Kolodner's presentation on Developing a Privacy and Security Framework came near the close of a meeting of the 18-member American Health Information Community in Washington. The AHIC was established in 2005 by HHS Secretary Mike Leavitt to advise him on healthcare IT policy. Kolodner co-chaired the AHIC meeting with Leavitt. It was his first AHIC meeting as co-chairman, replacing David Brailer, who resigned last week.
Kolodner said members of the AHIC's staff have been working hard on a framework of privacy principles, setting up a comparison of principles from five sources that have developed "high-level" policy statements over the past four decades. The goal is to build a national consensus around a "harmonized" set of privacy principles. Kolodner noted there are more principles in common than there are differences in the "recognized privacy and security instruments" from these five sources:
- The Markle Foundation's Model Privacy Policies for Health Information Exchange. Markle, which issued the 17-page policy statement in April 2006, supports technology policy development in two areas: healthcare and national security.
- The International Security Trust & Privacy Alliance's "common terminology in privacy requirements," according to Kolodner's PowerPoint presentation. The alliance, founded in 1999 as a not-for-profit organization incorporated in South Carolina, describes itself on its Web site as "a global association of companies, institutions and technology providers, working to clarify and resolve security, trust and privacy issues." Its list of members includes IT companies, security consulting firms and Carnegie Mellon University, but no provider organizations. Its privacy framework was released in 2002.
- An as-yet-unnamed coalition of 20 organizations that released in March 2006 a three-page set of health IT consumer principles. Members of the coalition include the AARP, the AFL-CIO, Consumers Union and the National Partnership for Women & Families.
No agenda or documents of presentations at the meeting had been posted to the AHIC Web site more than an hour after the meeting had begun. However, a copy of Kolodner's 10-page PowerPoint presentation, a meeting agenda and other presentations were available after the meeting had concluded.
"There has been no discussion with us at all," Rothstein said. And it is not that ONCHIT or HHS has forgotten his number. "The NCVHS has been asked to do this project on what they call secondary uses, which is basically the use of health records for quality assurance purposes. We were asked to do that by (ONCHIT) recently. We're just starting on that project. They still think that NCVHS has a contribution to make, but maybe not in privacy."
Rothstein said the NCVHS held its hearings in locations across the country.
"We heard from zillions of witnesses, and then, had months of rather spirited debates on where we would go. We spent a lot of time working on that. What our recommendations have to offer, unlike some of the others, (ours) were put together expressly for the purpose of guiding the secretary in developing the NHIN. Some of these other things were more general and may not have the NHIN in mind.
"I would respectfully disagree with (Kolodner) that a privacy framework for the NHIN can be distilled from those documents. I know from having read most of those documents that they don't discuss hardly any of the things that we discussed in our letter (to Leavitt). They simply don't address the issues that we talk about.
"I should note that the CDC (Centers for Disease Control and Prevention) not that long ago, within the last two or three weeks, put out a request for applications on some sort of grant proposals where the applicants were specifically directed in their applications to (address) how they intended to follow the principles laid out in the NCVHS letter, so it is being followed to some degree by an HHS agency."
"We're just beginning to build a consensus around a framework," said Kolodner. ONCHIT staffers will sift through the works of the five groups to build "a harmonized set of principles." He gave no timeline for completion of the policy effort, which will include a public comment period.
"Ideally, a system that really works for patients and consumers should satisfy those elements, and I don't think anyone is overreaching," McGraw said. "They should really be the baseline from which any system is built."
The foundational fair information privacy principles call for patient control over use of their information, a principle that already is often ignored in American healthcare. For example, the ubiquitous use of prescription drug information for data-mining and pharmaceutical marketing is a multibillion-dollar industry. Not surprisingly, one thorny issue the no-name coalition tackled was how patients could choose whether to participate in a health information exchange, McGraw said.
"The one that we probably struggled with was opt-in vs. opt-out," she said. "We say at a minimum, opt-out. Opt-in is obviously the most consumer-oriented model and if you want to ensure people trust the system, it is the better way to go. For some folks, for whatever reason, the thought of having their records in an electronic system is scary to them. We think there are more benefits than risks, but there are people who still" fear that.
McGraw said the coalition leaned heavily on the privacy principles in the Markle Foundation's "Common Framework," a policy blueprint it developed for healthcare information exchange.
"We did rely on them fairly heavily to draft ours," McGraw said. "We looked at Markle, but we didn't exactly replicate Markle, because we felt that our principles (needed to meet) the needs of consumer organizations." In the end, though, McGraw said, "I don't think our principles differ from the common framework."
"If they don't get something issued, they are at risk of getting another one," McGraw said. "It's one of those things that I'm cautiously optimistic about, but I'll wait until I see it."
Privacy advocate Deborah Peel is less than enamored of Kolodner's approach.
"His objective should not be to build consensus around a (new) set of privacy and security principles, because a powerful national consensus already exists," said Peel, an Austin, Texas-based psychiatrist and founder of the not-for-profit Patient Privacy Rights Foundation.
"Kolodner, Leavitt, HHS and AHIC should look to traditional principles of medical ethics, look to the over 200-year history of strong state laws, common law, the physician-patient privilege and constitutional law, which reflect a powerful longstanding national consensus on what privacy standards our nation should have. This consensus is far more powerful, representative and tested over time."
"You cannot find a single poll of Americans that supports data mining of their medical records or eliminating their right to control access to their medical records," Peel said. "His objective should be to uphold the law and medical ethics."