5 Healthcare Data as a Public Good: Privacy and Security
Pages 171-202

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 171...
... To provide insight into the public views on privacy issues in health care, Alan Westin, professor emeritus of public law and government at Columbia University and principal of the Privacy Consulting Group, presents outcomes of the 2007 national Harris/Westin survey that evaluates public attitudes toward the current state of health information privacy and security protection.[1] The survey examines attitudes about handling sensitive patient information, health research activities involving individual patient data, and
[1] This survey was commissioned by the Institute of Medicine as part of the work of the IOM Committee on Health Research and the Privacy of Health Information.
From page 172...
... In 2003, the HIPAA Privacy Rule took effect, and early changes to the Rule permitted sharing healthcare data for restricted purposes, essentially easing some limitations on providers and health plans related to health services research. With the increased incorporation of electronic health records (EHRs)
From page 173...
... Members of the public are identified who believe their personal health information has been disclosed improperly and by whom. Explaining the benefits and risks involved in having one's personally identified health records used in health research, the paper explores what kinds of advance patient/consumer notice and consent mechanisms are desired by various subsets of the public.
From page 174...
... How the public feels about privacy issues links directly to the trust level that people have in the entire healthcare establishment, and factors significantly in the move to EHRs, personal health records, interoperability exchanges, and so forth.
From page 175...
... Finally, we asked people to agree or disagree with this statement: "Even if nothing that identifies me were ever published or given to an organization making consumer or employee decisions about me, I still worry about a professional health researcher seeing my medical records." The public is split right down the middle: 50/50. Half agree with the sense that there is an exposure that worries them and half are comfortable.
From page 176...
... Perhaps the single most important focus of our study was when we asked people whether they were ready to have their personally identified health information used by health researchers, and, if so, what kind of notice and consent they would want to have provided. The fact that this was an online survey enabled us to ask a detailed and carefully crafted question that described how health research is done and gave the arguments of health researchers in favor of general advance consent or consents based on promises of confidentiality and human subject or Privacy Board oversight.
From page 177...
... A strong majority, 58 percent, do not believe that current laws and organizational practices provide adequate privacy protection. The majority generally trust health researchers (albeit researchers undefined as to what kind they are)
From page 178...
... Rather, privacy is a matter of balance and judgment, and it is very contextual. Still, unless we can create what the National Committee on Vital and Health Statistics called a new data stewardship responsibility for health data holders and secondary users, we are going to lose the balanced-privacy battle, with the risk of sharp limits being placed on using personal health data for very important health research.
From page 179...
... As healthcare and HIT systems evolve, experience suggests that modifications are needed to strike the proper balance between protecting patient privacy and making data available for research to improve healthcare quality and to lower costs. Early advocacy efforts by the research community resulted in changes to the Privacy Rule that lightened some of the administrative burdens on healthcare providers and plans associated with making data available for research purposes.
From page 180...
... HIPAA restricted access by researchers to PHI, which at that time was held by healthcare providers and health plans. These HIPAA-covered entities would need guidance on how they were to treat uses and disclosures of PHI for research purposes.
From page 181...
... In addition, in 2002 HHS provided an alternative to the accounting of disclosure requirement.[5] The accounting of disclosure requirement mandates that when covered entities such as hospital systems and health plans disclose information for research purposes pursuant to an IRB waiver, they need to keep an accounting of these disclosures and make it available to individuals on request. Keeping individualized records about which records were disclosed for which research protocols operating under an IRB waiver of consent was seen as quite burdensome by the covered entities.
From page 182...
... Another issue that should be reconsidered is whether individuals should be permitted to authorize the use of information about them for future unspecified research. Today, obtaining a HIPAA authorization for uses and disclosures for future unspecified research is not permitted under the Privacy Rule.[7] Privacy advocates argued at the time of the rulemaking that there is no way to adequately inform an individual about the privacy risks related to future unspecified studies.
From page 183...
... Communications Fellow, Johns Hopkins University. This paper will attempt to put the use of healthcare data into the larger context of transforming health care by increasing openness. This means providing more access to more information to more people and allowing individuals to contribute their own expertise and insights to that information.
From page 184...
... These licenses also allow the poster to announce that there are no restrictions -- that the information is completely "open." However, if no restrictions are placed on the use of the information, does it still have value? With the increasing use of the Internet, we are finding that we can obtain great value from sharing information.
From page 185...
... As noted earlier, the greatest degree of openness is not always the best answer to the question of what degree of openness is best suited for a particular purpose. This is where we can begin to ask salient questions regarding health care.
From page 186...
... The report also considers cases in which greater openness can be harmful -- such as unauthorized access to medical records or unauthorized disclosure of genetic information about an individual -- and destabilizing, such as in the relationship between patients and their caregivers.
