The benefits of computerized data systems that facilitate access to personal health information are clear. Also evident is the need to protect the privacy, confidentiality, and security of that information. Media reports about data breaches have understandably heightened the public’s concerns about protecting personal information. A number of federal laws and regulations govern the disclosure and safeguarding of health information.
Regulations issued under the 1996 Health Insurance Portability and Accountability Act (HIPAA) established important privacy and security protections. HIPAA rules apply to health plans, health care clearinghouses, and health care providers that conduct billing and other transactions electronically (“covered entities”). The HIPAA Privacy Rule delineates who is allowed to access personal health information and for what purposes. The Privacy Rule also obligates covered entities to release records to patients who request them or to transmit records to any recipient designated by the patient. The HIPAA Security Rule requires that covered entities implement safeguards to prevent inappropriate disclosure of personal health information.
The High Information Technology for Economic and Clinical Health (HITECH) portion of the American Recovery and Reinvestment Act of 2009 further strengthened privacy and security protections, moving the health care system closer to achieving a robust privacy and data security framework. HITECH also extends accountability to those doing business (known as “business associates”) with HIPAA covered entities. (It is important to note that HIPAA does not apply to most mobile application developers or device manufacturers.)
The Genetic Information Nondiscrimination Act (GINA), enacted in 2008, provides additional protections for genetic information, which includes family medical history as well as genetic test results pertaining to an individual or their family members. GINA bars the use of genetic testing information for health insurance and employment decisions. It does not apply to life, disability, or long-term care insurance.
Recognizing that the use of Social Security numbers (SSN) as a primary form of identification in health insurance programs exposes individuals to identity theft, Medicare began issuing non-SSN linked Medicare cards in 2018.
Additionally, many states have enacted statutes that provide some protection against inappropriate disclosures of personally identifiable medical information, but the patchwork of state laws leaves many gaps in privacy protections.
Emerging technologies including genetic testing kits marketed directly towards consumers or mobile applications designed to help patients manage their health and wellness outside of clinical settings. Such advances raise concerns about opportunities for the inappropriate disclosure of personal health information. Additionally, the flow of data from covered entities to consumers via third-party applications raises questions about the limits of existing protections.
Third-party intermediaries like app developers and mobile device manufacturers—that are not covered by HIPAA—may become responsible for holding or directing personal health data to various providers. The Food and Drug Administration (FDA) regulates a limited number of mobile applications that are used by health care professionals but does not regulate many applications that are used by consumers. FDA’s policy tries to balance the need for consumer protections and the advantages of innovative technologies (see also this chapter’s section on Specific Needs and Services—Medical Devices). Technology experts say that it is possible to protect personal health information by encrypting or anonymizing user data stored on mobile devices, but many consumer devices lack these protections. They also caution that the more data that are stored on a device, the greater the consequences of a potential security breach.
Through a process known as consumer-mediated data-sharing, consumers would be responsible for requesting and authorizing third-party apps to perform health information exchange (see also this chapter’s section on Reforming the Delivery of Health Care Services—Health Information Technology for more discussion about consumer-mediated data-sharing). Anecdotal evidence from focus groups of consumers and family caregivers conducted by AARP in 2016, participants raised concerns about the privacy and security of their personal data in such exchanges of personal health information.
Privacy experts believe that the Fair Information Practice Principles developed by the Federal Trade Commission could provide a framework to protect personal health information stored or transmitted via mobile applications, health devices, consumer-mediated health information exchange, and other emerging technologies. The principles call for full disclosure, including details of how data will be used. They call for data integrity, quality, and accuracy.
Lastly, while leveraging health information to improve the quality and efficiency of care for individual patients may be considered of paramount importance, federal and state laws also support the secondary use of electronic health information for public health and research purposes. Some critics say that HIPAA (which established federal privacy and security protections concerning the access, use, and disclosure of personal health information) and the “Common Rule” (which outlines basic provisions for the protection of human subjects in research) interfere with biomedical research and restrict access to genetic databases, patient registries, medical records, and other information sources. Others maintain that barriers to the access, use, and disclosure of health information result from overzealous interpretation of the legal requirements, not the law or the regulations themselves.
A comprehensive framework of privacy and security safeguards, including transparency regarding uses and disclosures of personal health data, will help ensure public trust in health information technology and the appropriate use of health information.
ENSURING THE PRIVACY, CONFIDENTIALITY, AND SECURITY OF HEALTH INFORMATION: Policy
The right to privacy and security of health information
Federal and state governments should ensure individuals’ right to privacy and data security with respect to their personal health information.
Federal policies that protect the privacy and security of personal health information stored in new technologies should ensure that people can control the use of their information without creating barriers to appropriate, innovative uses of this information.
