Kolodner unveils AHIC's privacy policy framework

Robert Kolodner, the head of the Office of the National Coordinator for Health Information Technology at HHS, revealed at a meeting of a key federal healthcare IT advisory panel Tuesday that his staff has begun work on a healthcare privacy policy to accompany the government's IT promotion efforts.

Kolodner's presentation on Developing a Privacy and Security Framework came near the close of a meeting of the 18-member American Health Information Community in Washington. The AHIC was established in 2005 by HHS Secretary Mike Leavitt to advise him on healthcare IT policy. Kolodner co-chaired the AHIC meeting with Leavitt. It was his first AHIC meeting as co-chairman, replacing David Brailer, who resigned last week.

Kolodner said members of the AHIC's staff have been working hard on a framework of privacy principles, setting up a comparison of principles from five sources that have developed "high-level" policy statements over the past four decades. The goal is to build a national consensus around a "harmonized" set of privacy principles. Kolodner noted there are more principles in common than there are differences in the "recognized privacy and security instruments" from these five sources:

  • The Federal Trade Commission's Fair Information Practice Principles. A foundational source of federal privacy policy was developed by HHS' predecessor, the Department of Health, Education and Welfare, and its 1973 Code of Fair Information Practice Principles, which were followed by passage of the Federal Privacy Act of 1974. The FTC enforces adherence to commercial privacy policies under federal commerce laws.
  • The Organization for Economic Co-operation and Development and its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The European trade group privacy policy flowed out of the U.S. fair information practice principles and was first adopted in 1980.
  • The Markle Foundation's Model Privacy Policies for Health Information Exchange. Markle, which issued the 17-page policy statement in April 2006, supports technology policy development in two areas: healthcare and national security.
  • The International Security Trust & Privacy Alliance's "common terminology in privacy requirements," according to Kolodner's PowerPoint presentation. The alliance, founded in 1999 as a not-for-profit organization incorporated in South Carolina, describes itself on its Web site as "a global association of companies, institutions and technology providers, working to clarify and resolve security, trust and privacy issues." Its list of members includes IT companies, security consulting firms and Carnegie Mellon University, but no provider organizations. Its privacy framework was released in 2002.
  • An as-yet-unnamed coalition of 20 organizations that released in March 2006 a three-page set of health IT consumer principles. Members of the coalition include the AARP, the AFL-CIO, Consumers Union and the National Partnership for Women & Families.
Notably absent from the list of privacy policy framework documents was the six-page list of recommendations prepared last year by the National Committee on Vital and Health Statistics, or NCVHS, which formed a privacy and security subcommittee in 2004 at the request of Brailer when he served as the head of ONCHIT. The NCVHS conducted an 18-month policy development effort, including hosting six public hearings. NCVHS submitted 26 privacy policy recommendations in a letter to Leavitt in June 2006.

No agenda or documents of presentations at the meeting had been posted to the AHIC Web site more than an hour after the meeting had begun. However, a copy of Kolodner's 10-page PowerPoint presentation, a meeting agenda and other presentations was available after the meeting had concluded.

Mark Rothstein, who chaired the NCVHS privacy subcommittee, said that he was unaware of the ONCHIT effort. Rothstein, who serves as director of the Institute for Bioethics, Health Policy and Law at the University of Louisville (Ky.) School of Medicine, has previously criticized HHS for ignoring the work of the NCVHS, which was charged in 2004 by Brailer to look into privacy policy issues.

"There has been no discussion with us at all," Rothstein said. And it is not that ONCHIT or HHS has forgotten his number. "The NCVHS has been asked to do this project on what they call secondary uses, which is basically the use of health records for quality assurance purposes. We were asked to do that by (ONCHIT) recently. We're just starting on that project. They still think that NCVHS has a contribution to make, but maybe not in privacy."

Rothstein said the NCVHS held its hearings in locations across the country.

"We heard from zillions of witnesses, and then, had months of rather spirited debates on where we would go. We spent a lot of time working on that. What our recommendations have to offer, unlike some of the others, (ours) were put together expressly for the purpose of guiding the secretary in developing the NHIN. Some of these other things were more general and may not have the NHIN in mind.

