Protection of Health Information Privacy

Protection of Health Information Privacy The Necessity of Developing a National legal Framework Introduction: A concise factual review of â€Å"privacy† indicates this concept accentuated since Hippocrate, s affidavit, firstly (1ØŒ 2). afterwards, defined by Samuel Warren and Louis Brandies as â€Å"the right to be let alone† in 1890s, subsequently, evolved as â€Å"informational privacy,† defined by Allen Westine considering as individual’s right to control personal information(3). Generally, privacy covers intermixed concepts including confidentiality and security of Personal health information (4). .Patients have an expectation of appreciation of privacy and security in connection with health information(5). Further, patient-provider reciprocal confidence form a cornerstone of medicine and privacy has the main role in this regard(1). Protecting information privacy is imperative since health records whether paper-based or electronic, encompass crucial information such as demographic, occupational, social, financial and personal information simplifying individuals, recognition(6). Moreover, it becomes paramount with the influx of an immense number of computers and information systems in health care industry, the growth of health research needs as well as the increase of information demands (7). Unfortunately, confidentiality may be exposed chiefly due to staff imprudent behaviors out of curiosity than malice(8). Studies reveals that some providers may violate confidentiality whenever speaking about a known case loudly with other colleague riding elevators or walking across the passage ways(9). Personal health information Security breach influential in patients and health care organizations so that according to literature, medical identity theft, inflict over 7 billion $ on U.S. health care industry every year. Further, victims may be high sensitive regarding confidential records and be doubtful about information piracy(10). Moreover, the disclosure of personal health information may impose economic losses and psychological influence on patients. in addition, sociological status may be at stake(11ØŒ 12). Remarkably, serious effects may be shown as the negligence of privacy protection by health care providers resulting in partly concealment of medical history; patient reluctance to go to physician; an increase of anxiety and aggressive behaviors(13) particularly in regard to growing trend in digitized health data (14). This study was investigated legal frameworks in relation to personal health information in leading countries to develop a customized national framework treating sensitive health information aptly. Methods: This study was performed as a preliminary step of a multi-stage research to develop a national framework on protection of the privacy health information. It sought the existing legal frameworks in leading countries such as Canada, Australia, United States, and European Unions to provide the insight into the necessity of development of legal framework governing the conservation of health information privacy in management information cycle consists of data collection; storage; retention; use and disclosure and destruction. The study environment has been selected for the precedence and perfection of privacy activities. Two approaches were used to locate relevant literature. Firstly, we search PubMed-Medline and Science direct (by September 2014) and Scientific Information Distribution database. Separated searches were carried out using following terms â€Å"principle†, â€Å"Act†, â€Å"Law†, â€Å"regulation† AND â€Å"framework†, â€Å"model† AND â€Å"health information†, â€Å"health data†, â€Å"medical information†, â€Å"medical data†, â€Å"patient information†, â€Å"patient data† AND â€Å"privacy† framework†. Secondly, a search was conducted on the internet search engine using the free text â€Å"health information privacy Act† AND â€Å"Personal Health Information Act†. Out of extracted literature the most prevalent frameworks investigated. Results: The considerable findings have outlined in three following tables which the first one indicates sequential review of Privacy legislation in general and particularly in health information among the selected countries. As seen in Table 1, these countries are the pioneers of law making apropos of health information privacy protection. furthermore, literature review suggested several protection of health information privacy Acts in federal and provincial levels Table 2 (15-17). Likewise, a number of guidelines, policies and frameworks developed as self-regulatory effort Table 3 (18-31). Generally, free information Act passed in 1966 in The U.S justifying individual’s right to request information from federal institutions, considers nine exceptions regarding to records generated in federal organizations which the sixth one relates to personal and medical information considering unjustifiable privacy breaches as disclosed. The privacy Act has enacted in 1974 in order to protect patient confidentiality in governmental health care institutions (e.g. institutions affiliated Veterans Affairs). Policies and laws on disclosure of health information in response to jurisdiction requests are under part 164/512 Code Federal Regulation and Health Insurance Portability and Accountability Act(32). Entirely, in Canada, privacy Act have enacted in 1983, while, the history of the concept of privacy of the personal information date back in 1997, when the Royal Commission of Inquiry investigated privacy of personal information in reply to police request for having access to medical records free from obtaining individuals informed consent(33). The concept of privacy has originated in the ratification of the Freedom of information Act in 1982(34) and Privacy Act in 1988 in Australia. Along with, The common wealth’s Information Privacy Principles has been set out to protect personal information from potential threats which may be occurred during collection or storage based on Section 14 of the Privacy Act in 1988 and â€Å"The Australian Standard AS 4400 