
Our report and the privacy policy itself deal with the confidentiality of health information. In the context of personal data, the concept of privacy is closely linked to those of confidentiality and security. Although privacy is often used interchangeably with the terms "confidentiality" and "security," they have different meanings. Privacy addresses who has access to personal data and under what conditions: it concerns the collection, storage and use of personal data, asking whether data may be collected at all and, if so, under what justifications data collected for specific purposes may be used for other (secondary) purposes. An important question in the analysis of privacy is whether the individual has authorized particular uses of his or her personal information (Westin, 1967). Protecting data security in health research matters because health research requires the collection, storage and use of large amounts of personal health information, much of which can be sensitive and potentially embarrassing. When security is breached, individuals whose health information has been inappropriately accessed face a range of potential harms. Disclosure of personal data can cause inherent harm simply because that private information becomes known to others (Saver, 2006). Another potential danger is economic harm.

Individuals could lose their jobs, health insurance or housing if the wrong kind of information becomes public. Individuals could also suffer social or psychological harm. For example, revealing that a person is infected with HIV or another sexually transmitted infection can cause social isolation and/or other psychologically harmful consequences (Gostin, 2008). Finally, security breaches could put individuals at risk of identity theft (Pritts, 2008).

Administrative safeguards are, as the definition indicates, the policies and procedures that determine what the covered entity does to protect its PHI (protected health information). Rather than physical safeguards or actual technical requirements, these requirements cover training and procedures for the entity's employees, whether or not they have direct access to PHI. Given these concerns, it's time to re-examine the relevance of the Health Insurance Portability and Accountability Act (HIPAA), the nation's primary legal protection against unauthorized disclosure and use of health information. Is HIPAA up to the task of protecting health information in the 21st century? HIPAA, combined with harsh penalties for violations, can lead centers and practices to withhold vital information from those who may be entitled to it and need it at a critical time. In reviewing the HIPAA Privacy Rule, the U.S. Government Accountability Office found that healthcare providers "are uncertain about their legal privacy obligations and often respond with an overly cautious approach to information disclosure." Ultimately, the solution is to train all health professionals and their support staff to fully understand when protected health information can be legally disclosed.

The framework within which detailed legal and regulatory privacy protections emerged was the 1973 report of an advisory committee to the U.S. Department of Health, Education, and Welfare (HEW), which "aimed to draw attention to issues of record-keeping practice in the computer age that may be of great importance to all of us" (HEW, 1973). Its principles were intended to "provide a basis for establishing procedures that guarantee individuals the right to participate in meaningful decisions about what is included in their records and how that information should be used" (HEW, 1973). In addition to granting individuals a meaningful right to control the collection, use and disclosure of their information, fair information practices also impose a positive responsibility on those who collect information to protect it (reviewed by Pritts, 2008). Ethical health research and privacy both offer valuable benefits to society. Health research is essential to improving human health and health care. Protecting patients involved in research from harm and respecting their rights is essential for ethical research.

The main justification for privacy is to protect the interests of the individual, whereas the primary rationale for collecting personally identifiable health information for health research is to benefit society. It is important to emphasize, however, that privacy also has value at the societal level, since it allows complex activities, including research and public health, to be carried out in a way that protects the dignity of the individual. At the same time, health research can benefit individuals, for example by facilitating access to new therapies, improved diagnostics and more effective ways to prevent and treat disease.

The Centers for Medicare & Medicaid Services (CMS) has the authority to enforce the HIPAA Security Rule and had received 378 security complaints by 2008 without imposing any fines or penalties. A recent report by the HHS Office of the Inspector General assessed CMS's oversight and enforcement of the HIPAA Security Rule and "noted that CMS has taken limited steps to ensure that relevant organizations adequately implement security protection" (OIG, 2008). However, a resolution agreement signed in 2008 by the U.S. Department of Health and Human Services (HHS) and CMS with Seattle-based Providence Health & Services for violations of the HIPAA Privacy and Security Rules could suggest that CMS is starting to take a more proactive approach to enforcement. The agreement requires Providence Health & Services to pay $100,000 and implement a corrective action plan to ensure that electronic patient information is adequately protected against future security breaches (OCR, 2008). In addition, CMS recently partnered with PricewaterhouseCoopers to conduct security audits of covered entities to assess the extent to which they are implementing the requirements of the HIPAA Security Rule.

Ten to 20 evaluations are planned for 2008 (Conn, 2008). Together, these measures could raise the percentage of surveyed entities that fully comply with the HIPAA Security Rule. Technical safeguards include controlling access to computer systems and protecting communications containing PHI that are transmitted electronically over open networks.

A review of 43 national health privacy surveys conducted between 1993 and September 2007 identified 9 surveys with one or more questions on health research and data protection (Westin, 2007). In some, the majority of respondents were not comfortable with their health information being made available for health research except with explicit notice and consent. In others, the majority of respondents were willing to forgo notification and consent when particular protections and specific types of research were offered. For example, a recent Harris survey found that 63% of respondents would generally agree to the use of their medical records for research as long as there were guarantees that no personally identifiable health information from such studies would be published (Harris Interactive, 2007). This is comparable to the percentage of people who are willing to participate in a "clinical research study" (Research!America, 2007; Woolley and Provost, 2005) (see also Chapter 3). A 2006 survey in the United Kingdom also found strong support for the use of personal data without consent for public health research and surveillance through the National Cancer Registry (Barrett et al., 2007).

Technical safeguards also include the technology, together with the policies and procedures governing its use, that protect ePHI and control access to it. They are often the most difficult to understand and implement (45 CFR §164.312). Physical safeguards cover access to both the physical facilities of a covered entity and its electronic devices (45 CFR §164.310). ePHI and the computer systems on which it resides must be protected against unauthorized access in accordance with defined policies and procedures. Some of these requirements can be met through electronic security systems, but physicians should not rely on the use of Certified Electronic Health Record Technology (CEHRT) alone to meet their obligations under the Security Rule. The Security Rule consists of a three-tier system of requirements. First, there are a number of standards, legal requirements that apply to all covered entities. Second, there may be implementation specifications that provide detailed instructions and steps to follow to comply with a standard.

The bioethical principle of respect for persons also emphasizes individual autonomy, which allows individuals to make decisions on matters important to their own well-being without coercion. American society also places great importance on individual autonomy, and one way to respect individuals and strengthen their autonomy is to ensure that people can choose when and whether personal information (especially sensitive information) may be shared with others. Whether or not the HIPAA Security Rule is actively enforced, the other gaps in the protection of personal health data under the HIPAA Security Rule are problematic, because stronger security is needed both to reduce the risk of data theft and to increase public trust in the research community by easing concerns about the potential for unintentional disclosure of information. Therefore, the IOM Committee recommends that all institutions (covered and non-covered entities) in the health research community involved in the collection, use and disclosure of personally identifiable health information take strong measures to ensure the security of health data.