Privacy in HealthcareChallenges Associated with Implementing Privacy

in an Electronic Health Records Environment

John P. Houston, J.D.Vice President, Privacy & Information Security, Assistant Counsel

University of Pittsburgh Medical CenterAdjunct Assistant Professor of Biomedical Informatics

University of Pittsburgh School of Medicine

Privacy in HealthcareChallenges Associated with Implementing Privacy

in an Electronic Health Records Environment

John P. Houston, J.D.Vice President, Privacy & Information Security, Assistant Counsel

University of Pittsburgh Medical CenterAdjunct Assistant Professor of Biomedical Informatics

University of Pittsburgh School of Medicine

2

Questions

What is Privacy?

What is Confidentiality?

What is (Information) Security?

3

Security, Privacy & Confidentiality

• Privacy - the state of being free from intrusion or disturbance in one's private life or affairs. (Random House Dictionary)

• Confidentiality - The ethical principle or legal right that a physician or other health professional will hold secret all information relating to a patient, unless the patient gives consent permitting disclosure. (The American Heritage® Stedman's Medical Dictionary)

• Security - Protection against unauthorized access to, or alteration of, information and system resources including CPUs, storage devices and programs. (Free On-line Dictionary of Computing)

4

Security, Privacy & Confidentiality

(Information) SecurityKeeping the bad guys out.

PrivacyConfidentiality

Making sure that those people who have access to information, only access the information for appropriate purposes.

5

Health Privacy Laws in Pennsylvania

• PA Medical Records Laws• HIPAA Privacy Rule• ARRA Privacy Rule• Federal & State “Sensitive

Information laws

6

Observation

We have reached a tipping point where the volume and complexity of privacy

regulations have made compliance extremely difficult

7

Observation

Even intelligent, well educated and informed individuals do not fully or accurately understand the privacy

regulations

8

Result

Many institutions inappropriately implement privacy regulations

9

Reality

Timely, accurate and complete information is necessary to provide effective and

efficient health care

10

Challenge

To provide the right information to the right individual at the right time

11

Failure must be defined in terms of impacting patient care• Patients often do not know what they really want• Arbitrary or overly restrictive barriers• HIPAA contemplates taking reasonable steps• If we must error, error to the benefit of ensuring that good

quality patient care is delivered

Failure

12

Privacy Is a Balance

Privacy is a balance between:•An individual’s right to have his / her information kept confidential•A provider’s need for information to support the delivery of effective and efficient healthcare•Public / societal interests

Practically speaking privacy is not an absolute

13

Privacy Is a Societal Value

In good faith people have substantial differences of opinion regarding the value

and importance of privacy

14

Reality

The Healthcare industry is quickly moving towards a highly integrated and highly distributable electronic health records

environment

15

Global Access to Information

Health Information ExchangesNationwide Health Information Network

16

The Move to Electronic Health Records

The implementation of an electronic health records environment fundamentally changes the manner in which privacy must

be viewed and addressed

17

How is Privacy Different?

Local Availabilityvs.

Global Availability

18

Paper Records - Local Availability

Information is locked up in a file cabinet or the Medical Records Department

19

Electronic Records - Global Availability

Information is:• Accessible through an institution’s

electronic health records system(s)• Accessible via an HIE• Accessible via the Internet on the

NHIN(future)

20

Myth

Institutions all operate a single monolithic health information system

21

Examples of Issues

• Impractical to honor patient request for additional privacy protections / consents

• Difficult to perform new accounting of disclosure requirements

• Difficult to comply with new “Pay for out of pocket in full” restrictions.

22

Computers areSTUPID!

WARNING!

23

The Evolution of Privacy in EHRs

24

System Flexibility

It is difficult to develop / implement information system controls that support

privacy while providing the flexibility necessary to ensure the efficient and

effective delivery of health care

25

System Flexibility

Due to the difficult in developing / implement information system controls that support privacy, institutions often establish

structural barriers (separate systems, shadow records, paper records, etc).

26

Immediacy

Prospective controls and structural barriers often impede access to information in emergent situations and significantly

reduce efficiency

27

Should psychiatric information be segregated?

Example – Psychiatric Information

28

Should psychiatric Information be segregated?•Information results from services provided by a PCP or in an acute care setting•Access is often important in emergent situations•Drug – to – drug interactions•Alternative diagnosis?•Drug diversion?

Example – Psychiatric Information

29

Where do you draw the line?

Question

30

In The End

• Institutions must be diligent in training their work force

• Enforcement is vital

31

Commercial

http://www.ge.com/company/advertising/index.html