This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)(Learn how and when to remove this template message)
Medical privacy or health privacy is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.
Many countries - including Australia, Canada, Turkey, the United Kingdom, the United States, New Zealand, and the Netherlands - have enacted laws that try to protect people's privacy. However, many of these laws have proven to be less effective in practice than in theory. The United States has passed the Health Insurance Portability and Accountability Act (HIPAA) as an attempt to increase privacy precautions within medical institutions.
- 1 History of Medical Privacy
- 2 Effects of changing medical privacy laws
- 3 Medical privacy standards and laws by country
- 3.1 Australia – eHealth
- 3.2 Canada
- 3.3 Turkey
- 3.4 United Kingdom
- 3.5 United States
- 3.6 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- 3.7 Netherlands
- 4 Privacy for research participants
- 5 See also
- 6 References
- 7 External links
History of Medical Privacy
Prior to the technological boom, medical institutions relied on the paper medium to file individual's medical data. Nowadays more and more information is stored within electronic databases. Research shows that it is safer to have information stored within a paper medium as it is harder to physically steal data, whilst digital records are vulnerable to access by hackers.
In order to reform the healthcare privacy issues in the early 1990's, researchers looked into the use of credit cards and “smart” cards to allow access to their medical information without fear of stolen information. The “smart” card allowed the storage and processing of information to be stored in a singular microchip, yet people were fearful of having so much information stored in a single spot that could easily be accessed. This “smart” card included an individual’s social security number; this is an important piece of identification that can lead to identity theft if data bases are breached. Additionally, there was a fear that people would target these medical cards because they have information that can be of value to many different third parties including employers, pharmaceutical companies, drug marketers, and insurance reviewers.
In response to the lack of medical privacy, there was a movement to create better medical privacy protection, but nothing has been officially passed. The Medical Information Bureau was thus created to prevent insurance fraud, yet it has since become a significant source of medical information for over 750 life insurance companies; thus, it is very dangerous as it is a target of privacy breachers. Although the electronic filing system of medical information has increased efficiency and administration costs have been reduced, there are negative aspects to consider. The electronic filing system allows for individual’s information to be more susceptible to outsiders; even though their information is stored on a singular card. Therefore, the medical card serves as a false sense of security as it does not protect their information completely.
Emergence of the Insurance System
The emergence of the insurance system was part of the growing democratic movement of the working-class movement. However, the idea of traditional insurance policies was soon overtaken by corporate and social insurance companies who wanted to take advantage of individuals. This ultimately caused many individuals to lose the social assistance they needed from the government. This marginalization of individuals ultimately shaped many of the institutions of many civil insurance practices.
In the nineteenth century, insurance policies were not as formal as they currently are, instead there was an ambivalent relationship between democratic institutions and civil policies. Society was primarily characterized by principles of democracy and elitism which, in theory, should create equality. However, power was concentrated among the elite, causing a feeling of mutuality and exclusivity. Therefore, many of the policies that should have created inclusivity ultimately caused more people to be marginalized. Realizing this was an issue, there was a call for inclusivity and sociability which led to new cautions regarding medical privacy and ability to access individual information.
As a result, during the twentieth century, there was a change within the insurance industry which caused a new development of medical policies on how to handle individual's medical information. There was a shift from being selective to broadening the qualifications of being able to receive insurance help. With the end of exclusiveness within the insurance market, the government started to regulate the market more and thus emerged the fear of lack of privacy. Ideas of transparency caused many people to become wary of privacy violation rights. This led to modern day advocacy groups that argued for larger protections and regulations of insurance companies. As a result, in today's society, the government plays a large role in enforcing these roles within society. Since then, the government has had the role of enforcing these regulations to protect individual’s information and data.
Patient care management systems (PCMS)
With the technological boom, there has been an expansion of the record filing system and many hospitals have therefore adopted new PCMS. PCMS are large medical records that hold many individuals' personal data. These have become critical to the efficiency of storing medical information because of high volumes of paperwork, the ability to quickly share information between medical institutions, and the increased mandatory reporting to the government. PCMS have ultimately increased the productivity of data record utilization and have created a large dependence on technology within the medical field.
It has also led to social and ethical issues because of the basic human rights that can be a casualty for this expansion of knowledge. Hospitals and health information services are now more likely to share information with third party companies. Thus, there needs to be a reform to specify the rules of the hospital personnel who have the access to medical records. This has led to the discussion of privacy rights and created safeguards that will help data keepers understand situations where it is ethical to share an individual’s medical information, provide ways for individuals to gain access to their own records, and determine who has ownership of those records. Additionally, it is used to ensure that a person’s identity is kept confidential in research or statistical purposes and understand the process to make individual’s aware that their health information is being used. Thus, a balance between privacy and confidentiality must occur in order to limit the amount of information disclosed and keep the occupations of physicians in check by constricting the information flow
Electronic Medical Records (EMR)
Electronic medical records (EMR) are a more efficient way of storing medical information, yet there are many negative aspects of this type of filing system as well. Hospitals are willing to adopt this type of filing system, yet only if they are able to ensure the protection of patient information.
