Currently Skimming:

2 The Value and Importance of Health Information Privacy
Pages 75-110


From page 75...
... In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level, because it permits complex activities, including research and public health activities, to be carried out in ways that protect individuals' dignity.
From page 76...
... Our report, and the Privacy Rule itself, are concerned with health informational privacy.
From page 77...
... When personally identifiable health information, for example, is disclosed to an employer, insurer, or family member, it can result in stigma, embarrassment, and discrimination. Thus, without some assurance of privacy, people may be reluctant to provide candid and complete disclosures of sensitive information even to their physicians.
From page 78...
... Privacy can foster socially beneficial activities like health research.
From page 79...
... Privacy Rule, 67 percent of respondents still said they were concerned about the privacy of their medical records, suggesting that the Privacy Rule had not effectively alleviated public concern about health privacy. Ethnic and racial minorities showed the greatest concern among the respondents.
From page 80...
... When presented with the possibility that there would be a nationwide system of electronic medical records, one survey found 70 percent of respondents were concerned that sensitive personal medical record information might be leaked because of weak data security, 69 percent expressed concern that there could be more sharing of medical information without the patient's knowledge, and 69 percent were concerned that strong enough data security will not be installed in the new computer system.
From page 81...
... Recent passage of the Genetic Information Nondiscrimination Act in the United States will hopefully begin to address some of these concerns.
Patient Attitudes About Privacy in Health Research
Ideally, there would be empirical evidence regarding the privacy value of all the specific Privacy Rule provisions that impact researchers, but there are only limited data on this topic from the consumer/patient perspective. A few studies have attempted to examine the public's attitudes about the use of health information in research.
From page 82...
... For example, a recent Harris Poll found that 63 percent of respondents would give general consent to the use of their medical records for research, as long as there were guarantees that no personally identifiable health information would be released from such studies (Harris Interactive, 2007)
From page 83...
... Thirty-four percent of veterans who participated in intensive focus groups using deliberative democracy were willing to allow researchers associated with the Veterans Health Administration to use their medical records without any procedures for patient input, subject to Institutional Review Board (IRB) approval, and another 17 percent reported that patients should have to ask for their medical records to be excluded from research studies (opt-out)
From page 84...
... Although the commissioned Harris Poll found that people who are in only fair health, who have a disability, or who had taken a genetic test were slightly more concerned than the public about health researchers seeing their medical records (55 percent versus 50 percent), other data suggest that people with health concerns may be more supportive of using medical records in research.
From page 85...
... Surveys indicate that the public is deeply concerned about the privacy and security of personal health information, and that the HIPAA Privacy Rule has perhaps reduced -- but not eliminated -- those concerns. Patients were generally very supportive of research, provided safeguards were established to protect the privacy and security of their medical information, although some surveys
From page 86...
... An understanding of the public's attitude toward privacy is important throughout the rest of this report, because many of the IOM committee's recommendations affect the nature of the privacy protections afforded by the federal health research regulations.
HISTORICAL DEVELOPMENT OF LEGAL PROTECTIONS OF HEALTH INFORMATION PRIVACY
The medical community has long recognized the importance of protecting privacy in maintaining public trust in doctors and researchers, and codes of medical ethics reflect a desire to increase this public trust.
From page 87...
... Common Law Protections
State common law generally recognizes that some health care relationships are based on maintaining the confidentiality of information obtained in the course of care and affords a remedy when that confidentiality is breached. Traditionally, the law's regulation of "privacy" consisted essentially of the protection of confidentiality within the doctor–patient relationship.
From page 88...
... The shift to statutory and regulatory protections for health information was largely a response to the changing nature of recordkeeping in general, and of the nature of the provision of health care. As noted by the 1977 Privacy Protection Study Commission, "The emergence of third-party payment plans; the use of health care information for non-healthcare purposes; the growing involvement of government agencies in virtually all aspects of health care; and the exponential increase in the use of computers and automated information systems for health care record information have combined to put substantial pressure on traditional confidentiality protections." SOURCES: Bodger (2006)
From page 89...
... TABLE 2-1 Federal Health Privacy Statutes and Executive Orders That Regulate the Collection and Disclosure of Information
Statute | Year | Privacy Protection
Freedom of Information Act (FOIA) | 1966 | Prevents personally identifiable health information from being included in the release of information as part of a FOIA request
Privacy Act | 1974 | Protects the privacy of health, research, and other records held by federal agencies
Family Educational Rights and Privacy Act | 1974 | Requires schools to have written permission from a parent or student prior to releasing information from a student's education record
Veterans Omnibus Health Care Act | 1976 | Protects the privacy of medical records relating to the treatment of drug abuse, alcohol abuse, infection with AIDS or sickle cell anemia, in the Department of Veterans Affairs
Protection of Pupil Rights Amendment | 1978 | Protects the rights of pupils and the parents of pupils in programs funded by the Department of Education
Social Security Act, Section 1106 | 1986 | Prohibits unauthorized disclosure of individually identifiable records held by the Department of Health and Human Services, the Social Security Administration, and their contractors
Clinical Laboratory Improvement Amendments | 1988 | Requires clinical laboratories to protect the confidentiality of test results and reports, including information on patient and clinical study subjects; medical information may only be disclosed to authorized persons as defined by state or federal law
Public Health Service Act, Health Omnibus Program Extension | 1988 | Provides for Certificates of Confidentiality that protect personally identifiable research information
(continued)
From page 90...
