Abstract
This chapter begins by explaining why health information privacy is important, both to nurses and to patients. The concept of privacy is complex, and it is common to think of privacy as interchangeable with security. This is untrue, and this chapter will introduce readers to the definitions of privacy, personal health information, health information custodians, and security-related terms such as authentication, authorization, and audit trails. The concept of personal health information (PHI) is explored in relation to its collection, use, disclosure, and retention. The rationale for privacy, implicit and deemed consent, and withholding and revoking consent are also presented. Other approaches to protecting privacy are described, including developing a privacy policy, designating a privacy officer, de-identification of personal information, and pseudonymization. Information security is surveyed, including international standards and current areas of concern. The chapter closes by exploring how nurses can contribute to the protection of privacy.
Notes
Note: All web references were last accessed on May 4, 2020.
References
Adapted from Black’s Law Dictionary (9th edition); 2009. ISBN-13: 9780314199492.
Mathews A. Anthem. Hacked database included 78.8 million people. Wall Street Journal, 24 Feb 2015. https://www.wsj.com/articles/anthem-hacked-database-included-78-8-million-people-1424807364.
Cabrera E, Papaevangelou H, Mcparland J. Patient’s autonomy, privacy and informed consent. IOS Press; 2000. ISBN 1586030396, 9781586030391.
Canadian Broadcasting Corporation. B.C. privacy breach shows millions affected. CBC News, 14 Jan 2013. https://www.cbc.ca/news/canada/british-columbia/b-c-privacy-breach-shows-millions-affected-1.1342374.
Canadian Standards Association. Model code for the protection of personal information (CAN/CSA-Q830-96). 1996. https://laws-lois.justice.gc.ca/eng/acts/p-8.6/page-11.html.
Clarke R. Beyond the OECD guidelines: privacy protection for the 21st century. Cyber Security and Information Systems Information Analysis Center (CSIAC). Rolling Meadows, IL; Jan 2000.
Cloud J. Pedophilia. Time Magazine, 29 April 2002. http://content.time.com/time/magazine/article/0,9171,232584,00.html.
Connolly ML. Belfast Trust fined £225,000 over patient records breach. BBC, 19 Jun 2012. https://www.bbc.com/news/uk-northern-ireland-18497161.
Council of Europe. Convention for the protection of individuals with regard to automatic processing of personal data. Strasbourg; 28 Jan 1981a. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108.
Council of Europe. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Strasbourg; 28 Jan 1981b, article 6. https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108.
Davis J. 417,000 Augusta University Health patient records breached nearly one year ago. Healthcare IT News, 17 Aug 2018. https://www.healthcareitnews.com/news/417000-augusta-university-health-patient-records-breached-nearly-one-year-ago.
European Parliament. General data protection regulation. 27 Apr 2016, Article 8. https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1532348683434&uri=CELEX:02016R0679-20160504.
European Union. Data Protection Directive (95/46/EC), 1995. https://ec.europa.eu/eip/ageing/standards/ict-and-communication/data/directive-9546ec_en.
Federal Trade Commission (US). Fair Information Practice Principles (FIPs), s. 5. Enforcement/Redress. Washington, DC; n.d. https://web.archive.org/web/20090205180646/http://ftc.gov/reports/privacy3/fairinfo.shtm.
Frone MR. Prevalence and distribution of alcohol use and impairment in the workplace: a U.S. national survey. J Stud Alcohol. 2006;67:147–56. https://www.jsad.com/doi/abs/10.15288/jsa.2006.67.147.
Gordon E. Aetna agrees to pay $17 million in HIV privacy breach. NPR, 17 Jan 2018. https://www.npr.org/sections/health-shots/2018/01/17/572312972/aetna-agrees-to-pay-17-million-in-hiv-privacy-breach.
Gostin LO. National health information privacy regulations under the health insurance portability and accountability act. JAMA. 2001;285(23):3015–21. https://doi.org/10.1001/jama.285.23.3015. http://jama.jamanetwork.com/article.aspx?articleid=193930
Guardian Government Computing. ICO fines Sussex trust £325,000 for data breach. The Guardian, 1 June 2012. https://www.theguardian.com/government-computing-network/2012/jun/01/ico-data-breach-brighton-nhs.
Hall, et al. Sexual arousal and arousability to pedophilic stimuli in a community sample of normal men. Behav Ther. 1995;26:681–94. http://www.sciencedirect.com/science/article/pii/S0005789405800395
Hare WH. Records, computers and the rights of citizens: Rand Corporation; 1973a. http://www.rand.org/pubs/papers/2008/P5077.pdf
Hare WH. Records, computers and the rights of citizens: Rand Corporation; 1973b. p. 3. http://www.rand.org/pubs/papers/2008/P5077.pdf
Hicks S. Russian hackers hold Gold Coast doctors to ransom. ABC News, 11 Dec 2012. http://www.abc.net.au/news/2012-12-10/hackers-target-gold-coast-medical-centre/4418676.
Holmes N. The right to privacy and parliament. Library of Parliament (Canada); Feb 2006.
Information and Privacy Commissioner of Ontario. Circle of care: sharing personal health information for health-care purposes; Aug 2015. https://www.ipc.on.ca/wp-content/uploads/Resources/circle-of-care.pdf.
