When consulting their own state law, all providers should also confirm state licensing laws, The Joint Commission rules, accreditation standards, and any other authority attaching to patient records. For help in determining whether you are a covered entity, use CMS's decision tool. The most severe criminal penalty under HIPAA, for offenses committed with intent to sell, transfer or use identifiable health information for commercial advantage, personal gain or malicious harm, is a fine of up to $250,000 and up to 10 years in prison. In the event of a conflict between this summary and the Rule, the Rule governs. However, adequately informing patients of these new models for exchange and giving them the choice whether to participate is one means of ensuring that patients trust these systems. The HITECH Act established ONC in law and gives the U.S. Department of Health and Human Services the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records (EHRs) and private and secure electronic health information exchange. Beyond confidentiality, the Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. The "addressable" designation does not mean that an implementation specification is optional. Widespread use of health IT within the health care industry will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. Organizations therefore must determine the appropriateness of all requests for patient information under applicable federal and state law and act accordingly. The Security Rule is therefore flexible and scalable, allowing covered entities to analyze their own needs and implement solutions appropriate for their specific environments. With developments in information technology and computational science that support the analysis of massive data sets, the big data era has come to health services research.
Last revised: November 2016.

Removing identifiers to produce a limited or de-identified data set reduces the value of the data for many analyses. Patient privacy can also refer to an organization's processes to protect patient health information and keep it away from bad actors. The Rule does, however, permit covered entities to determine whether an addressable implementation specification is reasonable and appropriate for that covered entity. Healthcare executives must implement procedures and keep records that enable them to account for disclosures that require authorization, as well as most disclosures that are for a purpose other than treatment, payment or healthcare operations. To receive appropriate care, patients must feel free to reveal personal information. Our position as a regulator ensures we will remain the key player. There are also Federal laws that protect specific types of health information, such as information related to Federally funded alcohol and substance abuse treatment.

Federal Public Health Laws Supporting Data Use and Sharing. The role of health information technology (HIT) in impacting the efficiency and effectiveness of

Meryl Bloomrosen, W. Edward Hammond, et al., Toward a National Framework for the Secondary Use of Health Data: An American Medical Informatics Association White Paper, 14 J.

Before HIPAA, some laws allowed patient information to be distributed to organizations that had nothing to do with a patient's medical care or payment for treatment, without authorization from or notice to the patient. Examples of privacy regulations include the General Data Protection Regulation (GDPR), which applies to personal data more generally, and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. HIPAA was passed in 1996 to create standards that protect the privacy of identifiable health information. Fortunately, there are multiple tools and strategies your organization can use to protect patient privacy and ensure compliance. Role of the Funder/Sponsor: The funder had no role in the preparation, review, or approval of the manuscript or the decision to submit the manuscript for publication. Some training areas to focus on include: Along with recognizing the importance of teaching employees security measures, it is also essential that your team understands the requirements and expectations of HIPAA. Organizations that don't comply with privacy regulations concerning EHRs can be fined, just as they would be penalized for violating privacy regulations for paper-based records. Keeping patients' information secure and confidential helps build trust, which benefits the healthcare system as a whole. The Privacy Rule also sets limits on how your health information can be used and shared with others.
The AMA seeks to ensure that as health information is shared, particularly outside of the health care system, patients have meaningful controls over and a clear understanding of how their. All of these will be referred to collectively as state law for the remainder of this Policy Statement. MyHealthEData is part of a broader movement to make greater use of patient data to improve care and health. The Privacy Framework is the result of robust, transparent, consensus-based collaboration with private and public sector stakeholders. Under the Security Rule, a health organization must do its due diligence and work to keep patient data secure. The regulations concerning patient privacy evolve over time. While the healthcare organization possesses the health record, outside access to the information in that record must be in keeping with HIPAA and state law, recognizing which disclosures fall outside the permissive disclosures defined above and may require further patient involvement and decision-making. Organizations that have committed violations under tier 3 (willful neglect that was corrected within the required period) have attempted to correct the issue. The "required" implementation specifications must be implemented. Because HIPAA's protection applies only to certain entities, rather than to types of information, a world of sensitive information lies beyond its grasp.2 HIPAA does not cover health or health care data generated by non-covered entities or patient-generated information about health (eg, social media posts).
