Technology and HIPAA Privacy Regulations - Term Paper Example

? TECHNOLOGY AND HIPAA PRIVACY REGULATIONS: THE PROBLEM BECOMING THE SOLUTION. Department TABLE OF CONTENTS PAGE EXECUTIVE SUMMARY...............................................4 Introduction...........................................................4 History...................................................................7 Impact on Technology............................................7 Conclusion..............................................................11 GLOSSARY OF TERMS.....................................................12 APPENDIX 1.......................................................................13 APPENDIX 2........................................................................15 List of Figures 1. Health Information Security System Architecture. Executive Summary The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has been a great leap forward in protecting the patients' rights by putting restrictions on the health data flow and usage. The renewed sense of privacy and security in health care sector attributed to it by this new legislation had its unique impact on technology as well. A whole set of technological applications evolved making possible a new way of handling data. But the threats to privacy and security that emerged from the very use of this new technologies, has to be addressed by technology itself. In this manner, health care information architecture and technology are seen as co-evolving to provide quality and ethical health care to all. To cope with the re-identification risk, more technological improvements have to be looked at. Technology and HIPAA Privacy Regulations: The Problem Becoming the Solution Introduction The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Privacy and Security Rules under it, are meant to protect the many aspects of privacy and security of the health care services customer.1 The rules which protect privacy under this act are, the HIPAA Privacy Rule, that takes care of the privacy of the “individually identifiable health information”, the HIPAA Security Rule, that has delineated certain country-level standards for keeping secure “electronic protected health information”, and thirdly, the rules regarding the maintenance of confidentiality in accordance with the Patient Safety Rule.2 The HIPAA Privacy Rule is actually a sub-clause of the Administrative Simplification Subtitle, that comes under HIPAA.3 The Protected Health Information (PHI) of a patient are “patient's name, address, contact number and the information related to the medical record.”4 Similarly, the security regulations under HIPAA promise that patients have the right to know how their individually identifiable health information are stored and used, technologies like encryption are used while processing and transmitting such data, and patients are given the “cryptographic keys” to their such personal data, “data integrity” is maintained strictly.5 Below given is a health system security architecture that gives a general view of how it is maintained in many health system information processing systems: Figure.1: Health information security system architecture.6 As shown in the above figure, the corporate networks, data bases and the Internet together are handling the individually identifiable health data of each and every patient. As it is evident that each of these interfaces pose a potential threat to data skimming and eavesdropping, there is a need to foolproof technology and go on updating the process. History The whole discourse regarding privacy in health care sector started when the industry shifted to storing all patient data and transactions electronically so as to attain a considerable reduction on expenditure side.7 There have been a number of incidents in which computers that stored health data were either “stolen or misplaced.”8 The privacy rule has strict provisions to regulate how “personally identifiable health information” is used, and to whom it is disclosed, in the process of health data transactions as well as research.9 The HIPAA rules have made it mandatory that “individually identifiable health information” is disclosed only in the “context of treatment.”10 Also, the rules ensure that patients have full access to their medical records except in some very rare situations.11 For the rules, the Office of Civil Rights is the enforcement agency.12 Impact on Technology The major technologies that have happened in health care sector are “Electronic Patient Records (EPR) and the use of sensor networks for remote patient monitoring.”13 The need for storing and processing individually identifiable health data has resulted in the development of Integrated Digital Hospital (IDH) by Intel.14 This is a technology that helps to provide better health care services through “linking people, processes, and technologies.”15 This technology is a combination of “mobile point-of-care (MPOC) and other information technology.”16 Yet another technology development project is, The Information Technology for Assisted Living at Home (ITALH).17 This ongoing project is being carried out at University of California with an objective to enable monitoring of patients at home using “sensor networks”, that incorporate especially, “wearable sensors”.18 Another wearable sensor model being developed by Kansas State University is described as “Wide Area Body Networks (WABN) Infrastructure.”19 These are envisaged to be used for monitoring patients at home.20 All these new uses of information technology have been highly useful in improving patient care and better handling of patient data but also has given rise to a new set of privacy and security concerns.21 One recent development in the medical field has been the availability of genomic data and their entry into medical records.22 But it has been already pointed out that the existing privacy protection technologies are insufficient to ensure the desired level of privacy under the HIPAA rules.23 This applies to other categories of health data as well. The impact of HIPAA privacy