Wednesday, April 10, 2013

A New Framework For Health Information Privacy - An Important Set Of Actionable Principles.

This article appeared a few days ago.

New Framework Details 15 Core Health Privacy Principles

APR 3, 2013 5:30pm ET
Advocacy organization Patient Privacy Rights has published the Privacy Rights Framework, with 15 core principles comprising more than 75 auditable criteria to measure and align privacy policies to acceptable business practices.
The Framework is designed to help measure and test whether health information systems and research projects comply with best privacy practices in such areas as whether patients have control over their protected health information, an organization obtains meaningful consent before disclosing data and obtains new consent before secondary data use occurs, patients have the ability to selectively share data, and the organization uses servers housed in the United States, among other factors.
The framework is available now for all stakeholders. However, Patient Privacy Rights will develop a system to permit licensing for entities that want to be formally approved by the organization to enable consumers “to tell the good guys from the bad guys.”
This article is found here:
The framework is available here.
The core privacy principles from the .pdf are:
Principle 1: Patients can easily find, review and understand the privacy policy.
Principle 2: The privacy policy fully discloses how personal health information will and will not be used by the organization. Patients’ information is never shared or sold without patients’ explicit permission.
Principle 3: Patients decide if they want to participate.
Principle 4: Patients are clearly warned before any outside organization that does not fully comply with the privacy policy can access their information.
Principle 5: Patients decide and actively indicate if they want to be profiled, tracked or targeted.
Principle 6: Patients decide how and if their sensitive information is shared.
Principle 7: Patients are able to change any information that they input themselves.
Principle 8: Patients decide who can access their information.
Principle 9: Patients with disabilities are able to manage their information while maintaining privacy.
Principle 10: Patients can easily find out who has accessed or used their information.
Principle 11: Patients are notified promptly if their information is lost, stolen or improperly accessed.
Principle 12: Patients can easily report concerns and get answers.
Principle 13: Patients can expect the organization to punish any employee or contractor that misuses patient information.
Principle 14: Patients can expect their data to be secure.
Principle 15: Patients can expect to receive a copy of all disclosures of their information.
A description of the approach is here:

Trust Framework

What is the PPR Framework?

The PPR Framework is a set of 75+ auditable criteria that measure how much technology protects data privacy. It can offer ALL health care consumers the ability to control their most sensitive and sacred personal information by empowering patients to make meaningful choices about HIT systems and products based on attestation to the tough privacy principles and criteria they expect for health information.

Who developed the PPR Framework?

PPR and the bipartisan Coalition for Patient Privacy, in concert with Microsoft and PricewaterhouseCoopers (PwC), developed and tested a set of privacy principles and standards, operationalized in criteria that should be built into all electronic systems, platforms, and applications that handle personal health data in order to prove that they are worthy of trust.

What is PPR Framework based on?

The PPR Framework is grounded in Americans’ longstanding civil, human, and ethical rights to health information privacy. It is based on the bipartisan consumer privacy policies and principles established by members of the Coalition for Patient Privacy in 2007.

What does the PPR Framework test?

The PPR Framework tests whether health IT, platforms, applications, and research projects comply with the gold-standard privacy principles the bipartisan Coalition for Patient Privacy established in 2007-2008 over a period of 18 months. A patent is pending to assure that this system can be widely used to measure how closely systems, platforms, and applications meet patients’ expectations for control over personal data, and expectations of state-of-the-art data security.

Who will benefit?

Developers of health IT systems, platforms, applications, and organizations that claim to be committed to privacy should be able to outwardly reflect that avowed commitment. Privacy seals could be awarded for compliance with the PPR Trust Framework and would distinguish trustworthy organizations that are truly making a full and good-faith effort to honor individuals’ right to privacy from all the rest. Patients are the greatest beneficiaries of the PPR Trust Framework. They should be able to protect themselves and easily see which electronic records systems, applications, and websites to avoid. Restoring patient control will offer consumers the ability to reap the rewards of health IT by enabling them to select systems worthy of trust.

