Documente Academic
Documente Profesional
Documente Cultură
Course
Name
School
2
Security and Privacy Health Data
Introduction
The research proposal on the security and privacy of health data aims to know the
classified as health data and who are the sources and keepers of health data. It also would like to
know the value of security and privacy of one’s health information from the health care provider
and the patients. How important is it for them is ensuring the security and privacy of health data?
This will also look at the legal background of ensuring the security and privacy of health data.
Who are the governing bodies that ensure the health data are secure and the privacy of
information is being checked? Further, the research would want to know the current practices
implemented to support the security and privacy of the data. Finally, the research would like to
find out what challenges have been experienced concerning the implementation of the related
rules and regulations or laws covering the subject. A conclusion and recommendation for the
There have been several researches conducted on the different aspects of Heath Data. One
such research focused on the value and importance of health information privacy based on the
perspectives of the public, the health care providers and the patients. Health research that utilizes
health information is very important to progress the general health of the community and the
health care is provided. Ethical research needs to preserve the rights of their patients. However, it
is also a well-known fact that the collection of health information in researches will eventually
benefit society when results have been tested. However, privacy should be top-most priority
because the disclosure of someone’s health record could affect his dignity (Institute of Medicine
digital systems that aim to facilitate the recording and filing of patient’s records. Together with
this issue on how digital information security and privacy have been enforced by the users of the
systems still arises. Current literature on techniques in implementing the security of records for
health care providers using systems to store health data is analyzed and compared (Appari &
Johnson).
According to the McGraw-Hill Concise Dictionary of Modern Science (2002), health data
is any type of data that is related to “health conditions, reproductive outcomes, causes of death,
and quality of life” for a certain population. The General Data Protection Regulation (GDPR)
defines health data as a personal information that reveals information about the health status of
To further differentiate health data from other types of data, health data are clinical metrics
health and wellness. These data are usually collected by health workers such as doctors and
nurses and these would consist of records of services that were received in a specific hospital or
health institution, the conditions of those services, and the clinical outcomes that concern the
While a lot of people would think that the primary owners or holders of health data are the
patients themselves, this is not actually the case. Any medical record would belong to the
4
Security and Privacy Health Data
physician as well as the health facility, institution, or hospital, or clinic where it was created.
This is the main reason why original copies of medical records are usually kept by the health
facility. Moreover, health facilities are mandated by the law to safeguard all original medical
records from damage, loss, or unauthorized use since these are considered legal documents.
Aside from physicians and health facilities, there are other institutions that are considered
holders of health data. This includes insurance companies, pharmaceutical companies, and
academic institutions.
Insurance companies would usually hold claims data which would tell them about their
beneficiaries. Claims data would include patient information such as diagnosis and treatments, as
well as billing codes that pharmacies, physicians, hospitals, and other health care providers
would forward to their payers such as insurance companies (Wilson & Block, 2012).
Pharmaceutical companies are also holders of health data since these health data contain
significant information that would help track how their medicines work. According to Hirschler
(2018), these health data would serve as real-world evidence which manufacturers consider to be
The conduct of health researches as well as the protection of health data of individuals are
both important to our society. To improve human health and the health care industry, health
researches needs to be conducted. For health researchers to conduct researches they need to
collect specific health data. On the other hand, patients have the right to protect their personal
health information to avoid prejudice. However, it can’t be denied that individuals benefit for
health researches. Take for example when results of these researches facilitated the access new
5
Security and Privacy Health Data
health technologies and diagnostics or more effective ways of preventing or curing an illness
(Institute of Medicine (US) Committee on Health Research and the Privacy of Health
Information).
