Confidentiality, privacy and

security of health information:

Balancing interests
SOURCE: https://healthinformatics.uic.edu/blog/confidentiality-privacy-and-security-of-
health-information-balancing-interests/

View all blog posts underArticles

Written by Valerie S. Prater, MBA, RHIA,

Clinical Assistant Professor
Biomedical and Health Information Sciences
University of Illinois at Chicago
December 8, 2014
Three important and related concepts are often used interchangeably
in discussing protection of health information within the U.S.
healthcare system: confidentiality, privacy and security.  Yet, each of
these concepts has a different fundamental meaning and unique role.
Most frequently “HIPAA” comes to mind when health information
privacy is discussed; however, the concept of patient confidentiality
has been around for much longer. This article will briefly explore
differences in meaning of privacy, security and confidentiality of
health information. Selected examples of sources of law and
guidelines will be offered with respect to these concepts.  Challenges
in balancing interests of individuals, healthcare providers and the
public will be noted, as will the role of health information management
professionals.

Confidentiality
Confidentiality in health care refers to the obligation
of professionals who have access to patient records or
communication to hold that information in confidence.  Rooted in
confidentiality of the patient-provider relationship that can be traced
back to the fourth century BC and the Oath of Hippocrates, this
concept is foundational to medical professionals’ guidelines for
confidentiality (McWay, 2010, p. 174).  This professional obligation to
keep health information confidential is supported in professional
association codes of ethics, as can be seen in principle I of the
American Health Information Management Association Code of Ethics,
“Advocate, uphold, and defend the individual’s right to privacy and the
doctrine of confidentiality in the use and disclosure of information”
(AHIMA, 2011).
Confidentiality is recognized by law as privileged communication
between two parties in a professional relationship, such as with a
patient and a physician, a nurse or other clinical professional (Brodnik,
Rinehart-Thompson, Reynolds, 2012).  As patients, we’ve come to
expect confidential communication in these relationships. While
application in legal proceedings is subject to evidentiary rules and
consideration of the public need for information, support of privileged
communication can be seen in case law.  An example is the
landmark Jaffee v. Redmond decision where the U.S. Supreme Court
upheld a therapist’s refusal to disclose sensitive client information
during trial (Beyer, 2000). In writing the majority opinion, Justice
Stevens said:
Effective psychotherapy… depends upon an
atmosphere of confidence and trust in which
the patient is willing to make a frank and
complete disclosure…The psychotherapist
privilege serves the public interest by
facilitating the provision of appropriate
treatment for individuals suffering the effects
of a mental or emotional problem (Jaffee v.
Redmond, 1996, p. 9).
When considering sensitive health information requiring special layers
of confidentiality, such as with mental health treatment, state statutes
provide guidance for health information management professionals.
In Illinois, for example, the Mental Health and Developmental
Disabilities Confidentiality Act offers detailed requirements for access,
use and disclosure of confidential patient information including for
legal proceedings (MHDDCA, 1997).

Privacy
Privacy, as distinct from confidentiality, is viewed as the right of the
individual client or patient to be let alone and to make decisions
about how personal information is shared (Brodnik, 2012).  Even
though the U.S. Constitution does not specify a “right to privacy”,
privacy rights with respect to individual healthcare decisions and
health information have been outlined in court decisions, in federal
and state statutes, accrediting organization guidelines and
professional codes of ethics.
The top-of-mind example is the federal HIPAA Privacy Rule,
establishing national standards for health information privacy
protection and defining “protected health information” (HHSa, 2003, p.
1). A stated purpose of the HIPAA Privacy Rule “…is to define and limit
the circumstances in which an individual’s protected heath
information may be used or disclosed…”(HHSa, 2003, p. 4).
Established pursuant to the broader Health Insurance Portability and
Accountability Act of 1996 (HIPAA),  as described by the U.S.
Department of Health and Human Services (HHS), the Privacy Rule, “…
strikes a balance that permits important uses of information, while
protecting the privacy of people who seek care and healing” (HHSa,
2003, p. 1).  Individuals are provided some elements of control, such
as the right to access their own health information in most cases and
the right to request amendment of inaccurate health information
(HHSa, 2003, pp. 12-13).  However, in that attempt to strike a balance,
the Rule provides numerous exceptions to use and disclosure of
protected health information without patient authorization, including
for treatment, payment, health organization operations and for certain
public health activities (HHSa, 2003, pp. 4-7).

