e3-02: Patient Confidentiality & Information Technology

The ancient ethical obligation to protect the privacy of our patients takes on new importance in the setting of digital health information. The same ability to make health information universally available that is at the heart of health information technology's power entrains our commitment to patient privacy in new and more urgent ways. From a legal perspective, in the United States, the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act place important requirements on the individual clinician and group to ensure the security of electronic protected health information, and several states have enacted more restrictive measures.

E-mail transmitted over the Internet by many commercial providers is entirely unsecure, and interception of unsecure e-mail by a malicious third party is easily accomplished with freely available software. Clinicians often implicitly assume if an e-mail exchange containing protected health information was initiated by the patient, the patient has “consented” to this unsecure communication. However, HIPAA and its related regulations contain no provision for “consenting” to communications that violate its security rule, and patients have no power to relieve clinicians of their obligations under these federal regulations. Further, using a commercial e-mail service for patient communication constitutes a disclosure of that information to that e-mail service provider, itself a privacy violation.

In addition, HIPAA requires not only secure transmission of protected health information but also secure storage. Health information stored on a computer, especially a laptop or tablet, is vulnerable to theft either physically or remotely over networks. The potential penalties and costs of remediation, such as notifying affected patients, are significant. Widely reported serious incidents of electronic theft of health information continue notwithstanding public awareness of these risks. Furthermore, some jurisdictions (prominently the Veterans' Health Administration and the state of California) have imposed stricter requirements and higher fines than provided in federal law. Federal regulations make clear that the individual clinician is directly liable for civil and criminal penalties, even if they are acting as the agent or employee of a health system.

Clinicians must take several steps to minimize these risks. First, clinicians must never use poorly secured, unencrypted e-mail to exchange protected health information, even if the exchange is initiated by a patient. The preferred solution is to keep electronic exchanges with patients inside a secure electronic health record that provides a portal for the patient to send and receive messages. In the absence of an electronic health record, numerous commercial services developed for health care for secure, private exchange of e-mail are available.

Second, any clinical information stored electronically outside of an enterprise clinical system, such as on an individual computer, laptop, or mobile device, must be both electronically and physically secure. Electronic security includes the correct use of strong passwords, preferably with multi-factor authentication, such as biometrics, network firewalls, virus protection, spyware protection, and full-disk data encryption. The security inherent to most consumer-oriented computer hardware and operating systems is not sufficient, and proper security requires considerable technical sophistication. Almost all clinicians should rely on professional services to ensure the security of their computer hardware and data.

Physical security includes preventing direct access to computers or mobile devices that contain health information by unauthorized individuals. Laptop computers are especially risky in this regard, and loss or theft of a laptop containing clinical information, even if only in the form of incidental e-mails, can have far-reaching legal and financial consequences for an individual clinician and the clinician's employer. Many laptops have the ability to physically encrypt the entire hard drive and require biometric authentication, such as a fingerprint, to gain access. These can offer valuable risk mitigation if laptops are used for clinical work.

Third, the importance of network security continues to be highlighted by high-profile “phishing,” “ransomware,” and other attacks against organizations' information infrastructure, including high-profile attacks on health care delivery institutions of all sizes. Again, clinicians should rely on professional services to ensure the security of any computer networks for which they have responsibility.

Last, wireless networks in the home or public places are often entirely unsecure, and malicious interception of wireless network traffic is technologically trivial and widely available. Clinicians should never do any clinical work using publicly accessible wireless networks, such as in airports, hotels, or cafés, without an additional layer of network security such as a virtual private network (VPN). At home, clinicians must take appropriate steps to secure a home wireless network before using it for clinical work, which may involve professional consultation with the Internet services provider.