November 6, 2009

Informatics for Consumer Health: Privacy, Security and Confidentiality

Informatics for Consumer Health: Summit for Communication, Collaboration, and Quality

As the internet and electronic data collection provide easier access to and dissemination of health information, and as more health information becomes available in electronic form, the need to protect consumer privacy, security and confidentiality remains, but the methods and policies for meeting those needs must change and evolve in order to realize the full benefit.

The goal of this panel is to provide an open discussion of the challenges and opportunities of the new electronic health care environment as it relates to Privacy, Security and Confidentiality for consumer health and the current activities aimed at addressing these issues.

For purposes of this panel discussion only, we are adopting the definition of privacy crafted from the ONC framework (issued December 2008) and the definition of security, which includes confidentiality, integrity and availability, codified in Federal Information Processing Standard 199 and the Federal Information Security Management Act (federal law passed in 2002). We acknowledge that how these terms are defined in a policy context is somewhat controversial. Consequently, we are relying on these definitions to level-set the discussion we are having today.

These definitions are:

Privacy – an individual’s interest in protecting his or her individually identifiable health information and the corresponding obligation of those persons and entities accessing, using, or disclosing that information to respect those interests through fair information practices.

Security – protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:

  • Integrity – guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
  • Confidentiality – preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
  • Availability – ensuring timely and reliable access to and use of information.

 

Presenters, sector represented and area of focus

  • David Fenstermacher, Ph.D., Chair and Executive Director, Department of Biomedical Informatics, H. Lee Moffitt Cancer Center and Research Institute

    The Healthcare sector panel topic will focus on the collection and dissemination of electronic health information throughout a person’s lifetime including prevention and surveillance, disease management and survivorship.  Challenges discussed will include applications of personalized medicine, comparative effectiveness research, patient portals and data representation within the context of policies and technologies that form the framework of an informatics-based healthcare network.

 

  • Susannah Fox, Associate Director, Pew Internet & American Life Project

    Research sector:  The internet has become a primary source of health information in the U.S., a trend that is accelerating as broadband and wireless access increases.  Consumers go online to gather, share, and create health resources on topics such as treatment options, hospital/doctor ratings, and symptom tracking.  Social media is simply the current expression of patient activation and engagement.  But this time patients and caregivers are part of a larger cultural change that assumes access to information, enables communication among disparate groups, and expects progress.  Attitudes and actions related to privacy, security, and confidentiality are constantly being negotiated as consumers adapt to the new opportunities available to them.

  • Deven McGraw, J.D., L.L.M., M.P.H., Director, Health Privacy Project, Center for Democracy and Technology

    Wellness/Advocacy sector:  Assuring appropriate privacy, confidentiality, and security protections is critical to building public trust in electronic health tools that can help consumers take greater control over their own health care.  Today, the law provides protections only when those tools are offered by entities in the traditional health care system – consumers using Internet-based tools are less likely to be protected.  We need a comprehensive privacy, confidentiality and security framework that provides a baseline of protections regardless of the status of the entity offering the tool – but it is also likely that the “rules” surrounding use will have to vary somewhat based on whether the consumer’s use of the tool is voluntary or not (with voluntary uses relying more on consent).

  • Jodi Daniel, J.D., M.P.H., Director of the Office of Policy and Research, Office of the National Coordinator (ONC)

    Government sector:  As we promote adoption of health information technology and electronic health information exchange, there are growing opportunities for consumer engagement in their health and health care.  To maximize consumer use of health information, it is important to assure they have appropriate and timely access to such information and that this information is protected.  This shift requires new policy thinking to maximize access and protections, including providing consumers with information to enhance their understanding of uses and protections of their information.  HHS, and particularly ONC, is focused on consumer access, protections, and transparency, and this discussion will focus on the efforts underway to address them.

  • Matt Scholl, Health IT Security Program Manager, Security Management and Assurance Group, Computer Security Division, National Institute of Standards and Technology (NIST)

    Government sector:  The changing electronic media and technologies for storing, exchanging and aggregating information require security that continues to meet consumers’ expectations, especially now as these changes introduce new sets of risks to our health information.  We will discuss these new technologies, how they are used now, what technologies are anticipated in the future, and what security mechanisms can be used to ensure the security of both the information and the systems on which it depends.

  • Lisa Gallagher, Senior Director of Privacy & Security, Healthcare Information and Management Systems Security

    IT sector:  Health data protection is a complex endeavor for most health care organizations.  The statutory and regulatory landscape for most organizations often goes well beyond HIPAA and ARRA to include many other laws, regulations and standards.  In addition, business requirements have increased the need for more stringent data protection approaches, requiring healthcare security and IT professionals to communicate to their organization’s management about their security program in terms consistent with the organization’s business requirements and strategic goals.  The discussion will cover the challenges faced by healthcare organizations today, and present some data on where they feel their organizations are with respect to security implementation.