Researchers found that state legislation and regulation of medical privacy laws reduce the amount of hospitals that adopt EMR by more than 24%. This is ultimately due to the decreasing positive network externalities that are created by additional state protections. With increases in restrictions against the diffusion of medical information, hospitals have neglected to adopt the new EMR’s because privacy laws restrict health information exchanges. With decreasing amounts of medical institutions adopting the EMR filing system, the federal government’s plan to have a national health network will be stopped. The national network will ultimately cost the US $156 billion in investments, yet in order for this to happen, the government needs to place higher emphasis on protecting individual medical privacy. Many politicians and business leaders find that EMR’s allow for more efficiency in both time and money, yet they neglect to address the decreasing privacy protections, demonstrating the significant trade off between EMR’s and individual privacy.
Privacy and Electronic Health Records (EHRs)
The three goals of information security, including electronic information security, are confidentiality, integrity, and availability. Organizations are attempting to meet these goals, referred to as the C.I.A. Triad, which is the "practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction."
In a 2004 editorial in the Washington Post, U.S. Senators Bill Frist and Hillary Clinton supported this observation, stating "[patients] need...information, including access to their own health records... At the same time, we must ensure the privacy of the systems, or they will undermine the trust they are designed to create". A 2005 report by the California Health Care Foundation found that "67 percent of national respondents felt 'somewhat' or 'very concerned' about the privacy of their personal medical records".
The importance of privacy in electronic health records became prominent with the passage of the American Recovery and Reinvestment Act (ARRA) in 2009. One of the provisions (known as the Health Information Technology for Economic and Clinical Health [HITECH] Act) of the ARRA mandated incentives to clinicians for the implementation of electronic health records by 2015.Privacy advocates in the United States have raised concerns about unauthorized access to personal data as more medical practices switch from paper to electronic medical records. The Office of the National Coordinator for Health Information Technology (ONC) explained that some of the safety measures that EHR systems can utilize are passwords and pin numbers that control access to such systems, encryption of information, and an audit trail to keep track of the changes made to records.
Providing patient access to EHRs is strictly mandated by HIPAA's Privacy Rule. One study found that each year there are an estimated 25 million compelled authorizations for the release of personal health records. Researchers, however, have found new security threats open up as a result. Some of these security and privacy threats include hackers, viruses, and worms. These privacy threats are made more prominent by the emergence of "cloud computing", which is the use of shared computer processing power. Health care organizations are increasingly using cloud computing as a way to handle large amounts of data. This type of data storage, however, is susceptible to natural disasters, cybercrime and technological terrorism, and hardware failure. Health information breaches accounted for the 39 percent of all breaches in 2015. IT Security costs and implementations are needed to protect health institutions against security and data breaches.
Health screening cases
Although privacy issues with the health screening is a great concern among individuals and organizations, there has been little focus on the amount of work being done within the law to maintain the privacy expectation that people desire. Many of these issues lie within the abstractness of the term “privacy” as there are many different interpretations of the term, especially in the context of the law. Prior to 1994, there had been no cases regarding screening practices and the implications towards an individual’s medical privacy, unless it was regarding HIV and drug testing. Within Glover v Eastern Nebraska Community Office of Retardation, an employee sued her employer against violating her 4th amendment rights because of unnecessary HIV testing. The court ruled in favor of the employer and argued that it was unreasonable search to have it tested. However, this was only one of the few precedents that people have to use. With more precedents, the relationships between employees and employers will be better defined. Yet with more requirements, testing among patients will lead to additional standards for meeting health care standards. Screening has become a large indicator for diagnostic tools, yet there are concerns with the information that can be gained and subsequently shared with other people other than the patient and healthcare provider
Third party issues
One of the main dangers to an individual’s privacy are private corporations because of the profits they can receive from privacy-violating information. Privacy merchants are made up of two groups - one that tries to collect people’s personal information while the other focuses on using client’s information to market company products. Subsequently, privacy merchants purchase information from other companies, such as health insurance companies, if there is not sufficient information from their own research. Privacy merchants target health insurance companies because, nowadays, they collect huge amounts of personal information and keep them in large databases. They often require patients to provide more information that is needed for purposes other than that of doctors and other medical workers.
Additionally, people’s information can be linked to other information outside of the medical field. For example, many employers use insurance information and medical records as an indicator of work ability and ethic. The selling of privacy information can also lead employers to make lots of money; however, this happens to many people without their consent or knowledge.
Within the United States, in order to define clear privacy laws regarding medical privacy, Title 17 thoroughly explains the ownership of one’s data and adjusted the law so that people have more control over their own property. The Privacy Act of 1974 offers more restrictions regarding what corporations can access outside of an individual’s consent.
States have created additional supplements to medical privacy laws. With HIPAA, many individuals were pleased to see the federal government take action in protecting the medical information of individuals. Yet when people looked into it, there was proof that the government was still protecting the rights of corporations. Many rules were seen as more of suggestions and the punishment for compromising the privacy of its patients were minimal. Even if release of medical information requires consent, blank authorizations can be allowed and will not ask for individuals for additional consent later on.
