The ancient ethical obligation to protect the privacy of our patients takes on new importance in the setting of digital health information. The same ability to make health information universally available that is at the heart of health information technology's power entrains our commitment to patient privacy in new and more urgent ways. From a legal perspective, in the United States, the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act place important requirements on the individual clinician and group to ensure the security of electronic protected health information, and several states have enacted more restrictive measures.
E-mail transmitted over the Internet by many commercial providers is entirely unsecure, and interception of unsecure e-mail by a malicious third party is easily accomplished with freely available software. Clinicians often implicitly assume that if an e-mail exchange containing protected health information was initiated by the patient, the patient has “consented” to this unsecure communication. However, HIPAA and its related regulations contain no provision for “consenting” to communications that violate its security rule, and patients have no power to relieve clinicians of their obligations under these federal regulations. Further, using a commercial e-mail service for patient communication constitutes a disclosure of that information to that e-mail service provider, itself a privacy violation.
In addition, HIPAA requires not only secure transmission of protected health information but also secure storage. Health information stored on a computer, especially a laptop or tablet, is vulnerable to theft either physically or remotely over networks. The potential penalties and costs of remediation, such as notifying affected patients, are significant. Widely reported serious incidents of electronic theft of health information continue notwithstanding public awareness of these risks. Furthermore, some jurisdictions (prominently the Veterans' Health Administration and the state of California) have imposed stricter requirements and higher fines than provided in federal law. Federal regulations make clear that the individual clinician is directly liable for civil and criminal penalties, even if they are acting as the agent or employee of a health system.
Clinicians must take several steps to minimize these risks. First, clinicians must never use poorly secured, unencrypted e-mail to exchange protected health information, even if the exchange is initiated by a patient. The preferred solution is to keep electronic exchanges with patients inside a secure electronic health record that provides a portal for the patient to send and receive messages. In the absence of an electronic health record, numerous commercial services developed for health care are available for the secure, private exchange of e-mail.
Second, any clinical information stored electronically outside of an enterprise clinical system, such as on an individual computer, laptop, or mobile device, must be both electronically and physically secure. Electronic security includes the correct use of strong passwords (preferably with multi-factor authentication), network firewalls, virus protection, spyware protection, and full-disk data encryption. The security inherent ...