There is some interesting work going on in the US on patient control of personal health information.
The US debate does need to be put into context however. Because of the absolutely labyrinthine system of healthcare financing and re-imbursement all sorts of information flows from providers to insurers and this information flow is neither control by or consented for by the patient.
There is now considerable enthusiasm on the part of a good section of the American populace to find out just who had their identifiable health information and what they are doing with it!
Now read on.
August 17, 2011, 1:55 pm
Dr. Farzad Mostashari / National Coordinator for Health Information Technology
Those of you keeping a close eye on the Office of the National Coordinator for Health Information Technology (ONC) and its activities might have noticed the advance notice of proposed rulemaking (ANPRM) that was published on Tuesday, August 9, 2011, requesting public input on a set of proposed metadata standards recommended to ONC by the HIT Standards Committee.
The immediate focus of the ANPRM is the association of metadata with summary care records, but we also welcome input on the use of metadata relative to other electronic health information contexts. To better inform future proposals, we expressed our interest in learning about stakeholders’ relevant metadata implementation experience and requested public comment on the results of any real-life testing or use of the metadata standards discussed the ANPRM. The ANPRM builds upon the recommendations of the Health IT Policy and Standards Committees, which put forth analysis on how ONC could accelerate health information exchange consistent with the vision laid out by the President’s Council of Advisors on Science and Technology (PCAST) in the report it issued in December 2010. The PCAST report envisions a robust health information exchange ecosystem in which patients and providers are able to privately and securely exchange health information across organizational boundaries.
ONC is considering a series of prototypes and pilots to put some of our recommendations to the test. Two of these initiatives – the Query Health initiative and the Data Segmentation initiative – are slated to launch through the Standards and Interoperability (S&I) framework this fall. These initiatives have the potential to improve the quality, safety and coordination of health and health care. Information can be found on the S&I Framework wiki and will be updated frequently so check back often!
- Query Health initiative: The Query Health initiative aims to define and deliver the standards and services for distributed population health queries from certified electronic health records (EHRs) and community records originating in the routine course of patient care. As a result, requesters will be able to create and securely distribute queries to network data partners who subscribe to the published queries. Network data partners will execute the query against a standard clinical information model and securely return the results of the query to the requester. Standards will also include sustainability and extensibility for the clinical information model, as well as the terminology that enable the queries and results expression. Ultimately, this initiative will enable population analyses to inform both clinical and payment strategies for their health systems and practices, in alignment with the HITECH and Affordable Care Acts. Providers will be able to calculate quality measures for populations. From a HITECH perspective, Query Health will leverage the standards and policies that enable the Meaningful Use of patient care and health information exchange.
- Data Segmentation initiative: The ONC Offices of the Chief Privacy Officer and Standards and Interoperability are currently planning an initiative on data segmentation of sensitive information. This project aims to make progress on the persistent privacy issues raised in the PCAST report. The goal of this project is to enable the implementation and management of health information disclosure policies originating from a patient’s request, statutory and regulatory authority or organizational disclosure requirements. The project aims to examine and evaluate the standards needed for sharing individually identifiable health information (including standards recommended by the Health IT Standards Committee through the use of metadata tagging of privacy attributes in standard clinical and policy records and record segments). The initiative will develop use cases that define the current need for data protection services, such as a patient’s directive not to disclose substance abuse records in accordance with 42 CFR Part 2, and will then extend current standards-based software models to demonstrate interoperability. Testing will be based on a reference model aligned with a set of use cases and functional requirements developed by the S&I community.
Read more here:
Here is a press announcement of the plan.
HDM Breaking News, August 18, 2011
The Office of the National Coordinator for Health Information Technology this fall will launch two pilot projects covering the use of metadata to support the electronic exchange of health information.
The pilots follow ONC's publication of an advance notice of rulemaking on August 9 to lay out its initial thoughts and seek public comment prior to development of a proposed rule.
I have to say I do so much like the approach of actually getting out and funding proper pilot studies to prove up concepts and make sure they really work .
There is also some discussion of the topic here:
By Joseph Conn
The Office of the National Coordinator for Health Information Technology is asking as many questions as it is giving directives in its unusual “advance notice” of proposed rule making (PDF) regarding some of the recommendations for health information exchange issued late last year by a White House advisory panel.
The President's Council of Advisors on Science and Technology, or PCAST, told HHS to come up with a scheme to attach metadata tags to clinical information to facilitate search, research and privacy protection.
Regarding privacy, the ONC rule makers noted that some industry commenters “supported the concept of giving patients granular consent as envisioned in the PCAST report.” What the presidential advisers had in mind was attaching a patient's privacy preferences for individual data elements, say a positive lab result for HIV, or entire encounter records, such as treatment for drug or alcohol dependency. But the ONC also noted there has been industry pushback as well.
