Abstract
Health Information Exchanges (HIEs) constitute a powerful mechanism for sharing Electronic Health Records (EHRs) across organizational boundaries in healthcare systems. The electronic sphere of patient data is growing, but some patients and medical providers remain hesitant to adopt networked information technology due to privacy and security concerns. The U.S. Government has recognized the importance of safeguarding and preserving the privacy of patient data in HIEs, establishing and endorsing privacy standards and information sharing guidelines. This chapter explores the issues and principles shaping HIE privacy solutions, and discusses emerging trends that will influence the design and implementation of privacy-preserving technologies for HIEs.
Keywords
- Health Information Exchange
- Protected Health Information
- Role-Based Access Control
- Personal Health Information
- Covered Entity
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Hill, D., Walker, J., Hale, J. (2015). Privacy Considerations for Health Information Exchanges. In: Gkoulalas-Divanis, A., Loukides, G. (eds) Medical Data Privacy Handbook. Springer, Cham. https://doi.org/10.1007/978-3-319-23633-9_12
DOI: https://doi.org/10.1007/978-3-319-23633-9_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23632-2
Online ISBN: 978-3-319-23633-9
eBook Packages: Computer Science (R0)