CSE 5810
Expectations of Health Privacy and How It's Protected in Electronic Systems
Michael Fagan
Fagan-1

Introduction: Problems

Why do we need medical privacy?
- Ethics: the right thing to do?
- Disclosure to doctors: encourage more information sharing
- Protection of at-risk patients and groups (STD/HIV test results, mental health records)

How do computers affect information security, particularly in medicine? Are patients more or less at risk? Since we know digitization is the future...

EHR Adoption by Office-Based Physicians

Since we know digitization is the future?
[Chart: EHR adoption among office-based physicians, 2001-2013; 78% in 2013]
Based on: Hsiao C-J, Hing E. Use and characteristics of electronic health record systems among office-based physician practices: United States, 2001-2013. NCHS data brief, no 143. Hyattsville, MD: National Center for Health Statistics. 2014.

But what about patients? Research questions:
i. How is their privacy protected?
ii. How much protection do they want?

In this talk...
1) Introduction
2) Historical Foundations
   a) Privacy before the modern age
   b) Legal protections of privacy
3) Computers and Privacy
4) Privacy Protections in EHRs
5) What Users Want

Historical Foundations: Before the Modern Age
- Pre-industrialization's implicit privacy: distance and memory limited how much information could be collected
- The Hippocratic Oath (for physicians): "Whatever, in the course of my practice, I may see or hear (even when not invited), whatever I may happen to obtain knowledge of, if it be not proper to repeat it, I will keep sacred and secret within my own breast."
- In 1900, 85% of healthcare came from physicians
- Privacy generally protected, but times change...

Number of US Workers in Healthcare
[Chart: number of US healthcare workers, 1999-2013]
Based on: Bureau of Labor Statistics. Occupation Employment Statistics. 1999-2013.

Historical Foundations: Changes
Besides more healthcare being offered by more workers, other challenges to privacy have grown...
- New technology
  - Imaging (Warren and Brandeis 1890) [images: then vs. now]
  - Data storage/access (Westin, 1970s-now) [images: then (1980s) vs. now]
- Easier access to people
  - People have more day-to-day contact than before, including more contact with doctors/health workers
- Bigger players, more incentives to push privacy limits
  - Governments: security/control
  - Businesses: advertising/tracking

Historical Foundations: Legal Protections
- Griswold v. Connecticut (1965): establishment of personal privacy [images: symbol for NY's branch of the Comstock Movement; Estelle Griswold in 1963]
- Privacy Act of 1974: regulates government collection and use of data
- Health Insurance Portability and Accountability Act (HIPAA): "Privacy Rule" went into effect in 2003; effectiveness questioned

Legislation timeline:
- December 31, 1974: Privacy Act of 1974 is enacted.
- December 31, 1989: The Computer Matching and Privacy Protection Act of 1988 amendments to the Privacy Act of 1974 go into effect, updating it for some emerging technologies. The passage of this act highlights the changing nature of privacy rights as technology changes.
- August 21, 1996: Health Insurance Portability and Accountability Act of 1996 (HIPAA) is enacted.
- April 14, 2003: Enforcement of the "Privacy Rule" of HIPAA goes into effect.
- February 17, 2009: The Health Information Technology for Economic and Clinical Health Act is enacted under Title XIII of the American Recovery and Reinvestment Act of 2009. This act, still in effect, promotes the expansion of HIT systems and contains privacy provisions.
- May 19, 2015: 21st Century Cures Act is presented to Congress. Provisions of the bill, according to some, would weaken HIPAA privacy protections for research.

Computers and Privacy
- Many worried about data digitization from the start: Westin; Hiller and Beyda (1981)
- HIPAA is a response, but not complete: re-identification risks; Big Data
- Are properly implemented EHRs the answer?
  - Users can have more control
  - Standards help keep privacy even when sharing
- EHRs are the focus of many digitization efforts
- Recall... EHRs have been rapidly adopted: 78% in 2013 (Hsiao and Hing 2014, cited above)

Computers and Privacy: So far we know...
1. Many moral/legal motivations to protect privacy
   1. That have been tailored for the times
2. EHRs are being adopted quickly
   1. With no signs of slowing
3. EHRs, if used right, can help make data more available while maintaining or increasing privacy
   1. Though there are some risks to data digitization
BUT, do EHRs currently protect privacy and if so, how?
AND, what are patients' perceptions; more specifically, are their expectations being met?

Privacy Protections in EHRs
- Focus on standards: HIPAA; EU Data Protection Directive 96/46/EC; NIST/ISO
- Encryption and access control
  - Rules may need to be violated
  - Lack of a broad, standard solution
- Fringe risks are only sometimes addressed, but can impact privacy significantly
  - Examples: system user training, auditing
- A balance of usefulness with privacy...

What Users Want
- Trust of EHRs is related to trust of organizations: users don't like sharing with places they distrust
- Users want control of EHR data...
  - Want to know who is/can access some of the data
  - ...but don't have, or don't know how to use, that control
- Privacy concerns with EHRs can hurt disclosure: this has a ripple effect on medicine
Users want control, but do not feel they currently have it, which encourages them to withhold valuable information!

Conclusion
Current standards are a start, but more to be done:
1. Organizations need to be trustworthy
   A. The wrong record holder or accessing party can ruin the trust of the entire system for some
2. More education is needed
   A. How to use: for users in healthcare and beyond
   B. How it works: for patients, to help towards trust
3. Better systems/standards are needed
   A. But...
Implementing/designing new standards/systems is hard:
1. Many stakeholders
2. Many needs
3. Many wants
- 11.8 million US healthcare workers in 2014
- 17.1% of US GDP (~$3 trillion) spent on healthcare in 2014
- 83.2% of US adults had contact with a healthcare professional in 2013

Key References
- Annas, George J. "HIPAA regulations: a new era of medical-record privacy?" New England Journal of Medicine 348.15 (2003): 1486-1490.
- Roraback, Catherine G. "Griswold v. Connecticut: A Brief Case History." Ohio NUL Rev. 16 (1989): 395.
- US Department of Justice (USDOJ), Office of Privacy and Civil Liberties. Overview of the Privacy Act of 1974. 2015.
- Warren, Samuel D., and Louis D. Brandeis. "The right to privacy." Harvard Law Review (1890): 193-220.
- Westin, Alan F. "Science, privacy, and freedom: Issues and proposals for the 1970's. Part I: The current impact of surveillance on privacy." Columbia Law Review (1966): 1003-1050.
- Hiller, Marc D., and Vivian Beyda. "Computers, medical records, and the right to privacy." Journal of Health Politics, Policy and Law 6.3 (1981): 463-487.
- Fernández-Alemán, José Luis, et al. "Security and privacy in electronic health records: A systematic literature review." Journal of Biomedical Informatics 46.3 (2013): 541-562.
- Kupwade Patil, Harsh, and Ravi Seshadri. "Big data security and privacy issues in healthcare." Big Data (BigData Congress), 2014 IEEE International Congress on. IEEE, 2014.
- Ray, Pradeep, and Jaminda Wimalasiri. "The need for technical solutions for maintaining the privacy of EHR." Engineering in Medicine and Biology Society, 2006. EMBS'06. 28th Annual International Conference of the IEEE. IEEE, 2006.
- Campos-Castillo, Celeste, and Denise L. Anthony. "The double-edged sword of electronic health records: implications for patient disclosure." Journal of the American Medical Informatics Association 22.e1 (2015): e130-e140.
- Dinev, Tamara, et al. "Individuals' Attitudes Towards Electronic Health Records: A Privacy Calculus Perspective." Advances in Healthcare Informatics and Analytics. Springer International Publishing, 2016. 19-50.
- Eikey, Elizabeth V., et al. "Designing for privacy management in hospitals: Understanding the gap between user activities and IT staff's understandings." International Journal of Medical Informatics 84.12 (2015): 1065-1075.
- Papoutsi, Chrysanthi, et al. "Patient and public views about the security and privacy of Electronic Health Records (EHRs) in the UK: results from a mixed methods study." BMC Medical Informatics and Decision Making 15.1 (2015): 1.

Questions

Other References
- Rothstein, Mark A. "The End of the HIPAA Privacy Rule?" Journal of Law, Medicine and Ethics 44.2 (2016).
- US Privacy Protection Study Commission. Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission. 1977.
- Wilson, Jennifer Fisher. "Health Insurance Portability and Accountability Act privacy rule causes ongoing concerns among clinicians and researchers." Annals of Internal Medicine 145.4 (2006): 313-316.
- Benitez, Kathleen, and Bradley Malin. "Evaluating re-identification risks with respect to the HIPAA privacy rule." Journal of the American Medical Informatics Association 17.2 (2010): 169-177.
- Boyer, Barry B. "Computerized medical records and the right to privacy: the emerging federal response." Buff. L. Rev. 25 (1975): 37.
- Kahn, Stasia, and Vikram Sheshadri. "Medical record privacy and security in a digital environment." IT Professional 10.2 (2008): 46-52.
- Sokolova, Marina, and Stan Matwin. "Personal Privacy Protection in Time of Big Data." Challenges in Computational Statistics and Data Mining. Springer International Publishing, 2016. 365-380.
- Acharya, Subrata, et al. "Secure electronic health record exchange: achieving the meaningful use objectives." System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013.
- Rezaeibagha, Fatemeh, Khin Than Win, and Willy Susilo. "A systematic literature review on security and privacy of electronic health record systems: technical perspectives." Health Information Management Journal 44.3 (2015): 23.
- Rodrigues, Joel JPC, et al. "Analysis of the security and privacy requirements of cloud-based electronic health records systems." Journal of Medical Internet Research 15.8 (2013): e186.
- Theoharidou, Marianthi, Nikos Tsalis, and Dimitris Gritzalis. "Smart home solutions for healthcare: privacy in ubiquitous computing infrastructures." Handbook of Smart Homes, Health Care and Well-Being (2014).
- Caine, Kelly, et al. "Designing a patient-centered user interface for access decisions about EHR data: Implications from patient interviews." Journal of General Internal Medicine 30.1 (2015): 7-16.
- Kim, George R., Krysia Warren Hudson, and Colette Ann Miller. "The Evolution of EHR-S Functionality for Care and Coordination." Healthcare Information Management Systems. Springer International Publishing, 2016. 73-99.
- (Maybe) Li, He, et al. "Examining Individuals' Adoption of Healthcare Wearable Devices: An Empirical Study from Privacy Calculus Perspective." International Journal of Medical Informatics (2016).
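Added example for the "Privacy Protections in EHRs" and "What Users Want" slides (this is not code from the talk or from any real EHR product): a toy access-control layer that logs every read attempt, permits an audited "break-the-glass" override for the case where rules may need to be violated, and gives patients the who-accessed-my-record view they say they want. All roles, record sections, users and the policy itself are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which roles may read which record sections under normal rules.
POLICY = {
    "treating_physician": {"demographics", "medications", "mental_health", "hiv_results"},
    "billing_clerk": {"demographics"},
    "researcher": set(),  # identifiable data is never readable directly under this policy
}
# Roles allowed to invoke the audited emergency override (constructed).
BREAK_GLASS_ROLES = {"treating_physician", "er_nurse"}

@dataclass
class AuditEntry:
    when: str
    actor: str
    role: str
    patient_id: str
    section: str
    allowed: bool
    override: bool
    reason: str

@dataclass
class EHR:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def read(self, actor, role, patient_id, section, break_glass_reason=None):
        """Return the section or None; every attempt is logged, allowed or not."""
        permitted = section in POLICY.get(role, set())
        override = False
        if not permitted and break_glass_reason and role in BREAK_GLASS_ROLES:
            # The "rules may need to be violated" case: grant access, but flag it for review
            permitted, override = True, True
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), actor, role, patient_id,
            section, permitted, override, break_glass_reason or ""))
        if not permitted:
            return None
        return self.records.get(patient_id, {}).get(section)

    def access_history(self, patient_id):
        """Patient-facing view: who accessed (or tried to access) my record."""
        return [e for e in self.audit_log if e.patient_id == patient_id]

    def pending_reviews(self):
        """Privacy-officer view: every break-glass use that needs after-the-fact review."""
        return [e for e in self.audit_log if e.override]
```

Denied attempts are logged alongside granted ones, so the patient view shows the billing clerk who tried to open a mental health note, not only the clinician who succeeded.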