Consumers want the benefits of health information exchange, but they also wish to be assured that their personal health information (PHI) will remain private and secure, notes a new issue brief by Consumers Union and the Center for Democracy and Technology (CDT). The report, which was sponsored by the California Healthcare Foundation, recommends several ways to strike an appropriate balance between these objectives and also calls for stricter laws to protect PHI in health information exchanges (HIEs).
The brief suggests that the accountability provisions of federal and state privacy laws be strengthened. In addition, laws that protect electronic health information should be "reassessed" in light of new security challenges and countermeasures such as encryption. And there should be penalties for re-identification of de-identified patient data, the report argues.
In 2010, the brief points out, 16 California consumer, patient and civil rights organizations came together to discuss how PHI could be safeguarded in HIEs. Consumers Union and CDT would like to see widespread adoption of the nine "fair information practices" this group proposed. Among other things, these principles would limit the collection of PHI, require an explanation for the data aggregation, require individual control over the data, and mandate that all "data stewards" be open and transparent about their policies.
A study published in Health Affairs looked at how well several major California healthcare organizations followed these practices in their HIEs. The study found that the provider groups had done little to educate patients about the data available to them or to enable them to control their own data. Moreover, the organizations were not transparent about providers' use of personal health information.
Meanwhile, the "Tiger Team" that advises the Office of the National Coordinator of Health IT (ONC) on security issues recently made several recommendations to tighten security in HIEs. The Tiger Team, chaired by Deven McGraw, director of the Privacy Project at CDT, suggested that patients be given access to their aggregated records, a mechanism to correct inaccurate information, and the opportunity to make "informed decisions" about how their data is collected, used and disclosed.