Introduction
Most citizens will end up being a patient at some point in their lives, so we may use the terms patient privacy and consumer health privacy interchangeably for purposes of our Wiki presentation. In general, patients have no idea that their personal and protected health information (PHI) is SO widely shared amongst a lot of different places in our health care system. The American Health Information Management Assn (AHIMA) created a diagram that depicts a high-level overview of this sharing. The real challenge for consumers is to figure out how to balance their need for privacy with the benefits of sharing health data that could be used to care for them, especially in the case of a life-threatening emergency. Believe it or not, there are consumers who would rather die than reveal personal secrets! How do we respect those views when our own value systems are in conflict? And how do we, as informatics nurse specialists, help educate consumers and coach/support them in finding their own levels of comfort in that benefit/privacy balancing process?
The North Carolina Health Information and Communications Alliance (NCHICA) has a Consumer Advisory Council for Health Information Technology (CACHIT) that Dr. G helped launch in 2006 and currently co-chairs. The goal of this group is to help educate consumers and help find a balance between patients' need for privacy and the benefits that HIT and sharing patient data can provide. It has been surprisingly difficult to get consumers actively involved and engaged in this effort! Many people feel powerless, helpless, and hopeless about having any control over, or input into, their health records. HIPAA was supposed to have protected and improved things, but the enormous push-back and lobbying by AMA, AHA, and the big insurors gutted the original language and now renders the regulations expensive and mostly worthless. There has been no punishment for HIPAA offenders, even though thousands of cases have been reported to the Dept of Justice (DOJ) who was tasked with prosecuting offenders. Examples that sometimes appear in the media are usually individuals who deliberately abused patient privacy and are being prosecuted through state laws, which can be more stringent than HIPAA. The message this sends to our contemporary health care system is that HIPAA is not being enforced, there are no real penalties for violation, and compliance doesn't matter. Clearly the problem of patient privacy still lurks... So we see ongoing and continued efforts at additional legislation to address this issue. But the lobbyists are powerful and politicians dance to many different drummers, and the problem is enormously complex... Patient Privacy Rights (organization founded by Deb Peel, a psychiatrist from Austin, TX) provides a brief description and links for additional info that describe all the major consumer health surveys conducted to better understand US consumers' views of health privacy. A high-level summary of these finds that a majority of those polled believe electronic records and data sharing could benefit their health but they simultaneously remain concerned about their privacy and skeptical about electronic health data sharing. A small few take extreme measures, such as providing a false name or SSN, paying for private care out-of-pocket to avoid the billing disclosures, or (even worse) refusing to seek care altogether. Consumer health privacy polls: http://www.patientprivacyrights.org/site/PageServer?pagename=Polls
and a March 2008 poll in California http://www.chcf.org/topics/view.cfm?itemID=133592
Ethical Principles
At
the root of patient privacy issues are ethical principles of autonomy
(self-determination), informed consent, and non-maleficence (do no
harm). Historically, health care honored these principles, but in
today's commercialized system these principles have been violated on a
grand scheme and patient trust has been eroded. One of our roles
as informatics nurse specialists is to hold these principles in the
forefront of our awareness and practice, role model them for others,
advocate for patients (according also to ANA ethics standards), and to
educate health care providers as well as patients on the importance of
ethical principles in protecting patient privacy and
building/maintaining patient trust. The link below gives an
example of why patient trust is eroding, and one (of thousands) of
examples where the offenders have gone unpunished. The
culture change in health care will be infinitely more difficult than
the technology ones! Ethical principles cannot be built into a
computer... (at least not yet!)
http://www.pittsburghlive.com/x/pittsburghtrib/news/cityregion/s_502469.html
Fairly Credible Consumer Web Resources for Health Privacy (note many other sources are posted by fanatics that are not so credible!)
http://www.healthprivacy.org This site and organization was originally founded by well-known Janlori Goldman who was at Georgetown. Finding out where she went and what happened have not been productive, but rumor has it that she became quite fed up with the lack of patient privacy progress, and the lack of collective will within the federal government, so she is now at Columbia University and working behind the scenes on patient privacy issues.
http://www.patientprivacyrights.org This site and organization are the work of Deb Peel (a psychiatrist) from Austin, TX who has become probably the strongest patient privacy advocate in this country.
http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm This CDC site is a fairly sophisticated reading level but nicely summarizes HIPAA and also explains how patient data can serve the common good from a public health standpoint.
The federal HIPAA health privacy regulation implemented on April 14, 2003, requires healthcare providers and health plans to notify the patients how the entities plan to use their medical records (GTU, 2006). The patients should be prompted by the healthcare workers to ask questions if they do not understand the information provided to them at the time of admission. The provider has an ethical obligation to help the patient understand the lawful limits of healthcare information confidentiality. As of April 14, 2003, the consumers have a federal right to read their medical information, treatment plans, goals, surgical interventions and outcomes (GTU, 2006). The patients also need to be notified that their medical records will be shared with other affiliates if the provider works for a healthcare organization with several subsidiaries (GTU, 2006).
The American Nurses’ Association (ANA) have their own opinion regarding patient privacy. A formal privacy position statement published by ANA (2006) states the advances in technology, such as EMR, health system database, Internet and telehealth have invited the intentional and unintentional contravene of privacy and confidentiality of patient privacy. “Protection of privacy/confidentiality is essential to the trusting relationship between health care providers and patient” (ANA, 2006).
The Joint Commission Accreditation of Healthcare Organizations (JCAHO) has published a report for the congressional requesters (2006) for information system privacy. This report re-visited the firewall and related policies between 1987 and 2006, and met with the senior information executives, compliance officers responsible for protecting patient privacy. The guidelines published by JCAHO (2006) insist on two common principles of adequate compliance program, first to prevent and detect criminal conduct, and second to promote an organizational culture of ethics and compliance described within the law (GAO, 2006).
The individuals as patients have a right to privacy over any personal and sensitive healthcare data. Traditionally, patients would talk to a clinician in confidence and assume that the associated healthcare organization would also protect their privacy adequately. The knowledge needed to keep the computer system secure is extensive and often beyond that of the healthcare practitioner. The privacy and security boundaries are being breached consistently in healthcare industry. The designers need to keep in mind consumer privacy as they move towards designing next generation of computers (Croll, 2008).
The privacy redisclosure by HIPAA (1996) states once the patient data has been released to a third party, it is no longer protected and can potentially be released. HIPAA supports patients requesting revision to the records, and this amendment is also required of those to whom the record has been released. The consumer must remember the third party entities are not obligated to oblige in implementing amendments to the health records (Noblin, 2007).
References
Croll, P. (2008). Special Issue: Privacy and health security. Electronic Journal of Health Informatics, 3(1), 1-3. Retrieved March 31, from www.ejhi.net
Georgetown University. (2006). Patient privacy rules. Retrieved March 25, 2008,from www.georgetownuniversityhospital.org
Government Accountability Office. (2006). A Report to Congressional Requesters: Hospital accreditation. Retrieved March 28, 2008, from www.gao.gov/new.items
Noblin, A. (2007). Privacy policy analysis for health information networks and regional health information organizations. The Health Care Manager, 26(4), 331-340.
