DOI: 10.1055/s-0038-1667071
Access and Disclosure of Personal Health Information: A Challenging Privacy Landscape in 2016-2018
Publication history
Publication date:
29 August 2018 (online)
Summary
Objectives: To assess the current health data access and disclosure environment for potential privacy-protecting mechanisms that enable legitimate use of personal health information while preserving the rights of individuals. To identify the gaps and challenges between increasing requests and expanding uses of such information and the regulations, technologies, and management practices that permit appropriate access and disclosure while guarding against harmful misuse of such information.
Methods: A scoping literature review focused on (1) regulations affecting access and disclosure of personal health information, (2) the uses of health information that challenge access and disclosure boundaries, and (3) privacy management practices that may help mitigate gaps in protecting patient privacy.
Results: Countries and jurisdictions are developing laws, regulations, and public policies to balance the privacy rights of individuals and the unprecedented opportunities to advance health and health care through expanded uses of health data. Regulations and guidance are evolving, but they are outpaced by the increasing demand for and the challenges of managing access and disclosure. Mechanisms such as consent and authorization may not always be adequate. Mechanisms that advance principled stewardship are more important than ever.
Conclusions: Access and disclosure management are important dimensions of privacy management practices. This is a volatile period in which diverging public policies may reveal how best to balance access and disclosure of personal health information by individuals and by institutional custodians of the information. Approaches to access and disclosure management, including the roles of individuals, should be a focus for research and study in the years ahead.