Health Information & Online Privacy for You & Your Organization

Presentation transcript:

Health Information & Online Privacy for You & Your Organization Emily J. Hurst, MSLS Technology Coordinator National Network of Libraries of Medicine South Central Region @hurstej @nnlmscr

Health Information Online One in three American adults has gone online to figure out a medical condition. Many people are going online to find health information, and many more health sites are available to online users. Librarians have to keep this in context as we help our library patrons navigate the web for health information. Roles for libraries include helping users find high quality health information and helping users maintain privacy for health topics both online and off. Health Online 2013. Susannah Fox and Maeve Duggan. Pew Research Internet Project. http://www.pewinternet.org/2013/01/15/health-online-2013/

HIPAA
Health Insurance Portability and Accountability Act of 1996 (HIPAA) http://www.hhs.gov/ocr/privacy/hipaa/understanding/
Protects individually identifiable health information (IIHI):
- Information related to physical or mental condition of the individual
- The provision of health care to the individual
- Payment for health care
- Information that identifies the individual
HIPAA compliant entities:
- Health Plans
- Most Health Care Providers
- Health Care Clearinghouses
- Business Associates of these entities
HIPAA provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information.

Online Health Information Sharing A tremendous amount of health-related information is found on the Internet. Many discussion forums are available for individuals to share information on specific diseases and health conditions. Websites dispense a wide variety of information. There is no guarantee that information you disclose in any of these forums is confidential. Always review the privacy policy of any website you visit. Consumers who come into your library are more likely to disclose their own health information to sites as they look for information; this type of action is not covered by HIPAA. Online health information seekers must use technology literacy to maintain privacy online. This includes reading privacy policies. This also applies to many health apps that users may download on their mobile device. Privacy Rights Clearinghouse. Medical Records Privacy. https://www.privacyrights.org/medical-records-privacy

PHRs and Privacy Not all Personal Health Records (PHRs) are mandated to be HIPAA compliant. When selecting a PHR, individuals should evaluate privacy policies to decide if they are comfortable with the protections and rights offered, such as how their information will be safeguarded, for what purposes their information will be used and disclosed, and the extent to which the individual will control access to information in the PHR. Some of the big PHRs such as Health Vault and Dossia are covered by HIPAA in some way. Other PHRs from other vendors may not be. Users must read privacy policies to know. Personal Health Records and the HIPAA Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf

Libraries and Privacy Is your organization tracking user behavior on computers? ALA http://www.ala.org/advocacy/intfreedom/librarybill/interpretations/privacy MLA https://www.mlanet.org/about/ethics.html Does your library have an up to date privacy policy? http://www.ala.org/advocacy/privacyconfidentiality/toolkitsprivacy/Developing-or-Revising-a-Library-Privacy-Policy As librarians we have a responsibility to ensure the privacy of our library users. This includes security in online information seeking. Is your privacy policy up to date? Does it include aspects of online information seeking? From MLA Ethics: Clients The health sciences librarian works without prejudice to meet the client’s information needs. The health sciences librarian respects the privacy of clients and protects the confidentiality of the client relationship. The health sciences librarian ensures that the best available information is provided to the client.

Disclaimers Consider updating disclaimers to include an online privacy statement. Disclaimers have been around for a while for consumer health collections. Have you updated your disclaimer to include a privacy statement for online resources? Disclaimers, MLA CAPHIS: http://caphis.mlanet.org/chis/disclaimers.html

NLM and Privacy The National Library of Medicine (NLM) does not collect any personally identifiable information (PII) about you when you visit their websites unless you choose to provide that information to them. The NLM privacy policy provides a good example of a privacy policy that includes online security. NLM Privacy Policy. http://www.nlm.nih.gov/privacy.html

Secure Wireless Networks
- Turn on wireless router’s encryption setting
  - WPA2 (Wi-Fi Protected Access II)
  - WEP (Wired Equivalent Privacy) is less secure
- Change default password
- Change default network name, the Service Set Identifier (SSID)
- Turn on wireless router’s firewall
- At Home:
  - Turn off guest access
  - Turn network name broadcasting off
How many of you have wifi in your home or office that is not secure? Can anyone log into your wifi network? Have you used free wifi networks that did not require a password or encryption key?

Encourage Encryption
Hypertext Transfer Protocol Secure (HTTPS) provides secure communication over a computer network.
Protects against:
- Forging
- Eavesdroppers
- Man-in-the-Middle attacks
HTTPS is not an anonymity tool.
What libraries can do:
- Enable HTTPS on your website
- Educate/Encourage patrons to use HTTPS for secure online communications
Encouraging the use of HTTPS is important when exchanging sensitive information online. Check for HTTPS in the URL of the site you are visiting. HTTPS Everywhere FAQ: https://www.eff.org/https-everywhere/faq

Privacy Protecting Search Tools
- DuckDuckGo https://duckduckgo.com/
- Startpage https://www.startpage.com/
- Blekko http://blekko.com/ Deletes personally identifiable information (PII) within 48 hours
The search engines listed on this slide do not track or collect user activity. Encouraging library patrons to use these search engines may provide more sense of security for online health searching. DuckDuckGo doesn’t use cookies to identify you, and it discards user agents and IP addresses from its server logs. DuckDuckGo doesn’t even attempt to generate an anonymized identifier to tie searches together – DuckDuckGo has no way of knowing whether two searches even came from the same computer. Startpage searches Google for you – when you submit a search, Startpage submits the search to Google and returns the results to you. All Google sees is a large amount of searches coming from Startpage’s servers – they can’t tie any searches to you or track your searches. Startpage discards all personally identifiable information. Like DuckDuckGo, Startpage doesn’t use cookies, it immediately discards IP addresses, and it doesn’t keep a record of searches performed. Blekko does log personally identifiable information, but deletes it within 48 hours.

Passwords
Create strong passwords:
- At least 8 characters long
- Combination of upper case, lower case, special characters and numbers
Avoid using:
- Names of family members or pets
- Real words with numbers or special characters replacing some or part of the word
- Sequences
- Personal information
How Strong Is Your Password? https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx
8 = 8 characters minimum length. 4 = 1 lower case + 1 upper case + 1 number + 1 special character.
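The rules on the Passwords slide, written as a checker that reports which rule a candidate password breaks. This is an added example, not part of the original presentation; the word list, the substitution table, the 4-character sequence threshold and the sample names and passwords are constructed assumptions.

```python
import re

# Constructed sample data (assumptions, not from the presentation).
COMMON_WORDS = {"password", "welcome", "library", "medicine", "dragon"}
# Common character substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def has_sequence(pw, run=4):
    """True if pw holds `run` ascending, descending or repeated characters
    in a row (abcd, 4321, aaaa)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}, {0}):
            return True
    return False

def check_password(pw, personal=()):
    """Return the slide's rules that pw violates; an empty list means it passes.
    `personal` holds names or other personal details to reject."""
    problems = []
    if len(pw) < 8:                                   # "8 characters minimum"
        problems.append("shorter than 8 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 4:   # the "4" rule
        problems.append("missing a character class")
    # Undo substitutions and drop non-letters to expose the underlying word.
    plain = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(word in plain for word in COMMON_WORDS):
        problems.append("real word with substitutions")
    if has_sequence(pw):
        problems.append("contains a sequence")
    low = pw.lower()
    if any(p.lower() in low for p in personal if len(p) >= 3):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords; "Bella" stands in for a pet's name.
    for candidate in ("P@ssw0rd!", "Bella2014!", "Xk#1234q", "tR9#vKq2&mZe"):
        print(candidate, check_password(candidate, personal=("Bella",)))
```

The first sample meets the length and character-class rules and is still rejected, which is the case the "real words with numbers or special characters" bullet is warning about.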

Password Management Tools
- LastPass 3.0 https://lastpass.com/ Free browser extension or $12.00/year
- Dashlane 2.0 https://www.dashlane.com Free or $29.99/year
- KeePass http://keepass.info/ Free

Mobile Device Security
- Remove unnecessary data from your devices
  - Social Security Number
  - Credit Card Numbers
  - Bank Accounts
- Set passcode or fingerprint lock
- Enable idle timeout lock
- Download apps only from trusted sources
- Encrypt data
- Enroll with a trusted service such as Find My iPhone
- Keep operating system (OS) up to date
My smartphone is so smart!

What Else Is There?
- Antivirus
- System restore software (Deep Freeze)
- Privacy/Protective monitor screens
- Private area for reviewing online health information
- User training
  - Online Security
  - Reliable Online Health Resources
There are a number of things that libraries can do to provide more security for their patrons who are looking for health information.

Resources – Online Health Info
- The Medical Library Association Guide to Providing Consumer and Patient Health Information. Edited by Michele Spatz.
- Personal Health Records and the HIPAA Privacy Rule: http://library.ahima.org/xpedio/groups/public/documents/government/bok1_042307.pdf#page%3D1
- When HIPAA applies to mobile applications: http://mobihealthnews.com/11261/when-hipaa-applies-to-mobile-applications/
- Find and Evaluate Health Information on the Web: https://www.mlanet.org/resources/userguide.html
- The Consumer Health Reference Interview and Ethical Issues: http://nnlm.gov/outreach/consumer/ethics.html
- Health Information in Libraries (ALA): http://www.ala.org/tools/atoz/health-information-libraries
The resources provided here provide more information on the topics addressed in this presentation.

Resources - Technology
- Protecting Your Wireless Network: http://www.fcc.gov/guides/protecting-your-wireless-network
- The Ultimate Guide for Creating Strong Passwords: http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords
- Guidelines for Securing Mobile Computing Devices: http://web.stanford.edu/group/security/securecomputing/mobile_devices.html
- The Best Antivirus for 2014: http://www.pcmag.com/article2/0,2817,2372364,00.asp

Contact Emily J. Hurst, MSLS Technology Coordinator National Network of Libraries of Medicine South Central Region emily.hurst@exch.library.tmc.edu (800) 338.7657 (Toll Free) You can contact the presenter at any time via email if you have any questions about the presentation. The 1800 number is toll free and will connect you with your NN/LM office. This project has been funded in whole or in part with Federal funds from the National Library of Medicine, National Institutes of Health, under Contract No. HHSN-276-2011-00007-C with the Houston Academy of Medicine-Texas Medical Center Library.

1 Hour MLA CE https://www.surveymonkey.com/s/july2014scr Complete by August 1, 2014

Join Us Next Time! Wednesday, August 20, 2014 Topic: Metadata: The Key to Linking Data Speaker: Guest Speakers: Dick Miller, Thea S. Allen & Joanne Banko from Lane Medical Library, Stanford University