We are at an important juncture in our efforts to build a patient –centered health care ecosystem powered by information technology. Failure to maintain the public trust in the collection, storage, and sharing of electronic health information will doom our efforts to leverage digital technology and improve the delivery of health care for all citizens.
Fundamental to this issue are concerns about privacy and confidentiality of our health information. Federal health privacy laws enacted by Congress, as a part of the American Recovery and Reinvestment Act, strengthened the penalties already in place in the HIPAA Privacy Rule that provides federal protections for individually identifiable health information held by covered entities and their business associates. (physicians, payers, medical institutions, etc.) This legislation gives patients an array of rights with respect to that information, including:
• The right to find out how your information may be used;
• The ability to obtain a copy of your records and request corrections;
• The right to see and/or obtain a copy of your medical record;
• Permission to correct mistakes in your health information;
• An obligation to receive notice about how your health information is used and shared;
• The right to determine how and where you want to be contacted by your health care provider;
• The right to file a complaint if you think any of these rights have been violated, at the website: www.hhs.gov/ocr.
There have been many studies among doctors and patients regarding the need for safeguarding health information. In general, a majority of respondents believe that requiring protection and safeguards for patient privacy is important. At the same time nearly two-thirds of consumers polled by California Health Foundation believe that, “privacy concerns should not stop the progress of health IT initiatives.”
On the other hand, one in six adult patients in a study conducted by New London Consulting commissioned by FairWarning®, a vendor of breach detection software, said they withhold information from their health providers due to worries about how the medical data might be disclosed; 10% of these respondents stated they would withhold information from their care provider based on privacy concerns; 27.6% said they would postpone seeking care for a sensitive medical condition due to privacy concerns; 50% said they would seek care outside of their community due to privacy concerns; 35% said they would drive more than 50 miles to seek care.
The consequences of this climate of fear are significant and impact the quality of care these patients receive, as well as their providers’ ability to diagnose and treat them. Additionally, the cost of care escalates when patients are reluctant to seek care in traditional settings.
Enter the exploding world of m-health apps – nearly 40,000 – currently available across various platforms and projected to grow 25 percent annually over the next five years. Now we face the additional concern of protecting our personal health information on our mobile devices. To state the obvious, smartphones can be lost or stolen and are often passed around to share photos and games. However, most of us would be appalled to think we are passing around our medical records that reside on these phones in various apps.
In a recent study, the Privacy Rights Clearinghouse found that 72%, of the popular health and fitness apps, both free and paid and on Android and Apple platforms, present medium to high risk regarding personal privacy – far greater privacy risk than patients realize. Many of these apps send unencrypted data without user knowledge. Other apps connect to third-party sites without user knowledge. These apps are not covered by HIPAA until the data that is collected is shared with a physician or healthcare professional. As an empowered patient, you need to be aware of what you can do to protect the privacy and confidentiality of your health information, including the following:
1. Practice privacy by design. Be proactive. Ask the important questions of your providers and health insurers about what precautions they take to protect the privacy of your health information.
2. Try to determine whether your health information, when transmitted, is encrypted or at the very least password protected.
3. Think about whether or not your providers empower and enable you with choices and controls about the way your data is collected and used. Do they explain what data they are collecting, how they are using it, and with whom they share it?
4. Be wary about sharing any of the health information stored on your mobile device via email which is not secure.
6. If you believe that your health information privacy rights have been violated, HIPAA and the Privacy Rule includes your right to file a complaint with your provider, health insurer, or the U.S. Department of Health and Human Services (HHS). The easiest way to file a complaint is to go through the HHS Office for Civil Rights.