If it is that important for ethical researchers to collect health data, then why is health data
privacy important? There are several reasons why it is important to protect the confidentiality,
security and privacy of health data. Different theorist has different views on why there is a need
for privacy. Some says that it is a basic right of a person and as such it is an it forms part of the
human well-being. Respecting the privacy is one characteristic of moral uniqueness of humans
that differentiates them to other living creatures (Harris Interactive, 2005). Personal autonomy,
respect, individuality and dignity and worth as human beings are the major reasons why privacy
What is the public view, health care provider’s point of view and patient’s point of view
about the value of privacy and security of health data? A study conducted by Forrester Research
in 1999 found out that three out of four persons says that the confidentiality and privacy of their
medical records is very important to them. In a more recent research conducted by the same
agency, 67 percent of the respondents say that the Health Insurance Portability and
Accountability Act (HIPAA) Privacy rule is not yet fully implemented and that they are have
concerns regarding the privacy of their medical records (Institute of Medicine (US) Committee
Another research conducted by Harris Interactive in 2007 showed that the respondents
believed that there has been a lot of improvement in the handling of medical records of
individuals in different organizations holding health data. However, the privacy and
confidentiality of their health records remains to be a concern because more that half of their
6
Security and Privacy Health Data
respondents thought that “Patients have lost all control today over how their medical records are
obtained and used by organizations outside the direct patient health care such as life insurers,
Based on these different studies, it seems that the public is concerned that their health records
will be accessed companies or organizations working in the various heath care industries without
them knowing it and utilized the data for their own benefit or even service discrimination.
On the part of the patients themselves, a study conducted in 2018 found out that the
respondents (who are patients) preferred that they be given access to their medical data and
would not want their data to be shared to both health insurance and pharmaceutical companies.
When asked if they want to add lifestyle data to their medical records to supplement what data is
regularly recorded, majority of them does not want to. In addition, the patients wanted to access
and control to their data, but they have limited knowledge to the concern on privacy and
confidentiality of their data (Wetzels, 2018). The last finding that the patients have limited
knowledge to privacy and confidentiality of their health data could be a concern. An enhanced
In another study, it shows that there have been limited studies on patient perspectives in
relation to the Privacy Rule. However, surveys conducted also reveals that patients are not
comfortable when their health information is used for health research with the exception when
necessary notice or consent is given. In contradiction, a separate survey conducted reveals that
63% of the respondents says that consents can be forgo when it is for specific health researches
and the researcher can ensure that no personally identifiable information would be released. In
yet another study, 70% of the respondents says that they trust the health researches to keep their
health data confidential and private when used in health researches. (Westin, 2007).
7
Security and Privacy Health Data
To summarize, there have been limited studies to access the effectiveness or the value of the
HIPAA Privacy Rule, although some studies have revealed that privacy and confidentiality of
health data has improved since its implementation. Generally, the patients do not oppose that use
of personal health records in conducting ethical heath researches, however, the researchers
should ensure the privacy and confidentiality of the data they collected. On the other hand, the
patients are not amendable to the idea of giving their health data to insurance and
pharmacological companies. However, the ultimate decision of the patient to provide health data
sometime depends on the patient’s trust to the researcher that the privacy and confidentiality of
Legal Background
There have been several laws that tries to regulate privacy and confidentiality of health data.
Although some of the laws offer patient protection, most of them are implemented to ensure that
the health care industry has the information they need rather than making sure that health data of
The main law that governs the privacy of health data is the Privacy Law of the Health
Insurance Portability and Accountability Act (HIPAA) which was implemented staring April 14,
2003. Basically, the privacy law “creates a structure for how personal health information may be
disclosed and establishes the rights individuals have concerning their health information, sets out
security standards for maintaining and transmitting electronic patient information, and requires a
common format and data structure for the electronic exchange of health information” (Electronic
the protection and control of protected health information (PHI). It specifically extended the
“disclosure requirements and associated liabilities under HIPAA to business associates” (HIM
Body of Knowledge, 2020). It consolidated the state and federal rules and “strengthened the
privacy and security requirements and broadened patient rights to accessing and restricting the
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Omnibus Rule is a defined section of the American Recovery and Reinvestment Act (ARRA)
that is focused mainly on health information communication and technology. Its main content
focused on the strengthening of privacy rules protection. Among the highlights of the Omnibus
Rule are the provision of limitations on the use and disclosure of health information used in
marketing and fund-raising purposes, barring the sale of protected information without consent
of the owner, and the expansion of an individual’s rights to access ones electronic health data
Another law that touches on the privacy and confidentiality of data is the Privacy Act of 1974
which was primarily enacted to provide some sort of control of the information collected from
the people by the government agencies. However, only health care institutions under the federal
The Patriot Act or the Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism Act is used by the US Government to enhance its
ability to monitor activities that are terrorism related. It does not particularly focused of the
9
Security and Privacy Health Data
protected health information, however, a demand for PHI data maybe made during investigation
The provision on the Confidentiality of Alcohol and Drug Abuse patient Records provides
for “additional privacy provisions for records of the identity, diagnosis, prognosis, or treatment
of patients maintained in connection with a federally assisted drug of alcohol abuse program”
(HIM Body of Knowledge, 2020). However, if the rules are less severe that those found the
There are still several “smaller” laws that may not directly affect the privacy and security of
health data but are relevant to, however, with the HIPAA and HITECH, anything that does not
conform with the set rules of these two will not prevail.
Data breaches are a very common occurrence in the health care industry today. In fact,
according to the HIPAA Journal, there has been an upward trend in the number of data breaches
in the last 10 years. It started with just 18 instances of data breaches in 2009, which then quickly
jumped to 199 the following year. By year 2019, it has already climbed up to 510 instances of
data breaches and a total of 3,054 data breaches in the healthcare industry during the whole
duration of 10 years. This translates to the exposure, loss, theft, or impermissible disclosure of
around 230, 954,151 health records, which is almost 70% of the U.S. population.
The causes of these breaches have also been changing throughout the years. During the
first six years, between 2009 to 2015, the popular cause of breach was the loss or theft of health
records and electronic health data. Since 2016, the main cause of data breach has shifted to
hacking and IT-related incidents, as well as unauthorized access and disclosures. This new trend
10
Security and Privacy Health Data
is mainly because healthcare facilities have been creating better policies in protecting electronic
data which involves the use of encryption. However, at the same time, those individuals who are
trying to steal data have also upgraded their skills and are now resorting to hacking.
Some of the largest data breaches that occurred in the last 10 years include the hacking
incident of Anthem, Inc in 2015 which affected 78,800,000 individuals. That same year, there
was another hacking incident that involved Premera Blue Cross which affected 11,000,000
individuals. In 2019, there was another hacking incident that involved American Medical
Because of these chain of incidents, it is critical to come up with solutions to maintain the
security of health information, and there have been several ways that healthcare facilities have
implemented to do that.
One way to secure healthcare data is to control data accessibility. According to past
researches, more than half of data breach incidents are inside jobs. This is why it is very
important that this health information is made available only to the concerned individual like the
physician. Otherwise, this information should be restricted to other people in the organization
(Keller, 2020).
making policies and procedures are important to comply with the digitalization, it is important
that the employees are also well trained to use these new policies and procedures. It has been
noted that 36% of data breaches unintentionally done by employees who are not well-trained or
Another way to secure healthcare data is to secure the organization’s messaging systems as
well as wireless networks. For example, if the health facility has a practice of giving out free Wi-
11
Security and Privacy Health Data
fi access to its patients or clients, it will make their data become vulnerable to hacking (Keller,
2020).
Lastly, health institutions should also look into their paper records as these can also be
easily stolen. To protect these paper records, employees should be trained properly on securing
them. For example, if they leave a file open in the front desk, it will make that information
According to Virtru (2020) there are several challenges in healthcare data security today,
and this has stemmed from the many changes that it has gone through in the last few years. One
of the main challenges involves the easy sharing of patient information. In 2009, legislator have
passed the Health Information Technology for Economic and Clinical Health (HITECH) Act
which advocates the use of health information exchanges (HIEs) and electronic health records
(EHRs). While this is helpful for both patient and physician as it allows easier communication
exchanges, this is also a chance for hackers to easily access health records (Vitru, 2020).
Another challenge is user error when it comes to technology adoption, especially when it
comes to accessing to electronic health records. Not all patients are familiar with digital
technology, and they are prone to committing errors. Once they access their electronic data
online, the security of that data depends on their hands. Some patients would commit the error of
not encrypting their data which makes it susceptible for data thefts. Thus, even if healthcare
providers are following strict procedures against data breach, if the patients themselves expose
we have discussed about the continuous upward trend in data breaches and during the last three
years, hacking has been the main causes of data breaches (Vitru, 2020).
Now, a lot of hospitals and healthcare facilities have taken advantage of cloud and mobile
technology – which is actually very helpful for providers and patients. However, the challenge
with this is that, again, patient data becomes more vulnerable to hacking. Stored data can be
easily encrypted, however, data that is currently used by an app poses challenges when it comes
Outdated technology is another challenge in data security. While a lot of hospitals have
become well-equipped and have adapted well to new technology, it is hard for some hospitals to
keep up with the costs needed to upgrade their technology, especially that they also have to think
about prioritizing equipment or the needs of their staff, and this usually leaves them with no
Digital technology has allowed easier access to health data in the past few years. But
while this promised more convenience on the part of the health provider and the patient, it has
also come with increasing threat involving the stealing of personal information which is shown
by the upward trend on data breaches. Fortunately, the government seemed to respond well to
this growing threat in the healthcare industry by coming up with legal acts to ensure data
security. However, with the ever-changing technology, there threats to data security are also
evolving. With every new technology that is being introduced which is used to store healthcare
13
Security and Privacy Health Data
data, it presents a new opportunity for data thefts to get into those medical records and steal those
information.
Because of this, it is essential for all healthcare facilities to be extra vigilant when it
comes to their data security. Aside from making sure that they are up-to-date with technology
and that they are following all the recommended policies and procedures in ensuring health data
security, they should also invest on training their employees as well as their patients on the
proper of accessing information to make sure that precious information will not be stolen.
14
Security and Privacy Health Data
References
Appari, Ajit & Johnson, M. (2010). Information Security and Privacy in Healthcare: Current
314. 10.1504/IJIEM.2010.035624.
Electronic Frontier Foundation. (2020). “The Law and Medical Privacy.” Retrieved from
https://www.eff.org/issues/law-and-medical-privacy
Institute of Medicine (US) Committee on Health Research and the Privacy of Health
Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond
the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.
Washington (DC): National Academies Press (US); 2009. 2, The Value and Importance
https://www.ncbi.nlm.nih.gov/books/NBK9579/
Hirschler, B. (2018). "Big pharma, big data: why drugmakers want your health records." Reuters.
data-why-drugmakers-want-your-health-records-idUSKCN1GD4MM
April 3, 2007]. http://www.harrisinteractive.com/news/printerfriend/index.asp?
NewsID=849 .
Harris Interactive. Many U.S. adults are satisfied with use of their personal health
2007]. http://www.harrisinteractive.com/harris_poll/index.asp?PID=743 .
15
Security and Privacy Health Data
HIM Body of Knowledge. (2020). “Laws and Regulations Governing the Disclosure of Health
oid=300245#.XoCVsYgzaUk
Tzourakis, Melissa (1996). Richard Y. Wang (ed.). The Healthcare Industry and Data Quality
Wetzels, Mart et. al. (2018). “Patients Perspectives on Health Data Privacy and Management:
http://downloads.hindawi.com/journals/ijta/2018/3838747.pdf
Westin A. How the public views privacy and health research. Institute of Medicine; 2007.
2007]. http://www.iom.edu/Object.File/Master/48/528/%20Westin%20IOM%20Srvy
%20Rept%2011-1107.pdf
Wilson, J. and Block, A. (2012). "The benefit of using both claims data and electronic
https://www.optum.com/content/dam/optum/resources/whitePapers/Benefits-of-using-
both-claims-and-EMR-data-in-HC-analysis-WhitePaper-ACS.pdf