Health privacy regs, metadata fuel heated debate

A heated panel discussion about patient data and privacy regulation was one of the highlights at the Second International Summit on the Future of Health Privacy in Washington, D.C., this week. Health law attorney James Pyles, who has worked on privacy measures both for HIPAA and the HITECH Act, argued that current legislation doesn't go far enough to protect patients, especially given the advances in technology over the last decade and a half.

"We now have electronic disclosures of patient privacy that are entirely different from disclosures of paper records," Pyles said. "You can get a paper record back; you cannot get an electronic record back. You can disclose millions of electronic records simultaneously; you cannot do that with paper records."

Pyles added that health information technology is a legal "game changer."

"The damage that can be done to someone is perpetual," he said. "And the damages that can be awarded are incalculable."

Pyles' sentiments echoed earlier statements by fellow panelist Joy Pritts, chief privacy officer for the Office of the National Coordinator for Health IT, that technology has moved a lot faster than the law. Pritts, however, also argued that HIPAA has its strengths in that it allows states to decide if they want to extend enforcement of privacy regulations beyond the floor set by the federal regulation.

"In some states, there are very strict standards on how [health information] can be shared," Pritts said. "In other states, they didn't see a need to do that because they thought patients were comfortable getting care and sharing that information for certain purposes without having to expressly write it down on a piece of paper."

Frank Pasquale, a healthcare regulation and enforcement professor at Seton Hall University, described the use of metadata as having the potential to give patients more control over the privacy of their records. "We've got to create new modes, enable modes of granular control over the data in order to make people feel safe. Otherwise, we're never going to have the type of benefits we can get from big data analysis, from observational research."

Pritts, however, said that, for now at least, metadata is off the table for electronic health records, citing a recommendation made last fall to the U.S. Department of Health & Human Services by the National Committee on Vital and Health Statistics. The committee said that a better understanding of the maturity level of such standards is needed before they can be adopted.

During the summit's opening keynote, National Coordinator for Health IT Farzad Mostashari said he expects the final omnibus HIPAA rule to be out by the end of the summer.