What Health Information (HI) Workers Should Know About Patient Privacy Rights
Search For Schools
When you click on a sponsoring school or program advertised on our site, or fill out a form to request information from a sponsoring school, we may earn a commission. View our advertising disclosure for more details.
“Ultimately it’s not machines and algorithms we need to be concerned with; it’s people, and people’s actions, and people’s behavior,” Swirsky says. “And that’s something that we can work with.”
Eric Swirsky, JD, Clinical Associate Professor, Department of Biomedical and Health Information Sciences, University of Illinois Chicago (UIC)
The concept of patient privacy is at least as old as the Hippocratic Oath, fragments of which date back to the third century. Today, it is as relevant as ever. Not only does privacy remain fundamental to patient-provider trust, but it’s also taken on new meanings. Health apps, fitness trackers, and electronic health records (EHRs) are all part of an explosion of health-related technology that, unified by the internet, has created a torrent of personal health data stored in various states of security.
Health information workers have a critical and complex role in managing the collection, storage, access, and release of patients’ private information. In addition to their technical responsibilities, there is also the need for patient education; while some states have enacted laws that regulate the flow of private patient data, the proliferation of consumer-centric health applications mean that patients themselves are more in control than they’ve ever been.
Health data, if used safely and responsibly, can help increase health access and improve health outcomes. But it can also be misused, especially if left unguarded. Read on to learn more about the state of patient privacy today and where it’s going.
Meet the Expert: Eric Swirsky, JD, MA, MHPE
Eric Swirsky is a clinical associate professor, director of graduate studies, and PhD program director in the College of Applied Health Sciences, Department of Biomedical and Health Information Sciences at the University of Illinois Chicago (UIC). He has created and delivered ethics and professionalism curricula from the baccalaureate to post-doctoral levels with multiple teaching appointments across disciplines.
Swirsky serves on numerous health and education-related boards, including contributions to the editorial board of The American Journal of Bioethics, the Chicagoland Covid-19 Pandemic Response Commons, and the Board of Directors of the Council on Accreditation of Nurse Anesthesia Educational Programs. His current research involves testing the construct validity of an instrument measuring variables related to moral distress resulting from the hidden curriculum of undergraduate medical education.
The State of Patient Privacy Today
“Health data is the dark matter of healthcare,” Swirsky says. “It touches everything.”
As stewards of health data, health information workers are responsible for patient privacy and confidentiality. In the wrong hands, health data can be used for nefarious ends, enabling fraud, blackmail, and discrimination. Even without ill-intent, unsecured health data can have deleterious effects: the recent Dobbs ruling by the Supreme Court means that some forms of healthcare may be legal in one state and illegal in another.
“Many times, privacy gets narrowed down and thought of to be just this area of personal data, but there are more issues,” Swirsky says. “It’s important for managers to know that the scope of what they do, and what they think they can do, may be different from what they presuppose and/or what they were trained to do.”
At the core of many health data privacy issues are the competing incentives of the corporate and medical worlds. Health data is valuable, and corporations are obligated to their shareholders to meet a bottom line; simultaneously, the healthcare system is tasked with caring for patients and protecting their personal information. In other industries, the dollarization of data is not in dispute, but in healthcare, it must be.
“Since the inception of electronic health records (EHRs), billing has been a primary factor in system architecture,” Swirsky says. “It’s what computers are good at: capturing charges. So there needs to be a fundamental shift in the mindset behind these systems, in what their purpose is, and how they function. They need to be oriented more towards the care of patients. If they were, they’d focus on privacy and confidentiality as a primary concern, not as an afterthought.”
How HI Workers Can Help Protect Patient Privacy
HI workers help protect patient privacy in several ways, both directly and indirectly. The most important is adherence to national, professional, and organizational privacy standards. Adherence to those standards isn’t always straightforward, however. HI workers will need to be adept at moving between domains that are covered by HIPAA and those that are not. They will also need to interpret state and federal laws that may appear to conflict.
Best practices related to security are a must for health information workers. It starts at a personal level, by utilizing encryption and two-factor authentication, and extends to the organizational level, setting a culture of security for providers as well as new vendors of software and hardware applications.
“Digital hygiene standards are low, even for professionals who are trained in it,” Swirsky says. “For ordinary people, it’s even worse. There’s so little in the way of patient education when it comes to this.”
Public education is a critical new responsibility for HI workers in fostering a culture of security, privacy, and confidentiality when it comes to health data. Many health-focused apps leave complex (and sometimes purposefully convoluted) choices around data use up to the patients themselves. These apps may exist outside the domain of HIPAA rules.
HI workers don’t have to do it alone. Many government-sponsored resources exist to assist in patient education and promoting a patient-centric vision of health data privacy. The Office of the National Coordinator (ONC) for Health Information Technology (HIT) has a Seven Step Plan for implementing a security management process. The Department of Health and Human Services (HHS) has a tool that outlines how HIPAA rules apply (or don’t) to third-party applications. And the Federal Trade Commission (FTC) offers consumer-focused tips for protecting one’s privacy when using apps.
The Future of Patient Privacy Rights
The US lacks a national framework for patient privacy, especially one that takes into account the proliferation of patient data across multiple applications and domains. The American Health Information Management Association (AHIMA) and other professional organizations continue to advocate for precisely such a law. In its absence, some states have passed their own patient privacy regulations. But the result is less of a tapestry, Swirsky says, and more of a patchwork.
“We have to develop policies, and then the policies actually need to be enforced,” Swirsky says. “And not in terms of finding people to blame, but in making sure there is institutional accountability.”
Modern healthcare is facing its own crisis of ethics. On one hand is the commoditization of health data, along with the insight, accessibility, and potential revenue it brings. On the other hand is the ethics of the healthcare profession, and its commitment to the security, privacy, and confidentiality of health data. While technological advances can make the dilemma seem firmly planted in the present, if not the future, this is actually an ancient debate that goes back to the beginnings of medicine. Seeing it in the latter’s light can help inform potential solutions.
“Ultimately it’s not machines and algorithms we need to be concerned with; it’s people, and people’s actions, and people’s behavior,” Swirsky says. “And that’s something that we can work with.”
