Thursday, January 17, 2013

Some Thoughtful Points On Why It Is Patient Health Information Privacy Matters.

The appeared over the break.

Q&A: Privacy maven Deborah Peel, MD

By Anthony Brino, Associate Editor, Healthcare Payer News and Government Health IT
Created 01/03/2013
Deborah Peel, MD, was trained as a Freudian psychoanalyst and worked as a psychiatrist in Austin, Texas, for nearly three decades before becoming a privacy activist, founding the group Patient Privacy Rights in 2006 after being appalled by HIPAA’s evolution into what she sees as a weak baseline for privacy and security.
Equally skeptical of both private industry and the government, Peel’s views and policy proposals diverge sharply from myriad health IT leaders in a lot of ways. But she shares many of their goals, and the optimism that technology and patient engagement can improve American healthcare systems.
Recently, Patient Privacy Rights urged the Department of Health and Human Services to regulate cloud computing as hosted data services grow and data breaches continue to plague health organizations. In a wide-ranging iinterview, Peel talked about her background as a mental health provider, how healthcare organizations can build patient trust, her ideal model for information sharing consent and more.
Q: How did your view of privacy and patient rights develop?
A: It really grew out of my long-term practice as a boarded psychiatrist and a Freudian psychoanalyst. Literally the first week I hung out my shingle in the late ‘70s, people came in and they said “If we pay you cash, will you keep our records private?” This is a problem that predates electronic health records. Health information doesn’t stay in the doctor’s office. What happened then was information on paper would get sent to pay claims, and it was very detailed and the claims information would many times be shared with employers. That can happen because under ERISA (the Employee Retirement and Income Security Act), if you’re in an ERISA employer-based health plan, they frankly have the right to see your information. Many companies say they don’t do that but it’s a widespread practice. I learned from my patients that if you use any third parties then the privacy of your sensitive information is at risk.
I really learned that there were significant numbers of people who will not get treatment unless they know it’s private.This is long-standing problem that predated electronic health records, but if you think about the scale of things, it’s very different.
Q: Did you know of mental health patients whose employers learned of their conditions and discriminated against them?
A: Absolutely, not only discriminating against them. Another very common complaint would be, “I applied for life insurance or long-term disability insurance, and I’ve been denied.” They would look into it and it would be because of psychiatric records. I wrote many a letter that said, “This person has never been suicidal. This person has not been on medication. They’ve been in therapy; they’ve managed their problems very well.”
It’s my opinion that insurers have long discriminated against anyone with mental health diagnosis, and I don’t believe it’s actually accurate actuarially. I don’t actuarially believe that there’s a basis for discriminating against anyone who has any mental illness or addiction diagnosis. If you think about it, the ones that do well are actually the ones that come in for treatment. These are people that are going to do well and get better, not create major burdens for the insurance industry.
I do have a pretty negative view of the insurance industry and the managed care industry. Insurers, when we had an indemnity model, all they got to pay claims was the diagnosis, the date of treatment, the place of treatment, the type of treatment and the cost — five elements. Their corporate mandate is to return money to shareholders. So they began to think of ways to ratchet down what they were paying out. Insurers began to demand copies of records as a condition for paying claims, and then they would use whatever they found to collect more information about individuals, and also to find ways to deny and limit payments and claims. Insurers began to require that you sign every year a blanket advance consent that in order to pay a claim that your doctor would send records of the treatment to them. They now pore over people’s records to look for ways to take back payments that have already been made, to claim that something was not revealed earlier that would’ve caused you to be denied.
Much more of the interview found here:
I think this is a very useful summary of a considered view of what harms can come from breeches (or breaches - grin) and what might be done about it.
Well worth a read.
David.

10 comments:

Paul Fitzgerald said...

David, I have worn breeches for years when I used to compete in 2 and 3 day eventing - they never caused any harm, I promise. :-)

Bernard Robertson-Dunn said...

A good example of how implementing an IT system changes the problem.

As with the PCEHR, when you make access to information much easier, you have to work very hard to make sure that people who shouldn't see the information don't.

Not only that, but because access to lots of information is now possible, people who weren't interested in trying to get at it before, because it was so difficult (like insurance companies, employers, the media - think phone hacking - criminals, pharmaceutical companies etc etc), suddenly become very interested.