Although there is a large group of people who oppose the selling of individual’s medical information, there are groups such as the Health Benefits Coalition, the Healthcare Leadership Council, and the Health Insurance Association of America that are against the new reforms for data protection as it can ruin their work and profits. Furthermore, it is not the government that is the reason for many issues with medical privacy, but it is the large corporations that are trying to make profits off of our data.
Recent efforts to protect health information
With the lack of help from the Department of Health and Human Services there is a conflict of interest that has been made clear. Some wish to place individual betterment as more important, while others focus more on external benefits from outside sources. The issues that occur when there are problems between the two groups are also not adequately solved which leads to controversial laws and effects. Individual interests take precedence over the benefits of society as a whole and are often viewed as selfish and for the gain of capital value. If the government does not make any more future changes to the current legislation, countless organizations and people will have access to individual medical information.
In 1999, the Gramm-Leach-Biley Act (GLBA) addressed the insurance privacy debate regarding medical privacy. Yet, there were many issues with the implementation. One issue was that there were inconsistent regulation requirements within the different states due to preexisting laws. Secondly, it was difficult to combine the pre-existing laws with the new framework. And thirdly, in order for the federal government to implement these new rules, they needed state legislature to pass it.
GLBA aimed to regulate financial institutions so that corporations could not affect people’s insurance. Because of the difficulty of the implementation of the GBLA, state legislatures are able to interpret the laws themselves and create initiatives to protect the medical privacy. When states are creating their own independent legislature, they create standards that understand the impact of the legislation. If they stray from the standard laws, they must be valid and fair. The new legislation must protect the rights of businesses and allow them to continue to function despite federally regulated competition. Patients gain benefits from these new services and standards through the flow of information that is considerate with medical privacy expectations.
These regulations should focus more on the consumer versus the benefits and political exploitation. Many times, regulations are for the personal gain of the corporation, therefore, state legislatures be wary of this and try to prevent it to the best of their abilities. Medical privacy is not a new issue within the insurance industry, yet the problems regarding exploitation continue to reoccur; there is more focus on taking advantage of the business environment for personal gain.
In 2001, President George W. Bush passed additional regulations to HIPAA in order to better protect the privacy of individual medical information. These new regulations were supposed to safeguard health information privacy by creating extensive solutions for the privacy of patients. The new regulation goals included being notified once an individual's information is inspected, amend any medical records, and request communication opportunities to discuss information disclosure.
However, there are exceptions to when the disclosure of PHI can be inspected. This includes specific conditions among law enforcement, judicial and administrative proceedings, parents, significant others, public health, health research, and commercial marketing. These aspects of lack of privacy have caused an alarming amount of gaps within privacy measures.
Ultimately, there is still an issue on how to ensure privacy securities; in response, the government has created new regulations that makes trade offs between an individual's privacy and public benefit. These new regulations, however, still cover individually identifiable health information - any data that contains information unique to an individual. However, non-identifiable data is not covered as the government claims it will cause minimal damage to a person’s privacy. It also covers all health care organizations, covers businesses as well.
Additionally, under new HIPAA additions, the state legislation is more protective than national laws because it created more obligations for organizations to follow. Ultimately, the new rules called for expansive requirements that created better safety measures for individuals. Yet, there are still ways that businesses and healthcare organizations can be exempt from disclosure rules for all individuals. Thus, the HHS needs to find more ways to balance personal and public trade offs within medical laws. This creates a need for extra government intervention to enforce legislation and new standards to decrease the amount of threats against an individual’s privacy of health data.[opinion]
Effects of changing medical privacy laws
Patients want to be able to share medical information with their physicians, yet they worry about potential privacy breaches that can occur when they release financial and confidential medical information. In order to ensure better protection, the government has created frameworks for keeping information confidential - this includes being transparent about procedures, disclosure and protection of information, and monitoring of these new rules to ensure that people’s information.
Effects of Technological Advances regarding physician-patient relationships
Recently physicians and patients have started to use email as an additional communication tool for treatment and medical interactions. This way of communication is not “new”, but its effects on doctor patient relationships has created new questions regarding legal, moral, and financial problems.
The American Medical Informatics Association has characterized medical emails as way to communicate “medical advice, treatment, and information exchanged professionally”; yet, the “spontaneity, permanence, and information power characterizing” role is significant because of its unknown affects. However, the use of emails allows for increased access, immediate aid, and increased interactions between patients and doctors. There are many benefits and negative aspects of using emails; doctors feel a new sense of negative responsibility to respond to emails outside of the office, but also find benefits with facilitating rapid responses to patient’s questions.
Additionally, the use of email between physicians and their patients will continue to grow because of the increasing use of the Internet. With the Internet, patients are able to ask for medical advice and treatment, yet issues regarding confidentiality and legal issues come up. Ultimately, emails between a physician and patient are supposed to be used as a supplement for face to face interactions, not for casual messages. If used properly, physicians could use emails as a way to supplement interactions and provide more medical aid to those who need it immediately.
