Health Information Exchange and Privacy
Download
Report
Transcript Health Information Exchange and Privacy
Protecting Patient Privacy
in the Era of Health
Information Exchange
Corinne A. Carey
Senior Public Policy Counsel
New York Civil Liberties Union
ACLU CLE
July 28, 2010
What this CLE will cover
The basics
What is health information exchange (HIE)?
What are EHRs? What are PHRs?
How does HIE work?
Genesis of interoperable health information exchange
Privacy in the pre- and post-HIE world
How do patients interact with HIEs?
Why should we be concerned about protecting
privacy in HIE?
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
2
The Basics
What is Health Information Exchange (HIE)?
What is an Electronic Health Record (EHR)?
What is a Personal Health Record (PHR)?
How is health information linked?
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
3
What is Health Information
Exchange (HIE)?
Individual electronic records (EHRs) linked via
electronic network
Internal computer networks
Internet
Some parallel (private or public) structure
Into a network accessed by providers who may be
Unaffiliated
separated by geographic distance or by time
maybe otherwise unaware that they have or have had
a patient in common
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
4
What is an Electronic Health
Record (EHR)?
computerized equivalent of patient’s existing medical
records
created by provider or facility for use by medical staff
content controlled by health care provider, property of
the health care provider
can be siloed in one office or shared electronically
between providers (“networked”)
standards for patient protections and rights of access
are (or should be) similar to paper records
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
5
What is a Personal Health
Record (PHR)?
AKA “Facebook for medical information”
E.g., Google Health/Microsoft Health Vault
created by patient for use by patient, potentially accessed by
health care provider
standards for patient protections/access/control are complicated
currently NOT protected by HIPAA/state Law
currently regulated by FTC; potentially regulated by HHS
owned by vendor (legal rights are unclear) patient rights are
largely be subject to contract w/vendor
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
6
How does an HIE link files?
Infinite number of configurations
Most are variations on these three general models:
Centralized Data Bank
Virtual Health Record (VHR) Approach
Health Record Bank/PHR Approach
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
7
Centralized Data Bank
Patient A’s whole file from Dr. B, her internist, is
uploaded to a central server combined with her files
from
Dr. C (gynecologist), Dr. D (dermatologist), and Dr. E
(her allergist)
Lab results; radiology reports; etc.
ER/hospital inpatient files
In an actual physical file
accessible by all participating providers for whom she
has given consent.
Patient data can be “pushed” to providers (e.g., lab
tests automatically forwarded) or “pulled” by providers.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
8
Virtual Health Record (VHR) Approach
Patient X’s EHR remains in his provider’s office.
Central server contains only identifying demographic information not actual
patient medical information
Dr. B wants to access Patient X’s records from his visit to Dr. D:
she sends a query to the central server
which pulls in the information from all the other providers he has seen, and
assembles it in a temporary virtual health record,
which is then downloaded by Dr. B and incorporated into Dr. B’s files
permanently - each provider with access creates an integrated complete medical
record for patient.
Central registry maintains a record of the request and of what information was
included in the VHR, but not the actual information.
No central database at risk of direct security breach; data remains property of
providers.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
9
Health Record Bank (PHR) Approach
System based on personal health records.
Patient Y sets up an HRB account which is under her control.
Drs. B, C & D all “push” information to the account or information is
pulled by the account
Patient can add information to the account
Patient controls which doctors have access to the file and potentially
granularity of information to which they have access.
Pilot program in Washington State
RED FLAG: reliance on software vendors who are not “covered
providers” (not “HIPAA-covered”) vendor potentially owns, controls
information, privacy controls (including access to information by
marketers) held by vendor like other websites (see issues with
Facebook privacy controls)
unclear whether MDs will accept information in patient-controlled PHRs
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
10
Genesis of interoperable health
information exchange
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
11
How did this all start?
