
By Stephen Gantz

One of the primary obstacles to widespread adoption of electronic health records is agreeing on appropriate privacy protections for the personal information contained in medical records. Much of the current debate centers on what classes of data must be protected, how they should be protected, and under whose control. Special challenges exist where different stewards and users of health records (e.g., federal government agencies, health care providers, state public health agencies, private companies) are subject to different privacy and security rules and regulations. Organizations with relatively stringent privacy requirements are understandably reluctant to share data with others subject to less rigorous requirements. Generally speaking, government agencies are subject to more stringent privacy laws and constraints on the collection, use, and disclosure of personal health information than their counterparts in the private sector, although such significant variations exist in state-level regulations that some commercial entities may face very tight restrictions. The key point is that there is no well-defined baseline of privacy requirements for all health information exchange participants, and significant efforts will be required to arrive at a level of trust acceptable to health data owners in order for them to agree to disclose information to authorized requesting entities.

The fundamental challenge is how to establish a framework of trust among all the entities participating in health information exchange, so that the existing technical means of information sharing will actually be adopted and put into practice. This challenge was made even more pressing by the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act within the American Recovery and Reinvestment Act of 2009, signed on February 17. This legislation includes measures intended to strengthen federal privacy and security laws protecting individually identifiable health information from unauthorized disclosure and misuse. One implication is to expand the coverage of the requirements of the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) to hold all “business associates” of covered entities to the same requirements as the “covered entities” defined in the original HIPAA legislation (i.e., health plans, health care providers, and health care clearinghouses). There is additional language in the law to consider certain non-covered entities as business associates, and therefore to extend privacy and security requirements to health information exchange participants such as Regional Health Information Organizations (RHIOs) that provide data transmission to covered entities.

These steps go a long way toward leveling the privacy playing field in terms of information use and disclosure and in requiring explicit consent from individuals before using their health information for any purpose outside a clearly defined set of permitted uses. However, there are still significant potential players in health information exchange that remain non-covered entities, most notably including vendors of personal health records like Google Health and Microsoft Health Vault. These are data aggregation applications that depend on pulling personal health information from records maintained by insurance plans, health providers, labs, and other covered entities, so resolving the disparity in required privacy and security protections is necessary to establish sufficient trust to allow personal health record systems to function as intended. Personal health records are often promoted as the best mechanism for allowing individuals to control their own health information, including providing or revoking consent to disclose their information for specific purposes. To make this vision feasible, it is essential that personal health record systems are able to retrieve individually identifiable health information from a broad range of covered and non-covered entities. Since not all of these health information exchange participants are bound by the same rules, additional measures are needed.

As privacy practitioners are well aware, HIPAA is not the only legislative source of privacy protections for health information, so even if HIPAA coverage were broadened to apply to a wider range of health information exchange participants, there are other differences to be addressed, especially when comparing federal government agencies to commercial sector entities. U.S. federal agencies are subject to a variety of general and health-specific privacy and security regulations, most of which have no corresponding equivalent in the commercial sector. Many of these regulations have similarly worded privacy protections but differ in scope or applicability to certain types of data:

  • The E-Government Act of 2002 (includes the Federal Information Security Management Act as Title III, and also requires that privacy impact assessments be performed before creating new data collections containing personally identifiable information and that privacy policies be posted on agency Web sites)
  • The Privacy Act of 1974 (established requirements for collection, use, and disclosure of personally identifiable information by U.S. federal agencies; applies only to U.S. citizens and permanent resident aliens)
  • Title 38 of the United States Code (applies only to U.S. veterans; specific sections address privacy of veterans’ claims and confidentiality of veterans’ medical records)
  • Title 42 of the United States Code (specific privacy protections enumerated for medical records related to particular types of treatment, such as mental health and substance abuse).

Another significant point of disagreement between government and non-government entities is data disclosure, both authorized and unauthorized. All federal agencies are required to report actual and potential breaches of personally identifiable information to the U.S. Computer Emergency Response Team (US-CERT) within one hour of discovery. While the majority of states have personal data breach disclosure laws on the books, the HITECH Act established a federal data breach disclosure requirement for health information unless it is encrypted or otherwise rendered unusable. This requirement applies to all covered entities and business associates, but the timeline for notification is as long as 60 days from when the breach occurs. When authorized data disclosures occur, federal agencies are further required to verify that sensitive data extracted for information systems are erased within 90 days unless its use is still required. This requirement minimizes the long-term storage of personally identifiable information by authorized requesters, and also means that for each new use of data stored in a government database, a new request must be submitted. Private-sector entities receiving this type of data from the government are not bound by these requirements, increasing the threat of secondary data disclosure and reducing the willingness of federal agencies to share this data at all.

How then to establish the basis of mutual trust needed to enable health information exchange, and what requirements should be included? There are three general approaches to this problem: individually negotiated data sharing agreements between each pair of information exchange partners (sender and receiver); a single master trust agreement to which all participants become a party; or a combination of these two, with a master agreement setting the minimum level of trust and purpose-specific extensions or augmentations of the master agreement where needed. To reduce administrative complexity, a multi-party master trust agreement can be an attractive option—the Data Use and Reciprocal Sharing Agreement being negotiated for the Nationwide Health Information Network (NHIN) is one example of a master trust agreement. Unless and until some greater harmonization of privacy policies and requirements is reached—between public and private sector, HIPAA covered and non-covered, state and federal, and even health and non-health data—it is likely that specialized trust agreements will continue to be used between pairs of health information exchanging organizations.

Complicating this issue is the fact that the primary means of enforcement for privacy requirements is manual auditing for compliance in accordance with legal constructs or contractual agreements. The lack of automated technical means of enforcing or monitoring compliance with privacy rules means that enforcement of any new health IT privacy standards must rely on non-technical means. Driven in part by past experience with HIPAA enforcement, the HITECH Act both increases the tiered civil and criminal penalties for violations of the privacy rules, and now requires the imposition of penalties and a formal investigation in cases of willful neglect, and also confers on state attorneys general the right to bring civil action on behalf of residents adversely affected by violations of the law.

The biggest obstacle to more effective enforcement of privacy regulations is the lack of automated monitoring and auditing methods to augment voluntary compliance and manual auditing efforts. An alternate technical approach could include tagging data with privacy requirement information and using policy evaluation and enforcement tools to validate that the provision and use of that data complies with the requirements. This idea is analogous to digital rights management measures used to limit copying and redistribution of audio and video files. One key distinction is that digital media frequently use proprietary file formats, while most information exchange and interoperability formats promoted for health information exchange rely on open data standards and protocols. The Web Services Security standards developed through the Organization for the Advancement of Structured Information Standards (OASIS) include some work on electronic representation of privacy policies (WS-Policy and WS-Privacy), but attaching the corresponding privacy requirements to data to provide the technical means of privacy compliance and enforcement remains an undeveloped opportunity. In the current environment, establishing trust among health information exchange participants remains a process of negotiation, contractual agreements, and manual legal enforcement.
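The following sketch, added here as an illustration and not part of the original article or any product mentioned in it, shows what "tagging data with privacy requirement information" and evaluating each use against the tag can look like in code. It assumes a constructed policy vocabulary (permitted uses, consent-only uses, a covered-entity restriction, and a retention window modelled on the 90-day extract-erasure rule described above); the record, requester names and tag values are constructed sample data, not real policy terms from any standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class PrivacyTag:
    """Privacy requirements carried with a record (constructed vocabulary)."""
    permitted_uses: FrozenSet[str]    # uses allowed without individual consent
    consent_uses: FrozenSet[str]      # uses allowed only with explicit consent
    covered_entity_only: bool         # restrict to HIPAA covered entities/business associates
    retention_days: Optional[int]     # days an extract may be kept; None = no limit


@dataclass(frozen=True)
class TaggedRecord:
    record_id: str
    payload: str                      # the health data itself (opaque here)
    tag: PrivacyTag                   # the policy travels with the data


@dataclass(frozen=True)
class Requester:
    name: str
    covered_entity: bool              # HIPAA covered entity or business associate?


@dataclass(frozen=True)
class AccessRequest:
    requester: Requester
    purpose: str
    patient_consent: bool             # has the individual consented to this use?


def evaluate_access(record: TaggedRecord, request: AccessRequest) -> Tuple[bool, List[str]]:
    """Policy decision: (allowed, violated requirements) for one use of one record."""
    tag = record.tag
    violations: List[str] = []
    if request.purpose in tag.permitted_uses:
        pass                                      # permitted use, no consent needed
    elif request.purpose in tag.consent_uses:
        if not request.patient_consent:
            violations.append(f"'{request.purpose}' requires explicit patient consent")
    else:
        violations.append(f"'{request.purpose}' is not a permitted use")
    if tag.covered_entity_only and not request.requester.covered_entity:
        violations.append(f"'{request.requester.name}' is not a covered entity")
    return (not violations, violations)


def retention_expired(record: TaggedRecord, extracted_on: date, today: date) -> bool:
    """True once an extract has outlived the tag's retention window."""
    days = record.tag.retention_days
    if days is None:
        return False
    return today > extracted_on + timedelta(days=days)


# Constructed sample: a federally held record, tagged with constraints of the kind the
# article describes (limited permitted uses, consent otherwise, 90-day extract erasure).
FEDERAL_RECORD = TaggedRecord(
    record_id="rec-0001",
    payload="<clinical summary, constructed>",
    tag=PrivacyTag(
        permitted_uses=frozenset({"treatment", "payment"}),
        consent_uses=frozenset({"research"}),
        covered_entity_only=True,
        retention_days=90,
    ),
)
CLINIC = Requester("county-clinic", covered_entity=True)        # constructed
PHR_VENDOR = Requester("phr-vendor", covered_entity=False)      # constructed


if __name__ == "__main__":
    for req in (
        AccessRequest(CLINIC, "treatment", patient_consent=False),
        AccessRequest(CLINIC, "research", patient_consent=False),
        AccessRequest(PHR_VENDOR, "treatment", patient_consent=True),
    ):
        allowed, why = evaluate_access(FEDERAL_RECORD, req)
        print(req.requester.name, req.purpose, "ALLOW" if allowed else "DENY", why)
    print("extract expired:", retention_expired(FEDERAL_RECORD, date(2009, 1, 1), date(2009, 4, 2)))
```

The decision function returns every violated requirement rather than stopping at the first, which is what an audit log needs; the retention check is the piece a receiving system would run periodically against its own extracts. Everything that makes this enforceable across organizations, an agreed vocabulary for the tag and a format that survives transport with the data, is exactly the gap the article identifies.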

Stephen Gantz, CISSP-ISSAP, CEH, CIPP/G, is director of security and privacy for the Health Solutions division of Vangent, Inc. He can be reached at stephen.gantz@vangent.com or through his Web site, www.securityarchitecture.com.
