It seems you can't pick up a newspaper these days without seeing a headline concerning the privacy of health records.
In March, UCLA Medical Center was forced to take disciplinary action against more than a dozen employees for snooping in the electronic medical records (EMRs) of pop star Britney Spears. Also in March, legislators in New Hampshire voted down a bill that would have added privacy restrictions and audit trails for EMRs. Other states, such as Nevada, have amended privacy laws to allow patients to opt out of health information exchanges (HIEs), and a bill introduced in Congress (H.R. 5442) proposes to do much the same thing.
Meanwhile, groups funded by grants from the federal Office of the National Coordinator for Health IT (ONCHIT) are seeking to facilitate national standards on privacy and security agreements for HIEs.
“Patient control and patient consent are front and center in the debate now,” says Steve Gravely, a partner in the Richmond, Va., office of law firm Troutman Sanders and co-chair of the Data Use and Reciprocal Support Agreement Workgroup recently established by ONCHIT. “No one has the answer, but at least positions are being made clear and people can argue them.”
One person who thinks she has part of the answer is Deborah Peel, M.D., founder of an Austin, Texas-based watchdog group, Patient Privacy Rights. Peel has created an offshoot called Privacy Rights Certified, which plans to begin certifying both personal health record (PHR) and EHR software based on privacy and security policies and features. She says several vendors have expressed interest in taking part in the certification process, including Microsoft's HealthVault PHR platform and the EMR of e-MDs Inc. (Austin, Texas).
The new organization is necessary, Peel says, “Because there is so much theft and misuse of health data that current certification organizations don't address.”
Her group wants software vendors to attest that individuals have the right to control their health information and give informed consent about how it is used. “The system must have an opt-in capability and a way for people to segment sensitive information, if they choose to,” she says. There also must be a full audit trail to trace how the personal data has flowed, and a policy about reporting any data breaches to the patient.
Many groups have expressed concern about the privacy policies of personal health records as Internet-based businesses not covered by HIPAA begin offering consumers online homes for their health information.
Consumers generally have the impression that their medical records are protected by HIPAA, but these PHRs are not, says Robert Gellman, a Washington, D.C.-based privacy and information policy consultant who recently authored a report on PHRs for the World Privacy Forum. According to Gellman, there are no privacy standards for them. “Some might say they are HIPAA-compliant, but that is a misleading claim,” he says. “That means nothing.”
Doctors have medical, ethical and legal obligations to protect records and not sell them to marketers, Gellman points out. PHR vendors are under no such obligation. “(If public), their obligation is to shareholders,” he says. “If they are not making money, they will try to find a way. I fear when there's a shakeout in that market, it will be a race to the bottom.”
Mark Leavitt, M.D., chair of the Certification Commission for Healthcare Information Technology, says consumers may indeed be confused about privacy protections regarding PHRs and, at the request of the American Health Information Community, his organization will begin the process of certifying PHRs this year.
But Leavitt is not thrilled about the idea of a separate group setting up just to certify privacy. “I would not favor multiple groups with single-sided views certifying products,” Leavitt says. “It could cause deadlocks, not solutions.”
Leavitt stresses that certifying the privacy policies of EMR products doesn't make sense. “Those are policy and regulatory issues of whether providers and others can use medical data for things other than direct care,” he says.
But Peel claims that EMR vendors today can set up and run hospital systems and systematically sell their patients' data. “This is the big unknown that so far most people are unaware of and is putting their privacy at risk,” Peel says.
An example of what Peel is concerned about is illustrated by Perlegen Sciences Inc. (Mountain View, Calif.), which announced it would get data on approximately 4 million patients from an unnamed EMR vendor to identify and develop genetic markers to help predict how patients are likely to respond to specific medical treatments. The company says it would then seek to obtain DNA from these patients in a HIPAA-compliant manner to help physicians address situations in which genetically based predictions about treatment response could improve care. Although Perlegen notes that it will never have access to specific patient identities, groups like Peel's would like patients to have the ability to opt out of such data mining operations.
Attorney Gravely says traditional roles concerning access and control of data may get blurred if a vendor is involved in setting up an HIE and hosting servers where data is exchanged, but he adds that it is up to entities covered by HIPAA to write agreements making clear the limitations on what vendors can do with the data.
Gravely adds that as their organizations move toward participation in HIEs, CIOs should do internal assessments of policies, procedures and protocols regarding controlling data. “It is an opportunity to re-analyze the strengths and weaknesses of their own internal operations,” he says. “It's best to get your own house in order before embarking on something like this.”
Joy Pritts, research associate professor in the Health Policy Institute at Georgetown University in Washington, says United States policymakers should study developments in Canada and Europe, which have worked through many of the privacy issues the United States is just starting to grapple with. “The broad lesson we can learn from looking at these other countries is that some degree of control by patients is possible,” she says. “We often hear from the health community here that they can't do it, or it's too complicated or the technology doesn't exist. But they have already been doing it in some countries, such as Canada, for a number of years.”
Besides, Pritts says, HIEs must come to terms with the patchwork of existing state laws on sharing mental health or AIDS-related information. “They will either have to exclude all sensitive data,” she says, “or give patients the control over releasing that information.”
As to certifying products based on privacy policies, Peel believes public support is building. “Just like you see corporations trying to prove how green they are now, it's going to be the same with privacy,” she states. “They'll all be trying to prove that they can do a better job of taking care of the privacy of your data. It's the wave of the future.”
Others believe that the emphasis on privacy comes at a cost.
CCHIT's Leavitt has his own concerns. “Many privacy concerns are valid, but they can be used as hot-button issues to stop health IT in its tracks,” he says. “We need advocates and we need neutral groups to assess products, but the two don't mix very well.”