Interest in this for many years
Intra- has existed for a long time
Kaiser health systems
Large Hospital Systems
Inter- is relatively new
NIH pilot project in 1994 (Regenstreif)
affiliated with Indiana University
developed informatics that connected all hospitals
in the area
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
12
Bush Era
Big push for development of interoperable health
information exchange
Objectives
Increased efficiency
Cost savings
Improved patient care
Free market orientation
Policy intended to remove obstacles to private
adoption of EHR/HIE
Privacy (and liability for privacy protection) seen as
an obstacle
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
13
Bush Years
Executive Order 13335, issued April 27, 2004
goal of widespread adoption of interoperable EHRS by 2014
established the HHS ONC - Office of the National
Coordinator for Health Information Technology
Objectives
strategic plan to guide nationwide implementation of
interoperable HIT in both public and private sectors;
Coordinate federal HIT policy/programs & executive branch
agencies;
conduit for grants for state HIE projects via HISPC (Health
Information Security & Privacy Collaboration)
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
14
Obama Administration:
New Funding, New Laws, New Policies
No radical reorganization of free-market structure
Starts with individual doctors offices
American Reinvestment and Recovery Act (ARRA)
2009 and post-ARRA
Advocates forced the Obama Administration to
confront need for consistency and consumer
protection
Big step in the right direction
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
15
Obama Administration
Feb 2009: ARRA/HITECH (Health Information
Technology for Economic and Clinical Health)
Direct funding for HIT projects
Incentives via Medicaid and Medicare to
encourage adoption and “meaningful use” of
EHRs
Funding for state-level HIE activities, development
of national standards, education and
dissemination of best practices
Important privacy changes
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
16
Post-ARRA
Health Information Technology is a rapidly developing
field
Administration has tapped into growing field of
experts from many domains: advocacy, think-tank,
tech/med professional, and academic worlds
Rethinking of level of need for privacy protection
Regulations, white papers, recommendations being
developed almost daily
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
17
Transformation of ONC
ONC approach to privacy draws on the key
advocates for patient privacy/control rights
Chief Privacy Officer: Joy Pritts, Georgetown Univ.,
O’Neill Inst. for National and Global Health Law
academic focus is privacy of health information and
patient access to medical records
Co-Chair, Privacy & Security Workgroup: Deven
McGraw, Center for Democracy & Technology
Key author on privacy and consent issues in HIT
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
18
Transformation of ONC
ONC is currently revisiting basic policy on consumer
consent, privacy, enforcement of HIPAA/HITECH
protections, PHRs and privacy issues (also under
consideration at FTC)
Discussion underway re: structure of NHIN - network
of SHINs or direct linkage of EHRs nationally (NHIN
Direct, now under development)
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
19
What’s happening in the states?
States in different stages of development &
implementation
Some programs are already underway, policy is either
not been developed or developed in various ways with
varying degrees of consumer input
In places furthest along, policies are the most
entrenched, either by design by default (lack of policy
*is* policy)
So many models, we can’t address all, we’ll talk about
general themes, and use NY as a reference point
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
20
What is the federal government’s
role in shaping HIE?
No legal requirement for what model will look like in states (e.g.,
no req’t that states set up policy boards, or adopt state
regulation)
To-date, limited requirements for technological capability to
ensure granular control of data
No requirement that it be state-run, or privately-run
And it appears that there are no requirements regarding patient
consent to participate
Incentive-based system
Theory: Encourage many different models to see which will be
the best. “Let 1000 flowers bloom” (or, as some say, “Let 1000
weeds fester.”)
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
21
Privacy in the Pre- and Post-HIE World
Existing federal and state laws protecting
certain types of medical information
HIPAA
ARRA/HITECH
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
22
Pre-HIE sets the stage
Federal laws protecting patient confidentiality
e.g., substance abuse treatment, genetic information
State laws protecting patient confidentiality
General obligation of health care providers
Special rules regarding:
Minors
Substance abuse
HIV/AIDS
Mental health
HIPAA
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
23
HIPAA
HIPAA enacted in 1996
Initially required consent for dissemination of medical
information for TPO (treatment, payment, and
operations)
In 2002 (under Bush), HIPAA revised so that was no
longer necessary.