From page 187...
... On the other hand, withholding the data prevents academic researchers interested in the efficacy and safety of the intervention from benefiting from the data. Access to data underlying clinical trials does raise important questions of openness, including the value of the data to the company that submits the data and to competitors.
From page 188...
... The report also deals with openness issues involving electronic health records. As with the data underlying clinical trials, data from EHRs are likely to be critical components of large databases that will serve as the breeding grounds for development of evidence-based medicine.
From page 189...
... But although there is much debate about how to deal with privacy and security, both technological and marketplace forces are racing ahead, rendering HIPAA's privacy regime increasingly problematic. For example, there are more than 200 different systems of personal health records now in the marketplace, including Microsoft's HealthVault.
From page 190...
... There is yet another issue as to whether the respective rules are being enforced. One of the reasons for the log jam about EHRs is the belief that enforcement of the HIPAA Privacy Rule is nearly nonexistent.
From page 191...
... The CED report is an attempt to show the benefits, but it is only a beginning.
INSTITUTIONAL AND TECHNICAL APPROACHES TO ENSURING PRIVACY AND SECURITY OF CLINICAL DATA
Alexander D
From page 192...
... Healthcare providers have an interest in each of these goals, but perceived and actual privacy or security hurdles, patient trust considerations, potential legal consequences, and actual costs associated with retrieval of data pose barriers to releasing data for research purposes. In particular, healthcare providers often find the privacy and security requirements of HIPAA confusing, and health information data custodians and researchers sometimes have limited awareness of HIPAA's data access and disclosure requirements.
From page 193...
... One area of significant concern, therefore, is how to most appropriately release and provide access to information to researchers who are not members of our workforce. Because these databases, repositories, and record sets are usually created primarily for treatment, healthcare operational purposes, or billing and financial purposes -- not for research purposes -- they often lack a built-in framework for addressing the needs and requirements associated with research-related access as well as the obligations we have for research-related disclosures.
From page 194...
... The Privacy Rule continues to be confusing to many healthcare providers, who often view its requirements as arbitrary and overly complex. Healthcare administrators often face the burden of too many forms and policies that are generated as a result of our responsibilities to protect
From page 195...
... IRBs need not be affiliated with the Covered Entity to grant a waiver of the authorization requirement and may not be entirely concerned with the Covered Entity's obligations. In addition, many IRBs also have regular turnover and have many members, including unaffiliated community representatives, who sometimes do not understand the requirements for protecting patient privacy.
From page 196...
... This is extremely burdensome for healthcare providers, particularly in the paper world, and often necessitates physically placing a marker or informational sheet in each record accessed. One might think this would be easier in an electronic world, but in reality it is not!
From page 197...
... Even if such restrictions are accepted, healthcare providers are not necessarily culpable under HIPAA if the release of information is for research purposes.[8] Nonetheless, we believe that if we make a commitment to our patients, we are ethically obligated to try to fulfill it. Though most Notices of Privacy Practices require that any request for restrictions be placed in writing and though most Covered Entities try to educate their staff to not accept a restriction unless it is in writing and clearly agreed to, it is possible that physicians or other staff members occasionally and informally make commitments and promises to their patients that their health information will not be used for any purposes except their own treatment unless the patients otherwise consent.
From page 198...
... This can alleviate both the potentially invasive feeling by patients of being contacted by a stranger for research as well as physicians' concerns that their patients may be recruited without the physicians' knowledge into research that they do not believe is commensurate with the care they provide. Patient attitudes also play a key role in determining whether health information can or should be released for research purposes.
From page 199...
... Unfortunately, most healthcare providers have no cost-effective way of protecting just limited portions of the patient record, even when individuals feel comfortable that the rest of their file could be used for research purposes.
From page 200...
... Expansion of the Limited Dataset concept could potentially assist both researchers and Covered Entities if the Covered Entity has systems that can cost-effectively produce data and the Limited Dataset vehicle is greatly expanded to include identifiers that would permit screening and recruitment activities. In addition, as vendors and suppliers of our data systems and electronic medical records systems become more sophisticated in the potential applications of this information, the design of operational databases
From page 201...
... With respect to technology, interoperable data exchange may ease some of the technological burdens we face and could result in greater access to health information by researchers, but the details and potential barriers associated with access to data exchanges remain uncertain and may require further legal clarifications. Perhaps most importantly, an increased awareness and sensitivity on the part of researchers to the requirements, burdens, and costs associated with healthcare providers' provision of information, and a willingness to share in those costs and burdens, can greatly aid in overcoming the obstacles that currently impede research efforts.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.