This is an open-access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR Medical Informatics, is properly cited. The complete bibliographic information, a link to the original publication on http://medinform.jmir.org/, as well as this copyright and license information must be included.
Whether it is the result of a tragic news story, a thoughtful commentary, or a segment on the entertainment networks, patient privacy rights are never far from the top of our minds. The Privacy and Security Rules contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) represent a concerted effort to protect the privacy and security of the volumes of patient data generated by the health care system. However, the last twenty years have seen innovations and advancements in health information technology that were unimaginable at that time. It is time to innovate the Privacy and Security Rules themselves. We offer a common and relatable scenario as proof that certain Privacy and Security Rules can tie the hands of educators and innovators and need to be transformed.
Recently we came across an art exhibit hosted by a prestigious American school in which a portable printer was set to download the messages sent through a hospital’s digital pager system. We understand the artist stumbled upon the messages innocently one day while scanning various radio frequencies. The realization that pager data was so easily accessible prompted the artist to create the unique installation. This bold and creative act calls our attention to the abundance of intricate technology in our health care system, the lack of attention to the unintended consequences of its use, and the need we have to deploy technology safely. In other words, there is an innovation gap in play.
Weiss and Legrand (2011) define the innovation gap as the difference between the stated importance of innovation and the actual results achieved in an organization [
Yet every week, the headlines online and in the papers discuss significant HIPAA infractions. The US Office for Civil Rights maintains a website dedicated to the public reporting of breaches affecting 500 or more individuals [
We wrestle within our own organizations to make sense of HIPAA and to deploy its requirements responsibly while rolling out the next generation of health information technology (HIT), like real-time clinical dashboards and apps. Some have argued the inequity of a rule that applies to health care apps but not to consumer apps, even when they contain similar information [
We propose that health care leaders consider the significance of the innovation gap by deliberating a common scenario, one encountered by the authors on a regular basis: the EHR demonstration. Leaders in health care facilities who are justifiably proud of their EHR system are often approached by colleagues, educators, and vendor prospects to give demonstrations. Demonstrations are conducted for a variety of purposes: to show a colleague something that is especially fantastic or problematic with a particular system, to train health care providers, clinicians, or support staff, or to close a big sale. While the opportunity to showcase a beautiful system seems like a helpful thing to do – a professional courtesy of sorts – the facility (“covered entity”) ought to carefully consider its responsibilities under the Act before agreeing to provide a demonstration.
Recently, one of the authors attended three different EHR demonstrations alongside a group of health care administration graduate students. Each of the demonstrations was given in a live production database and two out of the three used real patient encounters to demonstrate various scheduling, registration, billing, and clinical documentation scenarios. One student whose wife was a patient in one of the practices spent the entire session overwhelmed with anxiety that the next record revealed would be one with which he was intimately familiar. This viewpoint provides health care leaders with a short review of HIPAA essentials, offers a compelling scenario suggesting the need for innovation, and provides suggested approaches to protecting patient privacy, working within the current confines of the HIPAA Privacy and Security Rules.
Protected health information (PHI) includes all individually identifiable health information held or transmitted by a covered entity (or its business associates) in any form. Individually identifiable health information is that which is created or received by a health care provider, health plan, employer, or health care clearinghouse and which (1) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (2) either identifies the individual or can be used to identify the individual. Electronic protected health information (e-PHI) is PHI that is maintained or transmitted in electronic media, such as an EHR or practice management system, and is afforded the same protections.
The Privacy Rule prohibits covered entities from using and disclosing PHI (including e-PHI), except as permitted or required by the Rule. The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect e-PHI. For example, a covered entity must ensure the confidentiality of, anticipate threats to, and protect against impermissible uses and disclosures of e-PHI that resides in an EHR or practice management system by using safeguards such as complex and changing passwords, firewalls, and locking the server room. Failing to comply with the Privacy or Security Rule may result in civil monetary and criminal penalties. In addition, violations of the Privacy Rule may require written notifications of the impermissible use or disclosure to the affected individual(s), the Office for Civil Rights, and the media.
Generally speaking, the Privacy Rule prohibits covered entities from using or disclosing an individual’s PHI without first obtaining the individual’s prior written authorization. However, there are a number of exceptions to this Rule (
1. Giving information to the individual.
2. For treatment, payment, and health care operations (see [
3. To persons involved in the individual’s care after providing the individual with an opportunity to verbally agree or object, except in emergencies (eg, using the individual’s name in a facility directory, paying a spouse’s bill, and picking up a prescription for a family member).
4. Incidental disclosures of PHI resulting from a permitted use or disclosure (eg, a person glimpses another patient’s name on a sign-in sheet).
5. For certain public interest purposes, such as disclosures that are required by law (eg, communicable diseases or child abuse).
At best, it is unclear whether a covered entity can disclose PHI during a demonstration. If a health care facility was under investigation for a violation, you might retrospectively argue that the Privacy Rule’s definition of “health care operations” includes “training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers” and “training of non-health care professionals”. After all, a reasonable person may question how we plan to adequately train a new generation of programmers, information technology professionals, data scientists, business administration, and clinical students without acquainting them with one of health care’s most powerful tools. However, we would
Tips that can help you prepare for a satisfying EHR demonstration while fulfilling your obligations under the Privacy and Security Rules are shown in
It is important to remember that innovation does not simply happen once. A learning organization will revisit its policies and procedures related to the protection of data at least annually, or when a change in infrastructure demands it (another requirement of the Act). Furthermore, we ought to consider that an Act that was innovative in 1996 may no longer solve the problems it was created to address, partly because the nature of the problem has changed. Academia has a desperate need to train students on the optimal use of EHR and practice management systems, which are commonplace across the country and represent the new standard of care. Health care businesses have an urgent need to partner with professionals and scholars who can analyze and make sense of their own EHR data. Industry could innovate and invent solutions to pressing and costly problems with adequate access to information. However, health professions training, big data, pharmacogenetics, and the re-selling of health care datasets are issues scantly addressed by the Act. We are well served to remember that innovation is best thought of as a process, not an outcome, that occurs within social environments that are dynamic and constantly changing [
Develop a policy and procedure within your HIPAA Privacy and Security policy set that explains the rules governing demonstrations of your EHR or practice management systems.
Educate staff on the Privacy and Security Rules and your privacy and security policies and procedures (eg, be clear about what constitutes PHI, such as names on schedules).
Always demo out of a test, build, or train (non-production) database.
Ensure that the demo database does not contain actual PHI (sometimes configuration databases are back-loaded with real patient data from the live system).
If you do not have a unique demo database:
Make sure there is a unique demo user login to your production database that does not have access to live patient data (eg, tasks, documents, and labs to review) and instead, demo test patients (eg, Donald Duck, James Cerner, and Abbey Allscripts).
Consider preparing a demo using screen shots (PHI redacted) on PowerPoint slides instead of using your production EHR. This is especially effective with “live” technologies such as telemedicine systems or state-run drug database inquiries.
If appropriate to your situation, ensure your guests have signed a business associate agreement.
Keep a log of dates and times when demos were provided and the names of attendees.
Ask attendees to put mobile phones and tablets (eg, devices with cameras) in a basket before the demo begins and give them back when the demo is complete.
EHR: electronic health record
e-PHI: electronic protected health information
HIPAA: Health Insurance Portability and Accountability Act
PHI: protected health information
The authors wish to acknowledge their colleagues with whom animated debate occurred around the ethics of the EHR demonstration and need for change, including Cathy Lalley, Kathy Malloch, and Dan Simonson.
None declared.