... BOX 2-1 Continued
TABLE 2-1 Continued
Statute | Year | Privacy Protection
Americans with Disabilities Act | 1990 | Employers must treat employees' and applicants' medical information and medical conditions confidentially
Public Health Service Act, Section 543, Federal Confidentiality Requirements for Substance Abuse Patient Records | 1992 | Federally assisted alcohol or substance abuse programs must keep patient alcohol and drug abuse treatment records confidential, absent patient consent or a court order
Health Insurance Portability and Accountability Act (HIPAA), Privacy Rule | 1996 | Protects the privacy of individually identifiable information held by covered entities
Balanced Budget Act | 1997 | Added language to the Social Security Act to require Medicare+Choice organizations to establish safeguards for the privacy of individually identifiable patient information
Clinton's Executive Order 13145 | 2000 | Bans the use of genetic information in federal hiring and promotion decisions
Confidential Information Protection and Statistical Efficiency Act | 2002 | Ensures that information supplied by individuals or organizations to a federal agency for statistical purposes under a pledge of confidentiality is used exclusively for statistical purposes
Medicare Prescription Drug, Improvement and Modernization Act | 2003 | Requires prescription drug plan sponsors to comply with the HIPAA Privacy Rule and the Security Rule requirements
Genetic Information Nondiscrimination Act | 2008 | Prohibits discrimination against individuals based on their genetic information in health insurance and employment
From page 91...
... In addition to affording individuals the meaningful right to control the collection, use, and disclosure of their information, the fair information practices also impose affirmative responsibilities to safeguard information on those who collect it (reviewed by Pritts, 2008)
From page 92...
... The United States has taken a sector-driven approach toward adopting the principles of fair information practices, with the federal and state governments promulgating statutes and regulations that apply only to specific classes of record keepers or categories of records. At the federal level, the fair information practices were first incorporated into the Privacy Act of 1974, which governs the collection, use, and disclosure of personally identifiable data held by the federal government and some of its contractors. Hospitals operated by the federal government and health care or research institutions operated under federal contract are subject to the Privacy Act, while other health care entities remained outside its scope (Gostin, 1995)
From page 93...
... Also, only a few states have statutorily required providers to undertake security measures to ensure that health information is used and disclosed properly.
SECURITY OF HEALTH DATA
Protecting the security of data in health research is important because health research requires the collection, storage, and use of large amounts of personally identifiable health information, much of which may be sensitive and potentially embarrassing.
From page 94...
... The HIPAA Security Rule has several major gaps in security protection. First, like the HIPAA Privacy Rule, the HIPAA Security Rule only applies to covered entities.
From page 95...
... personal health information on research participants from 10 research studies was stolen. | password protected, so it is unlikely that any data were accessed.
From page 96...
... proper security standards are in place.
3/30/07 | University of California–San Francisco | A computer that contained the personal information on cancer research subjects was stolen | +3,000 | There is no evidence that any information on the computer was used by unauthorized persons.
From page 97...
... Third, many covered entities apparently are not yet in full compliance with all the requirements of the HIPAA Security Rule, based on surveys [13] of
[13] Since 2004, the American Health Information Management Association has annually surveyed health care privacy officers and others whose jobs related to the HIPAA privacy function to gain an understanding of where health care organizations stand with regard to implementing the Privacy and Security Rules required by HIPAA (AHIMA, 2006)
From page 98...
... Regardless of whether the HIPAA Security Rule is actively enforced, the other gaps in the HIPAA Security Rule's protection of personal health information are problematic because enhanced security is necessary to reduce the risk of data theft and to reinforce the public's trust in the research community by diminishing anxiety about the potential for unintentional disclosure
From page 99...
... in the health research community that are involved in the collection, use, and disclosure of personally identifiable health information take strong measures to safeguard the security of health data. Given the differences among the missions and activities of institutions in the health research community, some flexibility in the implementation of specific security measures will be necessary.
From page 100...
... Although the committee does not recommend a specific technology solution, there are at least four technological approaches to enhancing data privacy and security that have been proposed by others as having the potential to be particularly influential in health research: (1) Privacy-preserving data mining and statistical disclosure limitation, (2)
From page 101...
... Only individuals who are on the Internet and are involved in health research could easily be queried. Third, the use of personal electronic devices would make it almost impossible to aggregate data because of the difficulty of accessing data from multiple sources.
From page 102...
... In addition, these organizations are currently not regulated by the HIPAA Privacy Rule, so there are no legal federal privacy restrictions preventing these entities from releasing individuals' data to the government, marketing companies, or others, and no mandatory data security requirements. New legislation or regulation making health trusts liable for security breaches may be necessary before the public is willing to trust these organizations to store personal health data (Metz, 2008)
From page 103...
... In order for information to be considered deidentified, the HIPAA Privacy Rule specifically states that covered entities can assign a code or other means of
From page 104...
... The committee affirms the importance of maintaining and improving the privacy of health information. In the context of health research, privacy includes the commitment to handle personal information of patients and research participants with meaningful privacy protections, including strong security measures, transparency, and accountability. These commitments extend to everyone who collects, uses, or has access to personally identifiable health information of patients and research participants.
From page 105...
... already sets a floor for data security standards within covered entities, but not all institutions that conduct health research are subject to HIPAA regulations. Also, the survey data presented in this chapter show that neither the HIPAA Privacy Rule nor the HIPAA Security Rule have directly improved public confidence that personal health information will be kept confidential.
From page 106...
... 2006. Concept and message development research on engaging communities to promote electronic personal health records for the National Health Council.
From page 107...
... 2002. Personal privacy and common goods: A framework for balancing under the national health information Privacy Rule.
From page 108...
... 2002. Learning from experience, privacy and the secondary use of data in health research.
From page 109...
... 2008. The importance and value of protecting the privacy of health information: Roles of HIPAA Privacy Rule and the Common Rule in health research.
From page 110...
... Alternatives to project-specific consent for access to personal information for health research.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.