Executive Summary

Introduction and Overview

A networked health information-sharing environment has the potential to enable decision support anywhere at any time, improving public and individual health, and reducing cost. Consumers and patients can benefit directly when their personal information is available to health care providers, and indirectly when their information is available in the aggregate to researchers seeking new ways to prevent, manage, or cure health problems. At the same time, the potential benefits must be weighed against the risks of privacy and security violations, which may increase if not addressed at the outset.

The accompanying document begins from the premise that any new health network needs to take into account the potential for such violations, and to build privacy and information security into its architecture from the outset, not as an afterthought. The document provides background on the issues at stake, explains the current status of health privacy, considers new challenges and opportunities in an electronic environment, and offers some solutions for a comprehensive response to those challenges.

I. What is at Stake?

The paper begins by examining why privacy matters, both in an online and offline environment. It first considers privacy as a matter of individual liberty, autonomy, and even a fundamental human right. All these perspectives remain applicable in a health context, but in addition, breaches of confidentiality are harmful because they can lead to so-called “privacy protective behavior,” in which patients avoid seeking health care in order to protect their personal information. Such behavior has a toll on both individual health and, more generally, on public health. It suggests just one important reason why we need to build confidentiality and security into a networked environment.

II. Health Privacy: Definitions and Underlying Concepts

This section considers the concept of privacy, both as it applies to a general environment and more specifically to the medical context. It begins by considering the historical evolution of the term. In 1890, Samuel Warren and Louis Brandeis famously argued that privacy should be defined as “the right to be let alone.” Today, definitions tend more closely to resemble Alan Westin’s notion of “informational privacy,” which suggests that the concept should be understood as an individual’s right to control personal information.

Such a definition is particularly important in a global information age, and this section identifies two considerations that are repeatedly voiced regarding the handling of medical data. The first concerns the almost unlimited uses for medical information. Data gathered in a medical context and used for other purposes, it is argued, poses serious privacy risks. The second concern emphasizes the benefits that can be accrued through medical data. This section points to these tremendous benefits, and argues that, while confidentiality of information is essential, patients may miss out on some of the benefits if data controls in the name of confidentiality over-restrict the uses and dissemination of information. The solution is to find a balance between the potential harms and the potential benefits represented by medical data. That balance can be achieved through a careful deployment of appropriate technologies, combined with strong laws and other forms of confidentiality protection.

III. Health Privacy in a Digital Health Information Networked Environment: What is Different?

This section argues that existing notions of medical privacy are somewhat outdated in a networked health information exchange environment. It discusses six risks increased by such an environment, arguing that these risks require new and innovative solutions. While some of these risks exist in an offline world, they have become more pronounced, in large part due to the scale of data transactions and the relatively greater ease of collecting, linking, and disseminating information over a network, and to a reduced ability to “leave the past behind” and to shield sensitive information. Among the increased risks include:

1.     Commercial misuses of data, including the use of medical data to deny or restrict insurance coverage; restrict credit or other financial benefits; or in unsolicited marketing;

2.     Government misuses of data, including secondary use of personal health information by government agencies (for employment and other purposes) and the need to balance national security   with health privacy considerations;

3.     Criminal misuses of data, including fraudulent acts that result in financial or other harm;

4.     Security breaches, including hacking and other criminal activities that lead to “data leakage”;

5.     Data quality issues, including data corruption and loss; and

6.     Harmful social consequences, including stigma, exposure, and embarrassment.

IV. Defining a Comprehensive Privacy Architecture: Establishing Trust in the Network

This section defines some principles for responding to the above risks and protecting medical privacy in a networked environment. It begins by discussing existing privacy protection principles adopted in the United States, the Organisation for Economic Co-operation and Development (OECD), and Canada. It then argues for the following nine principles:

  1. Openness and Transparency
  2. Purpose Specification and Minimization
  3. Collection Limitation
  4. Use Limitation
  5. Individual Participation and Control
  6. Data Integrity and Quality
  7. Security Safeguards and Controls
  8. Accountability and Oversight
  9. Remedies

Together, these nine principles amount to a comprehensive privacy protective architecture that can—and should—be applied in a networked environment.

V. Current Laws and Guidelines and How They Integrate an Architectural Approach

This section includes a brief overview of existing privacy protection laws in the United States. It begins by discussing federal protections, and in particular protections built into the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It then discusses the patchwork of state laws, pointing out that these generally fall into three categories: constitutional protections, common law protections, and statutory protections. Finally, it discusses the emergence of, and potential difficulties and opportunities posed by, new community based health networks.

VI. Conclusion

The conclusion offers a summary of the preceding discussion. In particular, it revisits the nine principles and argues that they need to be considered together, as part of an integrated and comprehensive approach to medical privacy.