Traditional beliefs on doctor-patient relationship that spur fear
Although many people believe that the technological changes are the reason for fear of sharing medical privacy, there is a theory that states that institutional ideals between doctors and their patients have created the fear of sharing medical privacy information. Although levels of confidentiality are changing, individuals often feel the need to share more information with their doctors in order to get diagnosed correctly. Because of this, people are concerned with how much information their physicians have. This information could be transferred to other third party companies. However, there is a call for smaller emphasis on sharing and confidentiality in order to rid patients from their fears of information breaching. There is a common belief that the confidentiality of one’s information also only protects the doctors and not the patients, therefore there is a negative stigma towards revealing too much information. Thus it causes patients to not share vital information relevant to their illnesses.
Medical privacy standards and laws by country
Australia – eHealth
This section's tone or style may not reflect the encyclopedic tone used on Wikipedia. (June 2015) (Learn how and when to remove this template message)
On July 1, 2012, the Australian Government launched the Personally Controlled Electronic Health Record (PCEHR) (eHealth) system. Once the system is fully implemented, it will incorporate an electronic summary prepared by nominated healthcare providers along with consumer-provided notes. Further, the summary will include information on the individual's allergies, adverse reactions, medications, immunizations, diagnoses, and treatments. The consumer notes will operate as a personal medical diary that only the individual can view and edit. The opt-in system gives people the option to choose whether to register for the eHealth record or not.
As of January 2016, the Commonwealth Department of Health changed the name PCEHR to My Health Record.
Privacy – Governance
The Personally Controlled Electronic Health Records Act 2012 and Privacy Act 1988 governs how eHealth record information is managed and protected. The PCEHR System Operator abides by the Information Privacy Principles in the Privacy Act 1988 (Commonwealth) as well as any applicable State or Territory privacy laws. A Privacy Statement sets out the application of the collection of personal information by the System Operator. The statement includes an explanation of the types of personal information collected, what the information is used for, and how the information is stored. The statement covers measures in place to protect personal information from misuse, loss, unauthorized access, modification, and disclosure.
Privacy – Security measures
Security measures include audit trails so that patients can see who has accessed their medical records along with the time the records were accessed. Other measures include the use of encryption as well as secure logins and passwords. Patient records are identified using an Individual Health Identifier (IHI), assigned by Medicare, the IHI service provider.
Privacy – Issues
A 2012 nationwide survey in Australia assessed privacy concerns on patients' health care decisions, which could impact patient care. Results listed that 49.1% of Australian patients stated they have withheld or would withhold information from their health care provider based on privacy concerns.
- How does consent impact privacy?
One concern is that personal control of the eHealth record via consent does not guarantee the protection of privacy. It is argued that a narrow definition, 'permission' or 'agreement', does not provide protection for privacy and is not well represented in Australian legislation. The PCEHR allows clinicians to assume consent by consumer participation in the system; however, the needs of the consumer may not be met. Critics argue that the broader definition of 'informed consent' is required, as it encompasses the provision of relevant information by the healthcare practitioner, and understanding of that information by the patient.
- Is it legitimate to use personal information for public purposes?
Data from the PCEHR is to be predominantly used in patient healthcare, but other uses are possible, for policy, research, audit and public health purposes. The concern is that in the case of research, what is allowed goes beyond existing privacy legislation.
- What are ‘illegitimate’ uses of health information?
The involvement of pharmaceutical companies is viewed as potentially problematic. If they are perceived by the public to be more concerned with profit than public health, public acceptance of their use of PCEHRs could be challenged. Also perceived as problematic, is the potential for parties other than health care practitioners, such as insurance companies, employers, police or the government, to use information in a way which could result in discrimination or disadvantage.
- What are the potential implications of unwanted disclosure of patient information?
Information 'leakage' is seen as having the potential to discourage both patient and clinician from participating in the system. Critics argue the PCEHR initiative can only work, if a safe, effective continuum of care within a trusting patient/clinician relationship is established. If patients lose trust in the confidentiality of their eHealth information, they may withhold sensitive information from their health care providers. Clinicians may be reluctant to participate in a system where they are uncertain about the completeness of the information.
- Are there sufficient safeguards for the protection of patient information?
Security experts have questioned the registration process, where those registering only have to provide a Medicare card number, and names and birth dates of family members to verify their identity. Concerns have also been raised by some stakeholders, about the inherent complexities of the limited access features. They warn that access to PCEHR record content, may involve transfer of information to a local system, where PCEHR access controls would no longer apply.
The privacy of patient information is protected at both the federal level and provincial level in Canada. The health information legislation established the rules that must be followed for the collection, use, disclosure and protection of health information by healthcare workers known as "custodians". These custodians have been defined to include almost all healthcare professionals (including all physicians, nurses, chiropractors, operators of ambulances and operators of nursing homes). In addition to the regulatory bodies of specific healthcare workers, the provincial privacy commissions are central to the protection of patient information.
Much of the current legislation concerning privacy and patient information was enacted since 2000 as a result of the proliferation of the use electronic mobile devices in Canada. As a result, both large and small private businesses created smartphone and EMR solutions that comply with applicable legislation.
