Journal of Engineering and Public Policy
(Vol. 9, August 2002)

Privacy and Security Issues of a National Health Information Network

By Patrick Stokes


Executive Summary

On April 27, 2004, President Bush called for a system of interoperable electronic health records (EHRs) covering most Americans within ten years and called for the creation of the Office of the National Coordinator (ONC) for Health Information Technology (HIT) to lead in the establishment and implementation of a National Health Information Network (NHIN). The adoption of HIT towards the development of a NHIN of interoperable EHRs can lower health care costs, reduce the number of medical errors, and improve the quality of health care. A NHIN will also allow for public health benefits including improved disease control for acts of bioterrorism and disease outbreak; greater medical research capabilities with large-scale studies and patient outcome tracking; and an improved health care system due to determination and implementation of medical best practices.

Unfortunately, the adoption of information technology (IT) in the health care system lags behind other industries because of financial and technical obstacles. The adoption of HIT requires substantial investment. A single EHR can cost between $16,000 and $36,000. But while the benefits of HIT are great, they mostly affect the patient and the public. Furthermore, even if a health care provider is inclined to adopt HIT to provide better care, there are no standards for technology, making information exchange and interoperability difficult and preventing the widespread adoption of HIT for a NHIN.

To drive the adoption of HIT and establish a NHIN, the public must be aware of the benefits of HIT and support its adoption. To build public support of and encourage participation in a NHIN, the privacy and security of personal health information must be established and demonstrated. Many federal laws address the discriminatory uses of personal health information. Currently the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the broadest legislation addressing privacy and security of personal health information. However, the HIPAA Privacy and Security Rules do not address specific privacy and security issues of a NHIN.

The Federal Government has over 20 years of experience in the development and maintenance of a health information network focused on privacy and security of personal health information through its work with the Veterans Health Administration and establishment of the Consolidated Health Informatics (CHI) Initiative. Due to the significant cost of implementation and maintenance and the need for nationwide technical standards, the Federal Government is in the unique position to fund and oversee the development of a NHIN.

Overall, this report concludes that due to the significant public interest in the implementation of a NHIN, the slow adoption of IT in the health care system, and the need for public confidence in the confidentiality of personal health information, the Federal Government should take the responsibility to direct the adoption of HIT towards the establishment of a NHIN with a structure and technical standards focused on privacy and security.

Issues/Recommendations

Issue 1: Current legislation does not address ownership and control of personal health information as it relates to the collection and disclosure of information by non-covered entities, whether participation in a NHIN is voluntary or compulsory, and whether there will be individual privacy limitations set by patients.

Recommendations:

  • To prevent collection and disclosure of personal health information by non-covered entities and to demonstrate patient control of personal health information, Congress should enact legislation to establish patient ownership of health information.

  • To prevent public perception of unauthorized disclosure of personal health information, HHS should establish the NHIN as an opt-in system.

  • To give patients additional control of personal health information, HHS should establish that participation in a NHIN will allow individual privacy settings for patients to choose to disallow certain groups or individuals from accessing their information.

Issue 2: It is not currently established who will have access to what information and what the limits of that access are.

Recommendations:

  • HHS should adopt an interoperable EHR standard that incorporates role-based user access with a minimum data set, such as the Health Level 7 (HL7) EHR standard that incorporates the Continuity of Care Record (CCR) standard for a minimum data set.

  • HHS should establish additional access and disclosure limits for instances when consent cannot be obtained or is not required, such as how long the user will have access, how the necessity of the privacy invasion is authenticated, and other similar issues.

  • HHS should require automatic patient notification of user access of PHI.

Issue 3: Interoperability requires reliable identification of patients for matching records, but identification poses additional confidentiality risks.

Recommendations:

  • HHS should adopt a voluntary healthcare identifier program.

  • Data should be de-identified to allow use of information to support government public health surveillance, quality control efforts, and statistical research without violating confidentiality.

Issue 4: Nationwide standards for technical implementation of security are absent, making interoperability difficult. However, constantly evolving technology could leave technical standards out of date, and currently, evaluation of privacy and security compliance is left to the health care provider or plan.

Recommendations:

  • CHI should continue to investigate standards for all aspects of storage and transmission of EPHI.

  • HHS-adopted technical security requirements should be reviewed and updated periodically by CHI.

  • Congress should give authority to HHS to oversee and evaluate compliance with privacy and security standards.

Issue 5: Additional privacy and security measures may have unintended consequences.

Recommendation:

  • HHS should document the costs, benefits, and impacts of implementing a NHIN with the above recommendations.

     


Copyright ©, 2005, Washington Internships for Students of Engineering.  Students
retain rights to their individual papers unless otherwise indicated.