Perspect Health Inf Manag. 2007; 4: 5.
Published online Jun 1, 2007.
PMCID: PMC2047293

Protective Measures for Private Health Information

Rachelle S Stewart, DrPH, RHIA, clinical associate professor

Abstract

This study measured attitudes about patient privacy. Participants ranked a collection of 25 patient-specific health information protection measures that have been established as a part of the Health Insurance Portability and Accountability Act (HIPAA), effective in April 2003. Individual points of view were surveyed to determine which information protection measures patients felt to be least effective and most effective with regard to protection of patient privacy. The researcher, being interested in subjects with the human immunodeficiency virus (HIV), conducted an exploratory Q-Methodology study to capture individual participants' points of view. A by-person factor analysis was performed on the intercorrelated Q-sort matrix. The subjects clustered into three groups; however, the concern for privacy was similar for subjects with and without HIV. Recommendations for policy changes are discussed for four areas: usage of the “Notice of Privacy Practices,” patient sign-in procedures, the role of the privacy officer, and staff education.

Key words: Protective Measures, Privacy, Health Information, HIPAA, Confidentiality, HIV

Introduction

In 1996, Congress proposed a broad law that would help individuals transfer their health insurance benefits when they changed jobs. In addition, the law encouraged electronic transactions that would allow healthcare providers to more easily share information. The new law was known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In order to enact the new law, the U.S. Department of Health and Human Services (HHS) was required to issue the first ever federal regulations that gave all patients extensive protections over the privacy of their medical records. The final privacy rule was published in December 2000 and amended through February 16, 2006.1

The privacy rule gave patients assurances concerning the disclosure of their protected health information (PHI). These rules were designed to protect the confidentiality and security of health information. Those responsible to comply included most health insurers, pharmacies, clinicians and other individual, group, and organized healthcare providers together with health care plans and healthcare clearinghouses. The privacy rule also requires any healthcare entity who conducts financial and administrative transactions electronically to comply with the provisions and mandates of the law. Most entities affected by HIPAA were required to have privacy practices in place by April 2003.2

Research Question

The purpose of this exploratory study was to identify the measures or sanctions of HIPAA that make HIV patients and others feel more confident about the handling of private information. The survey captured individuals' points of view to determine the attributes or measures considered least effective and most effective with regard to protection of patient privacy.

Frame of Reference

The privacy laws of HIPAA became effective in April 2003; however, at the time of the study there had not been sufficient time to examine the influence of the new laws in terms of effectiveness or practice gaps. Although there were two public comment periods on HIPAA privacy regulations, most of the 63,000 comments were from providers, related organizations, and others required to comply with the healthcare legislation. Patient comments represented a small percentage of responses, and it is not known if any of these were representative of the sensitive populations. The assumption of this study was that patients with HIV had a high degree of concern about privacy, given the stigmatic nature of the disease.

What makes HIPAA different from other laws is the degree of the penalties and sanctions involved with the breach of confidentiality. It also states who can receive PHI with or without an authorization. Since HIPAA is a federal law, it eliminates the variance of interpretation from state to state. Given the recent implementation of HIPAA, it would be helpful to know what sanctions or protections (if any) provide the most confidence to HIV patients concerning their private health information.

Literature Review

Privacy of health information is a concern for most sensitive populations. Unauthorized disclosure poses social, financial, and privacy concerns. Current prenatal care involves testing for HIV along with other potential diseases. Many women will avoid prenatal care and testing due to concerns about privacy. They fear perceptions of risk, denial of healthcare, and loss of confidentiality if certain healthcare factors are known.3,4

Prisoners represent another sensitive population concerning privacy issues. A study in Scotland found that of 65,171 inmates diagnosed as HIV positive, two-thirds accepted confidential counseling and were further identified as injection drug users.5 It is possible that the information concerning injection drug usage was revealed only because of the confidential counseling.

