We'll change gears a bit here. Talking about policy and interoperability and data, we'll pop up to talking about things that matter to persons, like privacy, confidentiality and security. I wish there was one word for these three, but there isn't. But, there you go. So first, the one point here is that these two cover this stack, and this is not hard and fast, but I find it useful to think about privacy as a top level of the stack. This is what we promise to people. Security is at the bottom. How do we prevent data from getting out? How do we protect the hardware? Then confidentiality is actually not about workflow. Who is allowed to use? Which human being? Which other system is allowed to gain access to your information? So, we often talk about HIPAA, and it's nice to know those two syllables, and it's useful to sound like you know what you're talking about. But the bottom line is that HIPAA is not the totality of privacy, confidentiality, and security, and it's certainly not, as we saw before, the totality of ethics when it comes to health information. Now, let's start off with privacy. Privacy is the right of an individual, the right of a person, to keep information about themselves from being disclosed to others. I can keep stuff to myself or to- well, I want to keep it among us folks. All right? So, a core element of privacy is trust, and that's why if an information system, or an institution rather, has a breach, then we lose trust in that institution, don't we? I think it's helpful to think about regulated privacy, the laws, regulations, the HIPAA, and things that are unregulated, ethical issues, expectations; trust itself is not regulated, right? You can't force people to trust you or not. As I told my children throughout their childhood, I can't make you feel anything, I can only put you in a certain environment. So, HIPAA is important. It does define who has access, and who may see the information.
It puts into practice your right to prevent disclosure to others and demands your consent. So, even though it's not the end of the story, it's a huge part of the story. There are what these authors called Fair Information Principles. Unfortunately, the NH has another type of Fair Information Principles that have to do with findability and others, but this is about the space of privacy and confidentiality. You can see that most of these have nothing to do with technology. So, who's participating, and the limitation, my ability as a person to limit what you can collect about me, that I as a person can limit how you use the information you got from me. The IQ limit, to whom you disclose my information, that you are accountable to me, that there is openness in what you're doing; when you sign an end-user licensing agreement that you don't read, inside there are explicit statements about what can be done and what cannot be done with your data, and that's part of openness. Finally, data quality. I have an expectation that my data will not be corrupted under your watch. So, that's where we start getting to security aspects in the privacy, confidentiality, security triad. So, HIPAA applies to what are called covered entities. If you're familiar with little wagons and going out west, those are the Conestoga wagons of the wild west. Sometimes, I get that thought when thinking about a covered entity. But what they mean is the institution, a business or an entity that is covered by HIPAA, that's a covered entity, and you can see that it includes insurance, it includes providers, and what are called clearing houses. So, when I submit a claim to be paid, I may not send it directly to the insurance company, I might send it to a clearing house, and they send it to the right place. They're all covered. This HIPAA privacy can be overruled, which is important to know.
So, if you come in with a gunshot wound, we are now in a criminal law space, and your health privacy does not trump the justice system's need to figure out who has done it. Similarly with a stab wound; it's about violent traumas. Law enforcement has an interest, and society has an interest, in seeing a perpetrator treated or apprehended. So, injuries sustained during a crime, again, is law enforcement. Child or elderly abuse is a different type. Again, law enforcement, obviously of a different nature. Here, a lot of us providers have the responsibility to report where we think or see or suspect abuse of either children or the elderly, and then reportable diseases that may have implications for the community- that public health interest trumps your desire to keep things private. So, when your syphilis test comes back positive, the laboratory sends that positive value to the state, and the state starts calling you up and all your social contacts to see if they have syphilis also, because they want to protect people from sexually transmitted diseases, which actually is a good thing, even though they may not be or have it with you. It's important to realize that HIPAA does not directly cover particular folks. So, if an employer learns something about you in a legal way, once they learn it, they are no longer covered by HIPAA. There may be some other rules, but it's not HIPAA. Similarly, pharmaceutical companies can collect information about you in a legal way; there may be some other rules that apply to them, not HIPAA. IT vendors and the HR vendors, they collect the data from us. Social media, what you type in Facebook does not stay in Facebook, it can go anywhere you want. Research, we need to get your consent, but once we get your consent, yes, we are obligated to protect your data, but you gave consent. We can use your data, we can share it within limitations.
I mentioned before that there's no name for privacy, confidentiality and security, but at least there is one for confidentiality, integrity and availability: CIA. As I may have alluded to before, confidentiality is how the system makes sure that it is complying with your privacy wishes. So, if privacy is what you wish, confidentiality is how the institution honors those wishes. Integrity, I mentioned data quality before. Availability again is the notion that the people who you want to access it can actually access it when they need to access it. Again, another dialectic, right? The most secure data is when it's not available to anybody, and yet you want your data seen by care providers because that's why it's in the records, so they take good care of you. It's an insolvable conundrum. So, the patients care about privacy. The institution cares, they care about privacy, but they also care about discoverability, which means, is the opposing lawyer allowed to look at the data, and therefore, they're concerned about litigation and other forms of punishment. There is protection for privacy, confidentiality, and security at each level of the stack. No surprise. So, at the level of the world, we have laws. At the level of the organization, we have business associate agreements. At the level of roles, we have people like Chief Information Security Officer or Chief Privacy Officer as a new type of role. There is information governance to manage the workflow of information, and there are information access policies. Also, within the workflow are audit trails: who is seeing what, when. There's role-based access to information that is implemented by rules embedded inside the information systems. At Johns Hopkins, we have 250 different roles, different mixes of who's allowed to see what type of information. Going further down, you have multi-factor authentication login: username, password, and then something that you had to type in from somewhere else. We may have a little [inaudible].
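The lecture's two "workflow level" controls, role-based access and an audit trail of who saw what, when and why, can be shown together in a few dozen lines. The following is an added example written for this transcript, not code from the lecturer or from Johns Hopkins; the roles, section names, the rule that an access request must state a purpose, and the patient data are all constructed for illustration.

```python
"""Added example (not from the lecture): role-based access with an audit trail.

Roles, section names, the purpose rule and the patient data are all constructed
for illustration; they are not a real institution's policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Hypothetical role policy: the record sections each role may read
# ("minimum necessary" for the job, not the whole chart).
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "attending_physician": frozenset({"demographics", "notes", "labs", "medications"}),
    "lab_technician": frozenset({"demographics", "labs"}),
    "billing_clerk": frozenset({"demographics", "billing"}),
    "researcher": frozenset(),  # no direct access; research uses a de-identified extract
}


@dataclass
class AuditEntry:
    """One line of the audit trail: who saw what, when, and why."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    section: str
    purpose: str
    allowed: bool


@dataclass
class RecordStore:
    """Patient records keyed by id, each a dict of sections, plus the audit log."""
    records: Dict[str, Dict[str, dict]]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def read_section(self, user: str, role: str, patient_id: str,
                     section: str, purpose: str) -> Optional[dict]:
        """Return the requested section if the role permits it, else None.

        Every attempt, allowed or denied, is written to the audit log so that a
        patient or privacy officer can later ask who looked at the record.
        A blank purpose is refused: the "why" is part of the trail.
        """
        allowed = bool(purpose.strip()) and section in ROLE_POLICY.get(role, frozenset())
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            section=section, purpose=purpose, allowed=allowed,
        ))
        if not allowed:
            return None
        return self.records.get(patient_id, {}).get(section)

    def accesses_to(self, patient_id: str) -> List[AuditEntry]:
        """Every access attempt on one patient, in order (the patient's view of the trail)."""
        return [e for e in self.audit_log if e.patient_id == patient_id]


def build_sample_store() -> RecordStore:
    """Constructed sample data (not a real patient)."""
    return RecordStore(records={
        "P001": {
            "demographics": {"age": 54, "sex": "F"},
            "notes": {"text": "Follow-up for hypertension; BP improved."},
            "labs": {"potassium": 4.1},
            "medications": {"lisinopril": "10 mg daily"},
            "billing": {"claim_total": 1250.0},
        },
    })


if __name__ == "__main__":
    store = build_sample_store()
    store.read_section("dr_lee", "attending_physician", "P001", "notes", "treatment")
    store.read_section("b_smith", "billing_clerk", "P001", "notes", "claim review")
    for entry in store.accesses_to("P001"):
        print(f"{entry.timestamp} {entry.user}/{entry.role} -> {entry.section}: "
              f"{'ALLOWED' if entry.allowed else 'DENIED'} ({entry.purpose})")
```

The denied attempt is logged just like the allowed one; a privacy officer looking for snooping is usually more interested in the denials than in the successes.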
At the technology level, we have encryption, and finally, we have things like virtual private networks. Obviously, not an exhaustive list, but, again, to give you the flavor that if you want to protect the system, just like interoperability happens at each level, so does protection. I will go through this as well, but the HIPAA Security Rule can be mapped as well to the stack, and it might help you remember what the contents of the Security Rule are. I said that there is a little bit beyond HIPAA. Just want to point out a couple of concepts. HIPAA is kind of redolent with the notion of de-identification, the idea that, okay, you have a record. If I take certain information out of your record, maybe other people can see it and not identify you, but it would still be helpful to you. So, maybe there is a pathologist in another state. I don't want them to know who I am, but I'll send my record out to them. They can come back and maybe give my doctor advice. That's not a great example because that pathologist still has a treating relationship with you, but you can imagine there are times, certainly, if you're doing population health or you're doing research, you might want a de-identified set of data. So, there are these 18 data elements like your name, social security number, your IP address, your email address, anything that can identify you. Your birth date, your visit date with all three elements, month, day, and year; the idea is that if you take those elements out of a clinical note, out of a record, you now can give that record to somebody else and HIPAA no longer applies. So, there are things called limited data sets, where some of those safe harbor items are there, but you can still see that you're pretty much not identifiable. The problem is that, if you go further, it turns out that there are data beyond those 18 that can still identify you. A new example, for instance, is facial CT.
So, even though a CT of the head is about the skull, it's been shown that there's enough information about the soft tissues, what we call your face, that it could be reconstructed. It's not easy, but it can be reconstructed. Clinical notes, we feel, at this point, that it's impossible to fully de-identify progress notes, discharge notes, anything about you, without a manual review of the note itself. It's an active area of research, but it's tough. So, when people come to Johns Hopkins and say, please give us a bunch of de-identified data so we can run some really nifty algorithm, or, we'll pay you for it because we want to learn about how our drugs are being used, it's not clear whether we have de-identifiable data. At the same time, if there's a data breach of 500 or more patients, the law comes down on you pretty swiftly and pretty unforgivingly, and so do the newspapers. I'll point out that it's interesting that the penalties are not levied by CMS, they're not levied by the LNC, they're levied by the Office for Civil Rights. There's this other concept of anonymization, which sounds like de-identification, but it's a little different. Can you make a data set that's anonymous? Maybe by de-identifying, maybe by some other mechanism. For instance, there's this fun thing called salting, where you put fake data into the record, and you'll hear this more and more, because there is pressure to submit data from research studies paid for by the NIH, let's say, or from other sources. So, that's one area where you want to make data available. Another area is in research. All these people wanting to run deep learning, machine learning algorithms on clinical data, it's really hard to get a database of data that is real and usable for those purposes. So, I've listed here, just as I listed the ongoing issues for interoperability, there are ongoing issues for privacy, confidentiality, and security. Who owns the data is a perpetual thing.
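The de-identification discussion above (the 18 safe harbor elements, the limited data set, and the point that free-text notes cannot be cleaned by rule alone) is easier to see with a concrete filter. The following is an added example written for this transcript, not code from the lecturer or from Johns Hopkins. The field names, the regular expressions and the sample record are constructed; the safe harbor handling is deliberately simplified (for instance, it ignores the sparsely populated ZIP code exception and treats only a few date fields), so it illustrates the mechanism rather than serving as a compliance tool.

```python
"""Added example (not from the lecture): a Safe Harbor-style de-identification filter
and a free-text scanner that shows why clinical notes still need manual review.

Field names, regexes and the sample record are constructed for illustration; the
Safe Harbor rules are simplified (e.g. the small-population ZIP exception is ignored).
"""
import re
from datetime import date
from typing import Any, Dict, List

# Direct identifiers: dropped outright under Safe Harbor (hypothetical field names).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "email", "phone", "ip_address",
                      "street_address", "photo"}
# Dates directly related to the individual: only the year survives.
DATE_FIELDS = {"birth_date", "visit_date", "discharge_date"}


def safe_harbor(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop direct identifiers, reduce dates to the year, ZIP to three digits,
    and aggregate ages over 89. Free-text fields pass through untouched, which
    is exactly the gap the lecture points out for clinical notes."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in DATE_FIELDS:
            out[key] = value.year if isinstance(value, date) else None
        elif key == "zip":
            out[key] = str(value)[:3]
        elif key == "age":
            out[key] = "90+" if value > 89 else value
        else:
            out[key] = value
    return out


def limited_data_set(record: Dict[str, Any]) -> Dict[str, Any]:
    """Limited data set: direct identifiers removed, but dates and full ZIP kept.
    It is still protected health information and travels under a data use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


# Identifier shapes that commonly leak into narrative text.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def scan_note(note: str) -> Dict[str, List[str]]:
    """Flag pattern-shaped identifiers in free text. Names ("sister Jane Doe")
    have no fixed shape and slip through, hence the need for human review."""
    findings: Dict[str, List[str]] = {}
    for label, pattern in FREE_TEXT_PATTERNS.items():
        hits = pattern.findall(note)
        if hits:
            findings[label] = hits
    return findings


SAMPLE_RECORD = {  # constructed, not a real patient
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "email": "jane@example.org", "zip": "21205", "age": 93,
    "birth_date": date(1926, 3, 4), "visit_date": date(2019, 6, 7),
    "diagnosis": "hypertension",
    "note": "Pt called from 410-555-0100; sister Jane Doe was present.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD))
    print(scan_note(SAMPLE_RECORD["note"]))
```

Running it shows the structured fields cleaned while the note still carries a phone number and a relative's name; the scanner catches the number but not the name, which is the lecturer's point about manual review.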
If the drug company comes to the hospital, and the hospital gives it an anonymized data set that the drug company then uses to figure out something nifty and cool about its drugs, do you, as a patient whose data is in that data set, should you get compensated in some way? What to do about adolescents? Are they children? Are they adults? You may remember the 2,000 Year Old Man comedy routine. He says he loves the nectarine because [inaudible]. It's not a plum, it's not a peach, it's a wonderful thing. Adolescents are not wonderful things, they're hard to deal with. What do you do about family members at risk of a disease? Do you share data? Do you not share data? How do you deal with that? The European Union, you may know, in 2018, put together the General Data Protection Regulation. Everybody, in 2018, was getting a notification: do you know that we're collecting cookies on you, and things of that nature. Well, what happens after that? Is the HR another place for cookies? I won't pretend to be able to give simple answers today. We mentioned law enforcement in a number of areas. I've had calls from health centers catering to poor people worried that law enforcement wanted their clinical records, ostensibly for opiates and for blunting the effect of opiates in a community, but the providers were worried that they're going to use it to arrest people. How does that work out? Whose interest is more important? We say that you, as a patient and a person, would want to know who is looking at your data, when, and why, but it's really, really hard for a hospital, or any information system, maybe except for Google, to know when somebody has looked at your data. If you have a screen full of data, you've seen screens full of data. If only one section is protected health information that they shouldn't be seeing, are they seeing your data, or has it just flown by them? What about non-health data? Is a criminal conviction health data?
Well, if you were in jail, I want to know that about your health, but that's not classic health information, is it? What about patient-generated health data that comes from apps and such? Would you be protected? Currently, not protected by HIPAA. So, what is the proper way that we, as a society, should deal with all this? So, I hope you learned at least that privacy, confidentiality is not just HIPAA. Beyond those issues that are within HIPAA, it goes even further. Big data, cyber security, I've already alluded to personal devices, laws in other domains, the Fair Credit Reporting Act restricts use of consumer data, what does it have to do with this health app data, and obviously, evolving technologies for privacy and security, and evolving consumer attitudes. Are young people today like frogs in the pot being heated slowly and losing all sense of privacy? Or are they, in fact, going to get even more and more demanding, expecting that their privacy will be respected? So, we're not giving you answers all the time. I hope that a lot of parts of this course teach you questions to be asking and to be looking for and to be learning as you go on.