The right of the individual to control who knows what about them is an embodiment of the ethical principle of autonomy: the law, too, at least in most jurisdictions, embraces the principle of autonomy and requires that individuals give valid and informed consent to all invasions of their personal autonomy, including in respect of medical procedures as well as access to their medical records. Autonomy is accorded in law greater significance than beneficence (the professional desire to act in the best interests of the individual) such that even where a clinician may believe the patient is making a bad decision, if their decision is informed and valid it must be respected – with very limited exceptions.
This creates a series of requirements for the privacy and security of health information systems.
- The systems must be able to uniquely identify individuals, both data subjects and system users.
- The systems must be able to record and validate patient consents, both for authorising procedures and for authorising access to private information; this must be capable of extension to authorisations for third parties (e.g. care providers, legal advisors, etc.), including those at a distance, so that they can access data relating to specific individuals subject to the patient's authorisation.
- Records systems holding personal data must be able to record and store a permissions table, identifying which users may access which files, each with an authorisation validity period; they must also keep a log of every access and of what was done to each record (viewed, edited, added to, etc.) on each occasion it was accessed.
- Where personal data is used in routine processing, whether in-house or out-sourced, the identity of the subject should be concealed (e.g. by replacement with a code/cipher) except where both clinical details and identity are required together, to protect against casual personal information disclosure to staff.
- Where data is exported for research and analysis (e.g. to data warehouses), the data must be pseudonymised, i.e. all personal identifiers replaced with a cipher for which the recipients hold no decryption key; where a clinician exports records of their own patients, the export must be kept encrypted with a key known only to that clinician.
- As regards all other situations, personal records must be kept safe and secure against all manner of threats, physical and technological.
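The permissions table with a validity period (third requirement), the access log kept alongside it, and the keyed pseudonymisation of an export (fifth requirement) can be shown together in a small model. This is an added example, not code from the page or from any health informatics program; the record fields, user ids, dates and export key are constructed, and HMAC-SHA256 is assumed as the pseudonym cipher, with the key held only by the exporting organisation.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: a GP authorised by the patient to view and edit
# one record for one month, and a locum who may only view it.
T0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
T_EXPIRY = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Permission:
    user_id: str
    record_id: str
    actions: frozenset          # subset of {"view", "edit", "append"}
    valid_from: datetime
    valid_until: datetime       # exclusive: authorisation lapses at this instant
    granted_by: str             # the data subject or an administrator


SAMPLE_TABLE = (
    Permission("gp01", "P-1001", frozenset({"view", "edit"}), T0, T_EXPIRY, "P-1001"),
    Permission("locum07", "P-1001", frozenset({"view"}), T0, T_EXPIRY, "P-1001"),
)


def is_authorised(table, user_id, record_id, action, at):
    """True only if a permission row covers this user, record, action and instant."""
    return any(
        p.user_id == user_id
        and p.record_id == record_id
        and action in p.actions
        and p.valid_from <= at < p.valid_until
        for p in table
    )


def access_record(table, log, user_id, record_id, action, at):
    """Enforce the table and log every attempt, whether permitted or refused."""
    allowed = is_authorised(table, user_id, record_id, action, at)
    log.append({"user": user_id, "record": record_id, "action": action,
                "at": at.isoformat(), "allowed": allowed})
    return allowed


# Fields treated as direct identifiers in this example.
IDENTIFIERS = ("patient_id", "name", "date_of_birth", "postcode")


def pseudonymise(record, export_key):
    """Replace direct identifiers with a keyed pseudonym.

    HMAC-SHA256 under a key the recipient never receives: the same patient
    always maps to the same pseudonym (so rows in the export still link),
    but the mapping cannot be reversed without the key.
    """
    out = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    out["pseudonym"] = hmac.new(
        export_key, record["patient_id"].encode(), hashlib.sha256
    ).hexdigest()[:16]
    return out


SAMPLE_RECORD = {  # constructed, not a real patient
    "patient_id": "P-1001", "name": "A. Example", "date_of_birth": "1970-01-01",
    "postcode": "AB1 2CD", "diagnosis_code": "E11", "hba1c_mmol_mol": 58,
}
EXPORT_KEY = b"example-key-held-only-by-the-exporting-organisation"


def demo():
    """Exercise the checks and return the outcomes."""
    log = []
    mid_period = datetime(2024, 5, 15, tzinfo=timezone.utc)
    after_expiry = datetime(2024, 6, 2, tzinfo=timezone.utc)
    return {
        "gp_edit_in_period": access_record(SAMPLE_TABLE, log, "gp01", "P-1001", "edit", mid_period),
        "locum_edit_in_period": access_record(SAMPLE_TABLE, log, "locum07", "P-1001", "edit", mid_period),
        "gp_view_after_expiry": access_record(SAMPLE_TABLE, log, "gp01", "P-1001", "view", after_expiry),
        "unknown_user": access_record(SAMPLE_TABLE, log, "it-admin", "P-1001", "view", mid_period),
        "log_length": len(log),      # refused attempts are logged too
        "export": pseudonymise(SAMPLE_RECORD, EXPORT_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points worth noting: the validity window is checked on every access rather than at login, so an authorisation that lapses mid-session stops working at once; and refused attempts are written to the log as well as successes, since a pattern of refusals is often the first visible sign of a user probing beyond their role.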
The evidence shows that the biggest threat to personal privacy comes from authorised users of a system abusing their privileges, not from external ‘hackers’. Recent legislative changes arising out of the increasing risk of terrorism have made electronic communication more prone to surveillance, with large numbers of public sector organisations able, with or without legal oversight, to eavesdrop on messages, thereby putting confidential patient information at risk.
Securing records against unauthorised access by IT staff is a challenge for which the solutions must lie in inerasable logs and audit trails that are subject to frequent audit, as well as rigorous oversight of individuals authorised to access confidential data.
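An "inerasable" log that IT staff cannot quietly edit is usually built as a hash chain: each entry commits to the hash of the one before it, so deleting or altering any entry breaks every link after it, and an independently held copy of the head hash catches removal of the newest entries. The block below is an added example, not code from the page; the audit events are constructed, and the "frequent audit" step is represented by two simple queries over the chain (users touching unusually many distinct records, and refused attempts).

```python
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64   # anchor for the first entry's prev_hash


def entry_hash(prev_hash, seq, event):
    """Bind this entry's content to the hash of the entry before it."""
    payload = json.dumps({"seq": seq, "event": event}, sort_keys=True,
                         separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class ChainedAuditLog:
    """Append-only log in which every entry commits to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        self.entries.append({"seq": seq, "event": event, "prev_hash": prev,
                             "hash": entry_hash(prev, seq, event)})

    def head(self):
        """Current head hash; store it somewhere the log's admins cannot reach."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Return the index of the first inconsistent entry, or None if intact.

    Without an independently stored head hash, removal of the newest
    entries is invisible; with it, that truncation is reported too.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev:
            return i
        if e["hash"] != entry_hash(prev, e["seq"], e["event"]):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def delete_entry(entries, i):
    """Copy of the log with entry i erased (simulated tampering, for the check)."""
    return entries[:i] + entries[i + 1:]


def edit_entry(entries, i, field, value):
    """Copy of the log with one field of entry i altered (simulated tampering)."""
    out = [dict(e, event=dict(e["event"])) for e in entries]
    out[i]["event"][field] = value
    return out


def flag_heavy_users(entries, max_distinct_records):
    """Users who touched more distinct records than the audit threshold allows."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["event"]["user"]].add(e["event"]["record"])
    return sorted(u for u, recs in seen.items() if len(recs) > max_distinct_records)


def refused_attempts(entries):
    """Accesses the permissions check turned down; reviewed at each audit."""
    return [e["event"] for e in entries if not e["event"]["allowed"]]


# Constructed audit events (assumed format: one event per access attempt).
SAMPLE_EVENTS = [
    {"user": "gp01", "record": "P-1001", "action": "view", "at": "2024-05-01T09:00:00Z", "allowed": True},
    {"user": "nurse01", "record": "P-1001", "action": "view", "at": "2024-05-01T09:05:00Z", "allowed": True},
    {"user": "nurse01", "record": "P-2002", "action": "view", "at": "2024-05-01T09:06:00Z", "allowed": True},
    {"user": "nurse01", "record": "P-3003", "action": "view", "at": "2024-05-01T09:07:00Z", "allowed": True},
    {"user": "gp01", "record": "P-1001", "action": "edit", "at": "2024-05-01T09:30:00Z", "allowed": True},
    {"user": "admin01", "record": "P-3003", "action": "view", "at": "2024-05-01T10:00:00Z", "allowed": False},
]


def build_sample_log():
    log = ChainedAuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries, log.head()))
    print("after deleting entry 1:", verify_chain(delete_entry(log.entries, 1)))
    print("heavy users:", flag_heavy_users(log.entries, 2))
    print("refused:", len(refused_attempts(log.entries)))
```

The chain on its own only makes tampering detectable, not impossible: someone with write access to the store could rewrite every later hash as well. That is why the head hash (or a periodic signed digest) should be copied to a system the same administrators cannot alter, and why the verification and the audit queries need to run frequently rather than once a year.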
Students at www.health-informatics.co will cover ‘privacy and security’ topics throughout the Certificate and Diploma in Health Informatics programs – in particular HI203-08 “Systems Security” and HI203-09 “Information Privacy” provide a review of the issues concerned with securing systems and consideration of the sensitive and emotive issue of ensuring that personal information remains private and protected.