1. Health Information Security & Privacy February 9, 2014 ONC Policy HIT Policy Committee Privacy and Security Workgroup Denise Anthony Sociology and ISTS Dartmouth College

2. Acknowledgements Some of the work reported here was supported by NSF grant (CNS-0910842) on Trustworthy Information Systems in Healthcare (TISH), and the SHARPS project, under award HHS 90TR0003/01 from U.S. Department of Health & Human Services. The statements, findings, conclusions, and recommendations are those of the author and do not necessarily reflect the views of the National Science Foundation, or U.S. Department of Health & Human Services. Thanks to many colleagues who are collaborators on some of the work described here: Ajit Appari, Celeste Campos-Castillo, Carl Gunter, Eric Johnson, David Kotz, Sean Smith, Timothy Stablein.

3. EHRs and Privacy, Trust, & Transparency  Many patients value EHRs for themselves and their providers  Positive correlation between EHR use and patient perceptions of quality of care  BUT controlling for quality, patients more likely to withhold information because of concerns about privacy with providers who use an EHR (Campos-Castillo & Anthony 2014)  Particular groups (e.g., those at risk of health-related or other social stigma)  have less trust in physician confidentiality generally  express concerns about disclosure of PHI when EHRs in use (though also see benefits of EHRs) (Teixeira et al 2011; Stablein & Anthony 2012)  willing to disclose when have trusting relationship with a provider Dartmouth

4.  Implications:  EHRs increase patient concerns about information flows (who has access to what; why access), particularly among some groups (e.g., those at risk of stigma)  Doctors and other health care providers can facilitate communication and trust by acknowledging patient privacy concerns and discussing commitment to confidentiality* as part of doctor/provider-patient relationship  Recommendation:  Promote transparency about information flows and commitment to confidentiality through provider communication – more than simply Notice of Privacy Practices EHRs and Privacy, Trust, & Transparency * confidentiality: expectation that personal information is protected and used appropriately; a set of rules that governs access to and use of information. Dartmouth

5.  2014 national random probability sample of continental US residential population of adults, n=784 Sample CharacteristicsWeighted Mean or Percentage %Female51.1 %Race/ethnicity White82.9 Black7.7 Hispanic5.6 Other4.2 %U.S. Immigrant9.1 Mean household income (dollars)85,304 %Education High school or less14.9 Some college28.2 College35.9 Graduate21.0 % Employed67.8 Mean age48.3 % Private Health insurance79.4 %Made health care visit past year87.1 %Has regular provider77.5 %Provider uses EHR60.2 Dartmouth What are consumer expectations about disclosure of PHI?

6. What do consumers think about EHRs? Agree Strongly Agree TOTAL Agree It is important for my doctor to have an electronic record of me. 37%22%59% Doctors and other health care providers should be able to share my medical info electronically. 32%22%54% It is important for me to be able to get my medical information electronically. 37%35%72% Dartmouth

7. What do consumers expect about transparency of PHI disclosure? Agree Strongly Agree TOTAL Agree It is important for me to find out who has looked at my medical records. 44%22%66% I should be able to find out who my doctor discloses my medical information to. 42%49%91% Dartmouth

8. Very Confident Somewhat Confident Not Confident I have some say in who is allowed to collect, use, and share my medical information. 33%49%18% I have some say in whether my medical information is shared with anyone other than my doctor/provider. 36%45%19% Safeguards (including the use of technology) are in place to protect my medical records from being seen by people who aren’t authorized to see them 31%52%17% How confident are consumers in control over and protection of their PHI? Dartmouth

9.  Implications:  Patients expect that they can find out who looks at their medical records, and to whom their doctor discloses their PHI  At least some patients feel confident that they have some say over disclosure of their PHI, and that safeguards are in place to protect PHI from unauthorized access  Recommendation:  Promote transparency about information flows by facilitating patients’ right to receive an accounting of disclosures  Provide information/tools for how to do so  Follow basic FIPPs and Security & Privacy “by design” principles to build on foundation of patient expectations and promote trust in system through increased transparency Patient expectations about disclosure of PHI Dartmouth

10. Note: HIPAA = Health Insurance Portability and Accountability Act. * Non-federal, acute care hospitals with 50 or more beds. † For-profit hospitals are significantly more likely than Non-Profit hospitals to be in compliance with the mandatory HIPAA Privacy Rule. ‡ For-profit hospitals are significantly less likely than Non-Profit hospitals to be in compliance with the voluntary (in 2003) HIPAA Security Rule. WHY DO HOSPITALS COMPLY WITH HIPAA REGULATIONS AND WHAT DOES IT MEAN FOR US HEALTH CARE? DOI: 10.1177/0022146513520431 Hospitals comply with HIPAA regulations: At different rates In different ways For different reasons Denise L. Anthony, Ajit Appari, M. Eric Johnson. 2014. Journal of Health & Social Behavior.

11.  Implications:  Despite ongoing regulatory efforts and incentives, IT systems and resources vary significantly across hospitals and other health care providers  Providers implement and follow regulations in different ways, so patients experience IT and information flows differently across providers  Recommendation:  FIPPs, and Security & Privacy “by design” principles provide common baseline despite variation in applications, systems, devices, as well as provider structures and practices Health IT, security and regulation Dartmouth

12. Thoughts on “big” data and mobile data  Delivery of health care (versus medical research) unlikely to require sharing of “big” data  Major advances possible from research using “big” data, and combining multiple types of data, but unlikely need to be in real time  Delivery of health care may soon require (or at least benefit from) sharing mobile health data  Consumers will continue to demand access to medical records, and ability to combine medical records with personal health data  Access to and use of mobile health devices and data varies across population  Essential to require FIPPs principles in mobile apps/devices Dartmouth