Other sensitive populations are also concerned about privacy in cases where recommended or mandatory health screening is involved. Partners of persons with HIV are considered a high risk group. In a comparison study done at HIV test sites in Colorado, there was a 30 to 50 percent greater response of named, notified, and counseled in-state partners among confidential site index cases, than in anonymous site index cases.6 This response suggests that there is a stronger perception of protection for privacy in sites where confidentiality is upheld. In 1985, the State of Illinois mandated premarital testing for AIDS prevention. The law was repealed in 1989 due to concerns about cost and possible invasion of privacy.7

Burris explored the social risks of HIV and concludes that the risk is more social than medical.8 Some social risks include surveillance, mandatory testing, partner notification, and poor handling of medical records. There is seemingly an overall stigma associated with being HIV positive or even in being tested for the disease.

Presently, there are an estimated 200,000 people in the United States who are unaware that they are HIV positive, and many at-risk individuals do not seek out routine HIV counseling and testing services.9 The majority of testing for HIV in the U.S. is voluntary, while anonymous testing is an available option for those who have fears about a positive test result or the possibility of discrimination.10 Testing for HIV, however, is now required for most healthcare workers.

Methodology

A qualitative method known as the Q-Methodology was selected for use. Q-Methodology, known also as the Q-sorting technique, uses psychometric principles combined with statistical applications of correlational and factor-analytical techniques to provide a quantitative analytical method for guiding the examination of human subjectivity.11 Q-Methodology is useful to identify the presence of patterns of individual opinions. Specifically, it is concerned with how perceptions of groups cluster on one or more issues, also known as intersubjectivity. Q-Methodology is less concerned with participant sampling techniques and is not intended to generalize to a larger group.12 A convenience sample of 40 subjects was recruited by random selection from the Outpatient Care Center (OCC), Infectious Disease Clinic at the University of Illinois Medical Center (UICMC) in Chicago, IL. This location was selected to ensure HIV subject responses in the results. A few subjects were also randomly selected at locations outside of the clinic.

The study subjects ranked 25 privacy measures or sanction statements taken from the HIPAA privacy regulations that were rephrased for easier understanding (see Appendix A). The statements were pilot tested by a nurse practitioner with specialist training in HIV, two college students, and the research committee. The research project was approved by the University of Illinois Institutional Review Board (IRB) #2004-0141, using an expedited review process.

Subjects were required to be at least 18 years of age and were paid $10 in cash at the completion of the survey. The result of each individual ranking was grouped by similarity of viewpoints (factors) using the PQMethod (version 2.11) software. The factors (viewpoints) were further examined to gain insights about individual preferences on privacy protections.

The study's major limitation was that it was done at a major academic medical center, as opposed to a public clinic. Another limitation was the inability to collect age-related data. This restriction was imposed by the IRB due to the sensitive nature of HIV. A third limitation was that subjects may not have been fully aware of the provisions of HIPAA at the time of the study.

Results

Data collection for this study began on March 29, 2004, and concluded on April 29, 2004. The study was conducted on a total of 15 days, at four locations, for a total of 39 hours. A total of 40 subjects completed the study. Thirty-two surveys were completed at the OCC, eight were done at other locations. Most subjects requested some assistance with the survey.

The responses were entered in the PQMethod (2.11) software. The statistical output was analyzed for significance and validity. The data suggested that there were three factors or stories that explained the views of the sample populations regarding the HIPAA privacy measures and sanctions (see Table 1).

Table 1
Three Factor Matrix with Number of Defining Q-Sorts

Factor 1 (Table 2). The distinguishing statements are indicated with an asterisk. The 21 subjects associated with the distinguishing statements 3, 1, and 2 suggest that they are reassured by the privacy measures related to punishment and personal control. As evidenced by the statements selected as “most likely to protect my information,” these subjects were highly aligned with the fact that those who violate patient privacy will receive fines ranging from $100 to $50,000, plus prison time, and must be reported to authorities. Conversely, these same subjects do not trust those who have access to their information. Based on the statements selected as “least likely to protect my information,” they did not like the fact that companies that process bills can review their information. Furthermore, they did not like the fact that the hospital lawyer can review their information as can a healthcare oversight group. As a result of the story that this data provided the researcher, Factor 1 was named “Punishment for Violators.”

