Running head: SECURITY AND PRIVACY OF HEALTH DATA

Security and Privacy of Health Data

Course

Name

School
Introduction

The research proposal on the security and privacy of health data aims to know the

definition of health data. It seeks to identify when a piece of health-related information is to be

classified as health data and who are the sources and keepers of health data. It also would like to

know the value of security and privacy of one’s health information from the health care provider

and the patients. How important is it for them to ensure the security and privacy of health data?

This will also look at the legal background of ensuring the security and privacy of health data.

Who are the governing bodies that ensure the health data are secure and the privacy of

information is being checked? Further, the research would want to know the current practices

implemented to support the security and privacy of the data. Finally, the research would like to

find out what challenges have been experienced concerning the implementation of the related

rules and regulations or laws covering the subject. A conclusion and recommendation for the

researcher should cap everything.

There have been several research studies conducted on the different aspects of health data. One

such research focused on the value and importance of health information privacy based on the

perspectives of the public, the health care providers and the patients. Health research that utilizes

health information is very important for advancing the general health of the community and the

health care that is provided. Ethical research needs to preserve the rights of patients. However, it

is also a well-known fact that the collection of health information in research will eventually

benefit society when results have been tested. However, privacy should be the topmost priority

because the disclosure of someone’s health record could affect his dignity (Institute of Medicine

(US) Committee on Health Research and the Privacy of Health Information).


With the advancement of technology, holders of health records have resorted to numerous

digital systems that aim to facilitate the recording and filing of patients’ records. Together with

this, the issue of how digital information security and privacy are enforced by the users of the

systems still arises. Current literature on techniques in implementing the security of records for

health care providers using systems to store health data is analyzed and compared (Appari &

Johnson).

Definition of Health Data

According to the McGraw-Hill Concise Dictionary of Modern Science (2002), health data

is any type of data that is related to “health conditions, reproductive outcomes, causes of death,

and quality of life” for a certain population. The General Data Protection Regulation (GDPR)

defines health data as personal information that reveals information about the health status of

an individual. It further categorizes health data as a type of sensitive information.

To further differentiate health data from other types of data, health data are clinical metrics

as well as socio-economic, environmental, and behavioral information that is associated with

health and wellness. These data are usually collected by health workers such as doctors and

nurses and these would consist of records of services that were received in a specific hospital or

health institution, the conditions of those services, and the clinical outcomes that concern the

services received (Tzourakis, 1996).

Holders of Health Data

While a lot of people would think that the primary owners or holders of health data are the

patients themselves, this is not actually the case. Any medical record would belong to the
physician as well as the health facility, institution, or hospital, or clinic where it was created.

This is the main reason why original copies of medical records are usually kept by the health

facility. Moreover, health facilities are mandated by the law to safeguard all original medical

records from damage, loss, or unauthorized use since these are considered legal documents.

Aside from physicians and health facilities, there are other institutions that are considered

holders of health data. This includes insurance companies, pharmaceutical companies, and

academic institutions.

Insurance companies would usually hold claims data which would tell them about their

beneficiaries. Claims data would include patient information such as diagnosis and treatments, as

well as billing codes that pharmacies, physicians, hospitals, and other health care providers

would forward to their payers such as insurance companies (Wilson & Block, 2012).

Pharmaceutical companies are also holders of health data since these health data contain

significant information that would help track how their medicines work. According to Hirschler

(2018), these health data would serve as real-world evidence which manufacturers consider to be

a powerful tool in proving the value of their drugs.

Value of Security and Privacy of Health Data

The conduct of health research and the protection of the health data of individuals are

both important to our society. To improve human health and the health care industry, health

research needs to be conducted. For health researchers to conduct research, they need to

collect specific health data. On the other hand, patients have the right to protect their personal

health information to avoid prejudice. However, it can’t be denied that individuals benefit from

health research. Take, for example, cases where the results of this research facilitated access to new
health technologies and diagnostics or more effective ways of preventing or curing an illness

(Institute of Medicine (US) Committee on Health Research and the Privacy of Health

Information).

If it is that important for ethical researchers to collect health data, then why is health data

privacy important? There are several reasons why it is important to protect the confidentiality,

security and privacy of health data. Different theorists have different views on why there is a need

for privacy. Some say that it is a basic right of a person and, as such, forms part of

human well-being. Respecting privacy is one characteristic of the moral uniqueness of humans

that differentiates them from other living creatures (Harris Interactive, 2005). Personal autonomy,

respect, individuality and dignity and worth as human beings are the major reasons why privacy

of health data is regarded with high importance.

