Privacy is a fundamental right. As such, it must be viewed differently than any ordinary economic good. The costs and benefits of a regulation must, of course, be considered as a means of identifying and weighing options. At the same time, it is important not to lose sight of the inherent meaning of privacy—it speaks to our individual and collective freedom.
A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy. Many states specifically provide a remedy for public revelation of private facts. Some states, such as California and Tennessee, have a right to privacy as a matter of state constitutional law. The multiple historical sources for legal rights to privacy are traced in many places, including Chapter 13 of Alan Westin’s Privacy and Freedom and in Ellen Alderman & Caroline Kennedy, The Right to Privacy (1995).
Increasing Use of Interconnected Electronic Information Systems
Until recently, health information was recorded and maintained on paper and stored in the offices of community-based physicians, nurses, hospitals, and other health care professionals and institutions. In some ways, this imperfect system of record keeping created a false sense of privacy among patients, providers, and others. Patients’ health information has never remained completely confidential. Until recently, however, a breach of confidentiality involved a physical exchange of paper records or a verbal exchange of information. Today, however, more and more health care providers, plans, and others are utilizing electronic means of storing and transmitting health information. In 1996, the health care industry invested an estimated $10 to $15 billion on information technology.
The electronic information revolution is transforming the recording of health information so that the disclosure of information may require only a push of a button. In a matter of seconds, a person’s most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at a time. While the majority of medical records still are in paper form, information from those records is often copied and transmitted through electronic means.
This ease of information collection, organization, retention, and exchange made possible by the advances in computer and other electronic technology affords many benefits to individuals and to the health care industry. Use of electronic information has helped to speed the delivery of effective care and the processing of billions of dollars worth of health care claims. Greater use of electronic data has also increased our ability to identify and treat those who are at risk for disease, conduct vital research, detect fraud and abuse, and measure and improve the quality of care delivered in the U.S.. The National Research Council recently reported the Internet has great potential to improve Americans health by enhancing communications and improving access to information for health care providers, patients, health plan administrators, public health officials, biomedical researchers, and other health care professionals.
At the same time, these advances have reduced or eliminated many of the financial and logistical obstacles that previously served to protect the confidentiality of health information and the privacy interests of individuals. They have also made our information available to many more people. The shift from paper to electronic records, with the accompanying greater flows of sensitive health information, thus strengthens the arguments for giving legal protection to the right to privacy in health information. In an earlier period where it was far more expensive to access and use medical records, the risk of harm to individuals was relatively low. In the potential near future, when technology makes it almost free to send lifetime medical records over the Internet, the risks may grow rapidly. It may become cost-effective, for instance, for companies to offer services that allow purchasers to obtain details of a person’s physical and mental treatments. In addition to legitimate possible uses for such services, malicious or inquisitive persons may download medical records for purposes ranging from identity theft to embarrassment to prurient interest in the life of a celebrity or neighbor. The comments to the proposed privacy rule indicate that many persons believe that they have a right to live in society without having these details of their lives laid open to unknown and possibly hostile eyes. These technological changes, in short, may provide a reason for institutionalizing privacy protections in situations where the risk of harm did not previously justify writing such protections into law.
Recently, scientists completed nearly a decade of work unlocking the mysteries of the human genome, creating tremendous new opportunities to identify and prevent many of the leading causes of death and disability in this country and around the world. Yet the absence of privacy protections for health information endanger these efforts by creating a barrier of distrust and suspicion among consumers. A 1995 national poll found that more than 85 percent of those surveyed were either very concerned or somewhat concerned that insurers and employers might gain access to and use genetic information.
Sixty-three percent of the 1,000 participants in a 1997 national survey said they would not take genetic tests if insurers and employers could gain access to the results. In genetic testing studies at the National Institutes of Health, thirty-two percent of eligible people who were offered a test for breast cancer risk declined to take it, citing concerns about loss of privacy and the potential for discrimination in health insurance.
The Changing Health Care System
U.S. Department of Health and Human Services (HHS) published the final Privacy Rule which gives patients greater access to their own medical records and more control over how their personal health information is used. This rule was published on December 28, 2000 and became affective on April 14, 2001. This rule also addresses the obligations of health care providers and health plans to protect health information. By law, covered entities (health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically) have until April 14, 2003, to comply.
This regulation has three major purposes:
to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information
to improve the quality of health care in the US by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care
to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals
The number of entities who are maintaining and transmitting individually identifiable health information has increased significantly over the last 10 years. In addition, the rapid growth of integrated health care delivery systems requires greater use of integrated health information systems. The health care industry has been transformed from one that relied primarily on one-on-one interactions between patients and clinicians to a system of integrated health care delivery networks and managed care providers. Such a system requires the processing and collection of information about patients and plan enrollees (for example, in claims files or enrollment records), resulting in the creation of databases that can be easily transmitted. This dramatic change in the practice of medicine brings with it important prospects for the improvement of the quality of care and reducing the cost of that care. It also, however, means that increasing numbers of people have access to health information. And, as health plan functions are increasingly outsourced, a growing number of organizations not affiliated with our physicians or health plans also have access to health information.
