Health privacy issues can be resolved without obstructing care


At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015--enough to cover the majority of the uninsured. Sure, there are plenty of security breaches--some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there's no reason to store any personal health information on end-user devices.

As for hacking, the Eastern European thieves who are suspected of hacking into Utah's Medicaid system recently were not after the details of Aunt Tilly's hip operation; they wanted her Social Security number. The only cure for that--regardless of how much is spent on security--is to replace the "social" with a national patient identifier. Unfortunately, that's still the impossible dream, ironically because of privacy concerns.

Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.

study recently published in Health Affairs documents the extent to which five California healthcare organizations follow principles for protection of patient information that were developed by consumer groups and other stakeholders. Although the healthcare providers took privacy and security seriously, the report said, "none of the organizations did much to educate consumers about the data available about them or to enable them to control their data."

The organizations were not transparent about providers' use of patient data, the study noted. They maintained audit trails, for instance, but didn't tell patients about them. And, while they had patients sign HIPAA privacy notices, they didn't inform them that their data from various providers would be collected and aggregated.

"What's important is that people understand how their data are being used," Robert Miller, the study's lead author and a professor of health economics at the University of California San Francisco, said in an interview with FierceHealthIT. "It's like an informed consent. People need to better understand why it's important for their data to be available to a wide range of people who participate in their care. At the same time, they need to see that this is how their data are being used and not used."

The tricky part is ensuring that patients have some control of their personal health information without making it too difficult for providers to exchange data with each other. The big question is whether patients should have to opt in or opt out of consent to have their data exchanged. In California, Consumers Union senior attorney Mark Savage told FierceHealthIT, the solution has been "to limit the use of HIE to treatment by trusted doctors, with strong security protocols. In that context, opt-out has been an OK solution for us, because the structure built around the consent mechanism is strong enough to protect consumer privacy."

The "Tiger Team" that advises the Office of the National Coordinator for Health IT (ONC) on security matters recently proposed several principles for HIE. These include patient access to their aggregated records, a mechanism to correct inaccurate information, the opportunity to make "informed decisions" about how their data is collected, used and disclosed, security to prevent unauthorized disclosures, and accountability of providers for complying with these requirements.

All of this seems reasonable, but as always, the devil is in the details. If "informed consent" becomes too onerous, health information exchange, too, will remain an impossible dream. - Ken