Personal Privacy Protection in Healthcare Information System† defined requirements protecting PHI integrity and confidentiality in health information system usable for anybody involve in Health information systems development and implementation. It is developed based on the common wealth’s information privacy principles, Organization Economic Cooperation Development (OECD) guidelines with regard to privacy protection and concerning council of Europe conventions and regulations(35). As with U.S. and Canada, many Australian legislations govern on personal information collection, use and disclosure(36). For instance, 10th and 11th principles of Information Privacy Principles (IPPs) and 2nd principle of National Privacy Principles (NPPs) govern information use and disclosure. According to the 10th IPPS information use especially health information use is permissible in terms of the purposes for which data was collected, otherwise obtaining an informed consent is compulsory. Furthermore, with reference to 11th IPPs, notifying people about the probability of information exchange among individuals and organizations is required before the disclosure, albeit, some exceptions are made regarding permissible conditions for information disclosure(37). Further, supplementary activities were conducted in this regard, for example; Royal Australian College of Physicians published a manual of health information management useable for private practice properly modelling best practices related to respect for legal and ethical requirements of health information privacy and confidentiality. In addition, The Australian Commission on Safety and Quality in Health Care bills of right was approved by Health Department which on the basis of one of them, protection of health information privacy and confidentiality is a must(38). Data protection in the EU enacted in 1995 due to different laws related to protect data privacy throughout the EU and the lack of pertinent laws among some members(39). It approved since enacted Organization of economic cooperation and Development principles towards data protection in 1980 were not imperative in legal view. EU directive 95/46 is not a part of national regulation on privacy but it is actionable on the basis of national regulations(40). Overall, These principles categorized in five groups specifying principles governs data quality, determination the scope of purposes of data collection and use, protection of data security, explicitness, and responsibility to control conditions in terms of measures relevant to each principles purposes of data use, minimal limitation implemented in nationwide and cooperated in the globe. with reference to Article 8 EU/directive 95/46 health information is among protected information and processing them is not permissible except for speci fied conditions(41). In electronic environment provision of health care services and products needs more data processing activities, therefore, sensitive personal information should be processed under both directives of data protection and electronic privacy to ensure the respect for individual right to privacy and network security and communication. In this particular case, a guideline relevance to patient privacy in Transborder health care environment issued to e-health care providers comply with EU directive requirements(42). In Iran, the right of privacy is not determined clearly either in the constitutional laws or the common laws, but achievable through laws interpretation. conservation of medical information during storage, process and dissemination in cyber space has been determined merely in Electronic Commerce law(43) privacy has been expressed in 3rd paragraph of patients’ bill of rights accordingly, individuals have right to request their own crucial diagnostic, therapeutic information directly. Patients have right to ensure that their medical records (e.g. the results of examination and clinical consultation) retained confidentially and their privacy protected. Furthermore, patients have the right to access complete medical records; request a copy of medical information and correction of the mistakes(44). Discussion: Individual health information (e.g. medical records) is declared highly sensitive personal information in Supreme Court of Canada view and under the Australian Privacy legislations, therefore, individuals could control over their own information (15ØŒ 45). The findings indicate peculiar Acts regulate sensitive health information. Nonetheless, internal literature indicate that respect for confidentiality principles is required in view of the significance of medical records confidentiality and broad use of medical records in legal and jurisdictional domains(46). According to literature, the enactment of different laws for ensuring the confidentiality of medical records is a must. Furthermore, national official authorities have major role in setting out clear rules pertinent to patient data access; announcing them as actionable directives to all health care organizations as well as determining criminal and civil penalties for disrespect for patent records confidentiality and unauthorized disclosure and also data breaches(47). Given the aforementioned, considering the national requirements in regard to maintain the patients right of privacy and confidentiality of health information, health care workers both clinical and administrative staff should comply with a general framework guiding collect, use or disclose health information in a safe manner. Development of this framework illuminates the pathways for better health information management and lower patients concerns about health data breach. For this end, formation of a multidisciplinary team composed of health information managers; medical laws and ethics and experienced health information custodians is required. Normally, executive health care administrators, health policymakers influence on appropriate and actionable policy making or develop a comprehensive framework. In summary, review of the pioneers’ legislations is enlightening in this regard.