While debate continues as to whether the HIPAA Privacy Rule has

substantially strengthened individual privacy rights, it has certainly
increased awareness of the topic of health information privacy, of
issues surrounding its protection and of the patient’s role in the
process.  There is no question that health information management
professionals’ roles have been impacted by responsibilities for HIPAA
Privacy Rule compliance.  In reflecting on the Privacy Rule’s tenth
anniversary and its more recent amendments pursuant to theHealth
Information Technology for Economic and Clinical Health (HITECH)
Act, Daniel Solove noted:

HIPAA has evolved during the past decade and

was greatly fortified by the 2009 HITECH Act
and its HIPAA modification regulations
released in January 2013. Whatever one might
think about HIPAA, it is hard to dispute that it
has had a vast impact on patients, the
healthcare industry, and many others over the
last 10 years—and will continue to shape
healthcare and HIM professionals for many
more years to come. (Solove, 2013)
Even before the healthcare privacy conversation was dominated by
HIPAA, an important Supreme Court decision, Whalen v. Roe,
recognized the right to health information privacy (1977).  This case
considered a state statute requiring that physicians report for entry
into a New York Department of Health computerized database
information on prescription of certain types of drugs likely to be
abused or over-prescribed; information included patient, physician and
pharmacy name, and drug dosage (McWay, 2010, p. 176).  A group of
patients and two physician associations filed suit, saying this violated
the protected physician-patient relationship (Whalen v. Roe, 1977). In
upholding this law, the Court recognized the individual’s interest in
privacy protection while giving greater weight to the state’s right to
address an issue of public concern; procedures in place at the
Department of Health to protect information privacy were also noted
as a factor in the decision (Whalen v. Roe, 1977).
The Supreme Court’s holding in Whalen v. Roe addressed the notion
of balanced interest seen in the later HIPAA Privacy Rule.  In saying
“…disclosures of private medical information to doctors, to hospital
personnel, to insurance companies, and to public health agencies are
often an essential part of modern medical practice”, the court did not
give individuals absolute control over sharing of their own health
information  (Whalen v. Roe,  1977). Interestingly, the Whalen decision
also noted growing concern with collection of private information in
electronic format, and the role of regulatory guidelines.  As stated by
the Justices:
We are not unaware of the threat to privacy
implicit in the accumulation of vast amounts of
personal information in computerized data
banks….The right to collect and use such data
for public purposes is typically accompanied
by a concomitant statutory or regulatory duty
to   avoid unwarranted disclosures (Whalen v.
Roe, 1977).

Security
Security refers directly to  protection, and specifically to the means
used to protect the privacy of health information and support
professionals in holding that information in confidence.   The concept
of security has long applied to health records in paper form; locked file
cabinets are a simple example. As use of electronic health record
systems grew, and transmission of health data to support billing
became the norm, the need for regulatory guidelines specific to
electronic health information became more apparent.   The HIPAA
Security Rule provided the first national standards for protection of
health information.  Addressing technical and administrative
safeguards, the HIPAA Security Rule’s stated goal is to protect
individually identifiable information in electronic form—a subset of
information covered by the Privacy Rule—while allowing healthcare
providers appropriate access to information and flexibility in adoption
of technology (HHS, 2003b).  Again, that notion of balance appears in
the law:  necessary access by healthcare providers vs. protection of
individuals’ health information.
Breaches to confidentiality now face more serious penalties given
modifications to both the HIPAA Privacy and Security Rules following
publication of final rule provisions of the HITECH Act.   In announcing
publication of these changes, known collectively as the Omnibus Rule,
then HHS Secretary Kathleen Sebelius acknowledged change
impacting health care since initial enactment of HIPAA:  “The new
rule will help protect patient privacy and safeguard patients’ health
information in an ever expanding digital age” (HHS, 2013).