What is the public view, health care provider’s point of view and patient’s point of view

about the value of privacy and security of health data? A study conducted by Forrester Research

in 1999 found that three out of four persons say that the confidentiality and privacy of their

medical records are very important to them. In more recent research conducted by the same

agency, 67 percent of the respondents say that the Health Insurance Portability and

Accountability Act (HIPAA) Privacy Rule is not yet fully implemented and that they have

concerns regarding the privacy of their medical records (Institute of Medicine (US) Committee

on Health Research and the Privacy of Health Information).

Another research conducted by Harris Interactive in 2007 showed that the respondents

believed that there has been a lot of improvement in the handling of medical records of

individuals in different organizations holding health data. However, the privacy and

confidentiality of their health records remain a concern because more than half of their
respondents thought that “Patients have lost all control today over how their medical records are

obtained and used by organizations outside the direct patient health care such as life insurers,

employers, and government health agencies.” (Harris Interactive, 2007)

Based on these different studies, it seems that the public is concerned that their health records

will be accessed by companies or organizations working in the various health care industries without

their knowledge, and that the data will be used for those organizations’ own benefit or even for service discrimination.

On the part of the patients themselves, a study conducted in 2018 found out that the

respondents (who are patients) preferred that they be given access to their medical data and

would not want their data to be shared with both health insurance and pharmaceutical companies.

When asked if they wanted to add lifestyle data to their medical records to supplement the data that is

regularly recorded, the majority of them did not want to. In addition, the patients wanted access

to and control of their data, but they had limited knowledge of the concerns around privacy and

confidentiality of their data (Wetzels, 2018). The last finding, that the patients have limited

knowledge of the privacy and confidentiality of their health data, could be a concern. An enhanced

explanation of the privacy rights to a patient can be helpful.

Another study shows that there have been limited studies on patient perspectives in

relation to the Privacy Rule. However, surveys conducted also reveal that patients are not

comfortable when their health information is used for health research, except when the

necessary notice or consent is given. In contrast, a separate survey conducted reveals that

63% of the respondents say that consent can be forgone when it is for specific health research

and the researcher can ensure that no personally identifiable information would be released. In

yet another study, 70% of the respondents say that they trust health researchers to keep their

health data confidential and private when used in health research (Westin, 2007).
To summarize, there have been limited studies to assess the effectiveness or the value of the

HIPAA Privacy Rule, although some studies have revealed that the privacy and confidentiality of

health data have improved since its implementation. Generally, patients do not oppose the use

of personal health records in conducting ethical health research; however, the researchers

should ensure the privacy and confidentiality of the data they collect. On the other hand,

patients are not amenable to the idea of giving their health data to insurance and

pharmacological companies. However, the ultimate decision of the patient to provide health data

sometimes depends on the patient’s trust in the researcher that the privacy and confidentiality of

the patient’s data will be protected.

Legal Background

There have been several laws that try to regulate the privacy and confidentiality of health data.

Although some of the laws offer patient protection, most of them are implemented to ensure that

the health care industry has the information they need rather than making sure that health data of

patients are kept private and confidential.

The main law that governs the privacy of health data is the Privacy Law of the Health

Insurance Portability and Accountability Act (HIPAA) which was implemented starting April 14,

2003. Basically, the privacy law “creates a structure for how personal health information may be

disclosed and establishes the rights individuals have concerning their health information, sets out

security standards for maintaining and transmitting electronic patient information, and requires a

common format and data structure for the electronic exchange of health information” (Electronic

Frontier Foundation, 2020).


It was updated in 2013 with the introduction of the HITECH Omnibus Rule which extended

the protection and control of protected health information (PHI). It specifically extended the

“disclosure requirements and associated liabilities under HIPAA to business associates” (HIM

Body of Knowledge, 2020). It consolidated the state and federal rules and “strengthened the

privacy and security requirements and broadened patient rights to accessing and restricting the

uses and disclosures of PHI.” (HIM Body of Knowledge, 2020)

The implementation or enforcement of HIPAA is done by the Department of Health and

Human Services’ Office for Civil Rights.

The Health Information Technology for Economic and Clinical Health Act (HITECH)

Omnibus Rule is a defined section of the American Recovery and Reinvestment Act (ARRA)

that is focused mainly on health information communication and technology. Its main content

focused on the strengthening of privacy rules protection. Among the highlights of the Omnibus

Rule are the provision of limitations on the use and disclosure of health information used in

marketing and fund-raising purposes, barring the sale of protected information without consent

of the owner, and the expansion of an individual’s rights to access one’s electronic health data

(HIM Body of Knowledge, 2020).

