Data Privacy and Security

Fraser, Ross

doi:10.1007/978-3-030-58740-6_10

Ross Fraser³

Part of the book series: Health Informatics ((HI))

2097 Accesses

Abstract

This chapter begins by explaining why health information privacy is important, both to nurses and to patients. The concept of privacy is complex and it is common to think of privacy as interchangeable with security. This is untrue and this chapter will introduce readers to the definitions of privacy, personal health information, health information custodians, and security-related terms such as authentication, authorization, and audit trails. The concept of personal health information (PHI) is explored in relation to its collection, use, disclosure, and retention. The rationale for privacy, implicit and deemed consent, and withholding and revoking consent are also presented. Other approaches to protecting privacy are described, including developing a privacy policy, designating a privacy officer, de-identification of personal information, and pseudonomization. Information security is surveyed, including international standards and current areas of concern. The chapter closes by exploring how nurses can contribute to the protection of privacy.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 44.99; Price excludes VAT (USA)

Softcover Book: USD 59.99; Price excludes VAT (USA)

Hardcover Book: USD 84.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
Note: All web references were last accessed on May 4, 2020.

References

Note: All web references were last accessed on May 4, 2020.

Adapted from Black’s Law Dictionary (9th edition); 2009. ISBN-13: 9780314199492.
Google Scholar
Mathews A. Anthem. Hacked database included 78.8 million people. Wall Street Journal, 24 Feb 2015. https://www.wsj.com/articles/anthem-hacked-database-included-78-8-million-people-1424807364.
Cabrera E, Papaevangelou H, Mcparland J. Patient’s autonomy, privacy and informed consent. IOS Press; 2000. ISBN 1586030396, 9781586030391.
Google Scholar
Canadian Broadcasting Corporation. B.C. privacy breach shows millions affected. CBC News, 14 Jan 2013. https://www.cbc.ca/news/canada/british-columbia/b-c-privacy-breach-shows-millions-affected-1.1342374.
Canadian Standards Association. Model code for the protection of personal information (CAN/CSA-Q830-96). 1996. https://laws-lois.justice.gc.ca/eng/acts/p-8.6/page-11.html.
Clarke R. Beyond the OECD guidelines: privacy protection for the 21st century. Cyber Security and Information Systems Information Analysis Center (CSIAC). Rolling Meadows, IL: Jan; 2000.
Google Scholar
Cloud J. Pedophilia. Time Magazine, 29 April 2002. http://content.time.com/time/magazine/article/0,9171,232584,00.html.
Connolly ML. Belfast Trust fined £225,000 over patient records breach. BBC, 19 Jun 2012. https://www.bbc.com/news/uk-northern-ireland-18497161.
Council of Europe. Convention for the protection of individuals with regard to automatic processing of personal data. Strasbourg; 28 Jan 1981a. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108.
Council of Europe. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Strasbourg; 28 Jan 1981b, article 6. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108.
Davis J. 417,000 Augusta University Health patient records breached nearly one year ago. Healthcare IT News, 17 Aug 2018. https://www.healthcareitnews.com/news/417000-augusta-university-health-patient-records-breached-nearly-one-year-ago.
European Parliament. General data protection regulation. 27 Apr 2016, Article 8. https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1532348683434&uri=CELEX:02016R0679-20160504.
European Union. Data Protection Directive (95/46/EC), 1995. https://ec.europa.eu/eip/ageing/standards/ict-and-communication/data/directive-9546ec_en.
Federal Trade Commission (US). Fair Information Practice Principles (FIPs), s. 5. Enforcement/Redress. Washington, DC; n.d. https://web.archive.org/web/20090205180646/http://ftc.gov/reports/privacy3/fairinfo.shtm.
Frone MR. Prevalence and distribution of alcohol use and impairment in the workplace: a U.S. national survey. J Stud Alcohol. 2006;67:147–56. https://www.jsad.com/doi/abs/10.15288/jsa.2006.67.147
Article Google Scholar
Gordon E. Aetna agrees to pay $17 million in HIV privacy breach. NPR, 17 Jan 2018. https://www.npr.org/sections/health-shots/2018/01/17/572312972/aetna-agrees-to-pay-17-million-in-hiv-privacy-breach.
Gostin LO. National health information privacy regulations under the health insurance portability and accountability act. JAMA. 2001;285(23):3015–21. https://doi.org/10.1001/jama.285.23.3015. http://jama.jamanetwork.com/article.aspx?articleid=193930
Article CAS PubMed Google Scholar
Guardian Government Computing. ICO fines Sussex trust £325,000 for data breach. The Guardian, 1 June 2012. https://www.theguardian.com/government-computing-network/2012/jun/01/ico-data-breach-brighton-nhs.
Hall, et al. Sexual arousal and arousability to pedophilic stimuli in a community sample of normal men. Behav Ther. 1995;26:681–94. http://www.sciencedirect.com/science/article/pii/S0005789405800395
Article Google Scholar
Hare WH. Records, computers and the rights of citizens: Rand Corporation; 1973a. http://www.rand.org/pubs/papers/2008/P5077.pdf
Hare WH. Records, computers and the rights of citizens: Rand Corporation; 1973b. p. 3. http://www.rand.org/pubs/papers/2008/P5077.pdf
Hicks S. Russian hackers hold Gold Coast doctors to ransom. ABC News, 11 Dec 2012. http://www.abc.net.au/news/2012-12-10/hackers-target-gold-coast-medical-centre/4418676.
Holmes N. The right to privacy and parliament. Library of Parliament (Canada); Feb 2006.
Google Scholar
Information and Privacy Commissioner of Ontario. Circle of care: sharing personal health information for health-care purposes; Aug 2015. https://www.ipc.on.ca/wp-content/uploads/Resources/circle-of-care.pdf.
ISO 27001: Information technology – Security techniques – Information security management systems – Requirements. International Organization for Standardization; 2013. https://www.iso.org/standard/54534.html.
ISO 27002. Information technology – security techniques – code of practice for information security controls. International Organization for Standardization. 2013; https://www.iso.org/standard/54533.html
ISO 27799: Health informatics – Information security management in health using ISO/IEC 27002. International Organization for Standardization, 2016. https://www.iso.org/standard/62777.html.
ISO/TS 14265: Health Informatics – Classification of purposes for processing personal health information. International Organization for Standardization; 2011. https://www.iso.org/standard/54547.html.
Jurgens R. HIV testing and confidentiality: final report. Canadian HIV/AIDS Legal Network & Canadian AIDS Society. 2001; http://www.aidslaw.ca/site/hiv-testing-and-confidentiality-final-report/?lang=en
Krebs B. Hackers break into Virginia health professions database, Demand Ransom. Washington Post, 4 May 2009. http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html.
National Conference of State Legislatures. Security Breach Notification Laws. 8 Mar 2020. https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Office of the Australian Information Commissioner. Notifiable data breaches; n.d. https://www.oaic.gov.au/privacy/notifiable-data-breaches/.
Organization for Economic Co-Operation and Development. Guidelines on the protection of privacy and transborder flows of personal data. Last modified Jan 1999. http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.
Pew Research Center. Public opinion on abortion: views on abortion, 1995–2019. Pew Research Center; 29 Aug 2019. https://www.pewforum.org/fact-sheet/public-opinion-on-abortion/.
Privacy Commissioner of Canada. What you need to know about mandatory reporting of breaches of security safeguards. Oct 2018. https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/.
Smith GK. Privacy in the information age: De Montfort University; Apr 1994.
Google Scholar
Srinivas R. 7 times ransomware became a major healthcare hazard. CISO Magazine, 14 Nov 2019. https://www.cisomag.com/7-times-ransomware-became-a-major-healthcare-hazard/.
Stein L. The electronic medical record: promises and threats; web security: a matter of trust. Web J. 1997;2(3) https://dl.acm.org/doi/abs/10.5555/275079.275101
Terhune C. Patient data outage exposes risks of electronic medical records. Los Angeles Times, 3 Aug 2012. http://articles.latimes.com/2012/aug/03/business/la-fi-hospital-data-outage-20120803.
US Government Printing Office. Health insurance portability and accountability act, 1996. https://www.govinfo.gov/content/pkg/PLAW-104publ191/html/PLAW-104publ191.htm.

