Export Compliance Daily is a service of Warren Communications News.

Record Banks, Privacy Certification Promoted for Health Records

The only way to calm the privacy worries of patients about their health information in an electronic environment is to ensure that they control the data, William Yasnoff, managing partner of NHII Advisors, said on a panel at the eHealth Initiative conference. Yasnoff co-presented with Katherine Ball, director of health sciences informatics at Johns Hopkins University. Yasnoff is the CEO and Ball the director of informatics of Patient Privacy Certified.

Yasnoff supports a repository system for electronic health information, rather than the “scattered” model proposed by the Nationwide Health Information Network. In the repository model, nonprofit, community-based health record banks would accept “deposits” of health records by patients. The consumer would authorize which doctors would have access, and after each visit to a health care provider, the record would be updated. Consumers could control the level of access to information so a podiatrist wouldn’t have access to psychiatric records, for example, or so unspecified emergency room doctors would have access as needed. There would be records of all doctors who gained access to the information, he said, adding accountability.

The health-record bank model solves several problems, Yasnoff said. It would be inexpensive: One estimate is $8 a person yearly. It would keep all the data securely in one place. It would promote participation: Otherwise reluctant institutions would have to turn over patient records, because the bank would be making the request on behalf of patients, who are entitled to copies of their records. The banks could even offer a financial incentive to doctors when they update records, he said. A health-record bank system is being piloted in Washington state, he said.

The scattered model simply isn’t realistic, Yasnoff said after the panel. “The problem with the NHIN as it’s envisioned -- and it’s not really clearly envisioned either -- but the problem is, people have not carefully thought through the requirements,” he said. The NHIN has been described as a network of networks. Yasnoff said it doesn’t make sense to send out electronic queries for information to all providers a person has visited: It makes more sense to keep the information in one place. Under the scattered model, if someone visited an emergency room on the other side of the country, the facility from that point on would have to forward information about the visit in response to requests. The hospital doesn’t want to spend the computing power to do that, he said. It’s more practical for the emergency room to forward the information once, to a health record bank, so the patient has the information as part of a complete health record and the hospital doesn’t have to bother with it again, he said.

Neither Congress nor the Department of Health and Human Services has a definition of privacy, Ball said. Further, the Health Insurance Portability and Accountability Act doesn’t protect privacy as is often assumed, she said. HIPAA includes exceptions for the release of information for treatment, payment and operations purposes, and there’s no notification, review or disclosure requirement surrounding that information-sharing exception, she said. The Electronic Communications Privacy Act actually protects electronic health records better than HIPAA, she said.

Entities that have electronic health records should undergo privacy certification in the same way a company would get financially audited, Ball and Yasnoff said. Their organization, Patient Privacy Certified, is already doing certifications, Yasnoff said. An audience member wondered if calling for privacy certifications doesn’t duplicate the work of the Certification Commission for Healthcare Information Technology. Yasnoff said the groups have a different emphasis. CCHIT concentrated at first on functional certificates, he said. “The fact that the system can do something is not as important as whether you're actually doing it,” he said. Ball said their group looks at privacy policies and practices on the ground. There’s no need for limits on the number of groups performing certifications, Yasnoff said, just as companies can get audited by any number of auditing firms.

Ball and Ritu Agarwal, director of the Center for Health Information and Decision Systems at the University of Maryland, cited surveys showing concern among the public about the privacy of health information. In 1995, Agarwal said, 20 percent of the public could be described as “privacy unconcerned” and 25 percent as “privacy fundamentalists,” people who feel they've lost a lot of their privacy and want to hold on to what remains. By 2001, she said, only 8 percent could be described as privacy unconcerned and the ranks of the privacy fundamentalists had grown to 34 percent of the population. One of the reactions to privacy concerns is to hide information. Ball said that in 2006, 13 percent of people said they hid information because of privacy concerns. In 2007 the figure grew to 17 percent. Those percentages are important, Yasnoff said after the discussion, because a minority of the population can stop projects, like the NHIN, that it doesn’t like or trust. The repository model gives them control of their information, he said. It could still be used for research and public health programs, he said, as long as patients gave permission. Research shows that, if asked properly, most people are willing to allow use of their data for altruistic purposes, he said.

Agarwal also shared preliminary data from a survey she conducted to get more details about privacy concerns. “What we do lack … is a deep and granular understanding of what health information privacy concerns really mean to the general public,” she said. The survey showed people are most protective of mental health information and more willing to share their information with hospitals than the government or pharmaceutical companies, she said. But the desire to get better overwhelms other considerations, which raises an ethical question about when people should be asked for consent, she said. -- Leslie Cantu

eHealth Initiative Conference Notebook

There are two facets of health IT adoption, said Robert Kolodner, national coordinator for health IT at the Department of Health and Human Services. One is adoption of the technology by providers, and the other is adoption of standards. Standards have been developed in the last several years, he said, but they aren’t yet used extensively in products on the market. Vendors need to know there’s a market and need to use those standards in their products, he said. Adoption by providers differs by type of practice, said Kolodner, with large practices at 50 percent adoption and small practices, of four or fewer doctors, at 9 percent. He said it’s critical to figure out how to get to a point where Americans’ health records are connected in the same way the highway and road system connects the nation. The self-sufficiency of regional health information exchange organizations, once viewed as the vehicle for health IT adoption, must be addressed, particularly when adoption is still low and there still isn’t capacity to share information as envisioned.

----

Privacy and security in health IT should be thought of as a process, not a product, said Carol Diamond, managing director of the health program at the Markle Foundation. That’s because technology continues to evolve and how that technology is used changes, she said. Nor should privacy and security be thought of as something that can be taken care of with a one-size-fits-all policy, she said. “If I've learned anything in the last five years… it is that the most common mistake in privacy and security is to search for yet another magic bullet.” A policy for personal health records won’t necessarily work as a policy for surveillance of drugs after they're sold, for example. However, all the policies can apply the same fair-information principles, including transparency, data quality lifeguards, limitation of data collection and accountability. The foundation regularly surveys people about aspects of health IT, and people consistently say they're concerned about privacy, said Diamond, even though the majority can also envision benefits. In the most recent survey, almost half of respondents said they weren’t interested in electronic personal health records. Of those who weren’t interested, 57 percent said it was because they worried about privacy. The foundation released a model policy for personal health records in June, endorsed by 31 organizations ranging from Google to the U.S. Department of Veterans Affairs. Diamond said the experience of working with groups with widely divergent views and coming up with a policy they could agree upon showed that the privacy and security issue is soluble. She also said people must get away from arguing over single aspects of privacy and security, like consent or network security. “I think in many ways what the right policy at the right time can do is give people confidence to innovate,” she said, and help accelerate the adoption of health IT.