Wednesday, January 28, 2009

Groups push for health IT privacy safeguards

When the subject of digitizing medical records comes up - and there are privacy advocates in the vicinity - you're in for a complex discussion with few easy answers. Where there's no debate is whether transitioning to digitized records will help save money and improve health care...this is a certainty.

What remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing all of our most personal medical records poses to our privacy. The fact is there are benefits and pitfalls to such a plan. And being that this digital transition is a key component to both President Obama's health plan AND his economic stimulus package, this debate has just been pushed to the forefront of the ongoing privacy debate.

The places I go to get all the facts I could ever need on this subject, and numerous others related to privacy protection are The Privacy Rights Clearinghouse and the World Privacy Forum.

The Privacy Rights Clearinghouse nails the current challenge and debate:

Certainly, access to electronic records would have greatly assisted emergency health teams in the aftermath of Hurricane Katrina in August 2005. And most individuals can easily envision the benefits to hospital emergency rooms when assisting unconscious patients. But the challenges regarding security and confidentiality are profound.


These types of aggregated electronic health records pose a number of concerns:

The custodian of the records may not necessarily be a "covered entity" under the HIPAA privacy rule. HIPAA only applies to health care providers, health plans, and health care clearinghouses. Therefore, it is possible that consumers may not have any privacy rights under the HIPAA law if they utilize a service that electronically aggregates medical records.

The Web site operator could become subject to judicial process and can be served with a subpoena for your personal medical records. This greatly facilitates the ability of both government entities and civil litigants to go on fishing expeditions for your medical records.

The Web site's privacy policy can be changed at any time. This could, for example, subject consumers to targeted advertising based upon their medical conditions.

And in testimony to Congress, Pam Dixon of the World Privacy Forum brought up the growing problem of Medical Identity theft that any Health IT plan must adequately protect against:

And a final note: it is important to take the growing crime of medical identity theft into account. This is a crime where an identity thief may intentionally alter or inadvertently cause to be altered a victim’s medical file so that the file reflects diseases or a medical history that the victim does not have. It is nightmarish that a patient’s medical chart may include information about someone who has stolen the patient’s identity for the purposes of using the victim’s insurance or for dodging medical bills. However, this crime is already occurring and the accuracy of patient medical files is already being impacted. Medical identity theft is an unfortunate reality that must be dealt with sooner rather than later. A better and broader amendment rule will serve to protect privacy and reduce medical errors in this context, one that is in sore need of being addressed.

Pam also notes the inevitability of such a transition...making the need to protect patient privacy that much more paramount:

It is perfectly apparent that health care record keeping will be increasingly automated and networked in the future. This prospect, especially increased networking, means that the risks of improper access to and disclosure of records will increase in the future. If we are to find a way to continue to protect patients, then we must find a way to control improper uses and disclosures. Accounting is one way to accomplish that goal.

Click here to read her remarks in their entirety.

So everyone should prepare to hear a lot more about this issue as this massive economic stimulus bill works its way through Congress. Although lawmakers are close to pulling the trigger. ensuring the privacy of patients' electronic health records (EHR) remains a top concern.

Sen. Jim Whitehouse, a Rhode Island Democrat who chaired a hearing this morning examining the appropriate safeguards government should insist on before it doles out billions of dollars to help providers computerize patients' records, may have hit the nail on the head: "I very firmly believe that the Achilles heel of health IT is privacy."

Now that I've given a quick background with some important details to keep in mind, let's go to today's article in Computerworld on this very debate, taking place as we speak in Congress.

Grant Gross reports:

Health IT improvements are needed to improve the quality and efficiency of health care in the U.S., but patients might be wary of electronic health records without strong privacy safeguards built in, Sen. Patrick Leahy (D-Vt.) said.

"If you don't have adequate safeguards to protect privacy, many Americans aren't going to seek medical treatment," Leahy said. "Health care providers who think there's a privacy risk ... are going to see that as inconsistent with their professional obligations, and they won't want to participate."


The bill includes several privacy provisions. It extends privacy requirements to business associates of health care providers, and it requires the U.S. Department of Health and Human Services to put out annual guidance on the most effective privacy safeguards. The bill also requires health care providers to notify customers of any security breaches.


At this morning's hearing, members of the Senate Judiciary Committee heard testimony from witnesses representing private industry, government, the medical community and the public-interest sector. Almost in chorus, they championed health IT, but warned that without adequate privacy safeguards, patients would opt out of electronic record-keeping and providers would be reluctant to share their data.


Then others, while reaffirming their general commitment to health IT, said that the bill's privacy protections are too vague. They asked the senators to add details laying out a tiered system for who could access what sort of information to fit into a more comprehensive privacy framework -- just the sort of delay Microsoft's Stokes spoke against.


Lawmakers need to balance privacy with the benefits that health IT can provide, said David Merritt, project director at the Center for Health Transformation and the Gingrich Group. "Privacy cannot be compromised, but neither can we compromise progress in pulling our health care system out of the technological Stone Age," Merritt said. "We need to find the right balance between privacy at all costs and progress at any cost."

Click here to read more.

No comments: