With the National Health Information Network Direct (NHIN Direct) working to create a standard for the transfer of Electronic Health Records (EHRs), the need for segmented and secure patient records is becoming apparent to all who are working on this technology. A segmented EHR would allow for providers with different roles to access only the portions of the EHR relevant to their task. Protecting personal health information through the use of data segmentation is partially rooted in state and federal privacy laws addressing abuse of information.
Such laws include the HIPAA Privacy Rule, the HIPAA Security Rule, and the federal Confidentiality of Alcohol and Drug Abuse Patient Records regulations (Part 2). These laws protect against the exchange of health information without patient consent.
Lesser-known but equally stringent state laws protect a broad range of information, for example health data related to minors or incidents of sexual violence [1]. Other justifications for the use of data segmentation in protecting health data include established principles of patient autonomy and the need to encourage greater patient trust and participation in the health care system.
Data segmentation provides the potential means of protecting specific elements of health information. Both within an EHR and in broader electronic exchange environments, segmentation can prove useful in implementing current legal requirements and honoring patient choice.
Most patients want to control access to their medical records, and restrict which parts of their medical record are accessed. Not all health providers need access to the patient’s full record (for example, billing clerks and X-Ray technicians), but they do require access to portions of the record.
This capability for patients to have complete control over their EHR is slightly ahead of current US law. However, it is likely that this capability will become law, as Federal legislation has been moving consistently in that direction (HIPAA, etc.). Other western democracies already have such laws. The Netherlands, Sweden, Canada and the United Kingdom are currently standardizing health records and implementing laws and information technology systems to facilitate automated data sharing of segmented information with strict privacy controls.
Additionally, adding logging to the data segmentation will enhance security and serve as a deterrent to bad actors. Through detailed logging, each individual access to the record will be recorded.
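The sketch below is an added example, not code from the original article or from any NHIN Direct specification. It shows role-based access to record segments combined with a per-access audit log. The segment names, roles, policy table and sample record are all hypothetical and constructed for illustration.

```python
import copy
from datetime import datetime, timezone

# Constructed sample record, split into named segments (all values are made up).
RECORD = {
    "demographics": {"name": "Pat Example", "dob": "1980-01-01"},
    "billing": {"insurer": "ExampleCare", "balance": 120.0},
    "imaging": {"orders": ["chest x-ray"]},
    "substance_abuse": {"notes": "Part 2 protected"},
}

# Hypothetical policy: which segments each role needs for its task.
ROLE_SEGMENTS = {
    "billing_clerk": {"demographics", "billing"},
    "xray_technician": {"demographics", "imaging"},
    "physician": {"demographics", "billing", "imaging", "substance_abuse"},
}

class SegmentedRecord:
    def __init__(self, segments, patient_restricted=()):
        self._segments = segments
        # Segments the patient has chosen to withhold (assumed to override roles).
        self._restricted = set(patient_restricted)
        self.audit_log = []

    def read(self, user, role, requested):
        """Return only the permitted segments; log every attempt, even denials."""
        # Unknown roles get an empty set, so the default is deny.
        allowed = ROLE_SEGMENTS.get(role, set()) - self._restricted
        view = {}
        for seg in requested:
            granted = seg in allowed and seg in self._segments
            self.audit_log.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "user": user,
                "role": role,
                "segment": seg,
                "outcome": "granted" if granted else "denied",
            })
            if granted:
                # Hand back a copy so callers cannot alter the stored record.
                view[seg] = copy.deepcopy(self._segments[seg])
        return view
```

Denied requests are logged alongside granted ones, so repeated attempts to reach segments outside a role's scope are visible to whoever reviews the log.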
Goal III of the Office of the National Coordinator for Health Information Technology (ONC) Federal Health Information Technology Strategic Plan 2011 – 2015 is to Inspire Confidence and Trust in Health IT by protecting confidentiality, integrity and availability of health information. Adding data segmentation and logging to standard EHR development will go a long way to making Goal III a reality.
[1] Data Segmentation in Electronic Health Information Exchange: Policy Considerations and Analysis – September 29, 2010 – Melissa M. Goldstein, JD and Alison L. Rein, MS