The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules are the main Federal laws that protect your health information. HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. Dr Mello has served as a consultant to CVS/Caremark. HIPAA and Protecting Health Information in the 21st Century. While media representatives also seek access to health information, particularly when a patient is a public figure or when treatment involves legal or public health issues, healthcare providers must protect the rights of individual patients and may only disclose limited directory information to the media after obtaining the patient's consent. For example, an organization might continue to refuse to give patients a copy of its notice of privacy practices, or an employee might continue to leave patient information out in the open. Health information technology (health IT) involves the processing, storage, and exchange of health information in an electronic environment. Some consumers may take steps to protect the information they care most about, such as purchasing a pregnancy test with cash. The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule and here. The Privacy Act of 1974 (5 U.S.C. § 552a) was designed to give citizens some control over the information collected about them by the federal government and its agencies. Box has been compliant with HIPAA, HITECH, and the HIPAA Omnibus Rule since 2012. On the systemic level, people need reassurance that the healthcare industry is looking out for their best interests in general.
Content last reviewed on February 10, 2019. Data breaches affect various covered entities, including health plans and healthcare providers. If they do not trust that their information will be kept private, people might be less likely to approach medical providers when they have a health concern. Privacy refers to the patient's rights: the right to be left alone and the right to control personal information and decisions regarding it. Breaches can and do occur. An example of willful neglect occurs when a healthcare organization doesn't hand a patient a copy of its notice of privacy practices when they come in for an appointment but instead expects the patient to track down that information on their own. The nature of the violation plays a significant role in determining how an individual or organization is penalized. The penalties for criminal violations are more severe than for civil violations. The Security Rule defines "confidentiality" to mean that e-PHI is not available or disclosed to unauthorized persons. HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan.
While information technology can improve the quality of care by enabling instant retrieval of and access to information through various means, including mobile devices, and the more rapid exchange of medical information among a greater number of people who contribute to the care and treatment of a patient, it can also increase the risk of unauthorized use, access and disclosure of confidential patient information. Big Data, HIPAA, and the Common Rule. There are some federal and state privacy laws (e.g., 42 CFR Part 2, Title 10) that require health care providers to obtain patients' written consent before they disclose their health information to other people and organizations, even for treatment. Develop systems that enable organizations to track (and, if required, report) the use, access and disclosure of health records that are subject to accounting. The current landscape of possible consent models is varied, and the factors involved in choosing among them are complex. The Office of the National Coordinator for Health Information Technology's (ONC) work on health IT is authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Legal frameworks in the Member States of the World Health Organization (WHO) address the need to protect patient privacy in EHRs. Update all business associate agreements annually. Federal laws require many of the key persons and organizations that handle health information to have policies and security safeguards in place to protect your health information, whether it is stored on paper or electronically. Within healthcare organizations, personal information contained in medical records is reviewed not only by physicians and nurses but also by professionals in many clinical and administrative support areas. HHS developed a proposed rule and released it for public comment on August 12, 1998.
Adopt procedures to address patient rights to request amendment of medical records and other rights under the HIPAA Privacy Rule. IGPHC is an information governance framework specific to the healthcare industry which establishes a foundation of best practices for IG programs in the form of eight principles: Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention and Disposition. The Security Rule protects a subset of the information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or. Society's need for information does not outweigh the right of patients to confidentiality. If an individual employee at a healthcare organization is responsible for the breach or other privacy issues, the employer might deal with them directly. We encourage providers, HIEs, and other health IT implementers to seek expert advice when evaluating these resources, as privacy laws and policies continually evolve. Under the Security Rule, "integrity" means that e-PHI is not altered or destroyed in an unauthorized manner.
Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider: Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.7 Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents,12 periodically evaluates the effectiveness of the security measures put in place,13 and regularly reevaluates potential risks to e-PHI.14 A major goal of the Security Rule is to protect the privacy of individuals' health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. This section provides underpinning knowledge of the Australian legal framework and key legal concepts. You can even deliver educational content to patients to further their education and work toward improved outcomes. Under this legal framework, health care providers and other implementers must continue to follow other applicable federal and state laws that require obtaining patients' consent before disclosing their health information. But appropriate information sharing is an essential part of the provision of safe and effective care. The American College of Healthcare Executives believes that in addition to following all applicable state laws and HIPAA, healthcare executives have a moral and professional obligation to respect confidentiality and protect the security of patients' medical records while also protecting the flow of information as required to provide safe, timely and effective medical care to that patient. Most health care providers must follow the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule), a federal privacy law that sets a baseline of protection for certain individually identifiable health information (health information).
