Wednesday, November 21, 2012

What Is The Story Regarding The Privacy Of Your Information From Government If Held In A NEHRS?

I was alerted to this issue by a report from the US:
Monday, November 12, 2012

Despite ONC's Effort, Comparing PHR Privacy Policies Still Challenging

by Kate Ackerman, iHealthBeat Managing Editor
To date, personal health record adoption has been somewhat limited, but the market is expected to get a big boost from Stage 2 of the meaningful use incentive program.
Deven McGraw -- director of the Health Privacy Project at the Center for Democracy & Technology -- said, "The market for those tools has been a little soft I think because people have really had to hand enter in the data or scan [them] in, as opposed to being able to feed [the information] directly from a provider's electronic health record, unless they happen to be a patient at Kaiser or part of a system that already offers them that tool." However, she said, "That's going to change in 2014 when a lot of the early adopters in the HITECH incentive program begin Stage 2 and start actively encouraging patients to view and potentially download and transmit their data."
But is the industry ready when it comes to privacy and security regulations?
Survey data show that consumers routinely cite privacy and security as top barriers to personal health record adoption. A 2010 survey from the California HealthCare Foundation found that 75% of U.S. adults without a PHR cited concerns about the privacy of their information as the top barrier to using a PHR. CHCF publishes iHealthBeat.
Jeff Donnell, president of PHR provider NoMoreClipboard, noted that consumers have been exposed to privacy and security issues in the financial services industry. He said, "So they take a look at that and recognize, 'Okay, often times information is used for nefarious purposes,' and people want to make absolutely certain that their data [do not] somehow get stolen or wiped and end up being used by identity thieves." He added, "It's not uncommon to hear about ... a major breach where thousands or hundreds of thousands or in some cases even millions of patient records walk out of an office on a laptop or unencrypted disc, and then those things disappear or get stolen. ... And, that gives people cause for concern."
Further, when consumers are considering PHRs sponsored by health plans or employers, they want to "make absolutely certain" that their data is not visible to their boss and that their health plan cannot use their information to deny coverage, according to Donnell.
Despite the survey data, McGraw said that in practice, convenience and usefulness -- not privacy -- are likely top of mind when consumers are deciding which PHR tool to adopt.
Donnell agreed. "Certainly there are going to be some people who rightfully are going to be very concerned about why would someone want my health information. You know, if I'm George Clooney or Brittney Spears, I'd be worried because I know people are going to try to get at that data," he said. 
However, he said, "If I'm an individual with diabetes or I'm taking care of an aging parent with congestive heart failure, you know what? I'm not all that worried about privacy and security. I'm worried about making sure that I have ready access to information that I'm able to easily manage it, share it with the people who need the data to properly care for me or my family member. So all of a sudden, those privacy concerns while they don't go away, they become very, very minimal in terms of importance."
Donnell said that the data analytics on NoMoreClipboard's website and application show that fewer than 1% of users actually take the time to click through and read the firm's privacy policy.
"Are Personal Health Records Safe? A Review of Free Web-Accessible Personal Health Record Privacy Policies" (Carrión Señor, Journal of Medical Internet Research, August 2012)
Lots more here:
A point made here is that information held in your PHR may - or may not - be safe from your employer or insurer.
After something of a hunt I tracked down the NEHRS Privacy Statement.
You can follow these links.
This then points to this:
While I am no lawyer it does not seem there is much in the way of barriers for the use of information in the NEHRS by those in DoHA and the Department of Human Services - who choose to do so - given the things like my evolving name changes and so on - as reported last week on the blog.
See here:
I think the general approach of only providing information you are happy to see on the front page at makes a great deal of sense in terms of what you put in you NEHRS. You just never know when some information you provide trustingly can come back to bite you!
Remember once information escapes - no matter how - it is very hard to get back.


Anonymous said...

Yes Privacy is going to play a significant role in all aspect of NEHRS.

The new privacy act amendments are going to make all parties better stewards of personal information because of the fact that civil penalties will now apply to both individuals and organisations for data breaches.

Although healthcare providers have always been under the auspice of the Privacy Act they will now have to be additionally diligent on how they store data, how they manage data and how they distribute data.

Food for thought

Privacy Paul

Paul Fitzgerald said...

Did I mention that there is a locally developed solution for this issue? :-)
it may not be "approved" by NeHTA, but they may not be here soon....

Trevor3130 said...

Privacy is tightly bound to authentication.
Dave Birch & team punting for Layered Approach.
There is no silver bullet for authentication, not even biometrics, but some intelligent multi-modal application can quickly shift authentication into a sweet spot for most transactions, most of the time. Buy a pack of gum, tap. Buy a pair of shoes, chip and PIN. Buy a car, chip and PIN and fingerprint. Buy a house, chip, PIN, fingerprint and voiceprint. Launch nuclear missile, chip, PIN, fingerprint, voiceprint and DNA.
It's a crying shame that Australian Government dropped the ball on identity management, and left Health IT wallowing in the doldrums.

Anonymous said...

Trevor a layer approached is a good way to do things, there is an Australian product that takes this approach through security markings and multi-factor authentication, where person is present and combines email and SMS OTP's, challenge response using PIN and voice comparators as different factor options. A further point on this is that it does it all at object level, so no Honeypot for hackers, as they would have to crack every record.

Unfortunately I believe that NEHTA did not wish to use this type of technology as it did not conform with the standards that they had developed for authentication and messaging.