Another law that touches on the privacy and confidentiality of data is the Privacy Act of 1974

which was primarily enacted to provide some sort of control of the information collected from

the people by the government agencies. However, only health care institutions under the federal

government are governed by this Act (HIM Body of Knowledge, 2020).

The Patriot Act or the Uniting and Strengthening America by Providing Appropriate Tools

Required to Intercept and Obstruct Terrorism Act is used by the US Government to enhance its

ability to monitor activities that are terrorism related. It does not particularly focus on
protected health information; however, a demand for PHI data may be made during investigation

processes (HIM Body of Knowledge, 2020).

The provision on the Confidentiality of Alcohol and Drug Abuse Patient Records provides

for “additional privacy provisions for records of the identity, diagnosis, prognosis, or treatment

of patients maintained in connection with a federally assisted drug or alcohol abuse program”

(HIM Body of Knowledge, 2020). However, if the rules are less severe than those found in the

privacy rule, the final privacy rule is followed.

There are still several “smaller” laws that may not directly affect the privacy and security of

health data but are relevant to it. However, with HIPAA and HITECH in place, anything that does not

conform to the rules set by these two will not prevail.

Current State and Practices

Data breaches are a very common occurrence in the health care industry today. In fact,

according to the HIPAA Journal, there has been an upward trend in the number of data breaches

in the last 10 years. It started with just 18 instances of data breaches in 2009, which then quickly

jumped to 199 the following year. By 2019, it had already climbed to 510 instances of

data breaches, for a total of 3,054 data breaches in the healthcare industry during the whole

duration of 10 years. This translates to the exposure, loss, theft, or impermissible disclosure of

around 230,954,151 health records, which is almost 70% of the U.S. population.

The causes of these breaches have also been changing throughout the years. During the

first six years, between 2009 and 2015, the most common cause of breach was the loss or theft of health

records and electronic health data. Since 2016, the main cause of data breach has shifted to

hacking and IT-related incidents, as well as unauthorized access and disclosures. This new trend
is mainly because healthcare facilities have been creating better policies for protecting electronic

data, which involve the use of encryption. However, at the same time, those individuals who are

trying to steal data have also upgraded their skills and are now resorting to hacking.

Some of the largest data breaches that occurred in the last 10 years include the hacking

incident of Anthem, Inc. in 2015 which affected 78,800,000 individuals. That same year, there

was another hacking incident that involved Premera Blue Cross which affected 11,000,000

individuals. In 2019, there was another hacking incident that involved American Medical

Collection Agency which affected 26,059,725 individuals.

Because of this chain of incidents, it is critical to come up with solutions to maintain the

security of health information, and healthcare facilities have implemented several ways

to do that.

One way to secure healthcare data is to control data accessibility. According to past

research, more than half of data breach incidents are inside jobs. This is why it is very

important that this health information is made available only to the concerned individual, like the

physician. Otherwise, this information should be restricted from other people in the organization

(Keller, 2020).

Another way is to train employees to recognize if there is an impending attack. While

making policies and procedures is important to comply with digitalization, it is important

that the employees are also well trained to use these new policies and procedures. It has been

noted that 36% of data breaches are unintentionally caused by employees who are not well-trained or

equipped to use these new procedures (Keller, 2020).

Another way to secure healthcare data is to secure the organization’s messaging systems as

well as wireless networks. For example, if the health facility has a practice of giving out free Wi-Fi

access to its patients or clients, it will make their data vulnerable to hacking (Keller,

2020).

Lastly, health institutions should also look into their paper records as these can also be

easily stolen. To protect these paper records, employees should be trained properly on securing

them. For example, if they leave a file open at the front desk, it will make that information

vulnerable to anyone who enters that health facility (Keller, 2020).

Challenges Met in Ensuring Privacy of Health Data

According to Virtru (2020) there are several challenges in healthcare data security today,

and this has stemmed from the many changes that it has gone through in the last few years. One

of the main challenges involves the easy sharing of patient information. In 2009, legislators

passed the Health Information Technology for Economic and Clinical Health (HITECH) Act

which advocates the use of health information exchanges (HIEs) and electronic health records

(EHRs). While this is helpful for both patient and physician as it allows easier communication

exchanges, this is also a chance for hackers to easily access health records (Virtru, 2020).

Another challenge is user error when it comes to technology adoption, especially when it

comes to accessing electronic health records. Not all patients are familiar with digital

technology, and they are prone to committing errors. Once they access their electronic data

online, the security of that data is in their hands. Some patients would commit the error of

not encrypting their data, which makes it susceptible to data theft. Thus, even if healthcare

providers are following strict procedures against data breach, if the patients themselves expose

their data, the providers won’t be able to do anything (Virtru, 2020).