The privacy of patient information is guaranteed by articles 78 and 100 of legal code 5510.
On the other hand, the Social Security Institution (SGK), which regulates and administers state-sponsored social security / insurance benefits, sells patient information after allegedly anonimizing the data, confirmed on October 25, 2014.
The National Health Service is increasingly using electronic health records, but until recently, the records held by individual NHS organisations, such as General Practitioners, NHS Trusts, dentists and pharmacies, were not linked. Each organisation was responsible for the protection of patient data it collected. The care.data programme, which proposed to extract anonymised data from GP surgeries into a central database, aroused considerable opposition.
In 2003, the NHS made moves to create a centralized electronic registry of medical records. The system is protected by the UK's Government Gateway, which was built by Microsoft. This program is known as the Electronic Records Development and the Implementation Programme (ERDIP). The NHS National Program for IT was criticized for its lack of security and lack of patient privacy. It was one of the projects that caused the Information Commissioner to warn about the danger of the country "sleepwalking" into a surveillance society. Pressure groups[according to whom?] opposed to ID cards also campaigned against the centralized registry.
Newspapers feature stories about lost computers and memory sticks but a more common and longstanding problem is about staff accessing records that they have no right to see. It has always been possible for staff to look at paper records, and in most cases, there is no track of record. Therefore, electronic records make it possible to keep track of who has accessed which records. NHS Wales has created the National Intelligent Integrated Audit System which provides "a range of automatically generated reports, designed to meet the needs of our local health boards and trusts, instantly identifying any potential issues when access has not been legitimate". Maxwell Stanley Consulting will use a system called Patient Data Protect (powered by VigilancePro) which can spot patterns – such as whether someone is accessing data about their relatives or colleagues.
Since 1974, numerous federal laws have been passed in the United States to specify the privacy rights and protections of patients, physicians, and other covered entities to medical data. Many states have passed its own laws to try and better protect the medical privacy of their citizens.
An important national law regarding medical privacy is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), yet there are many controversies regarding the protection rights of the law.
The Oregon Genetic Privacy Act (GPA) states that “an individual’s genetic information is the property of the individual”. The idea of an individual’s DNA being compared to property occurred when research caused an individual’s privacy to be threatened. Many individuals believed that their genetic information was “more sensitive, personal, and potentially damaging than other types of medical information.” Thus, people started calling for more protections. People started to question the how their DNA would be able to stay anonymous within research studies and argued that the identity of an individual could be exposed if the research was later shared. As a result, there was a call for individuals to treat their DNA as property and protect it through property rights. Therefore, individuals can control the disclosure of their information without extra questioning and research. Many people believed that comparing one’s DNA to property was inappropriate, yet individuals argued that property and privacy are interconnected because they both want to protect the right to control one’s body.
Many research and pharmaceutical companies showed opposition because they were worried about conflicts that might arise regarding privacy issues within their work. Individuals, on the other hand, continued to support the act because they wanted protection over their own DNA. As a result, lawmakers created a compromise that included a property clause, that would give individuals protection rights, but also included provisions that would allow research to be done without much consent, limiting the benefits of the provisions. Afterwards, a committee was created to study the effects of the act and how it affected the way it was analyzed and stored. They found that the act benefited many individuals who did not want their privacy being shared with others and therefore the law was officially implemented in 2001.
In order to solve HIPAA issues within Connecticut, state legislatures tried to create better provisions to protect the people living within the state. One of the issues that Connecticut tried to solve were issues with consent. Within the consent clause, health plans and health care clearinghouses do not need to receive consent from individuals because of a general provider consent form with gives healthcare providers permission to disclose all medical information. The patient thus does not get notification when their information is being shared afterwards.
Connecticut, like many other states, tried to protect individual’s information from disclosure of information through additional clauses that would protect them from businesses initiatives. In order to do so, Connecticut legislature passed the Connecticut Insurance Information and Privacy Protect Act, which provides additional protections of individual medical information. If third parties neglect to follow this law, they will be fined, may face jail time, and may have their licenses suspended. Yet, even in these additional provisions, there were many holes within this legislation that allowed for businesses agreements to be denied and subsequently, information was compromised. Connecticut is still working to shift its divergent purposes to creating more stringent requirements that create better protections through clear provisions of certain policies.
In California, the Confidentiality of Medical Information Act (CMIA), provides more stringent protections than the federal statutes. HIPAA expressly provides that more stringent state laws like CMIA, will override HIPAA's requirements and penalties. More specifically, CMIA prohibits providers, contractors and health care service plans from disclosing PHI without prior authorization.
These medical privacy laws also set a higher standard for health IT vendors or vendors of an individual's personal health record (PHR) by applying such statutes to vendors, even if they are not business associates of a covered entity. CMIA also outlines penalties for violating the law. These penalties range from liability to the patient (compensatory damages, punitive damages, attorneys’ fees, costs of litigation) to civil and even criminal liability.