Legacy is: great confusion
Bottom line is that, contrary to popular belief, HIPAA
didn’t establish adequate protections for patient
privacy
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
24
HIPAA “Protections”
MYTH: The HIPAA privacy rule requires stringent protections for all
health information
FACT: Privacy protections are very limited and vary by who holds the
information and why it is being shared. HIPAA protections apply only to
information held by “covered entities”
“Covered Entities” - health care providers who transmits health information
in electronic form, health care plans and clearinghouses.
Information held by any other organization or patient is not subject to HIPAA
No patient consent required for “uses” (within an organization) and
“disclosures” (shared outside the organization) that are for purposes of
“TPO” (treatment, payment, and operations…plus other authorized uses like
government reporting, required by law, subpoena, and some others)
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
25
HIPAA “Protections”
MYTH: What you sign in the doctor’s office is a
consent to disclosure
FACT: The paper you sign is only a notice of office
practice regarding disclosure
***
MYTH: HIPAA limits use/disclosure to the “minimum
necessary” to achieve purpose of use/disclosure
FACT: The “minimum necessary” standard is not
applicable to disclosures to another health care
provider for treatment purposes
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
26
HIPAA “Protections”
MYTH: If you consent to allow your information to be sent to a
non-covered entity, HIPAA guards against redisclosure.
FACT: Once you consent to disclosure to non-covered entity,
that information is no longer “protected” by HIPAA
***
MYTH: HIPAA ensures stringent audit trails and you can find
out who has viewed your medical information
FACT: (Until HITECH) patients had limited rights to access
logs/know who had accessed their records and when; no
logging was required for TPO access.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
27
ARRA/HITECH modified HIPAA
Substantially enhanced HIPAA protections for
patients:
Extension of HIPAA standards to “business associates”
More stringent audit/access trail requirements
Enforceable punishments for breach or misuse
State AG enforcement power (already been exercised,
e.g. Conn)
Increased patient rights to access own data
Exclusion of services paid for “out-of-pocket”
New restrictions on marketing
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
28
How Do Patients Interact with HIEs?
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
29
Pre-HIE: patient control in the world of
paper records
In general, patients control which information providers can
access
Patient is main source of medical history/lifestyle information:
medical diagnoses, past and present
lifestyle including alcohol, substance use, reproductive history,
sexuality, etc.
medications, past and present
names of other providers
Allows patient to decide which information to share with which
provider. Exceptions:
Information conveyed via referrals or consultations, generally
require patient consent (under some state laws)
Intrafacility access to patient files; e.g., different departments of
same facility, affiliated facilities
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
30
Patients in the HIE World
What control do patients have over:
Inclusion of their information in “the system”?
Sharing of that information within an HIE network?
Wider dissemination of that information from the
network to external entities?
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
31
Consent to participate: states follow four
general models
Automatic inclusion with no option to opt-out of
system.
“Opt-out”: Patient locator information &/or patient
records are included in the system unless patient
affirmatively refuses to participate.
“Opt-in”: Patient must consent before patient locator
information &/or patient records are included in HIE
system.
Partial opt-out or opt-in: Patient has option of either
consenting to have partial information included or
partial information excluded.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
32
Consent to Share Information within HIE
All of patient’s providers have automatic access to patient’s
records, no right to opt-out.
Opt-out: providers have access to records unless patient
affirmatively opts out.
Opt-in: No records shared unless patient consents. Upon
consent, all of patient’s providers have access.
Partial opt-out or opt-in: Patient has option of either consenting
to have partial information shared or partial information made
inaccessible.
