[Med-privacy] CDT: Privacy and Security Principles for Health Information Technology
peter marshall
pwm@comcast.net
Tue, 24 Jun 2008 13:52:25 -0700
Date: June 24, 2008
Subject: CDT Policy Post 14.9: Privacy and Security Principles for Health Information Technology

This Policy Post is online: http://cdt.org/publications/policyposts/2008/9
Privacy and Security Principles for Health Information Technology
(1) CDT Calls for the Adoption of a Comprehensive Privacy and Security Framework for Health Information Technology
(2) Basics Required in any Health Information Technology Policy
(3) CDT's Suggested Implementation
_________________________________________________________
(1) CDT Calls for the Adoption of a Comprehensive Privacy and Security Framework for Health Information Technology

CDT believes there is a need to adopt a comprehensive privacy and security framework for protection of health data as information technology is increasingly used to support exchange of medical records and other health information. CDT believes that privacy and security protections will build public trust, which is crucial if the benefits of health information technology (health IT) are to be realized.

In CDT's view, implementation of a comprehensive privacy and security framework will require a mix of legislative action, regulation and industry commitment and must take into account the complexity of the evolving health exchange environment.

Privacy and security are paramount concerns for any health IT system and must be addressed at the outset. With a comprehensive, thoughtful, and flexible approach, we can ensure that the enhanced privacy and security built into health IT systems will bolster consumer trust and confidence, spur faster adoption of health IT, and bring the realization of health IT's potential benefits.

Without a comprehensive health IT privacy and security framework, patients will engage in "privacy-protective" behaviors, which may include withholding crucial health information from providers or avoiding treatment. The consequences are significant - for individual as well as population health.
_________________________________________________________
(2) Basic Requirements of a Comprehensive Privacy and Security Framework
Health IT policies and practices should be built on three fundamental principles, as outlined by the Markle Foundation's Connecting for Health Initiative and briefly discussed below:
- Implementation of core privacy principles,
- Adoption of trusted network design characteristics, and
- Establishment of oversight and accountability mechanisms.
Core Privacy Principles
=======================
Privacy and security policies should incorporate "fair information practices" (FIPs) such as those outlined in the Markle Foundation's Connecting for Health initiative:

- Openness and Transparency: A general policy of openness should be enforced for any new developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, who has access to it, and where it is stored.

- Purpose Specification and Minimization: Patients should be made aware of the purpose for data collection at the time the data are collected. The data should not be used for any other purpose without first notifying the patient.

- Collection Limitation: Personal health information should only be collected for specified purposes and should be obtained by lawful and fair means - and where possible, with the knowledge or consent of the data subject.

- Use Limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified.

- Individual Participation and Control: Individuals should be able to obtain from each entity that controls personal health data information about whether or not the entity has data relating to them. As well, individuals should have the right to have the data communicated to them in a timely and reasonable manner. Finally, individuals should be able to challenge data relating to them, and have it rectified, completed, or amended.

- Data Integrity and Quality: All personal data collected should be relevant to the purposes for which they are to be used and should be accurate, complete, and current.

- Security Safeguards and Controls: Personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification, or disclosure.

- Accountability and Oversight: Entities in control of personal health data must be held accountable for implementing these information practices.

- Remedies: Legal and financial remedies must exist to address any security breaches or privacy violations.
Network Design Characteristics
==============================

The network design should facilitate exchange not through centralization of data, but rather through a "network of networks." This distributed architecture is more likely to protect information. The network must also provide for interoperability and flexibility, which support innovation and create opportunities for new entrants.
Oversight and Accountability Mechanisms
=======================================

To build consumer trust in e-health systems, it is critical that all entities be held accountable for complying with the privacy and security framework. For example, Congress should enhance oversight and accountability within the health care system by enhancing enforcement of the HIPAA Privacy and Security Rules and ensuring the enactment of new, enforceable standards for entities outside of the traditional health care system with access to identifiable health information.
Role of HIPAA in the New Environment
====================================

- The HIPAA Privacy Rule was a landmark in privacy protection, but it is widely recognized that the regulation is insufficient to adequately cover the new and rapidly evolving e-health environment. For example, HIPAA's Privacy Rule often does not cover state and regional health information organizations, or third-party providers of services that facilitate consumer access to or control of health information. Further, though HIPAA's Privacy Rule includes criteria for de-identifying data, new technologies are making it much easier to re-identify once de-identified health information and to combine it with personal information in other databases. In building a comprehensive privacy and security framework, Congress should build on HIPAA - filling its gaps and enacting new protections to address the increased migration of personal health information out of the health care system.
_________________________________________________________
(3) CDT's Suggested Implementation
Too much emphasis has been placed on individual consent as the method to protect privacy and security. There is an appropriate role for patient consent in a comprehensive privacy and security framework. But CDT believes that a purely consent-based system would result in a system that is less protective of privacy and confidentiality. Consent-based systems place most of the burden of privacy protection on patients, often at a time when they are least able to make complicated decisions about the use of their health data. Further, a consent-based system provides disincentives to the healthcare industry to design systems with stronger privacy and security protections. A comprehensive framework should be the goal - both for policymakers and for those implementing health IT systems.

Though entities engaged in e-health can and should act without prompting from Congress, Congress can and should establish a comprehensive policy framework to ensure that health IT and electronic health information exchange is facilitated by strong and enforceable privacy and security protections. CDT calls on Congress to have a comprehensive vision - but acknowledges that progress toward a comprehensive framework is likely to occur in a steady set of incremental, workable steps. When developing new policies, Congress should consider:

- The appropriate role for patient consent for different e-health activities.
- The ability of consumers to have information about when, where, and how their Personal Health Information (PHI) is accessed, used, disclosed, and stored.
- The right of individuals to view all PHI that is collected about them and be able to correct or remove data that is not timely, accurate, relevant, or complete.
- Limits on the collection, use, disclosure, and retention of PHI.
- Requirements with respect to data quality.
- Reasonable security safeguards given advances in affordable security technology.
- Use of PHI for marketing.
- Other secondary uses (or "reuses") of health information.
- Responsibilities of "downstream" users of PHI.
- Accountability for complying with rules and policies governing access, use, disclosure, enforcement, and remedies for privacy violations or security breaches.
- Uses and safeguards for de-identified information.

While Congress should establish a strong framework for health privacy and security, it must avoid a "one size fits all" approach that treats all actors that hold personal health information the same. The complexity and diversity of entities connected through health information exchange, and their very different roles and different relationships to consumers, require precisely tailored policy solutions that are context and role-based and flexible enough to both encourage and respond to innovation.
_________________________________________________________
Policy Post 14.9 Copyright 2008 Center for Democracy and Technology