Download references

Author information

Authors and Affiliations

Sextant Inc., Toronto, ON, Canada
Ross Fraser

Authors

Ross Fraser
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ross Fraser .

Editor information

Editors and Affiliations

School of Nursing, Psychotherapy and Community Health, Center of eIntegrated Care, Dublin City University, Dublin, Ireland
Pamela Hussey
Center of Excellence, Gevity Consulting Inc and Kennedy Health Informatics Inc, Halifax, NS, Canada
Margaret Ann Kennedy

10.1 Electronic Supplementary Material

Data 1

Educational Template (PPTX 48 kb)

Glossary

Access control: The identification of users during user registration, the assignment of access privileges that determine which information resources and services these users can access, their subsequent authentication during log in, and their authorisation prior to being granted access to specific services and data
Anonymity: Term used which allows the subjects in a database to remain nameless and unidentified
Audit: Auditing is done by keeping audit log files (sometimes referred to as an audit trail) that record which users have done what (accessed information or performed actions on information on specific patient records) and when (date of access; number of times record was accessed).
Circle of care: A term used which refers to the persons participating in, and the activities related to, the provision of health care to the patient
Consent: An agreement, approval, or permission given voluntarily by a competent person that permits some act(s) for some stated purpose(s). Adapted from Black’s Law Dictionary (9th edition), 2009
GDPR: European General Data Protection Regulation (GDPR), a European Union directive that, 20 years after the Canadian principles were written, expanded upon these privacy principles and added several new principles relevant to healthcare and the protection of personal health information
Health information custodian: A health information custodian (sometimes called a data steward) is an individual or organization that collects, uses, or discloses personal health information for the purposes of patient treatment and care, medical billing, health system planning and management, or health research
PHI: Personal health information
Privacy: The right of individuals and organizations to decide for themselves when, how, and to what extent information about them is transmitted to others NI Conference 2013 Toronto
Pseudonymity: A term used which allows the subjects in a database to be tracked over time while at the same time remaining nameless
Pseudonyms: Term used such as patient x or patient y which are attached to records instead of names, addresses and other public identifiers.
Ransomware: A form of computer virus that encrypts the data in a system to make it inaccessible to the system’s users. System administrators are then met with a ransom demand to unlock the data.
Security: Physical protection of data using such means as firewalls, encryption, user credentials, and other physical means
User authentication: User authorization attempts to securely verify the identify of the person logging into the system
User enrolment: User enrolment registers each person for specific functionality in an online service or computer program within an organization that a registered user is authorized to access. Once enrolled, a user has the authorization to access the relevant data or services. Not all users will have access to all modules or components of a service or program as access is typically based on the “need to know” principle.

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Fraser, R. (2021). Data Privacy and Security. In: Hussey, P., Kennedy, M.A. (eds) Introduction to Nursing Informatics. Health Informatics. Springer, Cham. https://doi.org/10.1007/978-3-030-58740-6_10

Download citation

DOI: https://doi.org/10.1007/978-3-030-58740-6_10
Published: 05 January 2021
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58739-0
Online ISBN: 978-3-030-58740-6
eBook Packages: MedicineMedicine (R0)

Publish with us

Policies and ethics