“Break the Glass” provision: Where patient is in need of
emergency treatment, provider can access records in absence
of affirmative consent or despite affirmative refusal to
participate, or can override other limits placed by patient or
default policy.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
33
All-or-Nothing Consent
At this time, “participation” in HIE generally means
consent to sharing all information, or sharing none at
all.
Patients cannot select which information they want to
share.
However, some systems allow patients to choose
which providers within HIE have access to all of their
medical information
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
34
Granularization
Granularization: the degree of specificity of patient
control over information included in system or shared
with providers.
Consent regimes could allow patients to limit
information included in the HIE or shared by the HIE.
Granularization operates in terms of:
Provider: To whom, from whom
Time: how far back?
Service, encounter, and condition: what do they
get to see?
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
35
Civil Liberties Concerns
Experience should teach us to be most on our guard
to protect liberty when the Government’s purposes
are beneficent. Men born to freedom are naturally
alert to repel invasion of their liberty by evil-minded
rulers. The greatest dangers to liberty lurk in the
insidious encroachment by men of zeal, well-meaning
but without understanding.
Olmstead v. United States, 277 U.S. 438, 479 (1928)
(Brandeis, J., dissenting).
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
36
Four Questions
1.
Why should we be concerned about
privacy in the context of health information
exchange?
2.
What needs to be put in place to
sufficiently address privacy concerns?
3.
What looming issues promise to
complicate efforts to protect privacy?
4.
Where do we need to go from here?
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
37
Why should we be concerned about privacy in
the context of health information exchange?
The way that information flows in & out of the system
The kinds of information that will be exchanged
The number of people with access to health information
Concerns about proxy/surrogate access to health information
System capability to shield sensitive health information
For the first time, you will have one complete medical file with
everything in it. “This will go down in your permanent record.”
The impact of any error is exponentially more damaging
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
38
What goes into the system?
All providers in an affiliated network who the
patient has seen
All electronic files
As far back as the provider has maintained
electronic records
Currently HIE is region-wide; contemplation is
statewide, and then NHIN.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
39
Patient A: Ana
Ana obtains a surgical abortion from a Planned
Parenthood clinic doctor in 2010. The clinic does not
place this information into the system because there
is no way to safeguard sensitive health information.
Ana discusses her abortion with her PCP a year later
when she is trying to get pregnant, and the doctor
records the information in her record. Should Ana’s
podiatrist have access in 2020 to information about
the abortion she obtained without complication ten
years earlier?
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
40
Who Gets to See?
All of an individual’s health care providers & their
affiliates
Business associates
Certain family members
The patient’s health insurance company
The patient’s life insurance company
Government
Potential Employers
Marketers
(Bad Actors)
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
41
Patient B: Benjamin
When he was in his early 20s, Benjamin struggled
with his use of heroin and sought substance abuse
treatment. Records of this treatment are protected by
federal law, and were therefore excluded from HIE.
However, his PCP at the time knew about his heroin
addiction, and made a note of it in his charts. Ten
completely sober years later, Benjamin develops a
condition that causes him severe pain. His new
doctor is reluctant to prescribe the most effective pain
medication for Benjamin because, after reviewing his
files, she is concerned that his reports of pain are
“drug seeking behavior.”
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
42
Patient C: Candace
Candace is struggling with a worsening
depression. She is reluctant to seek mental
health treatment, and does not want to ask
her primary care physician for help-particularly for any prescription medication to
treat her condition--because she is afraid that
her employer will gain access to her health
records and it may affect her ability to move
up in her company.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
43
Ever Expanding Circle: More
Information to More People
More people are getting access to more
information.
The larger the pool of people with access to
your health information, the likelihood of
breach and misuse.