rules on technology are manifold. One development has been that a demand for “privacy-enhancing techniques” is raised from various circles.24 While using any technology for the purpose of storing and processing health data, it become mandatory that “data security standards” are formulated and adhered to.25 For example, a need arose for all the computers and all the crucial data inside them to have some kind of “encryption”.26 Encrypting data at both “hardware” and “software” levels can ensure that there is no “eavesdropping and skimming” of data.27 TiniSec is one such encryption technology that has been used by “many medical sensor systems.”28 Another technological improvement that was brought about by the need for privacy and security of individually identifiable health data is “authentication algorithms developed such as passwords, digital signatures, and challenge-response authentication protocol.”29 A hybrid public key infrastructure (HPKI) solution has been proposed by Jiankun Hu, Hsiao-Hwa Chen and Ting-Wei Hou (2010) to technologically implement the privacy and security regulations under HIPAA.30 This is yet another technological evolution that has been made as a response to the privacy needs in health sector. This system includes, a registration mechanism by which , a smart card would be issued to the patient “which contains the patient's private-public key pair and other basic data.”31 It is also being suggested that for greater privacy and security, “a biometric authentication system” can be incorporated into this smart card.32 In the same manner, the medical personnel who handle this data will also be given a key pair through a similar process of registration.33 The future in this regard has been proposed to have better methodologies including separation of textual data and image data within a given Personal Health Information data set.34 When using cloud computing for data storage and transmission also, new challenges had emerged regarding privacy and security. As cloud computing is a shared data storage mechanism, and also because the data is stored in a remote location server, the danger of breeches are high.35 The system designers, in this context, have been asked to keep in mind the “privacy practices”, namely, keep as little personal information as possible in the cloud, ensure maximum security to whatever personal information is stored in the cloud, have provisions for maximum command ensured for the user, make it flexible enough for the user to have choices, set specific parametres for data use, and have provisions for feedback.36 Privacy Enhancing Technologies (PETs) have also been in use to enhance security in cloud computing.37 But it has been acknowledged that “more fluid design specifications” are needed to address the issue in totality. Conclusion The HIPAA privacy and security rules have been proved a catalyst for a whole series of technological improvements in data storing, processing and transmission. When in the future, more crucial health data related to areas like genome identification and stem cell technologies emerge, higher would be the need to fool proof those technologies. The impact of HIPAA privacy and security rules on technology will continue to endure. Glossary of Terms HIPAA: The Health Insurance Portability and Accountability Act is a legislation made in 1996 by the US Congress to protect the health insurance coverage of workers when they shifted jobs from one firm to another. This act has also provisions under it that ensure privacy and security of personally identifiable health data. EPR: Electronic Patient record – patient data stored in digital form and managed through electronic systems and networks. PHI: Protected Health Information – Data of patients that is personally identifiable. IDH: Integrated Digital Hospital- Interoperable, standards-based digital technology that provides complete solution to health data processing needs. MPOC: Mobile point-of-care- Integrated computing system that makes available immediate information at the point of care. ITALH: Information Technology for Assisted Living at Home- Computing network for monitoring patients at home. WABN: Wide Area Body Networks- Computing systems connected to wearable devices for monitoring patients in mobility. HPKI: Hybrid Public Key in Infrastructure- Network system that ensures maximum security in storing and processing personal data. PET: Privacy Enhancing Technology- Tools, applications and mechanisms that can be built into online networks to ensure privacy and security. Appendix 1 Bibliography Annas, George J., “HIPAA Regulations: A New Era of Medical-Record Privacy?”, The New England Journal of Medicine, 348.15. (2003): 1487. “Health Information Privacy”, US Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/ Hu, Jiankun, Hsiao-Hwa Chen and Ting-Wei Hou, “A Hybrid Public Key Infrastructure Solution (HPKI) for HIPAA Privacy/Security Regulations”, Computer Standards & Interfaces, 32. (2010): 274-280. Malin, Bradley A., “An Evaluation of the Current State of Genomic Data Privacy Protection Technology and a Road Map for the Future”, Journal of American Medical Information Association, 12. (2005): 28-34. Meingast, Marci, Tanya Roosta and Shankar Sastri, “Security and Privacy Issues With Health Care Information Technology”, (paper presented at the 28th Annual International Conference of the IEEE, New York, 30 August 2006- 3 September 2006). Nass, Sharyll J., Laura A. Levitt and Lawrence Ogalthorpe Gostin, Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, (Washington D.C.: National Academies Press, 2009), 56. Pearson, Siani, “Taking Account of Privacy When Designing Cloud Computing Services”, (paper presented at the ICSE Workshop on Software Engineering Challenges of Cloud Computing, Vancouver, 23 May, 2009). Rockel, Kathy, Stedman's Guide to the HIPAA Privacy Rule, (Philadelphia: Lippincott Williams & Wilkins, 2005), 3. Appendix 2 Web Site Resource Summary – URL, Site name, content summary, company or org. 1. US Department of Health and Human Services website http://www.hhs.gov/ocr/privacy/ Read More