Healthcare Information Technology

Healthcare IT
1. How safe do you think the “safe harbor” of HIPAA’s 18 fields is? Why?
There are two approaches towards HIPAA-compliant de-identification of PHI. These are expert determination and safe harbor (U.S. Department of Health and Human Services - HHS, 2018). In essence, safe harbor, which this section will concern itself with, has got to do with the removal of certain identifiers from the data set. In this case, a total of 18 “identifiers of the individual or of relatives, employers, or household members of the individual, are removed” (HHS, 2018). A key advantage of safe harbor is its simplicity. This is more so the case given that its implementation does not call for any technical or specialized knowhow. Its application is rather straightforward. It is important to note that even the removal of the said identifiers does not result in the total elimination or removal of the patient re-identification risk.
One of the key disadvantages of safe harbor is that except under very few circumstances, the safety of data is actually not guaranteed. This effectively means that the risk of re-identification happens to be rather high in some instances. For instance, assume a scenario whereby a public file has met the safe harbor standard but there is an ‘intruder’ who happens to know of a specific person in the data. All that the said intruder would have to do is retrieve the data set (which, by the way, satisfies the conditions of safe harbor) and fish for specific identifiers in relation to the person he is interested in. In this case, we could assume that the data set contains the first three ZIP code digits and ages (in years). All that the intruder has to do in this case is be certain of the age of his person of interest and perhaps where he resides to positively identify the record associated with the said person of interest. This is just one example of an instance whereby re-identification would happen with relative ease.
2. What do you think is the right balance between “patient’s privacy” and “public good”? Why?
It is important to note that some researchers have in the past argued that data protection laws could effectively impede the research process because in some instances they essentially make access to data a complex process for researchers (Steeves, 2007). A good example in this case, according to the author, would be the requirement to obtain consent. On this front, it becomes “difficult for researchers to access data that would otherwise be available to them” (Steeves, 2007, p. 27). This appears to defeat the ‘public good’, while advancing the ‘patient’s privacy’ - especially when the research in question happens to be of great relevance to public health. Furthermore, we could argue that all medical and health research is essentially a social good that must not be hampered. Are the data protection laws in place at present overly restrictive – and hence an encumbrance to public good?
It should be noted that without a solid privacy protection framework in place, research undertakings would be devoid of the critical trust and confidence element. This is more so the case given that participants would never really get ‘off-stage’ – i.e. with regard to their role in research and their own individual lives. Given that research undertakings are in some instances private-public engagements, the risk of data commodification cannot be overlooked. It therefore follows that ignoring privacy safeguards would effectively erect significant obstacles to research. Towards this end, the middle ground would be the implementation of privacy policies that promote privacy as a social value. Ideally, what should be avoided is a zero-sum kind of game on this front. In that regard, therefore, ongoing dialogue ought to be embraced with an aim of ensuring that lasting frameworks are established to ensure that respecting patient privacy advances, rather than impedes, knowledge advancement.
3. List three areas where HITECH was in line with the recommendations of the proposed National Framework
In seeking to highlight where HITECH was in line with the proposed National Framework recommendations, it would be prudent to first assess the basis of the framework. As Safran, Bloomrosen, Hammond, Labkoff, Markel-Fox, Tang, and Datmer (2007) point out, the nation is in need of a well-defined framework for the secondary utilization of health data. The said framework, according to the authors, ought to incorporate a robust infrastructure of not only the best practices, but also standards and policies. With such a framework in place, data collection as well as aggregation, storage and transmission will be guided and facilitated as appropriate (Safran et al., 2007). The said framework ought to be ideally molded by the following components: “transparent policies and practices for the secondary use of health data; focus on data control ownership; consensus on privacy, policy, and security; public awareness and trust; comprehensive scope (beginning with a taxonomy); and national leadership” (Safran et al., 2007). To begin with, HITECH sought to widen the security and privacy protections scope that were accessible under the Health Insurance Portability and Accountability Act (HIPPA). It is important to note that in this case, breaches of data affecting more than 500 people ought to be reported as appropriate. Business associates of covered entities are also extended HIPAA’s security and privacy provisions. Secondly, there is also the provision for more enforcement. This is particularly important given that the enforcement standards of HIPAA have been questioned in the past. It should be noted that with HITECH, ‘willful neglect’ will most likely attract mandatory penalties. Lastly, the adoption of electronic health records (EHR) is incentivized and meaningful use set as an important goal – with the overriding mandate in this case being the need to direct meaningful care improvements.
4. What technology solutions can be used to improve the safety of ePHI? How? What risks do each mitigate?
In addition to being required to protect ePHI by law under HIPAA, institutions seek improve the safety of ePHI because it is the right thing to do. This is more so the case given that some health information could either be embarrassing if traced back to the owners, or potentially sensitive. If such health data were to fall into the wrong hands, it would potentially be used by malicious third parties to either embarrass or blackmail the concerned individual. Thus, the relevance of appropriate technology solutions to enhance the safety of ePHI cannot be overstated.
To begin with, firewalls would come in handy in this regard. Firewalls seek to ensure that the network is cushioned against attacks by external parties. According to O’Dowd (2019), “firewalls are the first line of defense for securing healthcare network against the public internet.” As the author further points out, firewalls constantly monitor traffic (both outgoing and incoming) and thus only permit data that is pre-cleared to go through. Secondly, hard drives could also be encrypted. This move would effectively minimize data access by third parties if the said third parties were to gain physical access to hard drives used to store patient information and other related data. Thanks to the said encryption, the data contained therein cannot be read. Third, a two-factor authentication mechanism could be adopted with an intention of ensuring that security is extended beyond the basic combination of password and username. With two-factor authentication, the user can be verified via an additional method. A key component of this identification mechanism is the need for users to make use of a second factor, i.e. finger print scan or code set to phone, to identify themselves. This protects PHI from access by persons able to ‘beat’ the first line of defense, i.e. username and password.
References
O’Dowd, E. (2019). Using Firewalls to Prevent Health Data Security Risks. Retrieved from https://hitinfrastructure.com/news/using-firewalls-to-prevent-health-data-security-risks
Safran, C., Bloomrosen, M., Hammond, W.E., Labkoff, S., Markel-Fox, S., Tang, P.C. & Datmer, D.E. (2007). Toward a National Framework for the Secondary Use of Health Data: An American Medical Informatics Association White Paper. J Am Med Inform Assoc., 14(1), 1-9.
Steeves, V. (2007). Data Protection and the Promotion of Health Research. Health Policy, 2(3), 26-38.
U.S. Department of Health and Human Services – HHS (2018). Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html