The greater the scope of information
included, the greater the risk of misuse.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
44
Original Data Holder
Slide courtesy of Latanya Sweeney, Ph.D., Trustworthy Designs for the
Nationwide Health Information Network Electronic Privacy Information
Center, May 28, 2010
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
45
Primary Sharing MAY have some Restrictions
1
1
1
1
1
Slide courtesy of Latanya Sweeney, Ph.D., Trustworthy Designs for the
Nationwide Health Information Network Electronic Privacy Information
Center, May 28, 2010
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
46
Secondary and Alternative Sharing Unbounded
1
2
3
2
1
3
1
1
1
2
2
3
4
4
5
Sweeney, L. Information explosion. Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies,
Washington, DC, 2001.
47
Alice’s
Employer
Employer’s clinic &
wellness program
Clinical
Laboratory
Consulting
Physician
State Bureau
of Vital
Statistics
Care Provider
(physician, hospital)
Managed Care
Organization
Alice’s
Health
Record
Life Insurance
Company
Retail
Pharmacy
Pharmacy
Benefits Manager
Health
Insurance
Company
Medical
Researcher
Accrediting
Organization
Medical
Information
Bureau
Spouse’s
self-insured
employer
Lawyer in
Malpractice Case
Long-term repository
Flow of patient-identified health information
Short-term repository
Flow of de-identified patient health information
Temporary Access
Clayton, P., et al. For The Record. National Academy Press,1997.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
48
Coding
Alice’s
Employer
Employer’s clinic &
wellness program
Transcription
Clinical
Laboratory
Public Health
Consulting
Physician
Care Provider
(physician, hospital)
State Bureau
of Vital
Statistics
CDC
Managed Care
Organization
Alice’s
Health
Record
Life Insurance
Company
Retail
Pharmacy
ICU Mgt
Health
Insurance
Company
Pharmacy
Benefits Manager
Clearing
House
Patient Portal
Prescriptions
Database
Equipment
Monitoring
Pharmaceutical
Companies
Medical
Researcher
Accrediting
Organization
Medical
Information
Bureau
Spouse’s
self-insured
employer
Lawyer in
Malpractice Case
Workflow
Analytics
Disease
Management
De-identification
Review
NYCLU: Protecting Patient Privacy in the Era of
Health
Information Exchange
Marketing
Outcomes
Analytics
Compliance
Management
Ambulatory
Discharge
Hospital
Discharge
49
Patient D: Denise
Denise lives in a small town in upstate New York with
her husband who is a doctor. Denise’s husband is
physically abusive to her and their two children. After
a particularly violent attack, Denise leaves and seeks
assistance from a local domestic violence shelter.
Denise is now concerned about seeking any medical
care, even though she now lives in another county,
because she suspects that some information about
her and her children, including her address, may be
available either to her husband or to her husband’s
associates.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
50
Patient Control vs. Provider Confidence:
A False Dichotomy
Patients have always had some degree of
control
The myth of the “complete record”
Liability concerns
Relationship between patient and provider
one of “mutual trust” (“Hippocratic Bargain”)
Integrity of system patient “buy in”
improved delivery/health outcomes &
efficiency
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
51
Limitations in technology and policy
create perverse result
Those who may benefit the most may decline
to participate, or may be excluded under state
policy
Mental health services recipients
Substance abuse services recipients
Patients of reproductive health clinics
Some minors (in NY, those between 10 and 18
are excluded by policy)
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
52
Minors: Concerns about Surrogate/
Proxy Access
Parental consent is generally required for minors to
receive health care
In some states (like NY) minors have the right to
receive health care without parental consent under
certain circumstances (e.g., STI care; post sexual
assault care)
Who has the right to see the records?