"I would respectfully disagree with (Kolodner) that a privacy framework for the NHIN can be distilled from those documents. I know from having read most of those documents that they don't discuss hardly any of the things that we discussed in our letter (to Leavitt). They simply don't address the issues that we talk about.

"I should note that the CDC (Centers for Disease Control and Prevention) not that long ago, within the last two or three weeks, put out a request for applications on some sort of grant proposals where the applicants were specifically directed in their applications to (address) how they intended to follow the principles laid out in the NCVHS letter, so it is being followed to some degree by an HHS agency."

AHIC panel member Chip Kahn, president of the Federation of American Hospitals, also said he had not known before Kolodner's announcement Tuesday that ONCHIT had begun work on a privacy policy. But Kahn said he was "not surprised."

The congressional watchdog Government Accountability Office in February issued its latest in a series of critical reports on the HHS efforts to develop IT. The 52-page report chided HHS for failing to establish milestones to measure progress in development of privacy protections, and for not having a person or organization in charge of coordinating federal privacy policy initiatives.

"We're just beginning to build a consensus around a framework," said Kolodner. ONCHIT staffers will sift through the works of the five groups to build "a harmonized set of principles." He gave no timeline for completion of the policy effort, which will include a public comment period.

Deven McGraw, chief operating officer of the National Partnership for Women & Families, said Kolodner met with coalition members about a month ago at AARP offices. At a minimum, according to McGraw, a national privacy policy needs all of the recommendations the coalition made.

"Ideally, a system that really works for patients and consumers should satisfy those elements, and I don't think anyone is overreaching," McGraw said. "They should really be the baseline from which any system is built."

The foundational fair information privacy principles call for patient control over use of their information, a principle that already is often ignored in American healthcare. For example, the ubiquitous use of prescription drug information for data-mining and pharmaceutical marketing is a multibillion-dollar industry. Not surprisingly, one thorny issue the no-name coalition tackled was how patients could choose whether to participate in a health information exchange, McGraw said.

"The one that we probably struggled with was opt-in vs. opt-out," she said. "We say at a minimum, opt-out. Opt-in is obviously the most consumer-oriented model and if you want to ensure people trust the system, it is the better way to go. For some folks, for whatever reason, the thought of having their records in an electronic system is scary to them. We think there are more benefits than risks, but there are people who still" fear that.

McGraw said the coalition leaned heavily on the privacy principles in the Markle Foundation's "Common Framework," a policy blueprint it developed for healthcare information exchange.

"We did rely on them fairly heavily to draft ours," McGraw said. "We looked at Markle, but we didn't exactly replicate Markle, because we felt that our principles (needed to meet) the needs of consumer organizations." In the end, though, McGraw said, "I don't think our principles differ from the common framework."

While Kolodner made no promises—or even estimates—of when the privacy policy might be developed, McGraw said that timing is a point of interest for her. She's not holding her breath, she says, noting the multiple, critical GAO reports.

"If they don't get something issued, they are at risk of getting another one," McGraw said. "It's one of those things that I'm cautiously optimistic about, but I'll wait until I see it."

Privacy advocate Deborah Peel is less than enamored of Kolodner's approach.

"His objective should not be to build consensus around a (new) set of privacy and security principles, because a powerful national consensus already exists," said Peel, an Austin, Texas-based psychiatrist and founder of the not-for-profit Patient Privacy Rights Foundation.

"Kolodner, Leavitt, HHS and AHIC should look to traditional principles of medical ethics, look to the over 200-year history of strong state laws, common law, the physician-patient privilege and constitutional law, which reflect a powerful longstanding national consensus on what privacy standards our nation should have. This consensus is far more powerful, representative and tested over time."

"You cannot find a single poll of Americans that supports data mining of their medical records or eliminating their right to control access to their medical records," Peel said. "His objective should be to uphold the law and medical ethics."

What do you think? Write us with your comments at Please include your name, title and hometown.