So what was, supposedly, a relatively simple problem of building a database now becomes a difficult exercise in data protection, potentially requiring legislation. And we know how quickly legislation gets passed, never mind developing the right legislation and legislation that covers all issues.

And relying on legislation is not a good strategy, on it's own. Access to health information needs to be carefully managed, controlled and monitored, at multiple system levels.

And that, IMHO, is the Achilles heel of the PCEHR: that, not so well known, IT system.

Tom Bowden said...

I fully agree with your comments Bernard. I think it is essential that the industry grasps the importance of designing systems that minimize any form of patient data aggregation except where ABSOLUTELY necessary.

My colleagues and I are very focused on query-based systems, that provide information, from source systems, on an as needed basis.

I believe that is the future.

All the best for the year ahead,

Tom

Paul Fitzgerald said...

This also highlights why secure messaging is not sufficient. It only ensures delivery from place to place, not to an individual. The majority of breaches come from employees, so it becomes apparent that if I want a specific clinician to see results, or receive a discharge summary etc, then I need to ensure delivery to that clinician. That way, if it comes to the privacy commissioner asking questions, I can put hand on heart and say "it went to Dr/Nurse X, and s/he opened the document..." and I can prove it was that person.

Trevor3130 said...

Here's four (more) examples of the breadth & depth of work being done in relation to Health IT in the North.
One, Nate Silver asked What Is Driving Growth in Government Spending? He has presented a superb series of graphical data, beautiful to behold, but the answer is "Entitlement programs". Health care spending increased at 5.7 percent per year. The message from this is twofold - Australian healthcare practices will follow those of the US; there are lots of "winners" making large $$$ who will resist any change in the direction of "efficiency", you know, the magic promised by eHealth.
Two, ONCHIT launched their Standards and Interoperability (S&I) Framework. See the wiki for impressive depth.
Three, the UK Government Digital Office published Government transaction costs – the story behind the data. Seems like citizens will be able to see real costs of transactions. Will that extend to costs of transferring healthcare treatments from public to private? I doubt, because that's where the gold is buried.
Four, WSJ looked at Spotty Records Weaken Background Checks that bears precisely on issues relating to public safety and healthcare data, weaknesses shared with Australian records-keeping.
[Sorry for length :) ]

Anonymous said...

minimize any form of patient data aggregation except where ABSOLUTELY necessary.

What precisely does this mean Tom?

Data is aggregated in a discharge summary, in cumulative biochemistry and haematology reports, in the medication record and so on. Doctors make informed decisions based, not on isolated information, but on aggregated information which the need to consider for evidence of trends and changes from the baseline over time and so on. In short, contrary to your non clinical perspective aggregated data is very important.

Anonymous said...

Tom Bowden probably meant to say that the extent / degree of data AGGREGATION must be determined by the clinician (ie the person who wants access to the data) in order to make a clinical decision.

Simply AGGREGATING all data will just serve to swamp / hide the relevant data in a barrage of STUFF and that is dangerous.

The computer system must have a capability for the person requesting some specific data to be able to specify the degree to which that data is required to be AGGREGATED.

I want ALL Haematology results over a particular date range, show only abnormals, or show only normals, or show normal and abnormal in ascending or descending chronological order.

Bernard Robertson-Dunn said...

Anonymous said...

"The computer system must have a capability for the person requesting some specific data to be able to specify the degree to which that data is required to be AGGREGATED."

Are you suggesting that they should have analysed the information needs of the stakeholders, users and patients, before designing and implementing the system?

That's a bit radical isn't it?

That's "radical" in the sense that it doesn't happen in most IT systems - and didn't seem to happen in the case of the PCEHR.

Anonymous said...

I did not suggest that Bernard. It is not rocket science to capture and record the data even though it comes from multiple, disparate sources. Standard formats, APIs and filing the data in a standard organized manner which is accessible notwithstanding. That, I believe is what NEHTA has been busy endeavouring to do for some years.

HOWEVER it is the logic and flexibility designed into the system at the user interface that makes the difference between whether one user or another can access the data stored in the system in the way that they want that makes the difference. Sloppy user interface design is all too common rendering a good system frustrating and useless.

Bernard Robertson-Dunn said...

Anonymous said...

I did not suggest that Bernard.

I know. I was being sarcastic, sometimes a dangerous thing to be in the internet.