Privacy and Security Risks and Requirements with Healthcare IT: Hitting a Home Run Instead of a Foul Ball


Using baseball as a metaphor, this practical, engaging session will explore the security and privacy risks with a number of technologies for storing, handling and communicating health information and highlight the legal obligations and technological requirements for collecting, preserving and producing health information as part of an electronic discovery process.

Using baseball as a metaphor, this practical, engaging session will explore the security and privacy risks with a number of technologies for storing, handling and communicating health information. Among the technologies to be discussed that may represent foul balls in the privacy and security arena are social media, cloud computing, mobile and wireless devices and information storage practices. An especially risky approach for collecting, processing and maintaining health information is the increasing trend towards outsourcing these functions, especially by using third-party vendors who are not located within the boundaries of the United States and thus not subject to U.S. laws regarding the use of appropriate privacy and security practices. Although social media offers powerful opportunities for health education and outreach, it presents special risks as well, since the tendency for spontaneous over-sharing of information may mean a breach in the confidentiality of a patient’s information that would result in claims against the health care provider and his or her employer and should result in revisions to an employer’s acceptable use policies. While many health care institutions, practitioners and patients have embraced mobile devices for their convenient size and ready access to information, wireless networks can be notoriously insecure, information on an iPad screen has been shown to be visible from several feet away, and laptops and cell phones are frequently misplaced or stolen, putting any information stored on them at risk. Although cloud computing presents some attractive benefits in terms of reducing IT hardware, software and personnel expenses, a well-drafted and comprehensive information security and privacy schedule is recommended as the first step in ensuring that confidential patient information is secure and handled in a manner that is in compliance with federal and state law.
Among the issues to be addressed in any kind of cloud computing or outsourcing contract are the security assessment process, specific privacy and security controls, data retention, return and destruction, incident response planning, enforcement rights and liability and notification for security breaches. Concerns with privacy and security of all types of information have resulted in a patchwork of state and national laws intended to address global issues and specific situations, such as the prohibition on the use of social security numbers, the requirement of redacting certain categories of information from court documents and the recent furor over requests for Facebook passwords from job applicants. In the context of health IT, the emphasis is typically on maintaining the confidentiality of health information through proper security and privacy measures, absent either the patient’s consent or as necessary for the provision and payment of health care services. However, there are times when health information must be properly collected, preserved and produced, typically as part of litigation, investigation or audit. This phase of the legal process is known as discovery. Over the past few years, famous legal cases and revisions to the rules of procedure and evidence have resulted in an emerging area within law practice known as electronic discovery. Failure to comply with the requirements in an electronic discovery process has resulted in significant sanctions for parties as well as their attorneys. An organization that has the appropriate policies, procedures and technologies in place for collecting, storing and disposing of its information and can document its approaches has a better chance of responding to electronic discovery requests and of avoiding any claims for sanctions.
Although the legal aspects of electronic discovery are primarily the purview of in-house and outside attorneys, readiness and the ability to respond to electronic discovery requests also require the participation of representatives from clinical departments, management, IT, vendors and human resources.
Cite As
Presented at the Midwest HIMSS Fall Technology Conference, Des Moines, Iowa.