Estonia and Australia. BMC Health Serv Res 2017; 17: 534 . Available from: https://bmchealthservres.biomedcentral.com/articles/10.1186/s12913-017-2482-y
25 Pietro C, Francetic I. E-health in Switzerland: The laborious adoption of the federal law on electronic health records (EHR) and health information exchange (HIE) networks. Health Policy 2018; Feb; 122 (02) 69-74 . Available from: http://www.healthpolicyjrnl.com/article/S0168-8510(17)30317-2/pdf
26 Séroussi B, Bouaud J. Adoption of a Nationwide Shared Medical Record in France: Lessons Learnt after 5 Years of Deployment. AMIA Annu Sym Proc 2016; 2016: 1100-9
27 National Committee on Vital and Health Statis-tics (NCVHS). Recommendation on the HIPAA Minimum Necessary Standard. 2016. Available from: https://www.ncvhs.hhs.gov/wp-content/uploads/2013/12/2016-Ltr-Privacy-Minimum-Necessary-formatted-on-ltrhead-Nov-9-FINAL-w-sig.pdf
28 Health Information Technology for Economic and Clinical Health Act. 2009. PubLaw 111-5(123 STAT. 226, et seq.) Feb. 17, 2009. Available from: https://www.healthit.gov/policy-researchers-im-plementers/select-portions-hitech-act-and-rela-tionship-onc-work
29 Office of the National Coordinator for Health Information Technology. Draft U.S. Core Data for Interoperability (USCDI) and Proposed Ex-pansion Process. January 2018. Available from: https://www.healthit.gov/sites/default/files/draft-uscdi.pdf
30 Office of the National Coordinator for Health Information Technology Connecting Health and Care for the Nation A Shared Nationwide Interop-erability Roadmap. 2015. Available from: https://www.healthit.gov/sites/default/files/hie-interoperability/nationwide-interoperability-roadmap-final-version-1.0.pdf
31 Office of the National Coordinator for Health Information Technology. Proposed Interopera-bility Standards Measurement Framework. 2017. Available from: https://www.healthit.gov/sites/default/files/ONCProposedIOStandardsMeas-FrameworkREV.pdf
32 Office of the National Coordinator for Health Information Technology. Draft Trusted Exchange Framework. 2018. Available from: https://www.healthit.gov/sites/default/files/draft-trusted-ex-change-framework.pdf
33 Morris G. Trusted Exchange Framework and Common Agreement: A Common Sense Approach to Achieving Health Information Interoperability. 2018. Health IT Buzz. Available from: https://www.healthit.gov/buzz-blog/interoperability/trusted-ex-change-framework-common-agreement-com-mon-sense-approach-achieving-health-information-interoperability/
34 President's Council of Advisors on Science and Technology. Big Data and Privacy: A Technolog-ical Perspective. 2014. Available from: https://bigdatawg.nist.gov/pdf/pcast_big_data_and_privacy_-_may_2014.pdf
35 Pasquale F. Virtual hearing of the NCVHS Privacy, Confidentiality, and Security Subcommittee. Nov. 28, 2017. Available from: https://www.ncvhs.hhs.gov/transcripts-minutes/transcript-of-the-november-28-2017-meeting-of-the-privacy-confidentiality-and-security-subcommittee/
36 European Commission Data Protection Working Party. Statement on Statement of the WP29 on the Impact of the development of big data on the protection of individuals with regard to the processing of their personal data in the EU. Sept 2014. Available from: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp221_en.pdf
37 Federal Trade Commission. Big Data A Tool for Inclusion or Exclusion? Understanding the Issues. 2016. Available from: https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf
38 Garfinkel S. De-identifying Government Datasets, National Institute of Standards and Technology 800-188 (2d DRAFT)(Dec. 2016), p. 8. Available from: https://csrc.nist.gov/CSRC/media/Publications/sp/800-188/draft/documents/sp800_188_draft2.pdf