In most instances, parents have the right to access all
of their children’s medical records
In some states, it is the person who consents to health
care (the minor, not the parent) who can access
records regarding that care
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
53
Surrogate/Proxy Access
In those states where confidentiality is preserved for
minors such that parents are not permitted access to
records of care that a minor received without parental
consent the problem is:
Technological inability to separate minor-consented
information from parent-consented information
HIE presents a challenge: how to build a system that
guards against undesirable disclosure to otherwise
authorized agents
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
54
Patient E: Evan
Evan has been receiving care from his
pediatrician since he was born. His parents
consent to this care, and as a result, have
access to his health information. When he
starts becoming sexually active, he confides
in his doctor. After one sexual encounter he
regrets, he requests the Gardasil© vaccine
and an STI test.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
55
What needs to be put in place to
address privacy concerns?
Granularization
Patient Ability to Correct/Amend EHRs
Protections against Breach & Misuse
A Critical Examination of Consent
Effective Public Outreach
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
56
Granularization
Person or entity: who gets to see?
Time: how far back?
Service, encounter, and condition: what do
they get to see?
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
57
Granularization by Provider
By Provider patient can choose to restrict/include
information based on which provider is source
Patient A chooses not to include records from visits to her
gynecologist in order to ensure that testing for STIs is not
included in her HIE-accessible record.
To Provider patient can choose to allow/exclude
specific providers from accessing HIE record
Patient B chooses to allow her internist to access records
from her gynecologist to ensure coordinated treatment, but
chooses to exclude her podiatrist from access to her record.
Potentially allows limiting access to specific providers within
a practice.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
58
Granularization by Time
Time Frame: Patients can choose to include/exclude
records based on when they were created
Include only information from a limited look-back period
Patient A restricts information to the last 5 years,
ensuring that her negative HIV-test from 10 years ago
remains private.
Exclude information from a specific time period
Patient B excludes a 4 month period from his records, to
ensure that his in-patient treatment for substance use
remains private.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
59
Granularization by Service, Encounter, or
Condition
“Sensitive Information” - patient can choose to exclude sensitive
information from system or to restrict which providers have
access
“Sensitive information” can be defined as specific types of
information or as defined by patient.
Patient A chooses to omit references to his anorexia, preferring to
tell individual providers himself as necessary.
Type of data: choose to include/exclude specific categories of
data (lab tests, MD notes, etc.)
Patient B chooses to exclude/include medications to keep his
history of psychotropic medications private.
Additional possibilities: visit-by-visit opt-in or opt-out; choice to
exclude/include different information within a single visit
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
60
Consequences of failing to ensure
granularization
Patient trust in the system suffers, patients opt out
The solution adopted by New York to preserve
minors’ legal rights to confidential care excludes
minors from the benefits of HIE altogether
HITECH requires some degree of granularization (for
treatment paid for out-of-pocket).
In systems that can’t accommodate this degree of
granularization, patients must either give up their
rights under HITECH, or decline to participate
altogether.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
61
Current New York State Capability on
Granularization
No granularization below the group/facility level: if
one provider in group has access, other treating
providers in that group will have access.
No granularization by time frame, type of data, type
of condition.
No granularization by information: Consent to access
records extends to all records, including HIV-related
information and other sensitive data that might
otherwise require specific consent under state or
federal law.
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
62
Patient Ability to Correct/Amend Health
Information
Errors in a Patient’s Record may be result of
Pure error
Identity theft
Information that later proves untrue (e.g., positive toxicology)
Patients are already guaranteed the right (via HIPAA,
to review medical records and
insert additional information and amendments
HITECH, and state law)
Complications
Difficulty tracking in a system with wide dissemination
Impact of error greater; transformed by larger record with
wider dissemination
If it is a widely linked record, the corrective mechanism
cannot be local
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
63
Patient Ability to Correct/Amend
Must be assurance that there is a mechanism
for correcting/amending record in each
location where it is held
through audit trail
ability to send out correct information to each
individual/entity that has accessed the record
when errors are identified
assurance that record is correct going forward
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
64
Protections against breach & misuse
Breach is a “red herring” in privacy
discussions
Biggest concern: someone hacking into your
medical records and violating your privacy or
“the government will get your info”
There are strong protections in state policies
and procedures and in federal regulations
regarding breach
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
65
Misuse & Other Harms
Breach is information leaving the system without your
consent; misuse is info leaving WITH your consent.
