Abstract
Health IT is the use of Information Technology (IT) in healthcare to improve patients' experience, enable quality care, efficiency, speed, and security of the collection, exchange, sharing, and storage of sensitive personal information. But Health IT faces a number of notable challenges ranging from privacy risks to trust and confidence in the use of EHRs. In this chapter, a framework for conducting Privacy Impact Assessment (PIA) of Health IT projects is discussed. Privacy impact assessment is a process through which privacy risks are assessed. The chapter includes recommendations for mitigating identified risks and ensuring compliance to policy and processes for handling and processing of highly sensitive and Personally Identifiable Information (PII).
TopIntroduction
In 2009 the US government signed the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act, 2009), a federal initiative that seeks to improve American health care delivery and patient care through an unprecedented investment in Health Information Technology (Health IT). Simply, Health IT is the use of IT in healthcare to improve patients’ experience, enable quality care, efficiency, speed and security of personal information collection, exchange, sharing and storage. So Health IT encourages and incentivizes the use of electronic health records (EHRs) instead of paper medical records to maintain people’s health information, the secure use and sharing of health information, and the use of IT to improve the quality and efficiency of care.
The goals of Health IT were pretty clear – to convince all physicians and hospitals to adopt EHRs, incentivize care service providers to adopt EHRs and to use them in ways that improves patients experience, quality and efficiency of care. But five years down the line, have these goals been realised? What have improved, and what haven’t? What are perceived major drawbacks, and what could be done to improve?
The use of IT in Health to improve patients experience, improve quality of care, reduce delays in treatment, and improve healthcare standards as a whole is a welcome development and should be encouraged. Lessons learnt from other countries that currently use EHR information systems attest to impressive results, improvements in patient care experience, overall healthcare efficiency as seen with lower levels of drug error rates in Europe. For example, Denmark has the lowest rate of inappropriate medication in eight European countries (Denmark, the Netherlands, the UK, Iceland, Norway, Finland, Italy and the Czech Republic) – a 5.8 percent rate, compared to 19.8 percent in these countries on average (Lesk, 2013). Meanwhile, the US is still struggling to reduce errors. According to the 2000 National Research Council report (Grady, 2010) estimated that approximately 100,000 deaths resulted from medical errors each year; this figure has not improved over a decade later (Lesk, 2013).
Unfortunately, IT in Health comes with some challenges, especially, when use of IT in health is going to fundamentally and radically change existing healthcare practices such as use of EHRs for patient information record management, culture change in terms of electronic use, sharing and transmission of patients’ information. As with any change, both patients and practitioners are going to react to this change one way or another. Similarly, the implementation and operation of Health IT in accordance to the HITECH Act are going to be challenging, too. These challenges are going to be multifaceted, including but not limited to technical, policy, interoperability, interface, privacy, security and data formatting and presentation issues. This thought is not radical, as the Office of the National Coordinator for Health Information Technology (ONC) itself had envisaged this, leading to the initiation of the Strategic Health IT Advanced Research Projects (SHARP), a program researching into, and addressing some of the perceived challenges in four specific areas – security and health information technology, patient-centered cognitive support, health care application and network design and secondary use of EHR information (Office of the National Coordinator for Health Information Technology, 2010).
Key Terms in this Chapter
Personal Identifiable Data (PID): These are sensitive and personal data that can be used to identify an individual. Personal identifiable data is the same as Personally Identifiable Information (PII), while the former is associated to Europe; the latter is associated with America. Examples of PII include a combination of one or more personal identifiers such as full face photographic images and any comparable images plus name, or date of birth plus address and health records. A full list of personal identifiers is shown in Table 1 .
Sensitive Personal Data: These are identifiable personal data whose release would put those persons at significant risk of harm or distress, unless otherwise disclosed by the persons. For example, a person’s medical records, bank details, social insurance number (national insurance) or tax records, etc.
Personal Data: Personal data is data that relates to a living person who can be identified by those data, or from those data plus other information which is in the possession of, or is likely to come into the possession of, the data controller. For example, first name, last name or/and date of birth of a living person.
Data Protection Act (DPA): This is a piece of legislation that governs how personal information of living individuals is processed. Processing of personal information means, how personal information are obtained, shared, recorded or stored (held). This piece of legislation was enacted in 1998 in the United Kingdom (UK).