Table 2
Significant Normalized Factor Scores—Factor 1 “Punishment for Violators”

Factor 2 (Table 3). The distinguishing statements for Factor 2 are indicated with an asterisk. Unlike those in Factor 1, the eight persons associated with the distinguishing statements 3, 14, 7, and 24 suggest that they feel protected by those who watch over their private information. These subjects associated more with the fact that fines with prison time, their attorney, and healthcare oversight groups, will help to protect them from those who violate their private health information. They seemed reassured to know that physicians who do wrong can be punished. Conversely, these same subjects associated with the distinguishing statements 1 and 19 do not feel reassured by some of the safeguards in the system. As evidenced by the statements selected as “least likely to protect my information,” they did not feel that employees who violate patient privacy would be punished or believe that employees have only a limited view of patient information. They also don't feel comfortable knowing that the hospital lawyer can review their information. Factor 2 was named “Authorities Will Protect Privacy.”

Table 3
Significant Normalized Factor Scores—Factor 2 “Authorities Will Protect Privacy”

Factor 3 (Table 4). The distinguishing statements are indicated with an asterisk. The eight subjects associated with the distinguishing statements 6 and 8 suggest that they feel self-empowered with the new privacy law to make the system work. As indicated by the statements selected as “most likely to protect my information,” these subjects have control by signing all requests for their information and knowing that they can review their medical record. Conversely, these same subjects associated with the distinguishing statements 7 and 4 are not reassured by the punitive measures, nor do they believe that external parties will protect their privacy, even if they have a legitimate need to access their information. Furthermore, these subjects do not believe that sending private information to a different address or email would protect them or that physicians will lose their reputation or practice for violating patient privacy. Factor 3 was named “Self-Empowerment.”

Table 4
Significant Normalized Factor Scores—Factor 3 “Self-Empowerment”

Table 5 provides a description of the coding used for subject attributes (HIV status, sex, race, highest level of education and concern about privacy) with corresponding percentages. Table 6 provides a listing of all subjects with individual attributes for Factors 1, 2, and 3, respectively. Subjects are counted only once.

Table 5
Subject Attributes
Table 6
Subject Attribute Demographics by Factor

Three subjects (3, 24, and 28) are not included in the three factors discussed above and are shown separately in Table 7 because they co-loaded on more than one factor. Their stories reflected a combination of the factors.

Table 7
Attributes of Subjects Who Co-loaded on Factors

HIV Status

Twenty-two subjects (55 percent) self-reported their health status as HIV positive. Of those self-reported, six subjects were male and 16 (73 percent) were females. One subject was American Indian/Alaskan Islander, two were Hispanic, 15 (68 percent) were black and 3 were white. One subject had only a grade school education, 14 (64 percent) had completed high school, 6 had completed some college and one was a college graduate. Privacy concerns varied: one subject had no concern, one had little concern, 5 had some concern and 15 (68 percent) had extreme concerns about privacy (see Table 8).

Table 8
Attributes of HIV-Positive Subjects by Factor

Eighteen subjects (45 percent) identified as HIV negative or unknown. This group consisted of 6 males and 12 (67 percent) females. Thirteen subjects (72 percent) were black, four (22 percent) were white, and one responded as Other race. Seven subjects (39 percent) had completed high school, three had completed some college, and eight (44 percent) were college graduates. Privacy concerns also varied: one subject had no concern, two had little concern, five had some concern, and 10 (55 percent) had extreme concerns about privacy (see Table 9).

Table 9
Attributes of HIV-Negative or Unknown Subjects by Factor

Discussion

The 40 subjects in the study expressed variable opinions about the measures in HIPAA. The subjects divided into three factors on this issue. Subjects in Factor 1 favored the strong measures and punishments of the law. Subjects in Factor 2 favored the internal enforcements in HIPAA and felt that authority figures would protect their information. Subjects in Factor 3 favored the benefits for patients and felt empowered to use the new law to protect their information.

