Health Information Security & Privacy
February 9, 2014
ONC Policy HIT Policy Committee Privacy and Security Workgroup
Denise Anthony • Sociology and ISTS • Dartmouth College
Acknowledgements
Some of the work reported here was supported by NSF grant (CNS-0910842) on Trustworthy Information Systems in Healthcare (TISH), and the SHARPS project, under award HHS 90TR0003/01 from U.S. Department of Health & Human Services. The statements, findings, conclusions, and recommendations are those of the author and do not necessarily reflect the views of the National Science Foundation, or U.S. Department of Health & Human Services.
Thanks to many colleagues who are collaborators on some of the work described here: Ajit Appari, Celeste Campos-Castillo, Carl Gunter, Eric Johnson, David Kotz, Sean Smith, Timothy Stablein.
EHRs and Privacy, Trust, & Transparency
• Many patients value EHRs for themselves and their providers
• Positive correlation between EHR use and patient perceptions of quality of care
• BUT controlling for quality, patients more likely to withhold information because of concerns about privacy with providers who use an EHR (Campos-Castillo & Anthony 2014)
• Particular groups (e.g., those at risk of health-related or other social stigma)
  • have less trust in physician confidentiality generally
  • express concerns about disclosure of PHI when EHRs in use (though also see benefits of EHRs) (Teixeira et al 2011; Stablein & Anthony 2012)
  • willing to disclose when have trusting relationship with a provider
Dartmouth
EHRs and Privacy, Trust, & Transparency
Implications:
• EHRs increase patient concerns about information flows (who has access to what; why access), particularly among some groups (e.g., those at risk of stigma)
• Doctors and other health care providers can facilitate communication and trust by acknowledging patient privacy concerns and discussing commitment to confidentiality* as part of doctor/provider-patient relationship
Recommendation:
• Promote transparency about information flows and commitment to confidentiality through provider communication – more than simply Notice of Privacy Practices
* confidentiality: expectation that personal information is protected and used appropriately; a set of rules that governs access to and use of information.
What are consumer expectations about disclosure of PHI?
2014 national random probability sample of continental US residential population of adults, n=784

| Sample Characteristics | Weighted Mean or Percentage |
|---|---|
| % Female | 51.1 |
| % Race/ethnicity: White | 82.9 |
| % Race/ethnicity: Black | 7.7 |
| % Race/ethnicity: Hispanic | 5.6 |
| % Race/ethnicity: Other | 4.2 |
| % U.S. Immigrant | 9.1 |
| Mean household income (dollars) | 85,304 |
| % Education: High school or less | 14.9 |
| % Education: Some college | 28.2 |
| % Education: College | 35.9 |
| % Education: Graduate | 21.0 |
| % Employed | 67.8 |
| Mean age | 48.3 |
| % Private health insurance | 79.4 |
| % Made health care visit past year | 87.1 |
| % Has regular provider | 77.5 |
| % Provider uses EHR | 60.2 |
What do consumers think about EHRs?

| Statement | Agree | Strongly Agree | TOTAL Agree |
|---|---|---|---|
| It is important for my doctor to have an electronic record of me. | 37% | 22% | 59% |
| Doctors and other health care providers should be able to share my medical info electronically. | 32% | 22% | 54% |
| It is important for me to be able to get my medical information electronically. | 37% | 35% | 72% |
What do consumers expect about transparency of PHI disclosure?

| Statement | Agree | Strongly Agree | TOTAL Agree |
|---|---|---|---|
| It is important for me to find out who has looked at my medical records. | 44% | 22% | 66% |
| I should be able to find out who my doctor discloses my medical information to. | 42% | 49% | 91% |
How confident are consumers in control over and protection of their PHI?

| Statement | Very Confident | Somewhat Confident | Not Confident |
|---|---|---|---|
| I have some say in who is allowed to collect, use, and share my medical information. | 33% | 49% | 18% |
| I have some say in whether my medical information is shared with anyone other than my doctor/provider. | 36% | 45% | 19% |
| Safeguards (including the use of technology) are in place to protect my medical records from being seen by people who aren’t authorized to see them | 31% | 52% | 17% |
Patient expectations about disclosure of PHI
Implications:
• Patients expect that they can find out who looks at their medical records, and to whom their doctor discloses their PHI
• At least some patients feel confident that they have some say over disclosure of their PHI, and that safeguards are in place to protect PHI from unauthorized access
Recommendation:
• Promote transparency about information flows by facilitating patients’ right to receive an accounting of disclosures
  • Provide information/tools for how to do so
• Follow basic FIPPs and Security & Privacy “by design” principles to build on foundation of patient expectations and promote trust in system through increased transparency
WHY DO HOSPITALS COMPLY WITH HIPAA REGULATIONS AND WHAT DOES IT MEAN FOR US HEALTH CARE?
Denise L. Anthony, Ajit Appari, M. Eric Johnson. 2014. Journal of Health & Social Behavior. DOI: 10.1177/0022146513520431

Hospitals comply with HIPAA regulations:
• At different rates
• In different ways
• For different reasons

Figure: HIPAA Compliance in U.S. Hospitals* in 2003 (% hospitals at full compliance)

| | Mandatory Privacy Rule | Voluntary Security Rule |
|---|---|---|
| All hospitals | 65 | 16 |
| For-Profit hospitals | 88 † | 6 ‡ |
| Non-Profit hospitals | 59 | 19 |

Note: HIPAA = Health Insurance Portability and Accountability Act.
* Non-federal, acute care hospitals with 50 or more beds.
† For-profit hospitals are significantly more likely than Non-Profit hospitals to be in compliance with the mandatory HIPAA Privacy Rule.
‡ For-profit hospitals are significantly less likely than Non-Profit hospitals to be in compliance with the voluntary (in 2003) HIPAA Security Rule.
Health IT, security and regulation
Implications:
• Despite ongoing regulatory efforts and incentives, IT systems and resources vary significantly across hospitals and other health care providers
• Providers implement and follow regulations in different ways, so patients experience IT and information flows differently across providers
Recommendation:
• FIPPs, and Security & Privacy “by design” principles provide common baseline despite variation in applications, systems, devices, as well as provider structures and practices
Thoughts on “big” data and mobile data
• Delivery of health care (versus medical research) unlikely to require sharing of “big” data
• Major advances possible from research using “big” data, and combining multiple types of data, but unlikely need to be in real time
• Delivery of health care may soon require (or at least benefit from) sharing mobile health data
• Consumers will continue to demand access to medical records, and ability to combine medical records with personal health data
• Access to and use of mobile health devices and data varies across population
• Essential to require FIPPs principles in mobile apps/devices