Privacy Considerations for Health Information Exchanges

  • Chapter
Medical Data Privacy Handbook

Abstract

Health Information Exchanges (HIEs) constitute a powerful mechanism for sharing Electronic Health Records (EHRs) across organizational boundaries in healthcare systems. The electronic sphere of patient data is growing but some patients and medical providers remain hesitant to adopt networked information technology due to privacy and security concerns. The U.S. Government has recognized the importance of safeguarding and preserving the privacy of patient data in HIEs, establishing and endorsing privacy standards and information sharing guidelines. This chapter explores the issues and principles shaping HIE privacy solutions, and discusses emerging trends that will influence the design and implementation of privacy-preserving technologies for HIEs.

Author information

Corresponding author

Correspondence to John Hale.

Copyright information

© 2015 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Hill, D., Walker, J., Hale, J. (2015). Privacy Considerations for Health Information Exchanges. In: Gkoulalas-Divanis, A., Loukides, G. (eds) Medical Data Privacy Handbook. Springer, Cham. https://doi.org/10.1007/978-3-319-23633-9_12

  • DOI: https://doi.org/10.1007/978-3-319-23633-9_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23632-2

  • Online ISBN: 978-3-319-23633-9

  • eBook Packages: Computer Science, Computer Science (R0)