Another challenge that we have now is the increasing number of hacking cases. Earlier,

we discussed the continuous upward trend in data breaches, and during the last three

years, hacking has been the main cause of data breaches (Virtru, 2020).

Now, a lot of hospitals and healthcare facilities have taken advantage of cloud and mobile

technology – which is actually very helpful for providers and patients. However, the challenge

with this is that, again, patient data becomes more vulnerable to hacking. Stored data can be

easily encrypted; however, data that is currently used by an app poses challenges when it comes

to encryption (Virtru, 2020).

Outdated technology is another challenge in data security. While a lot of hospitals have

become well-equipped and have adapted well to new technology, it is hard for some hospitals to

keep up with the costs needed to upgrade their technology, especially since they also have to think

about prioritizing equipment or the needs of their staff, and this usually leaves them with no

budget for IT (Virtru, 2020).

Conclusions and Recommendations

Digital technology has allowed easier access to health data in the past few years. But

while this promised more convenience on the part of the health provider and the patient, it has

also come with an increasing threat involving the theft of personal information, which is shown

by the upward trend in data breaches. Fortunately, the government seemed to respond well to

this growing threat in the healthcare industry by coming up with legal acts to ensure data

security. However, with ever-changing technology, the threats to data security are also

evolving. With every new technology that is being introduced which is used to store healthcare
data, it presents a new opportunity for data thieves to get into those medical records and steal that

information.

Because of this, it is essential for all healthcare facilities to be extra vigilant when it

comes to their data security. Aside from making sure that they are up-to-date with technology

and that they are following all the recommended policies and procedures in ensuring health data

security, they should also invest in training their employees as well as their patients on the

proper way of accessing information to make sure that precious information will not be stolen.
References

Appari, Ajit & Johnson, M. (2010). Information Security and Privacy in Healthcare: Current

State of Research. International Journal of Internet and Enterprise Management. 6. 279-314.

10.1504/IJIEM.2010.035624.

Electronic Frontier Foundation. (2020). “The Law and Medical Privacy.” Retrieved from

https://www.eff.org/issues/law-and-medical-privacy

Institute of Medicine (US) Committee on Health Research and the Privacy of Health

Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond

the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.

Washington (DC): National Academies Press (US); 2009. 2, The Value and Importance

of Health Information Privacy. Retrieved 13 March 2020 from

https://www.ncbi.nlm.nih.gov/books/NBK9579/

Hirschler, B. (2018). "Big pharma, big data: why drugmakers want your health records." Reuters.

Retrieved from https://www.reuters.com/article/us-pharmaceuticals-data/big-pharma-big-data-why-drugmakers-want-your-health-records-idUSKCN1GD4MM

Harris Interactive. Health Information Privacy (HIPAA) notices have improved public’s

confidence that their medical information is being handled properly. 2005. [accessed

April 3, 2007]. http://www.harrisinteractive.com/news/printerfriend/index.asp?NewsID=849.

Harris Interactive. Many U.S. adults are satisfied with use of their personal health

information. 2007. [accessed May 15,

2007]. http://www.harrisinteractive.com/harris_poll/index.asp?PID=743 .
HIM Body of Knowledge. (2020). “Laws and Regulations Governing the Disclosure of Health

Information (2014 update).” Retrieved from http://bok.ahima.org/doc?oid=300245#.XoCVsYgzaUk

McGraw-Hill Concise Dictionary of Modern Medicine. “Healthcare Data.” McGraw-Hill. 2002.

Tzourakis, Melissa (1996). Richard Y. Wang (ed.). The Healthcare Industry and Data Quality

(PDF). International Conference on Information Quality.

Wetzels, Mart et al. (2018). “Patients Perspectives on Health Data Privacy and Management:

‘Where is my data and Whose Is It?’” Retrieved from

http://downloads.hindawi.com/journals/ijta/2018/3838747.pdf

Westin A. How the public views privacy and health research. Institute of Medicine; 2007.

[accessed November 11,

2007]. http://www.iom.edu/Object.File/Master/48/528/%20Westin%20IOM%20Srvy%20Rept%2011-1107.pdf

Wilson, J. and Block, A. (2012). "The benefit of using both claims data and electronic

medical record data in health care analysis." Retrieved from

https://www.optum.com/content/dam/optum/resources/whitePapers/Benefits-of-using-both-claims-and-EMR-data-in-HC-analysis-WhitePaper-ACS.pdf
