The other shoe has dropped.
Last week, the American Civil Liberties Union sued a state-sanctioned health information exchange in Rhode Island, saying that the pre-operational exchange doesn't have adequate protections for patient privacy. Rules developed by the Rhode Island Department of Health to govern the HIE, called Currentcare, require patients to opt in to the system and control who can access their medical records, but does not allow them to wall off certain data elements, including sensitive information about substance abuse, mental health or HIV status.
The lawsuit, filed June 29 in state court, alleges that the DOH violated the Rhode Island regulatory process by failing to spell out exactly how data sharing will work. "In light of the important privacy and confidentiality issues raised by an EHR system, the legislature clearly envisioned the adoption of detailed regulations through a transparent process of public input," ACLU volunteer attorney Frederic Marzilli told CMIO magazine. "This lawsuit simply seeks to carry out that intent."
The ACLU has been pushing for tight privacy protections on the Rhode Island HIE for some time. "Last year, when the R.I. DOH proposed regulations to implement [a 2008 state law that established Currentcare], the ACLU objected that the proposed regulations 'provided virtually no details as to how the system would actually work, and how it would protect the privacy, confidentiality and informed consent interests of patients,'" Providence-based CMIO reports.
It's possible the ACLU has an axe to grind here. That organization has ground many axes over the years. But the lawsuit illustrates that HIEs, or anyone else charged with handling electronic health data, can't take the issue of privacy lightly. (I'm looking at you, CMS. You're going to have the regulations for meaningful use out next week, and don't think the ACLU or some other privacy or consumer watchdog won't have a team of lawyers combing over every word.)
Rhode Island is a small state. Consider this a relatively inexpensive lesson. If you want to earn the public's trust in the nationwide push to digitize medical records, you must safeguard privacy. Otherwise, the whole effort is going to fail. - Neil