Conclusion
The sources of law and guidelines noted here are only samples of
many considerations in health information confidentiality, privacy and
security.  Managing electronic health information presents unique
challenges for regulatory compliance, for ethical considerations and
ultimately for quality of care.  As electronic health record system
“meaningful use” expands, and more data are collected, such as from
mobile health devices, that challenge for healthcare organizations
expands.

A response to the challenge is information governance, described as

the strategic management of enterprise-wide information including
policies and procedures related to health information confidentiality,
privacy and security; this includes the role of stewardship
(Washington, 2010). Health information managers are uniquely
qualified to serve as health information stewards, with an appreciation
of the various interests in that information, and knowledge of the laws
and guidelines speaking to confidentiality privacy and security. The
role of the steward encompasses not only ensuring the accuracy and
completeness of the record, but also protecting its privacy and
security (Washington, 2010).

All who work with health information— health informatics and health
information management professionals, clinicians, researchers,
business administrators and others— have responsibility to respect
that information.  And as patients, we have privacy rights with regard
to our own health information and an expectation that our information
be held in confidence and protected.  As citizens, our public interest
in health information may prevail, such as in situations involving public
health or crime.  Balancing the various interests in health information
and upholding its confidentiality, privacy and security present ongoing
and important challenges within the U.S. healthcare and legal
systems, and career opportunities for health information management
professionals.
References
AHIMA. (2011). American Health Information Management Association
Code of Ethics.
http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_02
4277.hcsp?dDocName=bok1_024277
Beyer, Karen. (2000). “First Person: Jaffee v. Redmond  Therapist
Speaks.” American Psychoanalyst,
Volume 34, no. 3. Retrieved from http://jaffee-
redmond.org/articles/beyer.htm
Brodnik, M., L.  Rinehart-Thompson and R. Reynolds (2012). 
Fundamentals of Law for Health Informatics
and Information Management Professionals. Chicago: AHIMA Press. 
Chapter 1.
Jaffee v. Redmond.  518 U.S. 1; 116 S. Ct. 1923; 135 L. Ed. 2d 337
(1996). LEXIS 3879. Retrieved from
http://www.lexisnexis.com/hottopics/lnacademic.
Mental Health and Developmental Disabilities Confidentiality Act
(MHDDCA) (740 ILCS 110). Effective
July 1, 1997. Illinois General Assembly. Retrieved from
http://www.ilga.gov/legislation/ilcs/ilcs3.asp?
ActID=2043&ChapAct=740%26nbsp%3BILCS%26n        bsp
%3B110%2F&ChapterID=57&ChapterName=CIVIL+LIABILITIES&ActNa
me=Mental+Health+and+Developmental+Disabilities+Confidentiality+A
ct%2E

McWay, Dana. (2010). Legal and Ethical Aspects of Health

Information, Third Edition.  New York: Cengage Learning.  Chapter 9.
Solove, D. (2013).HIPAA Turns 10. Analyzing the Past, Present and
Future Impact.  Journal of AHIMA 84, no.4 (April 2013): 22-28.

The American Psychoanalytic Association. (2014). Landmark

Cases.  Retrieved from
http://apsa.org/Programs/Advocacy/Landmark_Cases.aspx
U.S. Department of Health and Human Services (HHSa), Office for Civil
Rights. (2003). Summary of the HIPAA Privacy Rule. Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacys
ummary.pdf
U.S. Department of Health and Human Services (HHSb), Office for Civil
Rights. (2003). Summary of the HIPAA Security Rule. Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
U.S. Department of Health and Human Services (HHS), Office for Civil
Rights. (2013). Omnibus HIPAA
Rulemaking, http://www.hhs.gov/ocr/privacy/hipaa/administrative/omni
bus/index.html
Washington, L. (2010). “From Custodian to Steward: Evolving Roles in
the E-HIM Transition.”
Journal of AHIMA. (Volume 81, no.5: 42-43).
Whalen v. Roe.  429 U.S. 589; 97 S. Ct. 869; 51 L. Ed. 2d 64 (1977).
LEXIS 42. Retrieved from
http://www.lexisnexis.com/hottopics/lnacademic.