Health Information Security & Privacy February 9, 2014 ONC Policy HIT Policy Committee Privacy and Security Workgroup Denise Anthony • Sociology and ISTS • Dartmouth College

Page 1

Health Information Security & Privacy

February 9, 2014

ONC Policy HIT Policy Committee Privacy and Security Workgroup

Denise Anthony • Sociology and ISTS • Dartmouth College

Page 2

Acknowledgements

Some of the work reported here was supported by NSF grant (CNS-0910842) on Trustworthy Information Systems in Healthcare (TISH), and the SHARPS project, under award HHS 90TR0003/01 from U.S. Department of Health & Human Services. The statements, findings, conclusions, and recommendations are those of the author and do not necessarily reflect the views of the National Science Foundation, or U.S. Department of Health & Human Services.

Thanks to many colleagues who are collaborators on some of the work described here: Ajit Appari, Celeste Campos-Castillo, Carl Gunter, Eric Johnson, David Kotz, Sean Smith, Timothy Stablein.

Page 3

EHRs and Privacy, Trust, & Transparency

• Many patients value EHRs for themselves and their providers
• Positive correlation between EHR use and patient perceptions of quality of care
• BUT controlling for quality, patients are more likely to withhold information because of concerns about privacy with providers who use an EHR (Campos-Castillo & Anthony 2014)
• Particular groups (e.g., those at risk of health-related or other social stigma):
  - have less trust in physician confidentiality generally
  - express concerns about disclosure of PHI when EHRs are in use (though they also see benefits of EHRs) (Teixeira et al 2011; Stablein & Anthony 2012)
  - are willing to disclose when they have a trusting relationship with a provider

Dartmouth

Page 4

EHRs and Privacy, Trust, & Transparency

Implications:
• EHRs increase patient concerns about information flows (who has access to what; why access), particularly among some groups (e.g., those at risk of stigma)
• Doctors and other health care providers can facilitate communication and trust by acknowledging patient privacy concerns and discussing commitment to confidentiality* as part of the doctor/provider-patient relationship

Recommendation: Promote transparency about information flows and commitment to confidentiality through provider communication – more than simply the Notice of Privacy Practices

* confidentiality: expectation that personal information is protected and used appropriately; a set of rules that governs access to and use of information.

Page 5

What are consumer expectations about disclosure of PHI?

2014 national random probability sample of continental US residential population of adults, n=784

Sample Characteristics (weighted mean or percentage)

% Female                               51.1
Race/ethnicity (%)
    White                              82.9
    Black                               7.7
    Hispanic                            5.6
    Other                               4.2
% U.S. Immigrant                        9.1
Mean household income (dollars)      85,304
Education (%)
    High school or less                14.9
    Some college                       28.2
    College                            35.9
    Graduate                           21.0
% Employed                             67.8
Mean age                               48.3
% Private health insurance             79.4
% Made health care visit past year     87.1
% Has regular provider                 77.5
% Provider uses EHR                    60.2

Page 6

What do consumers think about EHRs?

It is important for my doctor to have an electronic record of me.
    Agree 37% / Strongly Agree 22% / TOTAL Agree 59%

Doctors and other health care providers should be able to share my medical info electronically.
    Agree 32% / Strongly Agree 22% / TOTAL Agree 54%

It is important for me to be able to get my medical information electronically.
    Agree 37% / Strongly Agree 35% / TOTAL Agree 72%

Page 7

What do consumers expect about transparency of PHI disclosure?

It is important for me to find out who has looked at my medical records.
    Agree 44% / Strongly Agree 22% / TOTAL Agree 66%

I should be able to find out who my doctor discloses my medical information to.
    Agree 42% / Strongly Agree 49% / TOTAL Agree 91%

Page 8

How confident are consumers in control over and protection of their PHI?

I have some say in who is allowed to collect, use, and share my medical information.
    Very Confident 33% / Somewhat Confident 49% / Not Confident 18%

I have some say in whether my medical information is shared with anyone other than my doctor/provider.
    Very Confident 36% / Somewhat Confident 45% / Not Confident 19%

Safeguards (including the use of technology) are in place to protect my medical records from being seen by people who aren’t authorized to see them.
    Very Confident 31% / Somewhat Confident 52% / Not Confident 17%

Page 9

Patient expectations about disclosure of PHI

Implications:
• Patients expect that they can find out who looks at their medical records, and to whom their doctor discloses their PHI
• At least some patients feel confident that they have some say over disclosure of their PHI, and that safeguards are in place to protect PHI from unauthorized access

Recommendation: Promote transparency about information flows by facilitating patients’ right to receive an accounting of disclosures
• Provide information/tools for how to do so
• Follow basic FIPPs and Security & Privacy “by design” principles to build on the foundation of patient expectations and promote trust in the system through increased transparency

Page 10

WHY DO HOSPITALS COMPLY WITH HIPAA REGULATIONS AND WHAT DOES IT MEAN FOR US HEALTH CARE?
Denise L. Anthony, Ajit Appari, M. Eric Johnson. 2014. Journal of Health & Social Behavior. DOI: 10.1177/0022146513520431

Hospitals comply with HIPAA regulations:
• At different rates
• In different ways
• For different reasons

[Figure: HIPAA Compliance in U.S. Hospitals* in 2003 (bar chart; y-axis: % Hospitals at Full Compliance)]

                         Mandatory Privacy Rule    Voluntary Security Rule
All hospitals                    65                        16
For-Profit hospitals             88 †                       6 ‡
Non-Profit hospitals             59                        19

Note: HIPAA = Health Insurance Portability and Accountability Act.
* Non-federal, acute care hospitals with 50 or more beds.
† For-profit hospitals are significantly more likely than Non-Profit hospitals to be in compliance with the mandatory HIPAA Privacy Rule.
‡ For-profit hospitals are significantly less likely than Non-Profit hospitals to be in compliance with the voluntary (in 2003) HIPAA Security Rule.

Page 11

Health IT, security and regulation

Implications:
• Despite ongoing regulatory efforts and incentives, IT systems and resources vary significantly across hospitals and other health care providers
• Providers implement and follow regulations in different ways, so patients experience IT and information flows differently across providers

Recommendation: FIPPs, and Security & Privacy “by design” principles, provide a common baseline despite variation in applications, systems, and devices, as well as provider structures and practices

Page 12

Thoughts on “big” data and mobile data

• Delivery of health care (versus medical research) is unlikely to require sharing of “big” data
• Major advances are possible from research using “big” data, and combining multiple types of data, but this is unlikely to need to be in real time
• Delivery of health care may soon require (or at least benefit from) sharing mobile health data
• Consumers will continue to demand access to medical records, and the ability to combine medical records with personal health data
• Access to and use of mobile health devices and data varies across the population
• Essential to require FIPPs principles in mobile apps/devices