For instance, the Family Educational Rights and Privacy Act of 1974 has no public health exception to its obligation of nondisclosure. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) keeps track of and investigates the data breaches that occur each year. This is a summary of key elements of the Security Rule, including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. All providers must be ever-vigilant in balancing the need for privacy against the flow of information required for safe and effective care. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice. OCR also works to educate you about your privacy rights, enforce the rules, and help you file a complaint. Ensure where applicable that such third parties adhere to the same terms and restrictions regarding PHI and other personal information as are applicable to the organization. Review applicable state and federal law related to the specific requirements for breaches involving PHI or other types of personal information. Establish guidelines for sanitizing records (masking patient identifiers as defined under HIPAA so the patient cannot be identified) in committee minutes and other working documents in which the identity is not a permissible disclosure. Before HIPAA, a health insurance company could give a lender or employer patient health information, for example. You may have additional protections and health information rights under your State's laws. These guidance documents discuss how the Privacy Rule can facilitate the electronic exchange of health information.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed in 2009 to encourage the adoption of electronic health records (EHRs) and other types of health information technology. Conflict of Interest Disclosures: Both authors have completed and submitted the ICMJE Form for Disclosure of Potential Conflicts of Interest. Doctors are under both ethical and legal duties to protect patients' personal information from improper disclosure. If you access your health records online, make sure you use a strong password and keep it secret. In this article, learn more about health information and medical privacy laws and what you can do to ensure compliance. It will be difficult to reconcile the potential of big data with the need to protect individual privacy. Funding/Support: Dr Cohen's research reported in this Viewpoint was supported by the Collaborative Research Program for Biomedical Innovation Law, which is a scientifically independent collaborative research program supported by the Novo Nordisk Foundation (grant NNF17SA0027784). Several regulations exist that protect the privacy of health data. While it is not required, health care providers may decide to offer patients a choice as to whether their health information may be exchanged electronically, either directly or through a Health Information Exchange Organization (HIE). Protected health information can be used or disclosed by covered entities and their business associates (subject to the required business associate agreements being in place) for treatment, payment or healthcare operations activities and other limited purposes, and as a permissive disclosure, as long as the patient has received a copy of the provider's notice of privacy practices, has signed an acknowledgement of that notice, the release does not involve mental health records, and the disclosure is not otherwise prohibited under state law.
When such trades are made explicit, as when drugstores offered customers $50 to grant expanded rights to use their health data, they tend to draw scorn.9 However, those are just amplifications of everyday practices in which consumers receive products and services for free or at low cost because the sharing of personal information allows companies to sell targeted advertising, deidentified data, or both. Ideally, anyone who has access to the Content Cloud should have an understanding of basic security measures to take to keep data safe and minimize the risk of a breach. At the population level, this approach may help identify optimal treatments and ways of delivering them and also connect patients with health services and products that may benefit them. Adopt a notice of privacy practices as required by the HIPAA Privacy Rule, have it prominently posted as required under the law, and provide all patients with a copy. Having to pay fines or spend time in prison also hurts a healthcare organization's reputation, which can have long-lasting effects. These key purposes include treatment, payment, and health care operations. HIPAA's Privacy Rule generally requires written patient authorization for disclosure of identifiable health information by covered entities unless a specific exception applies, such as treatment or operations. HIPAA has been derided for being too narrow (it applies only to a limited set of covered entities, including clinicians, health care facilities, pharmacies, health plans, and health care clearinghouses) and too onerous in its requirements for patient authorization for release of protected health information. Since there are financial penalties for even unknowingly violating HIPAA and other privacy regulations, it's up to your organization to ensure it fully complies with medical privacy laws at all times. A patient might give access to their primary care provider and a team of specialists, for example.
This has been a serviceable framework for regulating the flow of PHI for research, but the big data era raises new challenges. The amount of such data collected and traded online is increasing exponentially and eventually may support more accurate predictions about health than a person's medical records.2 Statutes other than HIPAA protect some of these nonhealth data, including the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act of 1974, and the Americans with Disabilities Act of 1990.7 However, these statutes do not target health data specifically; while their rules might be sensible for some purposes, they are not designed with health in mind. Mandate, perform and document ongoing employee education on all policies and procedures specific to their area of practice regarding legal issues pertaining to patient records, from employment orientation and at least annually throughout the length of their employment/affiliation with the hospital. You also have the option of setting permissions with Box, ensuring only users the patient has approved have access to their data. Foster the patient's understanding of confidentiality policies. HIPAA's regulations include the Privacy Rule and the Security Rule (alongside the Breach Notification Rule noted above). Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal privacy protection law that safeguards individuals' medical information. To make it easier to review the complete requirements of the Security Rule, provisions of the Rule referenced in this summary are cited in the end notes. Breaches take the form of email hacks, unauthorized disclosure of or access to medical records or email, network server hacks, and theft.