Privacy in Healthcare Challenges Associated with Implementing Privacy in an Electronic Health...

Post on 02-Jan-2016

Privacy in Healthcare

Challenges Associated with Implementing Privacy in an Electronic Health Records Environment

John P. Houston, J.D.

Vice President, Privacy & Information Security, Assistant Counsel, University of Pittsburgh Medical Center

Adjunct Assistant Professor of Biomedical Informatics, University of Pittsburgh School of Medicine

Questions

What is Privacy?

What is Confidentiality?

What is (Information) Security?

Security, Privacy & Confidentiality

• Privacy - the state of being free from intrusion or disturbance in one's private life or affairs. (Random House Dictionary)

• Confidentiality - The ethical principle or legal right that a physician or other health professional will hold secret all information relating to a patient, unless the patient gives consent permitting disclosure. (The American Heritage® Stedman's Medical Dictionary)

• Security - Protection against unauthorized access to, or alteration of, information and system resources including CPUs, storage devices and programs. (Free On-line Dictionary of Computing)

Security, Privacy & Confidentiality

(Information) Security: Keeping the bad guys out.

Privacy / Confidentiality: Making sure that those people who have access to information only access the information for appropriate purposes.

Health Privacy Laws in Pennsylvania

• PA Medical Records Laws

• HIPAA Privacy Rule

• ARRA Privacy Rule

• Federal & State “Sensitive Information” laws

Observation

We have reached a tipping point where the volume and complexity of privacy regulations have made compliance extremely difficult

Observation

Even intelligent, well educated and informed individuals do not fully or accurately understand the privacy regulations

Result

Many institutions inappropriately implement privacy regulations

Reality

Timely, accurate and complete information is necessary to provide effective and efficient health care

Challenge

To provide the right information to the right individual at the right time

Failure

Failure must be defined in terms of impacting patient care

• Patients often do not know what they really want

• Arbitrary or overly restrictive barriers

• HIPAA contemplates taking reasonable steps

• If we must err, err to the benefit of ensuring that good quality patient care is delivered

Privacy Is a Balance

Privacy is a balance between:

• An individual’s right to have his / her information kept confidential

• A provider’s need for information to support the delivery of effective and efficient healthcare

• Public / societal interests

Practically speaking, privacy is not an absolute

Privacy Is a Societal Value

In good faith, people have substantial differences of opinion regarding the value and importance of privacy

Reality

The healthcare industry is quickly moving towards a highly integrated and highly distributable electronic health records environment

Global Access to Information

Health Information Exchanges

Nationwide Health Information Network

The Move to Electronic Health Records

The implementation of an electronic health records environment fundamentally changes the manner in which privacy must be viewed and addressed

How is Privacy Different?

Local Availability vs. Global Availability

Paper Records - Local Availability

Information is locked up in a file cabinet or the Medical Records Department

Electronic Records - Global Availability

Information is:

• Accessible through an institution’s electronic health records system(s)

• Accessible via an HIE

• Accessible via the Internet on the NHIN (future)

Myth

Institutions all operate a single monolithic health information system

Examples of Issues

• Impractical to honor patient request for additional privacy protections / consents

• Difficult to perform new accounting of disclosure requirements

• Difficult to comply with new “Pay for out of pocket in full” restrictions.

WARNING!

Computers are STUPID!

The Evolution of Privacy in EHRs

System Flexibility

It is difficult to develop / implement information system controls that support privacy while providing the flexibility necessary to ensure the efficient and effective delivery of health care

System Flexibility

Due to the difficulty in developing / implementing information system controls that support privacy, institutions often establish structural barriers (separate systems, shadow records, paper records, etc.).

Immediacy

Prospective controls and structural barriers often impede access to information in emergent situations and significantly reduce efficiency

Example – Psychiatric Information

Should psychiatric information be segregated?

Example – Psychiatric Information

Should psychiatric information be segregated?

• Information results from services provided by a PCP or in an acute care setting

• Access is often important in emergent situations

• Drug-to-drug interactions

• Alternative diagnosis?

• Drug diversion?

Question

Where do you draw the line?

In The End

• Institutions must be diligent in training their work force

• Enforcement is vital

Commercial

http://www.ge.com/company/advertising/index.html