Privacy and consent are critical aspects of health and human services information technology. In 1996, Congress passed the Health Information Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule defines protected health information (PHI) as information, including demographic information, that relates to the individual’s past, present, or future physical or mental health or condition or to the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Beyond health conditions, PHI also includes many common identifiers when they can be associated with the individual’s health information.
The Privacy Rule gives individuals specific rights to their PHI. It requires all healthcare organizations and partners to protect individuals’ health records and other identifiable health information by establishing privacy protection safeguards, as well as conditions and limits on the appropriate use and disclosure of PHI. The Privacy Rule ensures that everyone’s health information is protected, especially during the ongoing flow of health information needed to provide quality health care and to protect public health. The Privacy Rule is especially challenging to enforce when PHI is exchanged beyond the boundaries of health information systems, such as when health information is exchanged with a human services agency information system.
To deal with these challenges, we need to address both dynamic real-time consents to share and static data segmentation for privacy/security marking systems. Finally, most human services information domains lack the specific rules, regulations, and IT system mechanisms for protecting the privacy and confidentiality of personal and sensitive human services information.