Organizations collecting and storing data should engage in “data minimization”—the collecting and retaining the least amount of data needed. They should also engage in “de-identification”—removing information that could help to identify an individual. Finally, they should ensure individual control and accountability. Regulators should ensure proper oversight of these practices, enforce them, and implement remedies and penalties when security is breached.
Appropriate federal and state agencies should monitor and enforce compliance with privacy and security regulations, as well as educate and guide covered entities as to whether their policies and procedures are reasonable and appropriate.
State and federal policies should grant individuals the right to examine and copy the contents of their health care records, to be notified who has examined these records, and to identify who may have access to their personally identifiable health information and for what purpose.
The Department of Health and Human Services should ensure that business associates of entities covered by Health Insurance Portability and Accountability Act restrict their uses and disclosure of individuals’ personal health information to only what is necessary for the business associate to carry out the activities it has agreed to perform for the covered entity.
States and the federal government should ensure robust protections for all personal and health information that allows for reasonable sharing to support better care. All business entities including third-party data intermediaries that access, use, and disclose identifiable health information—whether covered by HIPAA or not—should comply with any federal, state, or local confidentiality, privacy, and security safeguards for ensuring that such information is protected.
State and federal regulators should establish clear expectations for compliant behavior so that all regulated entities understand when it is permissible to share information with other entities authorized to receive it. This guidance should be designed to address uncertainties that may inhibit or deter appropriate, legal data-sharing.
State and federal regulators should periodically review privacy and security laws and revise them to address new technology innovation, including consumer-mediated health exchanges, records, and information.
Appropriate federal and state regulators should initiate public education about the risks and benefits of mobile devices, including potential breaches of the confidentiality of the personal information stored on them.
Designing attributes for Health Information Technology (HIT) systems to protect personal health information
Essential design attributes of HIT systems must address the following:
- control and access—individuals must have the ability to control who has access to their personal health information and have the ability to review who has accessed their files;
- disclosure and accountability—individuals should receive readily accessible information that fully explains policies affecting the transfer of their personal health information and how it may be used;
- functionality—individuals and authorized health care providers must be able to access or move health information securely and reliably from one health care entity to another; and
- governance—consumers must be represented on an equal footing with other parties in the governance and advisory structure of all regional and national bodies that regulate personal health information, including standard-setting and operational entities.
Federal and state agencies must ensure that:
- policies and practices addressing personal health information are developed in an open and transparent manner;
- the purposes and intended uses for which personal data are collected are specified at the time of collection, and subsequent uses are limited to the initially specified purpose unless otherwise disclosed;
- personal health information is not made available or used for any purposes other than those specified;
- individuals can control access to their personal health information and have the right to obtain data relating to them delivered within a reasonable timeframe at an affordable cost (if any), and in a readily understandable form;
- if an individual’s request for personal health data is denied by the entity controlling access to the data, the individual should be able to challenge the denial and have such data corrected, completed, or amended;
- all personal data collected are relevant to the purposes for which they are to be used and are accurate, complete, and current;
- personal data are protected by reasonable security safeguards against risks such as loss, unauthorized access, theft, destruction, use, modification, or disclosure;
- entities controlling personal health data are held accountable for implementing effective practices to ensure adherence to these principles; and
- legal and financial remedies exist to address security breaches or privacy violations.
An individual’s health information should not be disclosed without prior consent in most cases. Exceptions include:
- public health reporting, as required by law—a court order must be required of law enforcement agencies seeking access to personal health information;
- ensuring the financial integrity of publicly funded health programs (provided that personal identifiers have been removed);
- research and quality assessment and improvement (provided that personal identifiers have been removed); and
- health care interventions, including disease management programs and chronic-care coordination.
AARP supports policies that:
- prohibit the use of patients’ clinical information for marketing purposes without the individuals’ express written consent or opt-in authorization;
- require the types of communication constituting “marketing” to be clearly delineated—criteria to define this term include whether the information is directly related to ongoing treatment regimens, whether it concerns new products, and whether a covered entity is receiving any remuneration for giving information to consumers;
- ensure the right of consumers to have their names removed from marketing lists; and
- ensure consumers are informed when their personal health information is transferred by a health care entity.
Genetic testing should not be performed on individuals unless they have provided informed consent.
AARP supports the role of licensed health professionals in advising consumers about the need for an interpretation of all genetic testing.
AARP supports the value of family health history being discussed with family members and clinicians, with appropriate referral to genetic counselors as necessary.
Replace Social Security numbers with another unique identifier for health insurance coverage
All health insurers should replace Social Security numbers with new identification numbers by a specified date (see also Chapter 11, Financial Services and Consumer Products - Digital Privacy and Security, for background and further policies on protecting the privacy of Social Security numbers).