Misuse is the bigger concern WITHIN the system,
and when it LEAVES the system.
Examples of misuse:
Prejudicial impact on treatment
Use by authorized user for non-medical purpose
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
66
A Critical Examination of “Consent”
Ensure the adequacy of consent forms
Determine whether consent is:
Informed
Truly consensual
Begin to think about protecting use vs. access
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
67
Public Outreach
Outreach currently designed to encourage patients to
“sign up”
A more responsible public outreach campaign would:
Tell patients that HIE is happening now
That information is capable of being shared/accessed
How information can be accessed
Explain to patients how they fit in by:
Explaining benefits
Explaining risks
Educating them about how to manage risk
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
68
When Health Information Moves
Outside the Network
Moving Beyond the Patient-Provider
Paradigm
Personal Health Records
Marketing & Commercial Data Harvesting
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
69
Moving Beyond the Patient-Provider
Paradigm
HIE holds the promise of improved patient care and
efficiency
There are public health goals that could be achieved
through access to EHRs not related to patient care or
efficiency:
System Accountability
Research
Public Health Monitoring/Government Access
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
70
System Accountability
Theoretically, access to EHRs could assist in
Medicaid fraud investigations
Quality control of physician care
To what extent should HIE allow for this level
of access?
What patient consent should be required?
State policy under development in this area
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
71
Research
E.g., NYS policy allows for use for research
with a higher level of consent
De-identified data from EHRs is accessible
Challenges
Defining “research”
How to ensure against re-identification of deidentified data (e.g., small population/small
health dep’t, sensitive issues; increasing ability
to identify de-identified data, e.g., SSNs)
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
72
Public Health Monitoring/State Access
What is the state to do when it has identified a public
health threat?
When will a health department feel compelled to
intervene?
common vector
suspected intentional transmission
If the state is the provider/custodian, when will
unconsented-to access seem like a good idea?
Incarcerated individuals
Residents of homeless shelters
Recipients of public assistance
State policy under development in this area
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
73
Personal Health Records
Standards for patient protections/
access/control are complicated
Owned by vendor (legal rights are unclear)
Currently NOT protected by HIPAA/State Law
patient rights are largely be subject to contract w/vendor
except: Some are already business associates of HIPAAcovered entities (e.g., patient portals), and so are
therefore subject to HIPAA
Currently regulated by FTC; potentially regulated
by HHS
Some changes in HITECH will apply
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
74
Marketing & Commercial Data Mining
What is “informed consent” in the context of consent
to release to marketers?
E.g., what does a patient give up by consenting to Rx
discount program offered by a pharmaceutical
company?
Comprehensive medical information kept in one
place is a highly valuable commodity: vulnerable to
unauthorized access and exploitation Concerns
about re-sale of health information
State policies under development
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
75
Where do we go from here?
Technology and implementation developing
faster than policies & procedures
Policies and procedures developing faster
than our ability to identify all of the
repercussions
Public participation in identifying threats to
privacy has been little
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
76
We have a long way to go…
To decide whether and how to revise state
laws to deal with the full implications of
sharing records formerly kept on paper now
that they are shareable electronically
To strengthen protections against patient
mistreatment, medical/disability discrimination
To strike the proper balance between patient
control and provider control
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
77
What can an ACLU affiliate do?
Be on lookout for issues in your own region/state
Understand what’s happening at state level
Play a role in state policy-making
Be aware of how private entities are entering the field
Consider contributing to consumer/
patient/stakeholder voices on national scene
Revisit internal policies on consent
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
78
For more information, contact
Corinne A. Carey
Senior Public Policy Counsel
New York Civil Liberties Union
[email protected]
212 607 3327
NYCLU: Protecting Patient Privacy in the Era of
Health Information Exchange
79