Likewise, California's Insurance Information and Privacy Protection Act (IIPPA) protects against unauthorized disclosure of PHI by prohibiting unapproved information sharing for information collected from insurance applications and claims resolution.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The most comprehensive law passed is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was later revised after the Final Omnibus Rule in 2013. HIPAA provides a federal minimum standard for medical privacy, sets standards for uses and disclosures of protected health information (PHI), and provides civil and criminal penalties for violations.
Prior to HIPAA, only certain groups of people were protected under medical laws such as individuals with HIV or those who received Medicare aid. HIPAA provides protection of health information and supplements additional state and federal laws; yet it should be understood that the law’s goal is to balance public health benefits, safety, and research while protecting the medical information of individuals. Yet many times, privacy is compromised for the benefits of the research and public health.
According to HIPAA, the covered entities that must follow the law's set mandates are health plans, health care clearinghouses, and health care providers that electronically transmit PHI. Business associates of these covered entities are also subject to HIPAA's rules and regulations.
In 2008, Congress passed the Genetic Information Nondiscrimination Act of 2008 (GINA), which aimed to prohibit genetic discrimination for individuals seeking health insurance and employment. The law also included a provision which mandated that genetic information held by employers be maintained in a separate file and prohibited disclosure of genetic information except in limited circumstances.
In 2013, after GINA was passed, the HIPAA Omnibus Rule amended HIPAA regulations to include genetic information in the definition of Protected Health Information (PHI). This rule also expanded HIPAA by broadening the definition of business associates to include any entity that sends or accesses PHI such as health IT vendors.
Controversies regarding HIPAA
Contrary to the popular belief, the Health Insurance Portability and Accountability Act (HIPAA) does not provide strong medical privacy protections as it only provides regulations that disclose certain information.
The government authorizes the access of an individual’s health information for “treatment, payment, and health care options without patient consent”. Additionally, HIPAA rules are very broad and do not protect an individual from unknown privacy threats. Additionally, a patient would not be able to identify the reason for breach due to inconsistent requirements. Because of limited confidentiality, HIPAA facilitates the sharing of medical information as there is little limitation from different organizations. Information can easily be exchanged between medical institutions and other non-medical institutions because of the little regulation of HIPAA - some effects include job loss due to credit score sharing or loss of insurance.
Additionally, doctors are not required to keep patients information confidential because in many cases patient consent is now optional. Patients are often unaware of the lack of privacy they have as medical processes and forms do not explicitly state the extent of how protected they are. Physicians believe that overall, HIPAA will cause unethical and non-professional mandates that can affect a person’s privacy and therefore, they in response have to provide warnings about their privacy concerns. Because physicians are not able to ensure a person’s privacy, there is a higher chance that patients will be less likely to get treatment and share what their medical concerns are. Individuals have asked for better consent requirements by asking if physicians can warn them prior to the sharing of any personal information. Patients want to be able to share medical information with their physicians, yet they worry about potential breaches that can release financial information and other confidential information and with that fear, they are wary of who may have access.
In order to ensure better protection, the government has created frameworks for keeping information confidential - some of which include being transparent about procedures, disclosure and protection of information, and monitoring of these new rules to ensure that people’s information is not affected by breaches. Although there are many frameworks to ensure the protection of basic medical data, many organizations do not have these provisions in check. HIPAA gives a false hope to patients and physicians as they are unable to protect their own information. Patients have little rights regarding their medical privacy rights and physicians cannot guarantee those.
HIPAA and Hurricane Katrina
HIPAA does not protect the information of individuals as the government is able to publish certain information when they find it necessary. The government is exempted from privacy rules regarding national security. HIPAA additionally allows the authorization of protected health information (PHI) in order to aid in threats to public health and safety as long as it follows the good faith requirement - the idea that disclosing of information is necessary to the benefit of the public. The Model State Emergency Powers Act (MSEHPA) gives the government the power to “suspend regulations, seize property, quarantine individuals and enforce vaccinations” and requires that healthcare providers give information regarding potential health emergencies".
In regards to Hurricane Katrina, many people in Louisiana relied on Medicaid and their PHI was subsequently affected. People’s medical privacy rights were soon waived in order for patient’s to get the treatment they needed. Yet, many patients were unaware that their rights had been waived. In order to prevent the sharing of personal information in future natural disasters, a website was created in order to protect people’s medical data. Ultimately, Katrina showed that the government was unprepared to face a national health scare.
Medical data outside of HIPAA
Many patients mistakenly believe that HIPAA protects all health information. HIPAA does not usually cover fitness trackers, social media sites and other health data created by the patient. Health information can be disclosed by patients in emails, blogs, chat groups, or social media sites including those dedicated to specific illnesses, "liking" web pages about diseases, completing online health and symptom checkers, and donating to health causes. In addition, credit card payments for physician visit co-pays, purchase of over the counter (OTC) medications, home testing products, tobacco products, and visits to alternative practitioners are also not covered by HIPAA.
