In the last few weeks there has been a considerable amount of work being undertaken in thinking about what is needed to protect individual privacy of health information in the US. There are some issues worth considering for Australia as well.
First we have this:
By Mary Mosquera
Wednesday, August 04, 2010
The Privacy and Security Tiger Team yesterday began exploring how current technologies can help patients make decisions on consent and access to their electronic health records when more sensitive patient data is involved.
The team, composed of government and private sector healthcare privacy experts, teed up questions related to how to accommodate patients who might want to exercise highly-selective levels of control over electronic versions of their personal health information or portions of that data.
Although the direct exchange of patient data between providers for treatment purposes does not require patient consent beyond what is covered in existing law and fair information practices, some patients may want to exercise more choice in consultation with their providers about how their sensitive data is handled, the experts noted.
“We want to honor patient preferences from the policy perspective and determine if technology supports it,” said Deven McGraw, the chair of the tiger team, who is also director of the Health Privacy Project at the Center for Democracy and Technology, at the Aug. 3 meeting.
The group’s general mission is to come up with solutions to thorny privacy and security challenges related to health information exchange and make recommendations to the Office of the National Coordinator for Health IT.
More useful material here:
The same issues are also covered here:
Posted: August 5, 2010 - 12:45 pm ET
A federal advisory panel stepped back on a proposed recommendation that patients have the opportunity to control the direct exchange of their sensitive personal health information absent federal or state laws mandating patient consent.
The proposed federal health information technology policy recommendation came Tuesday during a meeting of the privacy and security tiger team of the federally chartered Health IT Policy Committee.
The tiger team has been meeting as often as twice a week since June to try to quickly develop healthcare IT privacy and security policy recommendations in the run-up to the implementation of a massive federal subsidy program for health IT under the American Recovery and Reinvestment Act of 2009. The first "payment year" of the federal IT subsidy program starts Oct. 1 for hospitals and Jan. 1, 2011, for office-based physicians.
One of the subsidy program's eligibility requirements is that healthcare providers be able to demonstrate that they're successfully using health IT to exchange patient information. The tiger team has focused its deliberations on policies governing such "meaningful-use" information exchanges.
In 2000, in the waning days of the Clinton administration, HHS issued its first HIPAA privacy rule, which mandated that healthcare providers and other so-called covered entities obtain patient consent before exchanging protected healthcare information for treatment, payment and a specific list of "other" healthcare operations. In 2003, however, the Bush administration amended the HIPAA privacy rule and gave "regulatory permission" for covered entities to disclose the same sort of patient information for treatment, payment and other healthcare operations without a patient's consent. Consent, or the lack thereof, has remained a thorny issue in health IT ever since.
Previously, the tiger team reported to the Health IT Policy Committee a recommendation that patient consent not be required for what it called "directed exchange"—transactions limited to the exchange of information between providers for treatment of a specific patient. Based on this recommendation, patient consent would not be required in the event of a primary-care physician sharing patient information with a specialist as part of a referral, for example.
But the tiger team also suggested that there be six specific "trigger" conditions in which HHS might want to use its influence to require consent before patient information was exchanged. These trigger conditions were presented to the HIT Policy Committee in a progress report on the tiger team's activities during a committee meeting July 21.
According to the tiger team's original recommendations, one of the six specific conditions that should trigger a patient-consent requirement is the exchange of information "that is often perceived to be more sensitive than other types of information"—behavioral-health and substance-abuse information, for example, as the National Committee on Vital and Health Statistics defines these and other types of information as sensitive.
The tiger-team recommendations were accepted by the Health IT Policy Committee with the provision that they could be changed when a full set of recommendations is resubmitted to the committee by the tiger team in a month or so. Created under the American Recovery and Reinvestment Act of 2009, the Health IT Policy Committee makes recommendations to the Office of the National Coordinator for Health Information Technology at HHS.
It was the trigger for “more sensitive” information that was stepped back by the tiger team on Tuesday as members sought to answer this question: “For directed exchange, is the presence of sensitive data in the information being exchanged a trigger for requiring consent?”
The new answer they came up with is no.
Tiger team Co-chair Deven McGraw said members based their discussions and ultimate recommendation on a straw proposal (PowerPoint) that was not “word for word” but “close” to the content of an e-mail drafted last week by tiger team member Wes Rishel. McGraw is the director of the Health Privacy Project at the Center for Democracy and Technology, a Washington-based think tank. Rishel is a vice president and distinguished analyst in the healthcare provider research practice of Gartner, an IT market research firm.
According to the straw proposal:
- All health information is sensitive, and what patients deem to be sensitive is likely to be dependent on their own circumstances.
- However, some federal and state laws recognize some categories of data as being more sensitive than others.
- Unless otherwise required by law, with respect to direct exchange for treatment, the presence of sensitive data in the information being exchanged does not trigger a requirement to obtain the patient's consent in the course of treating a patient.
The straw proposal, however, carried its own caveat: that the policy recommendation "does not change the patient-provider relationship," which the tiger team suggests must provide a foundation of trust for the patient as a prerequisite for health information technology use to be successful.
"When information is transmitted by a provider as a direct exchange for a specific treatment purpose, clinicians should take into account and honor, to the extent possible, patients' expressed or likely concerns for privacy and also ensure the patient understands the information the receiving clinician will likely need in order to provide safe, effective care," according to the proposal.
Lots more discussion here:
We also have this commentary:
Health Data Management Blogs, July 23, 2010
“You have zero privacy anyway. Get over it.” I'm not defending this quip by the master quipster, founder and former CEO of Sun Microsystems, Scott McNealy, but is this the de facto consequence of the mad dash to implement EHRs and HIEs?
Lately, my e-mail inbox is full of stories about hospitals fined for what looks like minor breaches of patient privacy. In one case, a California hospital was dinged $25,000 for two employees accessing three patients’ health information. Fines for more “egregious” breaches have been higher.
Really, how in the world can a medical facility ensure that there will be no unauthorized viewing of health information given the state of EHR’s internal data privacy, and given the fact that much of this information is now being more widely distributed via HIEs? Clearly, busting employers on a HIPAA beef is not working to prevent employees from accessing or leaking out personal health information.
I suppose the first question is: Do patients really care about keeping their health information private? One would think so based on the way the public reacts to stories about the information that they voluntarily post on Facebook getting out. But on the other hand, physicians, HIE advocates, and the government would like to have all information about the patient readily available to assist in diagnosis and treatment.
So who decides how much information is open to whom?
And is it possible to provide a more granular access to patient information and restrict just what information goes to which interested party and controlled pretty much completely by the patient?
The answer to the second question is, of course.
We do this every day with our financial information. We gladly hand over our credit card to a waitress anywhere in the world in order to get an authorization to charge the restaurant bill to the card. When we lease or finance a car, we permit a one-time access of our credit history and credit score for the dealer. My county property tax records are online. Anyone can easily see how much property tax I pay each year, but not what I had for dinner or how I paid the taxman (check, credit card, or cash). We do not permit the real estate agent, car salesman, or waitress to roam about in our financial records freely.
There is a well-defined set of discrete transactional access paths to our financial information and we restrict the access to these paths to certain individuals and institutions for a specific time period for a specific use.
Why can’t we do the same thing with our health information?
We might be OK with pretty much everyone knowing what we are allergic to. We certainly want the health insurance company to get sufficient information to pay the claim (most of the time). We might want to restrict information about our orthopedic work to our primary care doc and the orthopedist who did the work, but not share it with a clerk at a different orthopedist office who may be in the same HIE. A patient may want to restrict mental health records to only the psychiatrist who treats them and no one else.
There is a solution. There is a considerable amount of standards work, reference models, demonstration products, and a handful of software companies with technology for sale that enable patient controlled consent over just what health information gets out and where it goes.
For those specifically interested in healthcare consumer privacy and consent management, the May and June presentations to the Privacy and Security Workgroup are enlightening.
The May meeting lays out the consent management model in detail. Click here for the PowerPoint document that explains the model. The June meeting shows an example implementation at the Veterans Administration (click here). And for those interested in all the gritty details I would point you to the HL7 collaborative care model page as a starting point.
More indeed here:
There is no real way to summarise all this. It is clear some serious thought is being given as to how best to provide patient confidence in the protection of their sensitive information (as they perceive it) while making sure providers have reasonable access to the information needed for care.
If the Personally Controlled EHR is to be anything more than spin, some people at DoHA and NEHTA are going to similarly have to work to address these issues in ways that everyone is happy with.
The presentations linked in the text will give those interested a flavour of just how complex this may very well turn out to be. They are well worth a read!