The three separate stories in this study suggest that there are different needs with respect to handling private information. The majority of subjects in Factor 1 were college graduates, while the majority for Factors 2 and 3 were high school grads.

HIV subjects were divided fairly evenly among the three factors as well as those subjects that were co-loaders. HIV subjects represented 52 percent of subjects in Factor 1, 62 percent of subjects in Factor 2, and 50 percent of subjects in Factor 3. Of the three subjects that were co-loaders, two reported as HIV positive. These data imply that HIV subjects loaded on the three factors as strongly as or even stronger than non-HIV patients. The results of the study strongly indicate that there is an extreme concern for privacy in all three factors (stories), regardless of HIV status. This supports the notion that privacy is an important issue; those in healthcare just need to find satisfactory ways to make patients feel assured.

Literature suggests that adherence to privacy protection measures has a positive link to HIV identification and treatment, as well as general patient care. This premise implies that the government and others who deliver and oversee healthcare should take measures to educate employees and patients about the new privacy practices required by HIPAA. In addition, these groups must make the practice of privacy a top priority if they want the public to feel they are sincere about health information privacy. Health information management (HIM) professionals are responsible for safeguarding patient information and are well versed on HIPAA. They are knowledgeable about health information systems and work with various members in health care to deliver timely and accurate information. HIM professionals have been involved with the implementation of the privacy law at most facilities. These individuals play a key role in addressing the privacy concerns in this study. Four areas for improvement are discussed.

Notice of Privacy Practice

Many subjects indicated that they were aware of the Notice of Privacy Practices (NPP) form, but they were unfamiliar with the overall provisions of HIPAA or with the role of a privacy officer. Some patients did not know that they could request a copy of their own medical record. Many facilities have developed a brochure on their privacy practices, but this is not consistent across healthcare. Some facilities simply ask patients to sign the Privacy Practice form, but do not take the time to explain its provisions. The NPP is an informational document that must be explained at the initial point of patient contact with a facility. Patients must be aware that it is possible to obtain a copy of their record and receive an accounting of disclosures, in addition to other provisions of the law.

Based on the privacy measures most disliked in this study, the NPP form must have improved information concerning the role of billing companies, auditors and hospital lawyers. Patients in this study expressed an overall mistrust of these groups. Their mistrust may be due to a lack of understanding about their function in healthcare. The NPP form language must also consider the audience who will read it. In some facilities, a second set of materials may be needed for patients who are high school graduates or less. The NPP must also be available in multiple languages, as needed.

Patient Sign-in Procedures

The study results also suggested that the subjects were not comfortable with the clinic sign-in procedures. If a paper sign-in chart is used at the facility, there is the possibility of others knowing who is present. It is time to automate this function or individualize it to improve confidentiality and privacy. HIM professionals should work with staff in information technology to develop solutions that can replace the common practice of sign-in sheets. An interim solution could be to have patients sign an individual sheet that would be used by the staff to complete the sign-in process. A long-term solution, however, is needed.

Privacy Officer

The role of the privacy officer must be expanded and supported. Facilities covered by HIPAA are required to designate a privacy officer in the federal regulations. Many HIM professionals have assumed some if not total responsibility for this role. An assessment done by Carol of the first year of privacy implementation found that privacy officers could spend up to one quarter of their time with incidents or investigating complaints.13 Other duties involve training, auditing, and monitoring; staying current with relevant state laws; and providing advice for others. Privacy officers can be a major catalyst for patient and staff education. It is important that detailed information is kept concerning incidents, so specific training can occur where needed. Additionally, the privacy officer role must be visible to patients so they are clear about where to get assistance or how to report violations. Effective staff education will help to minimize patient complaints about privacy concerns. If patients feel assured overall about privacy issues, the benefits will include patient satisfaction and improved patient care.

