In this chapter, you will learn to
Recognize the influence of data ownership rights in healthcare
Comprehend the intertwined relationship between privacy and security in healthcare organizations
Understand information protection challenges of electronic health records
Identify information security concerns about medical devices relative to patient safety
Appreciate the risk of medical and financial identity theft, and understand patient care issues related to data breach
In this chapter, you will learn how privacy and information security are separate disciplines that work very much together. In markets and industries, such as the military or industrial corporations, as in healthcare, privacy and security goals are often implemented for different purposes. Outside of healthcare, privacy controls are often implemented more for compliance with protecting employee or customer information the organization collects for business purposes than about protection of individual rights. Security controls are sometimes focused more on protecting the assets of the organization, rather than the individual's personal information. In the healthcare field, however, this is not true; security is tasked with the goal of protecting healthcare information both as a business product of the healthcare provider or facility and as a privacy right of individuals. The practice of each discipline brings together various workforce personnel in the healthcare organization. Within the complex computing environment that is healthcare information technology, many special types of equipment, systems, and applications are considered business critical and clinically essential. In fact, in the United States, the entire healthcare network is deemed critical infrastructure, so privacy and information security concerns have a direct and often dramatic impact on the healthcare organization.
Ownership of Healthcare Information
When it comes to healthcare, traditional expertise grew independently around privacy (for example, protecting identity) and information security (for example, protecting resources). Over time, both disciplines evolved and developed into specific competencies found in the workforce. Today that reality has changed. Privacy and security have integrated into an almost singular competency that every person handling protected health information (PHI) or personally identifiable information (PII) requires. The reasons for the integration have been discussed already—the digitization of health information, networking of medical systems and devices, and regulatory pressures to safeguard health information, to review a few. This is a global reality. We begin this chapter with a quick look at privacy and security of health information according to international law and customs, and focus on the key concern of ownership of the information once it is collected by a healthcare organization. This concern is addressed differently in different countries, based on the country's own views on data ownership and laws. Recognizing how authorities view this concern helps explain how relevant guidelines, laws, and customs can help make sense of the overall privacy and security approaches the country expects healthcare organizations (or data collectors) to take.
True ownership of health information is hard to determine. If we try ...