User:CelticsFan3/sandbox

Protected health information (PHI) under U.S. law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Rather than being anonymized, PHI is often located in datasets and de-identified before researchers share the dataset publicly. Researchers remove individually identifiable PHI from a dataset to preserve privacy for research participants.

There are many forms of PHI, with the most common being physical storage in the form of paper-based personal health records (PHR). Other types of PHI include electronic health records, wearable technology, and mobile applications. In recent years, there has been a growing number of concerns regarding the safety and privacy of PHI.

United States
Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of 18 identifiers must be treated with special care:


 * 1) Names
 * 2) All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
 * 3) Dates (other than year) directly related to an individual
 * 4) Phone Numbers
 * 5) Fax numbers
 * 6) Email addresses
 * 7) Social Security numbers
 * 8) Medical record numbers
 * 9) Health insurance beneficiary numbers
 * 10) Account numbers
 * 11) Certificate/license numbers
 * 12) Vehicle identifiers and serial numbers, including license plate numbers
 * 13) Device identifiers and serial numbers
 * 14) Web Uniform Resource Locators (URLs)
 * 15) Internet Protocol (IP) address numbers
 * 16) Biometric identifiers, including finger, retinal and voice prints
 * 17) Full face photographic images and any comparable images
 * 18) Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

HIPAA Privacy Rule
The HIPAA Privacy Rule addresses the privacy and security aspects of PHI. It has three main purposes:


 * 1. To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
 * 2. To improve the quality of health care in the United States by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and
 * 3. To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

LabMD, Inc. v. Federal Trade Commission
In 2016, the U.S. Circuit Court of Appeals for the Eleventh Circuit overturned the decision in LabMD, Inc. v. Federal Trade Commission (FTC). The FTC filed a complaint against medical testing laboratory LabMD, Inc. alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information. The FTC alleged that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers. The court vacated the original cease-and-desist order, stating that it would “mandate a complete overhaul of LabMD’s data-security program and says little about how this is to be accomplished.”

De-identification versus anonymization
Anonymization is a process in which PHI elements are eliminated or manipulated with the purpose of hindering the possibility of going back to the original data set. This involves removing all identifying data to create unlinkable data. De-identification under the HIPAA Privacy Rule occurs when data has been stripped of common identifiers by two methods:
 * 1. The removal of 18 specific identifiers listed above (Safe Harbor Method)
 * 2. Obtaining the expertise of an experienced statistical expert to validate and document that the statistical risk of re-identification is very small (Statistical Method).

De-identified data is coded, with a link to the original, fully identified data set kept by an honest broker. Links exist in coded de-identified data making the data considered indirectly identifiable and not anonymized. Coded de-identified data is not protected by the HIPAA Privacy Rule, but is protected under the Common Rule. The purpose of de-identification and anonymization is to use health care data in larger increments, for research purposes. Universities, government agencies, and private health care entities use such data for research, development and marketing purposes.
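The Safe Harbor steps and the coded link described above, sketched as an added example (not part of the original page or any official HIPAA tooling). The field names, the allow-list and the low-population ZIP set are assumptions constructed for illustration.

```python
import re
import secrets

# Hypothetical field names. Only allow-listed fields pass through, so names,
# SSNs, e-mail addresses and unknown free-text fields are dropped by default.
ALLOWED_FIELDS = {"diagnosis", "lab_result"}
DATE_FIELDS = {"birth_date", "admission_date"}
# Constructed placeholder: the real set comes from current Census data
# (three-digit ZIP areas containing 20,000 or fewer people).
LOW_POPULATION_ZIP3 = {"036", "059"}


def generalize_zip(zip_code):
    """Keep the initial three digits, or 000 for low-population areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) not in (5, 9):
        return "000"  # malformed input: fail closed
    return "000" if digits[:3] in LOW_POPULATION_ZIP3 else digits[:3]


def year_only(date_text):
    """Reduce an ISO date (YYYY-MM-DD) to its year; None if unparseable."""
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", date_text or "")
    return match.group(1) if match else None


def deidentify(record, link_table):
    """Return a coded Safe Harbor copy of `record`.

    `link_table` (study code -> original record) stays with the honest
    broker and is never released with the coded data.
    """
    code = secrets.token_hex(8)  # random, not derived from any identifier
    link_table[code] = dict(record)
    coded = {"study_code": code}
    for field, value in record.items():
        if field == "zip":
            coded["zip3"] = generalize_zip(value)
        elif field in DATE_FIELDS:
            coded[field.replace("_date", "_year")] = year_only(value)
        elif field in ALLOWED_FIELDS:
            coded[field] = value
    return coded


# Constructed sample record, not real patient data.
SAMPLE = {"name": "Jane Example", "ssn": "000-00-0000", "zip": "03601-1234",
          "email": "jane@example.test", "birth_date": "1980-04-17",
          "admission_date": "2021-11-02", "diagnosis": "fracture, left wrist",
          "notes": "call Jane on 555-0100"}
```

Allow-listed free-text fields such as `diagnosis` still need review, since identifiers can appear inside clinical text.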

Covered Entities

In general, US law governing PHI applies to data collected in the course of providing and paying for health care. Privacy and security regulations govern how healthcare professionals, hospitals, health insurers, and other Covered Entities use and protect the data they collect. It is important to understand that the source of the data is as relevant as the data itself when determining if information is PHI under U.S. law. For example, sharing information about someone on the street with an obvious medical condition such as an amputation is not restricted by U.S. law. However, obtaining information about the amputation exclusively from a protected source, such as from an electronic medical record, would breach HIPAA regulations.

Business Associates

Covered Entities often use third parties to provide certain health and business services. If they need to share PHI with those third parties, it is the responsibility of the Covered Entity to put in place a Business Associate Agreement that holds the third party to the same standards of privacy and confidentiality as the Covered Entity.

Protected health information storage
Protected health information can be stored in many different forms. According to HIPAA, there are many requirements and limitations regarding how PHI can be stored.

Physical storage
Until recently, physical storage has been the most common method of storing PHI. Physical safeguards for PHI include storing paper records in locked cabinets and enabling control over the records. A security authority, PIN pad, or identification card could all be necessary to access physical storage of PHI.

Electronic records
Much of PHI is stored in electronic health records (EHR). Cloud computing and other services allow healthcare providers to store vast amounts of data for easy access. In Australia, over 90% of healthcare institutions have implemented EHRs, in an attempt to improve efficiency. E-health architecture types can be public, private, hybrid, or community, depending on the data stored. Healthcare providers will often store their data on a vast network of remote servers, which leaves it susceptible to privacy breaches.

Wearable technology
In PHI, wearable technology often comes in the form of smartwatches, ECG monitors, blood pressure monitors, and biosensors. Wearable technology has faced rapid growth with 102.4 million units shipped in 2016, up 25% from the 81.9 million units shipped in 2015. According to Insider Intelligence research, the number of health and fitness app users will remain over 84 million through 2022. Health and fitness tracking capabilities are a target for companies producing wearable technology. Privacy concerns for consumers arise when these technology companies are not considered covered entities or business associates under HIPAA or where the health information collected is not PHI.

Mobile applications
Mobile applications have been proven essential, especially for the elderly or disabled. The adoption of mobile healthcare is said to be attractive due to factors like patient behavior, subjective norm, personal innovativeness, perceived behavioral control, and behavioral intention. The legitimacy of certain mobile applications that store PHI can be determined by the user reviews on the application.

Patient Privacy
In a study conducted by researchers, 14 patients were asked for their opinions on privacy concerns and healthcare perceptions. Researchers found that all participants agreed on the importance of healthcare privacy. Participants demonstrated a vague understanding of the legislated patient privacy rights. There were differing opinions on whose responsibility it should be to protect health information; some thought it was their own responsibility, while others thought that the government was responsible. Consent was rarely brought up within the discussion.

Common Forms of Cybersecurity Attacks on PHI

 * 1) Phishing
 * 2) Eavesdropping
 * 3) Brute-force attacks
 * 4) Selective forwarding
 * 5) Sinkhole threats
 * 6) Sybil attacks
 * 7) Location threats

Attacks on PHI
In 2017, healthcare compliance analytics platform Protenus stated that 477 healthcare breaches were reported to the U.S. Division of Health and Human Services (HHS). Of these, 407 showed that 5.579 million patient records were affected.

The 2018 Verizon Protected Health Information Data Breach Report (PHIDBR) examined 27 countries and 1368 incidents, detailing that the focus of healthcare breaches was mainly the patients, their identities, health histories, and treatment plans.

Health-related fraud is estimated to cost the U.S. nearly $80 billion annually.

Ethical Concerns
In the case of PHI, there are ethical concerns regarding how information is treated on a daily basis by healthcare personnel. According to the utilitarian theory, the sacrifice of an individual's privacy is acceptable if it brings about a positive effect on society. In 1996, the Clinton Administration passed the HIPAA Privacy Rule, limiting a physician's ability to arbitrarily disclose patients’ personal medical records.

As health artificial intelligence (AI) applications are expected to generate over $150 billion in annual savings for U.S. healthcare, researchers are studying the risks of potential PHI leaks. Currently, 21% of U.S. consumers, or 57 million people, use a quantified self health and fitness tracking (QSHFT) application. In a study conducted by Nancy Brinson and Danielle Rutherford, over 90% of consumers were comfortable with the opportunity to share data with a healthcare provider. However, Brinson and Rutherford claim that consumers fail to make privacy a priority when they choose to share this information. To combat misuse of PHI on mobile healthcare platforms, Brinson and Rutherford suggest the creation of a policy rating system for consumers. A rating system, monitored by the Federal Trade Commission, would allow consumers a centralized way to evaluate data collection methods amongst mobile health providers.

Outline/Contributions to Protected Health Information
The current PHI page is lacking lots of information, so I will do my best to add information effectively and concisely. From the annotations done so far, I can add information on covered entities and business associates. I will also use sources to explain court cases and legal examples of when PHI was in question or at risk.


 * Add more to the covered entities and business associates section
 * Give a solid definition of protected health information; strengthen the lede

HIPAA

 * more on how HIPAA affects PHI
 * current standards and regulations that serve to protect PHI
 * Privacy Rule and Security Rule

Attacks on PHI

 * include facts/history on data breaches of PHI
 * $80 bil loss annually in US due to healthcare breaches

Common Forms of Cybersecurity Attacks on PHI

 * phishing, eavesdropping, brute-force attack, selective forwarding, sinkhole threats, Sybil attack, and location threats, etc.

Ethics in PHI

 * ethical concerns of PHI; sources/data on how it leaves decision up to physician, lots of human error

Annotation/Critique
Information privacy: Lead section includes an introductory sentence that is concise and provides a clear overview on the topic. In terms of tone, I have concerns or doubts about this sentence: "Data privacy is challenging since it attempts to use data while protecting an individual's privacy preferences and personally identifiable information". Looking at the sources used, it seems like most of them are over a decade old and may be outdated. Most of the sources are from news media sites or government websites, but there are a few from academic journals. In terms of content, the article does delve into different types of information privacy and the protection of info privacy. There are no images included. There are hyperlinks to related topics listed at the bottom of the article. One suggestion is to expand on the different types of information privacy and to keep them all relatively the same in length. As of now, the internet privacy section is the longest by far, but it does make sense considering how monumental it is.

Financial privacy laws in the United States: The lead is pretty concise and offers a brief description of the article's major sections. It lists some of the major privacy laws which are later talked about individually as the article progresses. I would say that the lead may be overly detailed. The majority of the laws which are listed are from the 1970-80s, which is concerning, but that may just be a result of no new laws being passed recently. The very end of the article includes a few paragraphs on the major regulatory agencies which may not be necessary for this article. Instead, it could've included a sentence or two that linked it to that agency's Wikipedia page. The content all follows a similar structure and writing style and leaves out any bias. The tone seems to be from a neutral point of view. There are no images. There are not many links included to the sources, but the ones that are work. If I had to give one suggestion, it'd be to update the article with any new financial privacy laws.

Protected Health Information Annotations

 * 1) “Commentary on ‘Electronic Communication of Protected Health Information: Privacy, Security, and HIPAA Compliance’” is an article from The Journal of Hand Surgery. The purpose of the article was to evaluate hand surgeons’ knowledge of security methods when utilizing electronic communication through text messaging. Specifically, the article targets the cross-sectional survey of the American Society for Surgery of the Hand membership. The results of the survey revealed that 63% of surgeons did not believe that text messaging did not meet HIPAA standards, yet only 37% of surgeons could confirm that they did not use text messaging to discuss protected health information. Although communication by text message isn’t prohibited by HIPAA, it must be used with utmost security in mind. Studies have shown that the usage of text messaging between patient and doctor has dramatically improved communication and provides many advantages. The article then goes on to talk about how many healthcare staff are in fact breaching protected health information (PHI) and that there are safeguards and deterrents set in place to protect PHI. Other results from the survey showed that there is a positive correlation between the age of surgeon and frequency of using text messaging to communicate with patients. Finally, ambiguity from the Department of Health and Human Services on the usage of text messaging has led to the frequent usage of texting for patient communication. This source is reliable as it comes from a reputable peer-reviewed journal. One concern with this article is the low response rate in the survey that was conducted. Another concern or limitation is that the survey was only towards hand surgeons; thus, it may not be wise to generalize this to the entire medical or health professional community. The reading difficulty is not very high and so this could be targeted toward any demographic. 
However, because it is in a research journal, I can only see other medical professionals reading this source. The article has pointed out some great flaws in the handling of PHI on the behalf of medical professionals but largely the Department of Health and Human Services. The data from the survey has also shown that healthcare staff should be more well-trained when it comes to handling PHI and extra security measures should be taken.