Privacy and Confidentiality of Health Information
Fully computerized data systems will facilitate access to personal health information. While the public values HIT, it also wants data-access practices that secure the confidentiality of personally identifiable information.

Media reports about data breaches have heightened the public’s concerns about protecting personal information. The use of Social Security numbers as a primary form of identification in Medicare and other health insurance programs exposes individuals to identity theft. Many states have enacted statutes that provide some protection against inappropriate disclosures of personally identifiable medical information, but the patchwork of state laws leaves many gaps in privacy protections. A comprehensive framework of privacy and security safeguards, including transparency regarding uses and disclosures of personal health data, will help to ensure public trust in HIT and the appropriate use of health information.

The Genetic Information Nondiscrimination Act (GINA), enacted in 2008, bars the use of genetic testing information for health insurance and employment decisions. (GINA does not apply to life, disability, or long-term care insurance.) Increased marketing of genetic testing kits to beneficiaries poses potentially unnecessary risks due to the possibility of misinterpretation and the unreliability of results. Counseling on the proper use and interpretation of such tests is not always available or adequate.

Regulations issued under the 1996 Health Insurance Portability and Accountability Act (HIPAA) established important privacy protections, such as requirements for “covered entities” to provide beneficiaries with notice of their rights and protections along with access to or copies of their personal health information if requested. HIPAA rules apply to health plans, health care clearinghouses, and health care providers that conduct billing and other transactions electronically.

The HITECH portion of the American Recovery and Reinvestment Act of 2009 further strengthened privacy protections, moving the health care system closer to achieving the necessary privacy and data security framework. HITECH also extends accountability to those doing business (known as “business associates”) with HIPAA covered entities. (It is important to note that HIPAA does not apply to most mobile application developers or device manufacturers.)

Secondary uses of personal health information—most people understand that their personal health information must be disclosed to health care providers and insurers. But they are less likely to know that it may be used for other purposes, called “secondary use” or “reuse” of clinical data. Many quality improvement and research initiatives rely on access to personal health information to understand the effects of medical interventions or medications on individuals and populations. New technologies, such as mobile health applications and big-data sets, use personal health information for other purposes. Federal policies that protect the privacy of personal health information stored in new technologies should ensure that people can control the use of their information without creating barriers to appropriate, innovative uses of this information.

Mobile applications (e.g., heart rhythm monitors and blood sugar monitors) can help clinicians diagnose and treat some health conditions remotely. They can also help some patients manage their conditions.

The Food and Drug Administration (FDA) regulates a limited number of mobile applications that are used by health care professionals, but does not regulate many applications that are used by consumers. FDA’s policy tries to balance the need for consumer protections and the advantages of innovative technologies. (See this chapter’s section Specific Needs and Services—Medical Devices.) Technology experts say that it is possible to protect personal health information by encrypting or anonymizing user data stored on mobile devices, but many consumer devices lack these protections. They also caution that the more data that are stored on a device, the greater the consequences of a potential security breach.

New approaches to diagnosing, treating, and managing patient health may rely upon the exchange of personal health information such as EHR. Some of this exchange may occur outside of HIPAA covered entities (i.e., providers, health plans, and business associates). For example, third-party intermediaries like app developers—that are not covered by HIPAA—may become responsible for holding or directing personal health data to various providers. Through a process known as “consumer-mediated data-sharing,” consumers would be responsible for requesting and authorizing third-party apps to perform the exchange (for more discussion about consumer-mediated data-sharing, see the preceding section, Reforming the Delivery of Health Care Services—Health Information Technology). In focus groups of consumers and family caregivers conducted by AARP in 2016, participants raised concerns about the privacy and security of their personal data in such exchanges of personal health information. There should be appropriate privacy protections in place when personal health data is stored or managed outside of HIPAA covered entities.

Privacy experts believe that the Fair Information Practice Principles developed by the Federal Trade Commission could provide a framework to protect personal health information stored or transmitted via mobile applications, health devices, consumer-mediated health information exchange, and other emerging technologies. The principles call for full disclosure, including details of how data will be used. They call for data integrity, quality, and accuracy. Organizations collecting and storing data should engage in “data minimization,” which means collecting and retaining the least amount of data needed. They should also engage in “de-identification,” which means removing information that could help to identify an individual. Finally, they should ensure individual control and accountability. Regulators should ensure proper oversight of these practices, enforce them, and implement remedies and penalties when security is breached.

Some critics say that HIPAA (which applies to covered entities and their business associates when accessing, using, and disclosing personal health information) and the “Common Rule” (which covers some federal agency research) interfere with biomedical research and obstruct access to genetic databases, patient registries, medical records, and other important information sources. Others maintain that the problem comes from overzealous interpretation of the legal requirements, not the law or the regulations themselves.