39 European Patients Forum. The New EU Regula-tions on the protection of personal data: what does it mean for patients? A guide for patients and patients' organizations. 2016; Available from: http://www.eu-patient.eu/globalassets/policy/data-protection/data-protection-guide-for-patients-organisations.pdf
40 Hale H. St. Luke's Health System: Transforming ROI From Siloed to Enterprise-Wide Function. AHIMA Annual Convention and Exhibit; 2017 October 8-12; Los Angeles CA
41 Vayena E, Gasser U, Wood A, O'Brien DR, Altman M. Elements of a New Ethical Framework for Big Data Research. Washington and Lee Law Review [Internet] 2016; 72(3) Available from: http://openscholar.mit.edu/sites/default/files/dept/files/elements_of_a_new_ethical_framework_for_big_data_research.pdf
42 Organization for Economic Cooperation and De-velopment. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. 1980. Available from: theprotectionofpriva-cyandtransborderflowsofpersonaldata.htm
43 US Department of Health and Human Ser-vices, National Committee on Vital and Health Statistics (NCVHS) 2018. Health Information Privacy Beyond HIPAA: An Environmental Scan of Major Trends and Challenges. Available from: https://www.ncvhs.hhs.gov/wp-content/uploads/2018/02/NCVHS-Beyond-HIPAA_Re-port-Final-02-08-18.pdf
44 American Health Information Management Association. Awareness and Use Growing with Information Governance AHIMA's third IG survey showcases key recommendations for organizations seeking to transform through IG. AHIMA News Oct 17, 2017. Available from: http://www.ahima.org/topics/infogovernance/ignews
45 National Health Service. Information Governance Toolkit. Available from: https://www.igt.hscic.gov.uk
46 American Health Information Management Association. Information Governance Toolkit 3.0. 2017. Available from: http://bok.ahima.org/doc?oid = 302242#.WjAUOEuQxgc
47 Integrating the Healthcare Enterprise (IHE). Health IT Standards for Health Information Management Practices. September 18, 2015. http://ihe.net/uploadedFiles/Documents/ITI/IHE_ITI_WP_HIT-StdsforHIMPratices_Rev1.1_2015-09-18.pdf
48 Canadian Health Information Management As-sociation. Information Governance for Canadian Healthcare. May, 2017. Available from: https://www.echima.ca/uploaded/pdf/reports/IG_Pa-per_summary_Short_Final.pdf
49 International Federation of Health Information Management Associations. 2017. Available from: https://ifhima.files.wordpress.com/2017/10/ifhi-ma-ig-whitepaper-final.pdf
50 Regulation (EU) 2016/679 of the European Parlia-ment and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free move-ment of such data, and repealing Directive 95/46/ EC (General Data Protection Regulation) Available from: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
51 Rubinstein IS, Hartzog W. Anonymization and Risk. New York University Law School, Public Law & Legal Theory Research Paper Series, Working Paper No 15-36
52 National Committee on Vital and Health Statis-tics (NCVHS), 2017 Letter to the Secretary on De-identification of Protected Health Information. Available from: https://www.ncvhs.hhs.gov/wp-content/uploads/2013/12/2017-Ltr-Privacy-DeIdentification-Feb-23-Final-w-sig.pdf
53 National Institute for Science and Technology An Introduction to Privacy Engineering and Risk Management in Federal Systems. NISTIR 8062 Available from: https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf
54 Australian Government. Federal Register of Legislation. 2017. Available from: https://www.legislation.gov.au/Details/C2017A00012
55 NHS, Information Governance Toolkit. https://www.igt.hscic.gov.uk/
56 Kloss L. Implementing Information Governance, Lessons from the Field. AHIMA Press; 2015: 111-113
57 Rubinstein IS, Hartzog W. Anonymization and Risk. New York University Law School, Public Law & Legal Theory Research Paper Series, Working Paper No 15-36