Education

There is also a need to educate providers and staff not only about the HIPAA privacy rules, but more importantly, how to make patients feel they can trust them. This is an important element that, unfortunately, is not understood or practiced by all individuals. Professionals must be diligent in offering the same reassurances to patients on every service day, with common courtesies, professional behavior, adherence to privacy measures, and a demonstration of empathy. Despite the routine nature of patient care, physicians and staff members must be careful to treat each episode of care with the highest degree of privacy. Some individuals may naturally have the skills needed to make patients feel assured of privacy; however, all individuals can learn skills that will help them to make a difference with patient care. The element of trust is essential for both privacy and healthcare.

Conclusion

Time will be required to determine if the HIPAA privacy measures are effective to protect patient information. The 40 subjects in this study voiced an overall distrust of the privacy protection measures in the HIPAA law. In all three stories (factor solutions), patients responded with some distrust to most of the measures, but with more approval of strong sanctions or penalties. The response of HIV subjects was similar to that of non-HIV subjects. The HIPAA privacy law serves as a legal blueprint to establish policy practices, but the application of and education about the law may require various strategies. Different approaches are needed for various patient groups as well as health care workers at various locations of care. Recent studies on privacy confirm the findings of this study. A survey conducted by the California HealthCare Foundation (CHCF) found that 67 percent of Americans are concerned about the privacy of their health information. Additionally, they are also unaware of their rights to privacy.14 Another study of 1,117 privacy and security officers conducted by the American Health Information Management Association (AHIMA) found that patients are asking more questions about their health information (29.7 percent) and nearly one-quarter (22 percent) decline to sign release of information forms.15 These findings not only support the findings of this study but also suggest that the mandate of HIPAA has not significantly altered the concerns patients have about the handling of private health information. There are obviously some good indicators, but more time is needed to evaluate the impact of HIPAA.

Acknowledgments

The author extends special thanks to the following individuals who served on the dissertation committee for this research project: Edward K. Mensah, PhD, chair; Robert Mrtek, PhD; Walter B. Panko, PhD; Bernard J. Turnock, MD, MPH; Annette L. Valenta, DrPH; and Jonathan Uy, MD.

Appendix A

Protective Measures for Private Health Information

  1. If any employee misuses my private information, it must be reported to an official.
    45 C.F.R. §164.530(d)(1)
  2. Fines of $100-$25,000 will be charged for privacy violations, if non-intentional.
    Pub. L. 104-191; 42 U.S.C. §1320d-5
  3. A fine of $50,000 and up, plus prison time will be charged for privacy violations that are intentional.
    Pub. L. 104-191; 42 U.S.C. §1320d-6
  4. My physician will possibly lose his/her reputation and business if they violate my privacy.
    45 C.F.R. §164.530(e)(1)
  5. I will sign a “Notice of Privacy Practice” form that will explain who can see my information.
    45 C.F.R. §164.520(a)(1)
  6. If my information is needed for things other than treatment, payment of my bills and normal organizational operations, it can only be released with my signed authorization.
    45 C.F.R. §164.506(c)
  7. I can send my health information to a different address or e-mail.
    45 C.F.R. §164.522(b)(1)(i)
  8. I can review the information in my medical record.
    45 C.F.R. §164.520(b)(1)(iv)(c)
  9. I can request a copy of my health record.
    45 C.F.R. §164.520(b)(1)(iv)(c)
  10. I can request changes or updates to my health information.
    45 C.F.R. §164.526(a)(1)
  11. I can find out who has received my information and why they needed it.
    45 C.F.R. §164.528(a)(1)
  12. Each facility has someone called the privacy officer who is responsible to oversee private health information.
    45 C.F.R. §164.530(a)(1)
  13. Sign-in sheets with patient information are not left in the open at the registration desk.
    45 C.F.R. §164.502(a)(1)(iii)
  14. My lawyer can receive a copy of my health information.
    45 C.F.R. §164.530(g)(2)
  15. The hospital lawyer can review my health information.
    45 C.F.R. §164.502(j)(1)(B)
  16. The hospital auditors (those who review quality) can review my health information.
    45 C.F.R. §164.506(c)(4)(ii)
  17. The company that processes bills for the hospital receives my information.
    45 C.F.R. §164.506(c)(3)
  18. A consulting physician who is called by my doctor can review my information.
    45 C.F.R. §164.506(c)(2)
  19. Employees will have limited access to my information, based on their job titles.
    45 C.F.R. §164.514(d)(2)(ii)
  20. My health information can be used in research projects only if the identifying information is not used.
    45 C.F.R. §164.512(i)(1)(i)
  21. I will not receive any healthcare advertising unless I sign an authorization.
    45 C.F.R. §164.508(a)(3)
  22. The local health department may have access to my health information if routine reporting is required.
    45 C.F.R. §164.512(b)
  23. I can request to be excluded from the hospital directory. No information will be given out about me.
    45 C.F.R. §164.510(a)
  24. My information can be reviewed by an oversight group, which inspects the facility for appropriate practice (hospital licensing).
    45 C.F.R. §164.512(d)
  25. My information can be released if I am a victim of a crime.
    45 C.F.R. §164.512(f)(3)