ISO 27001: Information technology – Security techniques – Information security management systems – Requirements. International Organization for Standardization; 2013. https://www.iso.org/standard/54534.html.
ISO 27002: Information technology – Security techniques – Code of practice for information security controls. International Organization for Standardization; 2013. https://www.iso.org/standard/54533.html.
ISO 27799: Health informatics – Information security management in health using ISO/IEC 27002. International Organization for Standardization, 2016. https://www.iso.org/standard/62777.html.
ISO/TS 14265: Health Informatics – Classification of purposes for processing personal health information. International Organization for Standardization; 2011. https://www.iso.org/standard/54547.html.
Jurgens R. HIV testing and confidentiality: final report. Canadian HIV/AIDS Legal Network & Canadian AIDS Society; 2001. http://www.aidslaw.ca/site/hiv-testing-and-confidentiality-final-report/?lang=en.
Krebs B. Hackers break into Virginia health professions database, Demand Ransom. Washington Post, 4 May 2009. http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html.
National Conference of State Legislatures. Security breach notification laws. 8 Mar 2020. https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
Office of the Australian Information Commissioner. Notifiable data breaches; n.d. https://www.oaic.gov.au/privacy/notifiable-data-breaches/.
Organization for Economic Co-Operation and Development. Guidelines on the protection of privacy and transborder flows of personal data. Last modified Jan 1999. http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.
Pew Research Center. Public opinion on abortion: views on abortion, 1995–2019. Pew Research Center; 29 Aug 2019. https://www.pewforum.org/fact-sheet/public-opinion-on-abortion/.
Privacy Commissioner of Canada. What you need to know about mandatory reporting of breaches of security safeguards. Oct 2018. https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/.
Smith GK. Privacy in the information age: De Montfort University; Apr 1994.
Srinivas R. 7 times ransomware became a major healthcare hazard. CISO Magazine, 14 Nov 2019. https://www.cisomag.com/7-times-ransomware-became-a-major-healthcare-hazard/.
Stein L. The electronic medical record: promises and threats; web security: a matter of trust. Web J. 1997;2(3). https://dl.acm.org/doi/abs/10.5555/275079.275101.
Terhune C. Patient data outage exposes risks of electronic medical records. Los Angeles Times, 3 Aug 2012. http://articles.latimes.com/2012/aug/03/business/la-fi-hospital-data-outage-20120803.
US Government Printing Office. Health insurance portability and accountability act, 1996. https://www.govinfo.gov/content/pkg/PLAW-104publ191/html/PLAW-104publ191.htm.
10.1 Electronic Supplementary Material
Data 1
Educational Template (PPTX 48 kb)
Glossary
- Access control: The identification of users during user registration, the assignment of access privileges that determine which information resources and services these users can access, their subsequent authentication during log in, and their authorisation prior to being granted access to specific services and data.
- Anonymity: A property of a database that allows its subjects to remain nameless and unidentified.
- Audit: Auditing is done by keeping audit log files (sometimes referred to as an audit trail) that record which users have done what (accessed information or performed actions on specific patient records) and when (date of access; number of times a record was accessed).
- Circle of care: The persons participating in, and the activities related to, the provision of health care to a patient.
- Consent: An agreement, approval, or permission given voluntarily by a competent person that permits some act(s) for some stated purpose(s). Adapted from Black’s Law Dictionary (9th edition), 2009.
- GDPR: The European General Data Protection Regulation, a European Union directive that, 20 years after the Canadian principles were written, expanded upon those privacy principles and added several new principles relevant to healthcare and the protection of personal health information.
- Health information custodian: An individual or organization (sometimes called a data steward) that collects, uses, or discloses personal health information for the purposes of patient treatment and care, medical billing, health system planning and management, or health research.
- PHI: Personal health information.
- Privacy: The right of individuals and organizations to decide for themselves when, how, and to what extent information about them is transmitted to others (NI Conference 2013, Toronto).
- Pseudonymity: A property of a database that allows its subjects to be tracked over time while remaining nameless.
- Pseudonyms: Labels such as “patient x” or “patient y” that are attached to records in place of names, addresses, and other public identifiers.
- Ransomware: A form of computer virus that encrypts the data in a system to make it inaccessible to the system’s users. System administrators are then met with a ransom demand to unlock the data.
- Security: Physical protection of data using such means as firewalls, encryption, user credentials, and other physical means.
- User authentication: The process of securely verifying the identity of the person logging into the system.
- User enrolment: Registers each person for the specific functionality in an online service or computer program within an organization that the registered user is authorized to access. Once enrolled, a user has the authorization to access the relevant data or services. Not all users will have access to all modules or components of a service or program, as access is typically based on the “need to know” principle.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this chapter
Fraser, R. (2021). Data Privacy and Security. In: Hussey, P., Kennedy, M.A. (eds) Introduction to Nursing Informatics. Health Informatics. Springer, Cham. https://doi.org/10.1007/978-3-030-58740-6_10
DOI: https://doi.org/10.1007/978-3-030-58740-6_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58739-0
Online ISBN: 978-3-030-58740-6