Thursday, August 26, 2010

This Discussion on Privacy Is Worth Following Closely. It Has Implications for OZ.

The following appeared a little while ago.

Health IT group drafts privacy recommendations

By Joseph Conn / HITS staff writer

Posted: August 19, 2010 - 12:30 pm ET

A federally chartered advisory work group charged in June with devising recommendations on privacy and security policies to support the government's electronic health-record system subsidy program presented today its near-final list of guidelines to the Health Information Technology Policy Committee.

The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS.

According to the tiger team's draft document posted on the HIT Policy Committee's website, the team's recommendations are based on "fair information practices," a now globally accepted set of privacy policy guidelines that stems from a 1973 report by the U.S. Department of Health, Education and Welfare.

"All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information," according to the tiger team proposal.

One fair-information practice incorporated by the tiger team in its recommendations is the requirement that there should be "openness and transparency about policies, procedures and technologies that directly affect individuals and/or their individually identifiable health information."

Another fair-information practice cited in the tiger team recommendations involves individual choice: Individuals, it notes, "should be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information." (This is commonly referred to as the individual's right to identifiable health information exchange.)

But the tiger team, while pronouncing that patients should have a choice, also made recommendations that either did not support or limited patient choice under an array of common healthcare scenarios.

For example, the tiger team recommended that healthcare providers—as they do now with paper records—bear the responsibility of maintaining the privacy and security of EHRs. Providers that exchange identifiable patient information "should be required to comply with applicable state and federal privacy and security rules," the team wrote. But for what the tiger team members define as "direct exchange" between a patient's treating providers, the tiger team recommended that patient consent not be required, just as it is no longer required under the privacy rule pursuant to the Health Insurance Portability and Accountability Act of 1996.

Nor should a patient consent requirement be triggered by the direct exchange of particularly sensitive healthcare information.

Lots more here:

Now consider what we have from NEHTA – From their 2009 Privacy Fact Sheet.

Six privacy tenets for e-health

1. Commitment to privacy

A commitment to privacy is the starting point for NEHTA initiatives involving the collection and handling of personal/health information.

NEHTA recognises that:

• Privacy is an integral component of a secure and interoperable e-health environment;

• It must be embedded in the design process;

• It must comply with all legal requirements; and

• It should promote privacy-positive approaches.

2. Health-specific focus

All NEHTA initiatives involving the collection and handling of personal/health information are focused on obtaining measurable benefits for individual health consumers and health providers as well as ensuring the improvement of public health outcomes.

3. Individual participation

All relevant NEHTA initiatives will seek to maximise the degree of control individuals may exercise over the collection and handling of their personal/health information.

4. Clarity & transparency of purpose

All NEHTA initiatives involving the collection and handling of personal/health information will seek to articulate their intended purposes transparently and clearly.

5. Data quality, audit & security

All NEHTA initiatives involving the collection and handling of personal/health information will ensure that robust data quality, audit and security measures are put in place.

6. Governance arrangements

All NEHTA initiatives involving the collection and handling of personal/health information will be subject to appropriate governance arrangements designed to ensure, amongst other things, that these privacy tenets are supported and progressed into, and beyond, the implementation phase of each initiative.

----- End Extract.

I don’t know about you but there seems to be a lot of ‘will seek to’, focusing on’ and ‘subject to appropriate’ rather that hard edged precision about what is actually going to be done.

In the past NEHTA has argued that it might just be a bit ‘too hard’ to provide the degree of control over their personal information at least a substantial minority of the population really want.

Just what will be done and how it will work needs to be fully clarified and properly consulted before any technical designs are developed or tenders issued.


No comments: