November 1, 2010

Tom Sullivan, M.D.

Privacy, Confidentiality, and Security… One, Two, and Three… Me, Us, and Them… Do you see the relationships?

Although the terms Privacy, Confidentiality, and Security have been in the vernacular for a long time, they have been rising in importance and public awareness since 1996, when the HIPAA law was passed by Congress. The “Privacy Rule” was first proposed in 1998 by the Department of Health and Human Services (HHS) when, after two years of debate, Congress failed to reach a political agreement on how to define and manage Privacy for American citizens.
Currently, there is not a week that passes when we don’t hear of some breach of confidentiality or violation of an individual’s privacy in the area of finance or other personal information, including what the federal government within the HIPAA context describes as “Protected Health Information” or PHI.
Obviously, this is a large and complex problem that defies a simple solution. Additionally, it is a dynamically changing issue. It will be with us forever in an age that defines an important element of progress in public health as the capacity and willingness to share limited personal information rapidly, securely and appropriately for everyone’s benefit. The federal code words for this initiative are Health Information Exchanges (HIE), aka Health Information Exchange Organizations (HIO), guided by principles from the Nationwide Health Information Network (NHIN).
Here are some generally accepted definitions from a HIPAA perspective:
Privacy – For purposes of the HIPAA Privacy Rule, privacy means an individual’s interest in limiting who has access to PHI.
Confidentiality – The ethical principle or legal right that a physician or other health professional will hold secret all information relating to a patient, unless the patient gives consent permitting disclosure.
Security – The HIPAA Security Rule establishes national standards to protect individuals’ electronic PHI that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.
Let’s briefly explore in more historic detail how these terms differ and are yet related to deeply ingrained human and cultural influences that are fundamental elements of both primitive and highly civilized societies, irrespective of the existence of an online and electronically connected environment.
It is widely accepted that developments in spoken language and the creation of specific vocabularies stem from the human evolutionary experience and awareness of distinctive body parts and functions, familial and social relations, local geography, and climatic influence. Verbal expressions and primitive syntax date back at least 100,000 years before the appearance of the written word in Mesopotamia, circa 3,400 BCE – the Babylonian Cuneiform. However, the creation of a system of counting and numbers that first found its expression in clay tablets started somewhat earlier in the “Fertile Crescent” and is estimated at 8,000 BCE.
Today we still can find primitive tribes, particularly in Brazil’s Amazonia, who see no compelling need to count accurately beyond the numbers three to five. These tribes have no clocks or sense of time and urgency that is more complex than the daily and seasonal movements of the sun, moon and stars. Much of this counting ability and history is chronicled in a recent fascinating book about numbers, Here’s Looking at Euclid. Its author is a British mathematician, Alex Bellos.
I digressed to make the point that although the 21st century legal concepts of Privacy, Confidentiality and Security are used more formally and precisely than in the past, they relate to primitive needs that become much more relevant as a society expands beyond the simple numbers one, two and three. In the creation of linguistic terms that are more sophisticated than the vocabulary words for numbers and the need to count, the categories of personal pronouns in most contemporary languages fit very nicely with the Privacy, Confidentiality, and Security definitions. They incorporate a distinction between:
Me … the one most important person, guided by a sense of caution, personal self-control and self-interest. “I want to be in control of my Privacy and I will define it.”
Us … originally meant to be two persons guided by a sense of trust and accountability. “I want you to keep this information confidential and I’m sharing it with you because I trust you and know you will respect my wish.” Hippocrates strongly highlighted the importance of Confidentiality in his Oath.
Them … implies or includes three or more individuals representing a foreign, unfamiliar and much less manageable group compared to “Us”. The three or more could be hundreds, thousands or even greater numbers. Therein lies the need for Security … a system of rules, policies and procedures to act as a guide that helps establish and enforce “Trust.”
Wrapping it all up in one package…
… My medical history is a private affair and I am willing to share it in a confidential manner with those whom I trust to use it appropriately. The security standards surrounding exactly how and when my medical history is shared give me confidence that my privacy will be protected.
Thomas E Sullivan, MD
Chief Strategic Officer, DrFirst

About Tom Sullivan, M.D.

Thomas E. Sullivan, M.D., is a board-certified specialist in cardiology and internal medicine with over 40 years of clinical practice. He currently works for DrFirst and sees patients part-time in Massachusetts. His expertise in the application of information technology to health care has helped to create an international standard (ASTM) for the exchange of medical record information called the Continuity of Care Record (CCR). With the AMA, he was founding chair of its e-Medicine Advisory Committee, worked with the Physician Consortium for Performance Improvement, represented the AMA and helped create the Physician EHR Coalition, and is past chair of the AMA Council on Medical Service.