Along with this we also have the following issue being raised in the US.
For 15 years, the Health Insurance Portability and Accountability Act (HIPAA) has given patients a variety of privacy protections for personal health information obtained by medical providers. Unbeknownst to many, though, the same protections do not apply to records controlled by consumers. Privacy advocates say it’s time that stricter standards apply to those records — but efforts to do just that have gone nowhere in Washington, and Congressionally mandated recommendations on how to make it happen are already 18 months late.
The regulatory void amplifies the dangers that exist when people post their health information online — to social networking sites, discussion boards, mobile technologies and personal health record-keeping systems, privacy experts say.
HIPAA, the law that outlines how doctors, hospitals and insurance companies are supposed to handle patient health information, dates to 1996, but was amended most recently in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act portion of the president’s economic stimulus legislation. HITECH set aside $27 billion to encourage doctors and hospitals to convert paper records to digital form, and Congress amended HIPAA to provide additional protections, since so much more data was likely to be exchanged electronically.
But HIPAA doesn’t cover so-called personal health records, which are patient-managed medical records, and other related technologies, including mobile applications and social media, where people sometimes store or publish details about their health. Personal health records are typically provided for free online — by firms like Google Health, Microsoft HealthVault and Dossia — and include services that allow patients to record their health information, set health goals, list medications, communicate with doctors and track their progress. They also often provide access to medical search engines and discussion groups.
“There is a strange perception in the public that all health information is under HIPAA, but it’s not,” said Pam Dixon, executive director of the World Privacy Forum , a nonprofit public research interest group. “People are taken by surprise that there is no legal regulation.”
Depending on company privacy policies, health records outside of HIPAA’s purview can be bought and sold, shared with merchants and even disclosed to employers, according to the World Privacy Forum . Privacy policies and consent forms have become so complex and ubiquitous that privacy advocates fear consumers are not adequately reviewing them.
“If consents are made too complex, many will click ‘Yes.’ They've simply become so overwhelmed by lengthy online notices. Yet the risks of medical data disclosures exceed those of financial breaches, and the damage may simply be irreparable,” said William Pewen, former senior health policy adviser to Sen. Olympia J. Snowe, R-Maine, who helped draft the HIPAA legislation.
“Too few realize that social networking sites can utilize such information for commercial purposes, or that some disease-related sites have ties to drug manufacturers who might exploit the medical data one shares.”
There is a lot more here:
And for good measure we also had this appear.
The Atlanta Journal-Constitution
4:56 a.m. Tuesday, August 16, 2011
Taking control of your health -- from organizing medical records and lab results following doctor visits to logging efforts for dropping those few extra pounds -- one day might be as easy and intuitive as online banking.
A groundbreaking project in northwest Georgia soon will encourage consumers to play a bigger role in their health care by creating electronic personal health records, uploading medical information and images into one easy-to-access location a button click away.
Earlier this year, the Georgia Cancer Coalition and state Department of Community Health received a $1.7 million federal grant – one of 10 awarded nationwide – to create a patient-focused health information exchange in the Rome area.
While states have developed ways for hospitals, doctors and other providers to electronically share information, the Georgia effort to create a more consumer-focused system could result in a national trend, said Farzad Mostashari, National Coordinator for Health Information Technology.
“Implementing technology can be difficult,” Mostashari said. “It’s changing not only the tools you use but more fundamentally the way we take care of patients.”
Still in the beginning stages, Georgia organizers are exploring technology options but haven't established yet exactly how the electronic system will work or what features it will include. The possibilities, however, are abundant.
Patients could send secure emails with questions to doctors or nurses. Mothers could use their personal health records to store their children’s immunization records. Diabetics could record daily blood sugar readings for doctors to examine.
People would be able to choose who gets access to the information, from family members to emergency room doctors. Privacy protections will be of the utmost concern.
The exchange initially will be available to cancer patients with complex diagnoses and treatments, people who now must navigate a dizzying array of specialist visits , lab tests, chemotherapy sessions and medications. The coalition will work with three medical providers, Harbin Clinic, Floyd Medical Center and Redmond Regional Medical Center.
The big picture here to me is that we are still learning just how we can address patient privacy concerns with respect to ‘hidden’ information flows while at the same time also not really being sure just what model of Personal Health Record (PHR) will most assist patients best involve themselves in their care.
The issues are linked as choosing to have a PHR will be in part modified by how confident a patient is that their privacy will be properly protected and that, where reasonable, they will have control as to who has access to their information.
There is also a need to balance the importance of clinical information flows against the need for patient control of their own information. I have to say that ‘common sense’ and application of professional ethics should ensure things work reasonably.
Difficult stuff, and I am not sure it will ever be possible to make everybody happy!