Privacy and Confidentiality of Health Information: Policy

Right to privacy

In this policy: Federal, State

Appropriate federal and state agencies should monitor and enforce compliance with privacy regulations, and educate and guide covered entities as to whether their policies and procedures are reasonable and appropriate.

Federal and state governments should ensure individuals’ right to privacy and data security with respect to their personal health information. State and federal policies should grant individuals the right to examine and copy the contents of their health care records, to be notified who has examined these records, and to identify who may have access to their personally identifiable health information and for what purpose.

HHS should ensure that business associates of entities covered by HIPAA restrict their uses and disclosure of an individual’s personal health information to only what is necessary for the business associate to carry out the activities it has agreed to perform for the covered entity.

States and the federal government should ensure robust protections for all personal and health information that allow for reasonable sharing to support better care. All business entities, including third-party data intermediaries, that access, use, and disclose identifiable health information—whether covered by HIPAA or not—should comply with any federal, state, or local confidentiality and privacy safeguards for ensuring that such information is protected.

State and federal regulators should establish clear expectations for compliant behavior so that all regulated entities will have an understanding of when it is permissible to share information with other entities authorized to receive it. This guidance should be designed to address uncertainties that may inhibit or deter appropriate, legal data-sharing.

State and federal regulators should periodically review privacy and security laws and revise them to address new technology innovation, including consumer-mediated health exchanges, records, and information.

Appropriate federal and state regulators should initiate public education about the risks and benefits of mobile devices, including potential breaches of the confidentiality of the personal information stored on them.

Design attributes for health information technology (HIT) systems to protect personal health information

In this policy: Federal, State

Essential design attributes of HIT systems must address the following:

  • control and access—individuals must have the ability to control who has access to their personal health information and have the ability to review who has accessed their files;
  • disclosure and accountability—individuals should receive readily accessible information that fully explains policies affecting the transfer of their personal health information and how it may be used;
  • functionality—individuals must be able to move their information securely and reliably from one health care entity to another; and
  • governance—consumers must be represented on an equal footing with other parties in the governance and advisory structure of all regional and national bodies, including standard-setting and operational entities.

Federal and state agencies must ensure that:

  • policies and practices addressing personal health information are developed in an open and transparent manner;
  • the purposes and intended uses for which personal data are collected are specified at the time of collection, and subsequent uses are limited to the initially specified purpose unless otherwise disclosed;
  • personal health information is not made available or used for any purposes other than those specified;
  • individuals can control access to their personal health information and have the right to obtain data relating to them delivered within a reasonable timeframe at an affordable cost (if any), and in a form that is readily understandable;
  • if an individual’s request for personal health data is denied by the entity controlling access to the data, the individual should be able to challenge the denial and have such data corrected, completed, or amended;
  • all personal data collected are relevant to the purposes for which they are to be used and are accurate, complete, and current;
  • personal data are protected by reasonable security safeguards against risks such as loss, unauthorized access, destruction, use, modification, or disclosure;
  • entities controlling personal health data are held accountable for implementing effective practices to ensure adherence to these principles; and
  • legal and financial remedies exist to address security breaches or privacy violations.

In this policy: Federal, State

AARP opposes the use or disclosure of an individual’s health information without prior consent except for:

  • public health reporting, as required by law—a court order must be required of law enforcement agencies seeking access to personal health information;
  • ensuring the financial integrity of publicly funded health programs (provided that personal identifiers have been removed);
  • research and quality assessment and improvement (provided that personal identifiers have been removed); and
  • health care interventions, including disease management programs and chronic-care coordination.

AARP supports policies that:

  • prohibit the use of patients’ clinical information for marketing purposes without the individuals’ express written consent or opt-in authorization;
  • require the types of communication constituting “marketing” to be clearly delineated—criteria to define this term include whether information is directly related to ongoing treatment regimens, whether it concerns new products, and whether a covered entity is receiving any remuneration for giving information to consumers;
  • ensure the right of consumers to have their names removed from marketing lists; and
  • ensure consumers are informed when their personal health information is transferred by a health care entity.

Genetic testing

In this policy: Federal

Genetic testing should not be performed on individuals unless they have provided informed consent.

AARP supports the role of licensed health professionals in advising consumers about the need for and interpretation of all genetic testing.

AARP supports the value of family health history being discussed with family members and clinicians, with appropriate referral to genetic counselors as necessary.

Social Security numbers

In this policy: Federal, State

Medicare and other insurers should transition by a certain date from the use of Social Security numbers as the primary form of identification to some other appropriate form of identification, to better ensure individual privacy and security while maintaining convenience and access to services. (For background and further policies on protecting the privacy of Social Security numbers, see Chapter 11, Financial Services and Consumer Products: Digital Privacy and Security—Information Privacy.)