Note: The statements above were rephrased in a self-referent manner from actual statements in the U.S. HIPAA legislation documents: 45 Code of Federal Regulations and Public Law 104-191; 42 United States Code.

Notes

1. U.S. Department of Health and Human Services, Office for Civil Rights. 2003a. Regulation Text (Unofficial Version), 45 CFR, Parts 160 and 164.
2. U.S. Department of Health and Human Services, Office for Civil Rights. Protecting the Privacy of Patients' Health Information 2003. Available at www.hhs.gov/news/facts/privacy.html (accessed November 13, 2003).
3. Lester P, Partridge J.C, Chesney M.A, Cooke M. The Consequences of a Positive Prenatal HIV Antibody Test for Women. Journal of Acquired Immune Deficiency Syndromes and Human Retrovirology. 1995;10(3):341–349.
4. Napravnik S, Royce R, Walter E, Lim W. HIV-1 Infected Women and Prenatal Care Utilization: Barriers and Facilitators. AIDS Patient Care and STD's. 2000;14(8):411–420.
5. Gore S.M, Basson J, Bird A.G, Goldberg D.J. Uptake of Confidential, Named HIV Testing in Scottish Prisons. Letter to the Editor. The Lancet. 1992;340(8824):907–908.
6. Hoffman R, Spencer N, Miller L. Comparison of Partner Notification at Anonymous and Confidential HIV Test Sites in Colorado. Journal of Acquired Immune Deficiency Syndrome and Human Retrovirology. 1995;8(4):406–410.
7. Flarey D. Legal and Ethical Issues in HIV Testing, Part 1. Journal of Nursing Administration. 1992;22(10):14–20.
8. Burris S. Surveillance, Social Risk, and Symbolism: Framing the Analysis for Research and Policy. Journal of Acquired Immune Deficiency Syndromes. 2000;2(Suppl. 25):S120–S127.
9. Summers T, Spielberg F, Collins C, Coates T. Voluntary Counseling, Testing, and Referral for HIV: New Technologies, Research Findings Create Dynamic Opportunities. Journal of Acquired Immune Deficiency Syndromes. 2000;2(Suppl. 25):S128–S135.
10. McWay D. Legal Aspects of Health Information Management. 2 ed. Clifton Park, NY: Thomson Learning (Delmar); 2003.
11. McKeown B, Thomas D. Q Methodology. Newbury Park, CA: Sage Publications, Inc.; 1988.
12. Brown M. Illuminating Patterns of Perception: An Overview of Q Methodology. The Software Engineering Institute, Carnegie Mellon University; 2004.
13. Carol R. Busier Than Ever: Privacy Officers One Year Later. Journal of the American Health Information Management Association. 2004;75(4):20–23.
14. California Health Care Foundation. “National Consumer Health Privacy Survey 2005.” November 2005. Available at http://www.chcf.org/topics/view.cfm?itemID=115694 Accessed March 28, 2007.
15. American Health Information Management Association. “The State of HIPAA Privacy and Security Compliance.” April 2006. Available at http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf Accessed April 17, 2006.

Articles from Perspectives in Health Information Management are provided here courtesy of American Health Information Management Association