PPR Trust Framework

Today’s data-rich networked society makes deployment of trusted electronic systems practical and painless. PPR believes organizations can earn public trust by attesting and adhering to the principles outlined in its Trust Framework and privacy certification process. In 2008, PPR, PwC, and Microsoft developed and tested this robust privacy certification program on HealthVault. Several key consumer organizations, including the ACLU and Consumer-Action, participated in the development and testing of the PPR Trust Framework.
PPR’s Trust Framework could be used for a formal privacy certification process. It differs from other health IT certification processes because it is designed specifically to enhance consumer engagement, education, and trust in electronic systems, platforms, and applications that hold individuals’ personal health information.
Public awareness of privacy-positive companies and organizations would be a very significant step and create pressure to restore privacy and the Constitutional liberties and freedoms that the Digital Age has violated. As more and more consumers – of healthcare and other products and services – become better educated about their privacy rights and the existing and growing threats to those rights, they will look for privacy-committed companies with which they can do business. Consumers will reward good business practices by participating in systems or projects that are publicly committed to operate in compliance with the Trust Framework’s privacy principles.
The PPR Framework can play an integral role in building a vibrant, trusted research ecosystem. In general, the public is altruistic and willing to participate in research, provided that they know they have control over their information and can choose the type of research in which they participate. Furthermore, they want to know that the platforms and applications they donate their information to are trustworthy and secure. The Trust Framework offers research organizations and institutions the opportunity to demonstrate their commitment to informed consent and strong data security and data privacy protections.
This page is found here:
It should be noted that the intent of these principles and the auditable points applies to all those who handle health information electronically. While I can see some obvious areas where the NEHRS may not comply, it is also clear there will be many medical practices and facilities who are not quite up to scratch.
There is no doubt these requirements set a high bar - but I think we should be working towards them if we are to ensure patient trust.


Paul Fitzgerald said...

Agree entirely David. I don't believe we have such a strong patient advocacy body here in Australia, though. With NeHTA/DoHA "staff" trolling the corridors of hospitals to sign up unsuspecting citizens, it is hard to see how these principles could be followed.

Bernard Robertson-Dunn said...

Health Information Privacy is a step in the right direction towards good information management but privacy is not the only issue.

The statement "PPR’s Trust Framework could be used for a formal privacy certification process. It differs from other health IT certification processes because it is designed specifically to enhance consumer engagement, education, and trust in electronic systems, platforms, and applications that hold individuals’ personal health information.", implies that trust will flow from implementing the 15 privacy principles.

I suggest that such trust will only come from implementing a larger set of principles than just privacy principles.

An example is the issue of data accuracy. I would like to see some principles that addressed the matter of the information on a patient being both accurate and timely. I wouldn't want someone else's data to be included in my health record; I would like to be confident that any changes in the real world were reflected in the data. There's also the matter of fixing errors - who is responsible and what's the process?

I'd also want to know the processes for resolving disputes between the patient and health professionals and between health professionals that impact a patient's health information.

Three comments:

1. Information management is more than privacy.
2. Privacy is not the same as security.
3. You should start with information management principles before building IT systems. Retrofitting them is almost impossible.

Anonymous said...

This is an American standard, so while interesting and nicely presented, is not of real value in Australia.

However, it would be a shame to miss a chance to highlight the limited value that NEHTA's privacy team brings to eHealth in Australia. Although the people are knowledgeable and well informed, their remit seems to be extremely hard limited to ONLY providing internal advice to internal programs and NOT to health organisations who might have to actually comply with privacy legislation when adopting ehealth programs.

There were some brave souls in the early days who did produce documents for external consumption, but this got stomped out pretty firmly when the regime changed. The onus is now on health organisations to undertake their own PIAs and to hope that they can manage the changes...

Another missed opportunity to better inform the broader Aust ehealth community on a complex and important policy area with REAL consequences for mishandling. Sigh.

Anonymous said...

Yes, patient and sensitive information is going to be an issue for many Australian healthcare professionals and providers into the future, and is not the only issue as Bernard points out. There are many others.

However in saying this, with the beefed up Privacy Act Amendments and discussions about mandatory breach notification laws awaiting passage, healthcare professionals will have to re-assess their exposure to cyber threats and risks, or not only face regulatory penalties but potential class actions from patients for remediation services like credit file monitoring.

This equates, based on market estimates, to around $200 per record. The math is simple: 1,000 patients x $200 = $200,000.

This alone can not only damage brand reputation but potentially put GPs and practices out of business.

It is time for people in health to start to take notice about good data security and governance, but also put plans in place, and review existing systems and policies.

Otherwise, if neglected or set aside for another day, face the penalties, just like the GP practice on the Gold Coast did for lax policies.

It may cost a few dollars today, but potentially save many more down the track.

Privacy Paul