Open access peer-reviewed chapter

Importance of Patient Privacy in Healthcare Analytics Research

Written By

Ewa J. Kleczyk

Submitted: 16 January 2023 Reviewed: 20 February 2023 Published: 27 March 2023

DOI: 10.5772/intechopen.1001305

From the Edited Volume

Ethics - Scientific Research, Ethical Issues, Artificial Intelligence and Education

Miroslav Radenkovic


Abstract

In recent years, ensuring patient privacy has become an important part of healthcare and medical research. With the vast amount of healthcare data available for research and the increasing ability to link and combine multiple healthcare datasets to enhance understanding of patient diagnostic and treatment journey, the need for the assessment of analytical datasets and output from the patient privacy side has become yet another step of the study protocol. The types of methods applied in the evaluation vary and include internal evaluation of sensitive personal and healthcare information through a statistical expert determination of the combined dataset. In addition, collaborating with a third-party expert in the privacy area can help ensure an objective assessment of meeting patient privacy requirements. As a result of the importance of patient privacy in healthcare research, this chapter will review the variety of methods leveraged in ensuring patient privacy protection during the healthcare analytics and research journey.

Keywords

  • patient privacy
  • HIPAA
  • healthcare research
  • expert determination
  • medical records

1. Introduction

An individual’s privacy is of immense importance when conducting healthcare and medical research, as it involves sensitive personal information. With the increasing amount of data available for analysis in recent years, the research often involves the collection, storage, and analysis of large amounts of personal health information, which can include sensitive and confidential information, such as medical history, diagnostic and treatment data, insurance remittance, bio-samples and specimens, primary research, patient charts, and other identifying personal information, including patient’s name, birth date, and personal identification numbers. Furthermore, with the increase in research organizations linking and combining a variety of individual-level datasets, the risk of re-identifying an individual has increased, adding to the complexities in personal and healthcare data protection. The unauthorized disclosure or mishandling of this type of information can have profound consequences for impacted individuals, including discrimination, monetary loss, damage to reputation, not receiving the appropriate level of healthcare services, and potentially even a stolen identity [1, 2].

To protect patient privacy, various laws and regulations have been put in place, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in Europe. These laws set standards for protecting the confidentiality and security of personal health information and require researchers and healthcare organizations to obtain informed consent from patients before collecting, storing, or using their personal information for research or analytics purposes. Additionally, healthcare organizations often implement strong security measures and data governance policies to manage personal information securely and appropriately. These laws also guide the use of the data and information, creating analytical ready datasets [1, 2].

As a result of the increased scrutiny of the patient privacy topic, this chapter focuses on the importance of preserving and protecting patient rights for privacy of personal and healthcare information. A brief description of the laws and regulations is outlined to provide the current regulations guiding the process. The methods for patient data protection and ways for analyzing data when conducting healthcare and medical research are also presented to ensure no personal data is revealed throughout the process.


2. Patient privacy laws’ overview

Patient privacy is a major concern when it comes to healthcare and medical research, as well as analytics. Medical research often involves collecting, storing, and analyzing copious amounts of personal health information, which can include sensitive and confidential information, such as genetic data, medical history, healthcare diagnostic and treatment data, insurance remittance, and other identifying personal and healthcare information. If not managed properly, this information can be misused or mishandled, leading to negative consequences for affected patients. In addition, the variety of data sets can be linked and combined to provide additional insights and data granularity, which can lead to an increased risk for identification of personal information, especially in the area of rare diseases, where the patient population is often less than 200,000 lives. Understanding the associated risks and creating mitigation plans is also important to ensuring healthcare and medical research can be conducted safely. The resulting insights and outcomes can enhance knowledge of diagnostic and treatment process, while at the same time protect patients’ rights for anonymity and privacy [1, 2].

The mitigation techniques, such as de-identification, where personal information is removed from data sets, or the use of synthetic data, where the data is artificially generated while preserving the characteristics of the original data, can be used to protect patient privacy and still allow for valuable insights to be gained through analytics. Furthermore, understanding the requirements and guiding rules for healthcare organizations collecting, storing, and analyzing the personal and healthcare data is of a foremost importance to ensure research organizations’ compliance with the laws and regulations put in place by the governing agencies [1, 2].

In this section of the chapter, the two most important patient privacy protection laws are described. The responsibilities of healthcare organizations in complying with these regulations and the resulting consequences are also reviewed.

2.1 Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act, otherwise known as HIPAA, is a federal law in the United States that establishes standards for protecting the privacy and security of personal health information. HIPAA applies to covered entities, which often include healthcare providers, health plans, and healthcare clearinghouses. The regulation is governed by the Department of Health and Human Services, working closely with the Department of Justice as well as the Office of Civil Rights [1, 3].

HIPAA has several provisions that are relevant to healthcare and medical research. The Privacy Rule, for example, establishes standards for protecting the privacy of protected health information (PHI) and requires covered entities to obtain patient consent before using or disclosing PHI for research purposes. The Security Rule, on the other hand, establishes standards for protecting the security of electronic PHI (ePHI) and requires covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI [3].

HIPAA also includes a provision known as the “minimum necessary” standard, which requires covered entities to make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. This provision applies to healthcare research and requires researchers to limit the amount of PHI they use; track sample sizes and data elements leveraged; or disclose what is necessary to conduct their studies [3].

The Office of Civil Rights is the governing organization that ensures compliance with HIPAA regulations and investigates and reviews any violations and breaches. The governing body might elect to conduct audits and investigations when it suspects violations and insufficient protections applied by a healthcare organization, as noted by the “minimum necessary” standards [3].

To ensure no personal information is shared and revealed, a variety of techniques and methods are applied when conducting healthcare and medical research. For example, patients are asked for consent for their information to be used, or statistical expert determinations are performed on data sets compiled from a variety of healthcare sources to ensure no sensitive information is included and no identifying information can be established from the research [3].

2.1.1 Personal information breach

When personal or sensitive information is disclosed, the covered entities need to follow the HIPAA Breach Notification Rule. The rule requires covered entities and their business associates to provide notification to impacted individuals, following a breach. Business associates are often defined as a person or entity who manages, transfers, or analyzes data with PHI, on behalf of the covered entity [3].

A breach is often defined as “an impermissible use or disclosure that compromises the security or privacy of the protected health information” [3]. The following factors may help define a breach:

  1. The PHI was shared with other unauthorized individuals or entities. Or there is a substantial risk of re-identifying an individual [3].

  2. The unauthorized person used the individual’s protected health information or shared the information with [3].

  3. There is a need for confirmation of the PHI being acquired or viewed [3].

  4. The risk mitigation level to protected health needs to be understood and analyzed [3].

All covered entities and business associates must report privacy breaches. They can choose to provide the required breach notifications without performing a risk assessment; however, it is advised to perform a risk evaluation to determine the probability of the protected personal and health information being compromised. There is a clear pathway for reporting and mitigating the breach and how the breach must be communicated to the affected individuals [3].

2.1.2 Reporting a breach

Following a breach of protected health information, covered entities must notify affected individuals, the government, and, where applicable, the media [3].

Covered entities must provide the breach notice either in a written form by mail or by e-mail if the affected individuals agreed to electronic communication [3]. If the covered entity is not able to reach impacted persons due to outdated or insufficient information for ten (10) or more individuals, the covered entity must post the notice on their home page or website for at least 90 days or provide the notice in major print or broadcast media where the affected individuals reside [3].

These individual notifications must be provided without a significant delay and no later than 60 days following the discovery of a breach [3]. They must include a brief description of the breach, a description of the types of information involved, and the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, and to prevent breaches in the future, and finally the contact information for the covered entity [3].

Covered entities that experience a breach affecting more than five hundred (500) residents in a specific area like State or pre-defined jurisdiction, in addition to notifying the affected individuals, must provide notice to media outlets [3].

In addition to notifying affected individuals and the media as applicable, covered entities must notify the Department of Health and Human Services by visiting the HHS website and filling out and electronically submitting a breach report form [3].

2.1.3 Breach penalties

Depending on the severity of the violation of the HIPAA regulation, there might be financial penalties placed on the covered entity. The Office of Civil Rights usually prefers to resolve HIPAA violations using non-punitive measures, including voluntary compliance, or issuing technical guidance to help address areas of concern. The Office of Civil Rights considers a few factors when assessing the penalties and mitigation tactics. These factors include being unaware of a potential violation happening and taking the minimum steps abiding by the HIPAA Rules or having a violation as a direct result of “willful neglect” with limited or no attempts to correct the violation within 30 days of occurrence [4].

In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, financial penalties are usually not assessed [4]. On the other hand, the penalty cannot be avoided if the violation involves intentional neglect of the Privacy, Security, and Breach Notification Rules [4].

When assessing the penalty for violation, the Office of Civil Rights considers several factors, including the length of time for a violation, the number of people affected, and the nature of the data exposed. These factors can affect the amount of the financial penalty. In addition, the Office of Civil Rights takes into consideration the covered entity’s prior history, financial condition, and the level of damage caused by the breach. Examples of penalties include a minimum fine of $100 per violation with up to a fine of $50,000 per violation [3, 4].

2.2 General Data Protection Regulation (GDPR)

The General Data Protection Regulation, otherwise known as GDPR, establishes the general obligations of data controllers and of those processing personal data on their behalf in Europe. These include the obligation to implement appropriate security measures, according to the risk involved in their data processing operations [5].

Furthermore, GDPR presents a firm stance on data privacy and security to ensure the protection of individuals’ information and how their data is used, including types of analysis that the data can support. The regulation itself is large, far-reaching, and provides limited details on what is expected, making GDPR compliance complicated, especially for small and medium-sized enterprises (SMEs), which might not have the needed resources to apply, comply with, and track the changing regulations and amendments [5].

In Europe, the financial penalties for violating the GDPR are high, especially when compared to the United States. There are two types of penalties, which max out at €20 million or 4% of global revenue, whichever is higher. In addition, individuals impacted by the breach have the right to seek compensation for damages from the organizations that violated the regulation [2, 6].

Since this chapter focuses on the US application of the patient privacy regulations in healthcare and medical research, the overview of GDPR noted above is the only mention of the prevailing law and applications in Europe.


3. Healthcare data protection and risk mitigation strategies

Ensuring patient privacy has become a crucial aspect of healthcare and medical research in recent years. With the vast amount of healthcare data available for research, and the increasing ability to link and combine multiple healthcare datasets to enhance understanding of the patient diagnostic and treatment journey, the need for the assessment of analytical datasets and output from the patient privacy side has become a crucial step in the study protocol. The methods applied in the evaluation vary and include internal evaluation of sensitive personal and healthcare information through a third-party expert’s statistical expert determination of the combined dataset. Collaborating with an expert in the privacy area can help ensure an objective assessment of meeting patient privacy requirements. In addition to expert determination, other methods are used to ensure patient privacy in healthcare research. These techniques, often applied by healthcare organizations collecting the data, include de-identification, anonymization, informed consent, and data security. These methods are crucial to protecting patients’ sensitive information and provide a venue to ensure the safe collection, storage, and analysis of sensitive information. In addition, internal policies and governing rules designed by internal privacy and security experts help support organizational compliance [3].

This section of the chapter presents various methods and techniques to provide a deep understanding of what is available and how it can be applied when collecting, storing, and analyzing healthcare data and information.

3.1 Collecting and securing medical records

Protecting patient privacy when using medical records, claims data, pharmacy records, insurance remittance data, patient charts, etc., is crucial in healthcare and medical research, resulting in analytics and insight dissemination. There are several ways to ensure patient privacy when working with healthcare information and data, including [3]:

  1. De-identification: This process removes personal identifiers such as names, addresses, and social security numbers from the data. This step makes it more difficult to link the data back to an individual patient while protecting the patients’ rights for privacy [3].

  2. Anonymization: This step is a more advanced form of de-identification, which involves removing all identifying information from the data, making it impossible to link the data back to an individual patient [3].

  3. Informed consent: Researchers obtain informed consent from patients before using their medical records for research purposes. This ensures that patients are aware of how their data will be used and have given their permission for inclusion in a variety of purposes. This step becomes especially important in research, as pending the patient’s consent only the data sources noted can be leveraged for analysis [3, 7].

  4. Data security: Researchers must establish strict data security protocols to ensure that the medical records are only accessible to authorized personnel and to prevent unauthorized access, use, or disclosure of the data [3].

  5. Compliance with regulations: As described above, researchers must comply with regulations such as HIPAA, which sets standards for protecting the privacy and security of personal health information. Internal privacy and security experts create the data management and security policies and guidelines that help meet the set-forth requirements [3].

  6. Synthetic data: Healthcare research organizations can create synthetic data sets that preserve the characteristics of the studied population but in the process, eliminate the risk of releasing and sharing PHI or other identifying sensitive information or data elements [3].

The above techniques and steps provide a way to ensure patient privacy but also ensure that when combining and linking data as well as analyzing the resulting datasets, the level of information that can be used and sources of data that can be leveraged to answer healthcare and medical questions are clearly presented, analyzed, and understood by the individuals, patients, and collecting healthcare data organizations and covered entities. Internal governing data policies can help establish a compliance-driven environment and support the mission of data privacy protection.

As noted above, for example, patients might provide consent for combining and linking their information across a variety of data sets. On the other hand, individuals might restrict connecting selective information, such as their genetic or bio-sample data, with these datasets, which must be abided by when developing a comprehensive analytics-ready data set. Patients might also remove their consent for any data being used for future studies.

Recently, more states are working or planning to establish state-level regulations that could further protect patient rights and allow them to decide their personal and healthcare information use in research. For example, in January 2020, California put in place the California Consumer Privacy Act (CCPA), allowing individuals to review their collected data and request that their information be removed and deleted from their databases [8]. Furthermore, individuals can ask that no personal information be used and sold in the future. The continued State-level-changing policies affect the process of data review and design of compliance and mitigation policies for healthcare organizations, forcing more healthcare organizations to employ experts in the privacy and security area to guide the necessary internal policies and data governing requirements [8].

Overall, protecting patient privacy when using medical records is essential in healthcare analytics research, as it ensures that patients’ sensitive information is kept confidential and prevents future damage, discrimination, or harm.

3.2 Expert determination

Privacy and expert determination are related to protecting sensitive information and ensuring proper oversight. In the context of the expert determination, privacy concerns may arise when an expert is appointed to opine on a matter that involves private or confidential information. For example, in a legal dispute, an expert may be appointed to evaluate evidence that includes private medical records or financial information [3].

To protect privacy in these situations, the selected third-party experts must adhere to strict confidentiality agreements and may have to take additional measures to safeguard the information they are reviewing. For example, they may have to use secure methods of communication and storage, and to redact or anonymize sensitive information before sharing it with entities involved in the research. Additionally, experts should be aware of and comply with any relevant laws and regulations related to privacy and data protection, including State-level regulations. Often third-party experts are annotated as business associates to ensure that they can take in personal and healthcare information and analyze all information available for the research. Please note that healthcare organizations can have their internal privacy experts perform statistical determination on the studied data, but it is often recommended to collaborate with external experts to ensure objectivity in the review process [3].

Expert determination is important in evaluating real-world data (RWD) in healthcare analytics research because the data is often complex and multifaceted. The information can come from various sources, such as electronic health or medical records, claims data, bio-samples, and specimens, as well as patient-generated data, and may include both structured and unstructured formats. The information may also be incomplete or have errors [3].

Expert determination can help to ensure the accuracy and validity of real-world data and information by supplying a thorough understanding of the data source, the data collection process, and the potential biases or limitations of the data. Experts use statistical methods to evaluate the level of risk for the re-identification of patients and their information, as well as provide recommendations for mitigation steps and tasks to be implemented to lower or mitigate the risk altogether. Experts can also provide insights into how to best analyze and interpret the data to extract meaningful insights without increasing the risk of re-identification of an individual [3].
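The kind of statistical re-identification check described above, as an added example that is not part of the chapter: it counts how many records share each combination of quasi-identifiers, before and after two de-identified datasets are linked, and then suppresses the groups that are too small. The group-size measure (a k-anonymity style check), the threshold k=2, all field names, and all records are assumptions constructed for illustration; the chapter does not name a specific method.

```python
from collections import Counter

# Direct identifiers to strip; the field names are assumptions for this example.
DIRECT_IDENTIFIERS = {"name", "ssn"}

# Constructed sample data: a claims extract and a disease registry that share
# a pseudonymous patient token. No real records are used.
CLAIMS = [
    {"token": "t1", "name": "Patient A", "ssn": "000-00-0001", "birth_year": 1980, "zip3": "100", "sex": "F"},
    {"token": "t2", "name": "Patient B", "ssn": "000-00-0002", "birth_year": 1980, "zip3": "100", "sex": "F"},
    {"token": "t3", "name": "Patient C", "ssn": "000-00-0003", "birth_year": 1980, "zip3": "100", "sex": "F"},
    {"token": "t4", "name": "Patient D", "ssn": "000-00-0004", "birth_year": 1975, "zip3": "100", "sex": "M"},
    {"token": "t5", "name": "Patient E", "ssn": "000-00-0005", "birth_year": 1975, "zip3": "100", "sex": "M"},
    {"token": "t6", "name": "Patient F", "ssn": "000-00-0006", "birth_year": 1975, "zip3": "100", "sex": "M"},
    {"token": "t7", "name": "Patient G", "ssn": "000-00-0007", "birth_year": 1962, "zip3": "945", "sex": "F"},
    {"token": "t8", "name": "Patient H", "ssn": "000-00-0008", "birth_year": 1962, "zip3": "945", "sex": "F"},
]
REGISTRY = [
    {"token": "t1", "diagnosis": "asthma"},
    {"token": "t2", "diagnosis": "asthma"},
    {"token": "t3", "diagnosis": "rare_condition_x"},  # constructed rare-disease label
    {"token": "t4", "diagnosis": "diabetes"},
    {"token": "t5", "diagnosis": "diabetes"},
    {"token": "t6", "diagnosis": "diabetes"},
    {"token": "t7", "diagnosis": "asthma"},
    {"token": "t8", "diagnosis": "asthma"},
]


def deidentify(records, direct_identifiers=DIRECT_IDENTIFIERS):
    """Drop direct identifiers; every other field is kept unchanged."""
    return [{k: v for k, v in r.items() if k not in direct_identifiers} for r in records]


def link(left, right, key="token"):
    """Inner-join two record lists on a shared pseudonymous key."""
    by_key = {r[key]: r for r in right}
    return [{**row, **by_key[row[key]]} for row in left if row[key] in by_key]


def class_sizes(records, quasi_identifiers):
    """Count the records that share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def reidentification_risk(records, quasi_identifiers, k):
    """Summarise group sizes; a group of size n gives each member a 1/n match risk."""
    sizes = class_sizes(records, quasi_identifiers)
    smallest = min(sizes.values(), default=0)
    return {
        "classes": len(sizes),
        "smallest_class": smallest,
        "records_below_k": sum(n for n in sizes.values() if n < k),
        "max_risk": 1 / smallest if smallest else 0.0,
    }


def suppress_small_classes(records, quasi_identifiers, k):
    """Mitigation: withhold records whose quasi-identifier group has fewer than k members."""
    sizes = class_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[tuple(r[q] for q in quasi_identifiers)] >= k]


def demo(k=2):
    base_qi = ["birth_year", "zip3", "sex"]
    linked_qi = base_qi + ["diagnosis"]  # linking adds a new quasi-identifier
    claims = deidentify(CLAIMS)
    linked = link(claims, REGISTRY)
    released = suppress_small_classes(linked, linked_qi, k)
    return {
        "claims_only": reidentification_risk(claims, base_qi, k),
        "linked": reidentification_risk(linked, linked_qi, k),
        "after_suppression": reidentification_risk(released, linked_qi, k),
        "released_records": len(released),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The claims extract alone keeps every patient in a group of at least two, but linking the diagnosis field isolates the single rare-condition patient, which is the linkage effect the chapter warns about for rare diseases.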

Additionally, expert determination can help to ensure that healthcare data is used in compliance with relevant regulations and ethical guidelines, such as HIPAA, in the US. This can help to protect patient privacy and ensure that the data is used in a suitable and responsible manner [3].

Expert determination should be used in healthcare analytics research in several situations:

  1. Data complexity: Healthcare data can be complex, multifaceted, and come from a variety of sources, such as electronic health and medical records, claims data, and patient-generated data [3].

  2. Data quality: Healthcare data may be incomplete and have errors or inconsistencies. Third-party experts can help with naming and addressing data quality issues [3].

  3. Compliance with regulations: Healthcare data analysis should comply with relevant regulations and ethical guidelines. Experts can help to ensure that the data is used in compliance with these regulations and guidelines, and that patient privacy is protected [3].

  4. Study design and analysis: Experts can help with designing and implementing a proper study design and analysis plan [3].

  5. Interpreting results: Experts can help with interpreting and communicating the results of the analysis in a meaningful and actionable way [3].

  6. Combined and linked data sets: Experts can advise on the data elements and sub-groups that should be revised or removed to ensure the combined data sets support the HIPAA research requirements [3].

Overall, expert determination should be used when evaluating healthcare and medical data to ensure the accuracy, validity, and compliance of the data, help with study design and analysis, and interpret the results in a meaningful way. Releasing data sets or insights that have not been evaluated by an expert or that do not follow privacy guidelines can result in data breaches and cause lasting damage and harm to the affected individuals.


4. Conclusions

Patient privacy is of the utmost importance in healthcare and medical research, as it helps to protect the rights and dignity of individuals who take part in research studies. Without proper safeguards for patient privacy, individuals may be hesitant to participate in research, which can hinder the advancement of medical knowledge and the development of new treatments. Additionally, breaches of patient privacy can lead to a loss of trust in the healthcare system and potentially cause harm to individuals whose personal information is compromised. To protect patient privacy in healthcare and medical research, researchers must adhere to strict ethical guidelines and regulations, such as obtaining informed consent from participants and implementing secure data storage and sharing practices. Furthermore, collaborating with third-party experts can help in ensuring that resulting data sets leveraged for healthcare research are compliant with all regulations and do not increase risk for re-identifying an individual in the process. All these steps and mitigation methods are important to moving the medical field forward, improving healthcare access and treatment, while ensuring that patients’ rights to privacy are preserved.


Acknowledgments

The chapter author would like to thank James Strout for his review of the article.


Conflict of interest

The chapter author declares no conflict of interest.


Funding

The chapter author works for Target RWE organization.


Nomenclature

CCPA: California Consumer Privacy Act
ePHI: Electronic protected health information
HIPAA: Health Insurance Portability and Accountability Act
GDPR: General Data Protection Regulation
PHI: Protected health information
RWD: Real-world data
SMEs: Small and medium-sized enterprises

References

  1. Privacy 24.0 Use and Disclosure of PHI. Universal Health Services. 2017. Available from: https://www.uhsinc.com/wp-content/uploads/2017/10/Privacy-24.0-Use-and-Disclosure-of-PHI.pdf. Accessed on January 15, 2023
  2. Data Protection. Eujus. 2022. Available from: https://www.eujus.eu/practice/data-protection/
  3. Health Information Privacy. HHS.gov. 2022. Available from: https://www.hhs.gov/hipaa/for-professionals/index.html. Accessed on January 15, 2023
  4. What are the Penalties for HIPAA Violations?. HIPAA Journal. 2023. Available from: https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/. Accessed on January 15, 2023
  5. What is GDPR, the EU’s new data protection law?. GDPR.EU. 2022. Available from: https://gdpr.eu/what-is-gdpr/. Accessed on January 15, 2023
  6. GDPR Fines Increase. IMA Business. 2021. Available from: https://imacorp.com/business/news/gdpr-fines-increase/. Accessed on January 15, 2023
  7. Patient Consent for Electronic Health Information Exchange. HealthIT.gov. 2022. Available from: https://www.healthit.gov/topic/patient-consent-electronic-health-information-exchange. Accessed on January 15, 2023
  8. Bonta R. California Consumer Privacy Act (CCPA). State of California Department of Justice. 2022. Available from: https://oag.ca.gov/privacy/ccpa. Accessed on January 15, 2023
