It seems you can’t pick up a newspaper these days without seeing a headline concerning the privacy of health records.
In March, UCLA Medical Center was forced to take disciplinary action against more than a dozen employees for snooping in the electronic health records (EHRs) of pop star Britney Spears. Also in March, legislators in New Hampshire voted down a bill that would have added privacy restrictions and audit trails for EHRs. Other states, such as Nevada, have amended privacy laws to allow patients to opt out of health information exchanges (HIEs), and a bill introduced in Congress (H.R. 5442) proposes to do much the same thing.
Meanwhile, groups funded by grants from the federal Office of the National Coordinator for Health IT (ONCHIT) are seeking to facilitate national standards on privacy and security agreements for HIEs.
“Patient control and patient consent are front and center in the debate now,” says Steve Gravely, a partner in the Richmond, Va., office of law firm Troutman Sanders and co-chair of the Data Use and Reciprocal Support Agreement Workgroup recently established by ONCHIT. “No one has the answer, but at least positions are being made clear and people can argue them.”
One person who thinks she has part of the answer is Deborah Peel, M.D., founder of an Austin, Texas-based watchdog group, Patient Privacy Rights. She has created an offshoot called Privacy Rights Certified, which plans to begin certifying both personal health record (PHR) and EHR software based on privacy and security policies and features. She says several vendors have expressed interest in taking part in the certification process, including Microsoft’s HealthVault PHR platform and the EHR of e-MDs Inc. (Austin, Texas).
The new organization is necessary, Peel says, “because there is so much theft and misuse of health data that current certification organizations don’t address.”
Her group wants software vendors to attest that individuals have the right to control their health information and give informed consent about how it is used. “The system must have an opt-in capability, and a way for people to segment sensitive information, if they choose to,” she says. There also must be a full audit trail to trace how the personal data has flowed, and a policy about reporting any data breaches to the patient.
Many groups have expressed concern about the privacy policies of personal health records as Internet-based businesses not covered by HIPAA begin offering consumers online homes for their health information.
Consumers generally have the impression that their medical records are protected by HIPAA, but these PHRs are not covered by HIPAA, says Robert Gellman, a Washington, D.C.-based privacy and information policy consultant who recently authored a report on PHRs for the World Privacy Forum. There are no privacy standards for them, he says. “Some might say they are HIPAA-compliant, but that is a misleading claim,” he says. “That means nothing.”
Doctors have medical, ethical and legal obligations to protect records and not sell them to marketers, Gellman points out. PHR vendors are under no such obligation. “(If public) their obligation is to shareholders,” he says. “If they are not making money, they will try to find a way. I fear when there’s a shakeout in that market, it will be a race to the bottom.”
Mark Leavitt, M.D., chair of the Certification Commission for Healthcare Information Technology, says consumers may indeed be confused about privacy protections regarding PHRs, and at the request of the American Health Information Community, his organization will begin the process of certifying PHRs this year.
But Leavitt is not thrilled about the idea of a separate group setting up just to certify privacy. “I would not favor multiple groups with single-sided views certifying products,” Leavitt says. “It could cause deadlocks, not solutions.”
He stresses that certifying the privacy policies of EHR products doesn’t make sense. “Those are policy and regulatory issues of whether providers and others can use medical data for things other than direct care,” he says.
But Peel claims that EHR vendors today can set up and run hospital systems and systematically sell their patients’ data. “This is the big unknown that so far most people are unaware of and is putting their privacy at risk,” Peel says.
Perlegen Sciences Inc. (Mountain View, Calif.) illustrates the kind of arrangement that concerns Peel. The company announced it would obtain data on approximately 4 million patients from an unnamed EHR vendor to identify and develop genetic markers that help predict how patients are likely to respond to specific medical treatments. It says it would then seek to obtain DNA from these patients in a HIPAA-compliant manner, to help physicians in situations where genetically based predictions about treatment response could improve care. Although Perlegen notes that it will never have access to specific patient identities, groups like Peel’s want patients to have the ability to opt out of such data mining operations.