One of the great values of the EHR is the ability to exchange information. But how does one protect the privacy of information while ensuring the security of that data? Because EHRs and other clinical information systems are interconnected, security is only as good as the weakest link in the system.
The HIPAA Privacy Rule (.pdf) of August 14, 2002 and HIPAA Security Rule (.pdf) of February 20, 2003 describe in extensive detail the obligations of individuals and hospitals in the protection of the privacy and security of health information. For more information on the HIPAA statute and rules, click here. Sometimes privacy and security are used interchangeably; however, there are significant differences that should be understood.
What is the Difference between Privacy, Confidentiality, and Security?
According to Nigel Brown, Managing Consultant of the Security, Identity and Privacy Practice, IBM Global Technology Services, privacy can be defined in the following ways:
Historical Definition — Physical Privacy: “the right to be left alone”
Modern Context — Information Privacy: “the right to have knowledge and control over information about you”
Information Privacy — Identifiable Information about an individual, including the following:
- Factual information such as contact, health, financial, affiliations, etc.
- Biological information: biometrics, blood type, DNA
- Derived information: credit scores, etc.
- Opinions: performance evaluations, etc.
- Observations: shopping habits, etc.
Confidentiality is the process of ensuring that information is accessible only to authorized individuals.
Security is the ability to protect the confidentiality and integrity of information and computer resources.
Computer security can be summarized using the acronym CIA:
- Confidentiality: Allowing access only by authorized individuals.
- Integrity: Ensuring that information is not altered or tampered with by unauthorized individuals.
- Availability: Ensuring that information is available when needed.
A failure in either security or confidentiality can compromise privacy. However, privacy can also be compromised through the use or misuse of information by authorized individuals.
In order to safeguard personal information, a number of steps need to undertaken to protect the collection, use, modification, disclosure, retention, transfer, and disposal of personal health information. Consider the following in your practice:
- Physical security such as the use of locks and alarms to restrict access.
- Technical security such as the use of routers with firewalls, passwords, and encryption.
- Administrative controls such as the use of password update protocols, role-based access, effective staff training, and confidentiality agreements.
What can you do within your office to protect privacy? The following are a number of suggestions that apply to both paper-based and EHR-based practices:
- Position computers in administrative areas so that staff conversations cannot be overheard from public areas.
- Place computers, printers, and other devices in non-public areas and rooms that can be locked.
- Limit the display of personal information in areas where patients wait or walk to examination rooms.
- Establish policies that encourage discretion when discussing patient information, particularly if there is a possibility of being overheard by other patients, for example in check-in areas.
It is not possible in this brief overview to provide a comprehensive guide to privacy and security; however, think of these principles and guidelines in the context of your practice when situations arise.