Standards and Best Practices for Confidentiality of Electronic Health Records
1. Primer:
Standards and Best Practices
for Confidentiality of
Electronic Health Records
Manish Kumar
Sam Wambugu
MEASURE Evaluation
September 28, 2015
Informatics Webinar
2. Outline
1. Context
2. Situation in lower- and middle-income
countries (LMIC)
3. Information systems for electronic health
records (EHR)
4. Key concepts
5. Security, confidentiality, and privacy analysis
6. Global standards
3. Purpose
To describe key concepts, outline global
standards, and suggest key steps for
organizations to protect and manage
access to and use of individual health
information in electronic health records.
4. “Ensuring the information is
processed lawfully and fairly,
and is kept secure, is a
common value of everyone
involved in health care.”
− Policy Engagement Network
IDRC − 2010
5. Context
Strong health information systems (HIS)
are critical for health systems
strengthening
EHR systems are used for:
improving quality of care
reducing cost
enhancing patient mobility
better record keeping
enabling evidence-based medicine
6. Context, cont.
Transition from paper-based to EHR poses
challenges for privacy and confidentiality,
security, and data integrity
Expertise on privacy and security aspects
of eHealth systems in LMIC is lacking
Understanding of key concepts, standards,
and security management practices is
necessary
7. Situation in LMIC
Most of the scientific literature is from developed
country experiences
LMICs tend to lack legal and regulatory safeguards
International treaties and conventions may have
been signed, but they are not enacted into laws
Where laws exist, regulations that give life to laws
are absent
eHealth is not getting the same legislative
momentum as e-Commerce and e-Government
8. Method
• Reviewed secondary literature
• Literature search was limited to literature
published in English and accessible through
scientific databases. We used:
PubMed
MeSH (medical subject headings) for “Electronic Health
Records” together with other pertinent keywords: privacy,
security, confidentiality, protected health information,
personally identifiable information
9. eHealth systems
Electronic systems with patient-identifiable information:
1. Electronic health records and electronic medical records that capture and store patient information
2. Laboratory information management systems
3. Prescription information systems within hospitals
4. Patient registration and scheduling systems
5. Systems for aggregating and reporting information, monitoring health programs, and tracking patients’ status
6. Clinical decision support systems
7. Patient reminder systems (for example: for prompting patients to take medications or visit a clinic) − mHealth
8. Systems for medical research
10. Key concepts in EHR (1)
Electronic Health Records
Personal Health Information
Individual Identifiable Health
Information
Privacy
Security
Confidentiality
11. Key concepts in EHR (2)
1. Electronic health record (EHR)
“One or more repositories, physically or virtually integrated, of
information in computer processable form, relevant to the wellness,
health, and healthcare of an individual, capable of being stored and
communicated securely and of being accessible by multiple
authorized users, represented according to a standardized or
commonly agreed logical information model…” ISO 18308:2011
2. Personal health information
“Personal health information is information about an identifiable
person which relates to the physical or mental health of the
individual, or to provision of health services to the individual…”
ISO 27799
12. Key concepts in EHR (3)
3. Individually identifiable health information
“Information, including demographic information that
relates to:
the individual’s past, present, or future physical or
mental health or condition,
the provision of healthcare to the individual, or
the past, present, or future payment for the provision
of healthcare to the individual…”
−Health Insurance Portability and Accountability Act
(HIPAA) of 1996
13. Key concepts in EHR (4)
4. Privacy = individual’s right to decide about access to their
personal information: what information to share, with whom to share,
and how to share
5. Security = protection measures and tools that safeguard health
information and health information systems from any unauthorized
access to or modification of information, denial of service to
authorized users, and provision of service to unauthorized users
6. Confidentiality is intertwined with privacy and security. It is
a tool to protect privacy or an act of limiting disclosure of private
matters.
15. Ensuring privacy, security,
and confidentiality
• Even though technology and standards are integral
to security and privacy of health information in
EHR, healthcare providers have the prime
responsibility
• Information security involves a number of non-
technical factors:
• organizational policy
• human resources
• communication networks
• roles and processes
• monitoring and compliance
16. Global standards (1)
• Health informatics standards are set by both
international and national standard organizations.
ISO is the global authority for standards
European Committee for Standardization (CEN) is the
European authority for standards
American National Standards Institute (ANSI) approves
official national standards in the United States
• The work of these standards organizations informs and
influences each other’s standards development
processes.
• Adoption and implementation of, and compliance with,
standards in a healthcare system are context-specific.
17. Global standards (2)
Availability of international and national health
informatics standards is critical but not enough
to protect individual health information.
Information security involves a number of non-technical
factors such as organizational policy, human resources,
communication networks, roles and processes, and monitoring
and compliance
Inadequate identification and authentication of users,
unauthorized access and inadequate monitoring of user
activity, inappropriate disclosure, reporting requirements,
and poor security are key sources of privacy breaches
(Neame 2014)
18. Conclusion
• While EHR systems are vital to improved care and continuity of
care, data privacy, security, and confidentiality issues can
create hurdles
• To be effective, the principles of privacy, confidentiality, and
security in the eHealth environment must be supported by
local awareness and a strong national legal and regulatory
footing
• Awareness and understanding of related key concepts can
create an enabling environment
• National and international health informatics standards and
legislation are essential
19. MEASURE Evaluation is funded by the U.S. Agency
for International Development (USAID) under terms
of Cooperative Agreement AID-OAA-L-14-00004 and
implemented by the Carolina Population Center, University
of North Carolina at Chapel Hill in partnership with ICF
International, John Snow, Inc., Management Sciences for
Health, Palladium Group, and Tulane University. The views
expressed in this presentation do not necessarily reflect
the views of USAID or the United States government.
www.measureevaluation.org
For more information on MEASURE Evaluation’s work in health
informatics, visit: www.cpc.unc.edu/measure/publications/fs-15-141