A 2015 study reported over 165,000 health apps available to consumers. Disease treatment and management account for nearly a quarter of consumer apps. Two-thirds of the apps target fitness and wellness, and ten percent of these apps can collect data from a device or sensor. Since the Food and Drug Administration (FDA) only regulates medical devices and most of these applications are not medical devices, they do not require FDA approval. The data from most apps are outside HIPAA regulations because they do not share data with healthcare providers. "Patients may mistakenly assume that mobile apps are under the scope of HIPAA since the same data, such as heart rate, may be collected by an application that is accessible to their physician and covered by HIPAA, or on a mobile app that is not accessible to the physician and not covered by HIPAA.
Recent Attempts to improve HIPAA
In 2000, there was a new surge to add new regulations to HIPAA.
It included the following goals: to protect individual medical information by providing secure access and control of their own information, improving healthcare quality by creating a more trust between consumers and their healthcare providers and third party organizations, and improve the efficiency of the medical system through new rules and regulations put forth by the local governments, individuals, and organizations.
The implementation of these new goals was complicated by the change in administrations (Clinton to Bush), so it was difficult for the changes to be successfully implemented. HIPAA, in theory, should apply to all insurance companies, services, and organizations, yet there are exceptions to who actually qualifies under these categories.
Yet, within each category, there are specific restrictions that are different in every category. There are no universal laws that can be easily applied that are easy for organizations can follow. Thus, many states have neglected to implement these new policies. Additionally, there are new patient rights that call for better protection and disclosure of health information. However, like the new rules regarding insurance companies, the enforcement of the legislation is limited and not effective as they are too broad and complex. Therefore, it is difficult for many organizations to ensure the privacy of these people. Enforcing these new requirements also causes companies to spend many resources that they are not willing to use and enforce, which ultimately leads to further problems regarding the invasion of an individual's medical privacy.
In New Zealand, the Health Information Privacy Code (1994) sets specific rules for agencies in the health sector to better ensure the protection of individual privacy. The code addresses the health information collected, used, held and disclosed by health agencies. For the health sector, the code takes the place of the information privacy principles.
Privacy for research participants
In the course of having or being part of a medical practice, doctors may obtain information that they wish to share with the medical or research community. If this information is shared or published, the privacy of the patients must be respected. Likewise, participants in medical research that are outside the realm of direct patient care have a right to privacy as well.
- Hiller, Mare (1982). ""Patient Care Management Systems, Medical Records, and Privacy: A Balancing Act."". Public Health Reports. 97: 332–45 – via JSTOR.
- Miller, Amalia (2009). ""Privacy Protection and Technology Diffusion: The Case of Electronic Medical Records."". Management Science. 55: 1077–1093 – via JSTOR.
- Manager, Web (2011-09-28). "Australian Privacy Law & Practice - Key Recommendations for Health Information Privacy Reform". www.alrc.gov.au. Retrieved 2018-12-03.
- Edemekong, Peter F.; Haydel, Micelle J. (2018), "Health Insurance Portability and Accountability Act (HIPAA)", StatPearls, StatPearls Publishing, PMID 29763195, retrieved 2018-12-03
- Alpert, Sheri (1993). ""Smart Cards, Smarter Policy Medical Records, Privacy, and Health Care Reform."". The Hastings Center Report. 23: 13–23 – via JSTOR.
- Lengwiler, Martin (2006). ""Insurance and Civil Society: Elements of an Ambivalent Relationship."". Contemporary European History. 15: 397–416 – via JSTOR.
- Angst, Corey M., Emily S. Block, John D’Arcy, and Ken Kelley. 2017. “When Do IT Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches.” MIS Quarterly 41(3):893–916.
- Simms, Michele (1994). ""Defining Privacy in Employee Health Screening Cases: Ethical Ramifications Concerning the Employee/Employer Relationship."". Journal of Business Ethics. 13: 315–325 – via JSTOR.
- Etzioni, Amitai (2000). ""The New Enemy of Privacy: Big Bucks."". Challenge. 43: 91–106 – via JSTOR.
- Zittrain, Jonathan (2000). ""What the Publisher Can Teach the Patient: Intellectual Property and Privacy in an Era of Trusted Privication."". Stanford Law Review. 52: 1201–50 – via JSTOR.
- Van der Goes, Jr., Peter (1999). ""Opportunity Lost: Why and How to Improve the HHS-Proposed Legislation Governing Law Enforcement Access to Medical Records."". University of Pennsylvania Law Review. 147: 1009–1067 – via JSTOR.
- Zielezienski, Stephen (2002). "Insurance Privacy after Gramm-Leach-Bililey- Old Concerns, New Protections, Future Challenges". Tort & Insurance Law Journal. 37: 1139–1179.
- Gostin, Lawrence (2002). ""The Nationalization of Health Information Privacy Protections ."". Tort & Insurance Law Journal. 37: 1113–1138 – via JSTOR.
- Hosek, Susan (2013). ""Privacy of Individual Health Information."". Patient Privacy, Consent, and Identity Management in Health Information Exchange: Issues for the Military Health System: 19–30 – via JSTOR.
