Nextgov: Ensuring Security in Health IT


“Health information privacy is an individual’s right to control the acquisition, uses, or disclosures of his or her identifiable health data.”

-NCVHS 2006


Fair Information Practices

Fair Information Practices (FIPs) must be universally and consistently adopted and applied to ALL electronic systems to ensure online privacy (control over personal information). FIPs should be build into all electronic systems, processes, and programs.

In brief, the FIPs are:

  • Transparency
  • Individual Participation
  • Purpose Specification
  • Data Minimization
  • Use Limitation
  • Data Quality and Integrity
  • Security
  • Accountability and Auditing

“Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII.”

Visit to view a full list of FIPs developed by the National Strategy for Trusted Identities in Cyberspace.


Zones of PrivacyZonesChart2

Click here to view larger and as a pdf


Two Factor Auth (2FA) tracks sites that support two factor authentication, which is an additional level of security beyond username and password.  The site has all the specifics for you, but what’s important is to see the overwhelming lack of support of healthcare organizations (including for this security.  You can also compare the healthcare list with other sites, such as security, and finance.


The following is the summary for healthcare organizations:
2 Factor Auth for Healthcare Organizations



theDataMap™  documents the flows of personal data. The goal is to produce a detailed description of personal data flows in the United States.

A comprehensive data map will encourage new uses of personal data, help innovators find new data sources, educate the public, and inform policy makers about data sharing practices so society can act responsibly to reap benefits from sharing while addressing risks for harm.

An example: Matching Known Patients to Health Records in Washington State Data

Step 1

Information from news accident reports uniquely and exactly matched medical records in publicly available Washington State health data in 43% of the cases, thereby putting names to patient records. See map of 33 states that sell or give away personal health data at:


IMS Health

On January 2, 2014, IMS Health Holdings announced it will sell stock on the New York Stock Exchange. IMS joins other major NYSE-listed corporations that derive significant revenue from selling sensitive personal health data, including General Electric, IBM, United Health Group, CVS Caremark, Medco Health Solutions, Express Scripts, and Quest Diagnostics.

Quotes from IMS Health Holding’s SEC filing:

  • “We have one of the largest and most comprehensive collections of healthcare information in the world, spanning sales, prescription and promotional data, medical claims, electronic medical records and social media. Our scaled and growing data set, containing over 10 petabytes of unique data, includes over 85% of the world’s prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records.”
  • IMS buys “proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally.
  • And IMS Health Holdings sells health data to “5,000 clients,” including the US Government.All purchases and subsequent sales of personal health records are hidden from patients. Patients are not asked for informed consent or given meaningful notice.


2014 Health Privacy Summit

The 4th International Summit on the Future of Health Privacy

Controlling Your Personal Health Information: Now Is the Time


The 2014 Health Privacy Summit brings together a diverse group of professionals for two days of lively intellectual exchange.

Healthcare providers, IT innovators, national and international privacy experts from academia, industry, and government will gather to hear insights, ideas, and analysis from leaders in the health privacy community.  The program includes a variety of guest speakers and keynotes to provide expert advice and practical recommendations related to the future of health privacy.

June 4 – 5, 2014

Hart Auditorium, McDonough Hall
Georgetown Law Center
600 New Jersey Ave NW
Washington, District of Columbia 20001

Save the date and visit our registration page NOW!