Privacy and Security Principles for Health Information Technology

CDT believes there is a need to adopt a comprehensive privacy and security framework for protection of health data as information technology is increasingly used to support exchange of medical records and other health information. CDT believes that privacy and security protections will build public trust, which is crucial if the benefits of health information technology (health IT) are to be realized.

(1) CDT Calls for the Adoption of a Comprehensive Privacy and Security Framework for Health Information Technology

(2) Basics Required in any Health Information Technology Policy

(3) CDT’s Suggested Implementation


(1) CDT Calls for the Adoption of a Comprehensive Privacy and Security Framework for Health Information Technology

In CDT’s view, implementation of a comprehensive privacy and security framework will require a mix of legislative action, regulation and industry commitment and must take into account the complexity of the evolving health exchange environment.

Privacy and security are paramount concerns for any health IT system and must be addressed at the outset. With a comprehensive, thoughtful, and flexible approach, we can ensure that the enhanced privacy and security built into health IT systems will bolster consumer trust and confidence, spur faster adoption of health IT, and bring the realization of health IT’s potential benefits.

Without a comprehensive health IT privacy and security framework, patients will engage in "privacy-protective" behaviors, which may include withholding crucial health information from providers or avoiding treatment. The consequences are significant – for individual as well as population health.



(2) Basic Requirements of a Comprehensive Privacy and Security Framework

Health IT policies and practices should be built on three fundamental principles, as outlined by the Markle Foundation’s Connecting for Health Initiative and briefly discussed below:


  • Implementation of core privacy principles,
  • Adoption of trusted network design characteristics, and
  • Establishment of oversight and accountability mechanisms.

Core Privacy Principles

Privacy and security policies should incorporate "fair information practices" (FIPs) such as those outlined in the Markle Foundation’s Connecting for Health initiative:


  • Openness and Transparency: A general policy of openness should be enforced for any new developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, who has access to it, and where it is stored.
  • Purpose Specification and Minimization: Patients should be made aware of the purpose for data collection at the time the data are collected. The data should not be used for any other purpose without first notifying the patient.
  • Collection Limitation: Personal health information should only be collected for specified purposes and should be obtained by lawful and fair means – and where possible, with the knowledge or consent of the data subject.
  • Use Limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified.
  • Individual Participation and Control: Individuals should be able to obtain, from each entity that controls personal health data, confirmation of whether or not the entity holds data relating to them. Individuals should also have the right to have that data communicated to them in a timely and reasonable manner. Finally, individuals should be able to challenge data relating to them and have it rectified, completed, or amended.
  • Data Integrity and Quality: All personal data collected should be relevant to the purposes for which they are to be used and should be accurate, complete, and current.
  • Security Safeguards and Controls: Personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification, or disclosure.
  • Accountability and Oversight: Entities in control of personal health data must be held accountable for implementing these information practices.
  • Remedies: Legal and financial remedies must exist to address any security breaches or privacy violations.


Network Design Characteristics

The network design should facilitate exchange not through centralization of data, but rather through a "network of networks." This distributed architecture is more likely to protect information. The network must also provide for interoperability and flexibility, which support innovation and create opportunities for new entrants.

Oversight and Accountability Mechanisms

To build consumer trust in e-health systems, it is critical that all entities be held accountable for complying with the privacy and security framework. For example, Congress should enhance oversight and accountability within the health care system by enhancing enforcement of the HIPAA Privacy and Security Rules and ensuring the enactment of new, enforceable standards for entities outside of the traditional health care system with access to identifiable health information.

Role of HIPAA in the New Environment

  • The HIPAA Privacy Rule was a landmark in privacy protection, but it is widely recognized that the regulation is insufficient to adequately cover the new and rapidly evolving e-health environment. For example, HIPAA’s Privacy Rule often does not cover state and regional health information organizations, or third-party providers of services that facilitate consumer access to or control of health information. Further, though HIPAA’s Privacy Rule includes criteria for de-identifying data, new technologies are making it much easier to re-identify health information that was once de-identified and to combine it with personal information in other databases. In building a comprehensive privacy and security framework, Congress should build on HIPAA, filling its gaps and enacting new protections to address the increased migration of personal health information out of the health care system.



(3) CDT’s Suggested Implementation

Too much emphasis has been placed on individual consent as the method to protect privacy and security. There is an appropriate role for patient consent in a comprehensive privacy and security framework. But CDT believes that a purely consent-based system would result in a system that is less protective of privacy and confidentiality. Consent-based systems place most of the burden of privacy protection on patients, often at a time when they are least able to make complicated decisions about the use of their health data. Further, a consent-based system provides disincentives to the healthcare industry to design systems with stronger privacy and security protections. A comprehensive framework should be the goal – both for policymakers and for those implementing health IT systems.

Though entities engaged in e-health can and should act without prompting from Congress, Congress can and should establish a comprehensive policy framework to ensure that health IT and electronic health information exchange is facilitated by strong and enforceable privacy and security protections. CDT calls on Congress to have a comprehensive vision – but acknowledges that progress toward a comprehensive framework is likely to occur in a steady set of incremental, workable steps. When developing new policies, Congress should consider:

  • The appropriate role for patient consent for different e-health activities.
  • The ability of consumers to have information about when, where, and how their Personal Health Information (PHI) is accessed, used, disclosed, and stored.
  • The right of individuals to view all PHI that is collected about them and be able to correct or remove data that is not timely, accurate, relevant, or complete.
  • Limits on the collection, use, disclosure, and retention of PHI.
  • Requirements with respect to data quality.
  • Reasonable security safeguards given advances in affordable security technology.
  • Use of PHI for marketing.
  • Other secondary uses (or "reuses") of health information.
  • Responsibilities of "downstream" users of PHI.
  • Accountability for complying with rules and policies governing access, use, disclosure, enforcement, and remedies for privacy violations or security breaches.
  • Uses and safeguards for de-identified information.

While Congress should establish a strong framework for health privacy and security, it must avoid a "one size fits all" approach that treats all actors that hold personal health information the same. The complexity and diversity of entities connected through health information exchange, and their very different roles and different relationships to consumers, require precisely tailored policy solutions that are context and role-based and flexible enough to both encourage and respond to innovation.