According to the American Health Information Management Association (AHIMA), an average of 150 people from nursing staff, to x-ray technicians, to billing clerks, have access to a patient’s medical records during the course of a typical hospitalization. While many of these individuals have a legitimate need to see all or part of a patient’s records, no laws govern who those people are, what information they are able to see, and what they are and are not allowed to do with that information once they have access to it. According to the National Research Council, individually identifiable health information frequently is shared with:
consulting physicians
managed care organizations
health insurance companies
life insurance companies
self-insured employers
pharmacies
pharmacy benefit managers
clinical laboratories
accrediting organizations
state and federal statistical agencies
medical information bureaus
Much of this sharing of information is done without the knowledge of the patient involved. While many of these functions are important for smooth functioning of the health care system, there are no rules governing how that information is used by secondary and tertiary users. For example, a pharmacy benefit manager could receive information to determine whether an insurance plan or HMO should cover a prescription, but then use the information to market other products to the same patient. Similarly, many of us obtain health insurance coverage though our employer and, in some instances, the employer itself acts as the insurer. In these cases, the employer will obtain identifiable health information about its employees as part of the legitimate health insurance functions such as claims processing, quality improvement, and fraud detection activities. At the same time, there is no comprehensive protection prohibiting the employer from using that information to make decisions about promotions or job retention.
Privacy Is Necessary To Secure Effective, High Quality Health Care
While privacy is one of the key values on which our society is built, it is more than an end in itself. It is also necessary for the effective delivery of health care, both to individuals and to populations. In short, the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers.
The need for privacy of health information, in particular, has long been recognized as critical to the delivery of needed medical care. More than anything else, the relationship between a patient and a clinician is based on trust. The clinician must trust the patient to give full and truthful information about their health, symptoms, and medical history. The patient must trust the clinician to use that information to improve his or her health and to respect the need to keep such information private. In order to receive accurate and reliable diagnosis and treatment, patients must provide health care professionals with accurate, detailed information about their personal health, behavior, and other aspects of their lives. The provision of health information assists in the diagnosis of an illness or condition, in the development of a treatment plan, and in the evaluation of the effectiveness of that treatment. In the absence of full and accurate information, there is a serious risk that the treatment plan will be inappropriate to the patient’s situation.
Federal Response
A breach of a person’s health privacy can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation.
Congress recognized the importance of protecting the privacy of health information by enacting the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The Act called on Congress to enact a medical privacy statute and asked the Secretary of HHS to provide Congress with recommendations for protecting the confidentiality of health care information. The Congress further recognized the importance of such standards by providing the Secretary with authority to promulgate regulations on health care privacy in the event that lawmakers were unable to act within the allotted three years.
The HIPAA Act requires standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically. This standard specifies unique health identifiers, code sets, security standards, electronic signatures, and transfer of information among health plans. Of particular relevance to this proposed rule is the security standard provision. The security standard authority applies to both the transmission and the maintenance of health information, and requires the users to maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information, protect against reasonably anticipated threats or hazards to the security or integrity of the information or unauthorized uses or disclosures of the information, and to ensure compliance by the medical facility’s officers and employees.
The DK Consulting Services Solution
DK Consulting Services remains informed of the rapid evolution in industry, organization, and practice. Our goal is to enhance privacy protections in ways that do not impede this evolution.
Step one—conduct a security requirements review. DK Consulting Services will conduct a review of your Automated Information System to determine the status of compliance with information assurance security requirements, as applicable. This will include, but is not limited to, Privacy Act Requirements, Telecommunications Act of 1996 Requirements, Standards for Electronic Transactions 65 FR 50312, and Personnel Security Program DoD 5200.2-R.
Step two—present documentation review assessment. DK Consulting Services will present the findings to the Congressman’s chief of staff to include a recommendation on the security status of the system and any shortcomings which need to be addressed.
Products DK Consulting Services Recommends
Implement multiple security capabilities to ensure the protection of sensitive data. We accomplishes this by implementing a role-based access control that will allow the enforcement of security policies based on the ability to provide granular authorization and advanced entitlements.
We provide institutions and companies with a secure means of employee authentication for remote access to their computer systems and networks. Using smart card technology we offers security and flexibility for protecting valuable transactions and sensitive applications.
Infrared (IR) Imaging cameras operate like standard video cameras but with one major difference—they are sensitive to heat emissions rather than normal light patterns. IR cameras do not require light in order to produce an image of any part of a person's body. IR cameras are so sensitive they can image the detailed patterns of blood vessels under the skin resulting in patterns different for each individual, like finger prints.