- Wieczorek, Susan (2010). ""From Telegraph to E-mail: Preserving the Doctor-Patient Relationship in a High-Tech Environment"". ETC: A Review of General Semantics. 67: 311–327 – via JSTOR.
- Bradburn, Norman (2001). ""Medical Privacy and Research."". The Journal of Legal Studies. 30: 687–701 – via JSTOR.
- "Australian Government - Department of Health and Ageing". PCEHR Governance. Retrieved 18 May 2013.
- "National E-Health Transition Authority (NEHTA)". Our Work - PCEHR. Retrieved 18 May 2013.
- "Australian Government - Department of Health and Ageing". Expected benefits of the national PCEHR system. Retrieved 18 May 2013.
- "Australian Government - ComLaw". Personally Controlled Electronic Health Records Act 2012. Retrieved 18 May 2013.
- "Australian Government - Office of the Australian Information Commissioner". Information Privacy Principles under the Privacy Act 1988. Retrieved 18 May 2013.
- "Australian Government - Department of Health and Ageing". Privacy. Retrieved 18 May 2013.
- Showell, CM (2011). "Citizens, patients and policy: a challenge for Australia's national electronic health record". Health Information Management Journal. 40 (2): 39–43. doi:10.1177/183335831104000206. PMID 28683627. http://www.himaa.org.au/members/journal
- Anonymous (2012). "e-Health". Australian Nursing Journal. 20 (2): 20.
- Spriggs, Merle; Arnold, Michael V; Pearce, Christopher M; Fry, Craig (2012). "Ethical questions must be considered for electronic health records" (Submitted manuscript). Journal of Medical Ethics. 38 (9): 535–539. doi:10.1136/medethics-2011-100413. PMID 22573881.
- Liaw, S. T; Hannan, T (2011). "Can we trust the PCEHR not to leak?". The Medical Journal of Australia. 195 (4): 222. PMID 21843131.
- Chan, N; Charette, J; Dumestre, D. O; Fraulin, F. O (2016). "Should 'smart phones' be used for patient photography?". Plastic Surgery (Oakville, Ont.). 24 (1): 32–4. PMC 4806754. PMID 27054136.
- "About TELUS". about.telus.com. Retrieved 2016-05-24.
- ""Sağlık Bakanlığı SGK bilgilerini sattığını doğruladı: İsim vermeden sattık" ("The Miistry of Health confirms the sale of information [to third parties] through SGK database: 'We sold [data] without [patients'] names'")". Birgün. Archived from the original on 26 October 2014. Retrieved 25 October 2014.
- Amoore, Louise & Ball, Kirstie & Graham, Stephen & Green, Nicola & Lyon, David & Murakami Wood, David & Norris, Clive & Pridmore, Jason & Raab, Charles & Rudinow Saetnan, Ann. (2006). A Report on the Surveillance Society.
- "Paperless NHS supplement: Data protection – it's a breach of trust". Health Service Journal. 13 March 2015. Retrieved 28 April 2015.
- Everett, Margaret (2007). ""The 'I' in the Gene: Divided Property, Fragmented Personhood, and the Making of a Genetic Privacy Law."". American Ethnologist. 34: 375–86 – via JSTOR.
- Butera, Adam (2002). ""HIPAA Preemption Implications for Covered Entities Under State Law"". Tort & Insurance Law Journal. 37: 1181–1211 – via JSTOR.
- Baum, Stephanie (2013-09-23). "10 things you need to know about HIPAA Omnibus final rule". MedCity News. Retrieved 2016-10-08.
- "The Law and Medical Privacy". Electronic Frontier Foundation. Retrieved 2016-10-08.
- Henry, Davis Wright Tremaine LLP-Karen A.; Keville, Terri D. "What you don't know about California's Confidentiality of Medical Information Act might hurt you! | Lexology". Retrieved 2016-10-08.
- "California Legislative Information". leginfo.legislature.ca.gov. Retrieved 2016-10-08.
- Sobel, Richard (2007). ""The HIPAA Paradox: The Privacy Rule That's Not."". Hastings Center Report. 37: 40–50 – via JSTOR.
- Hosek, Susan (2013). ""Privacy of Individual Health Information."". Patient Privacy, Consent, and Identity Management in Health Information Exchange: Issues for the Military Health System: 19–30.
- Sobel, Richard (2007). "The HIPAA Paradox: The Privacy Rule That's Not". Hastings Center Report. 37: 40–50. doi:10.1353/hcr.2007.0062. JSTOR 4625762. PMID 17844923.
- Parver, Corrine (2006). ""Lessons From Disaster: HIPAA, Medicaid, and Privacy Issues- The Nation's Response to Hurricane Katrina."". Administrative Law Review. 58: 651–662 – via JSTOR.
- Woody, Robert (2002). ""Health Information Privacy: The Rules Get Tougher"". Tort & Insurance Law Journal. 37: 1051–1076 – via JSTOR.
- EPD enquête, archived from the original on 2016-01-12
- European Standards on Confidentiality and Privacy in Healthcare
- Opt out of the NHS Spine, or the NHS Confidentiality campaign
- Electronic Frontier Foundation on medical privacy