IT guru says some e-vendor contracts violate privacy

A nationally prominent physician informaticist who serves as a member of a federal privacy advisory panel said that some electronic health-record and personal health-record vendors have placed in their contracts stipulations that would obligate healthcare providers to violate privacy rules.

Internist Paul Tang is vice president and chief medical information officer of the Palo Alto Medical Foundation, a California multispecialty group practice, and chairman of the board for the American Medical Informatics Association, a professional group whose members use healthcare data for clinical improvement and research.

Tang said he has personally seen the contract language. He declined to identify the vendors or how he came to see the offending contract provisions.

"That wouldn't be fair," Tang said. "It's just those things are in there."

Tang's observations disturbed, but did not surprise, several privacy advocates, including Joy Pritts, a lawyer and assistant research professor with the Health Policy Institute at Georgetown University. She blamed the problem in part on laxity by the Office for Civil Rights at HHS, which is charged with enforcing federal healthcare privacy rules under the Health Insurance Portability and Accountability Act of 1996.

"I'd like to say that I'm shocked and appalled by this kind of activity, but that would only be half-right," Pritts said in an e-mail response. "I'm really not that surprised. Health information is valuable and it looks like they're buying and selling it like any other commercial commodity. What's to stop them? OCR doesn't have authority over the vendors, and even if they did, what's the risk of getting caught? OCR isn't doing any compliance audits where they could actually go on-site and demand copies of contracts; they're just relying on complaints. Who's going to file a complaint? The patient? They won't even know what the provider and vendor are up to until it is too late."

Tang also serves as a member of the consumer empowerment work group of the American Health Information Community, which was established by HHS Secretary Mike Leavitt in 2005 to advise the government on healthcare information technology policy. In addition, Tang is a member of the National Committee for Vital and Health Statistics, another HHS advisory panel, and its subcommittee on privacy and confidentiality. Today, an NCVHS ad hoc work group on the secondary uses of health data on which Tang also serves is finishing off three days of meetings in Hyattsville, Md.

Tang talked at length about the offending IT contract provisions during a telephone interview Tuesday after the ad hoc work group's first day of meeting. But he initially mentioned the problem at an NCVHS privacy subcommittee meeting Jan. 23.

His remarks came during the course of a conversation on the need for urgency in adopting broader federal privacy policies to address an avalanche of new healthcare information technology vendors, products and services. Many have appeared subsequent to the 2002 relaxation by the Bush administration of the HHS privacy rule that broadly authorized the exchange of patient information without patient consent by providers, plans and claims clearinghouses for treatment, payment and "other healthcare operations."

Fellow NCVHS subcommittee member Harry Reynolds, vice president of HIPAA and information compliance officer for Blue Cross and Blue Shield of North Carolina, was talking about the rapidly changing IT environment. "There is an industry out there that is wide open, putting stuff in place," Reynolds said. "I think at some point privacy has got to catch up, or this discussion has got to catch up with it, because once it is implemented, undoing it and getting everybody to go back and change it to come back to where we would like everybody to be is not something that works well in this world."

To which Tang replied, "I just want to round out, just in case Harry didn't make it clear, I am just scared of witnessing as many egregious violations. It is a changed world just in the past one year or two years. There are vendors that are obligating covered entities to do things that they are not allowed to do."

The offending provisions are not the industry standard, Tang said in the telephone interview, but they can be found in IT vendor contracts for both inpatient and outpatient systems as well as in the privacy statements of some PHR systems providers.

"There are certainly large and small vendors that I have seen contracts of that do" that, Tang said. "Some people (vendors) say they have ownership to data. There are contracts that say they will have real-time access to the database, that they will have exclusive access to the data, that they can resell the data. I think it would be unlawful that covered entities abide by that."

PHR vendors are even more problematic, because many are not covered organizations, and if HIPAA applies to them at all, it is only indirectly through "business associate" agreements with the covered groups who hired them.

"That's where there is a loophole," Tang said. "Business associate agreements are not very robust, (and) the patient consumer is usually not aware of any actions of IT vendors."

In addition, a number of new PHR providers are independent and have no link to covered organizations at all and are not governed by HIPAA privacy rules, even indirectly.

"There are more and more of these (PHRs), and they are outsourced to a company that is not a covered entity and they believe there is some financial potential of accessing that asset," Tang said. Consumers contribute data to these PHRs for their own benefit, he said, creating a "mismatch between the consumers' expectation and what's happening" in practice. "And right now, there is no law that controls that behavior and no laws that require that it be disclosed to the consumer. One of the ways that (PHR) companies get around their responsibilities is put their disclosure in the 'I agree' statement that nobody reads. Is that fair practice? It's a little bit of buyer beware."

"I think the temptation to use data in these clinical systems has always been out there," Tang said. "I think (with) the push to use clinical systems, there are just more folks using them, so there are more to get interested.

"What we're struggling with is how to control the bad apples, because the misuse of health data could hurt the good use of health data," he said.

Tang emphasized that his comments about bad contract language do not pertain to the EHR system from Epic Systems Corp. that Palo Alto Medical Foundation uses. "Epic doesn't do anything like that at all."

That's true, according to Epic Chief Executive Officer Judith Faulkner, although it's not because her company hasn't been approached over the years to team up by each of the three main commercial secondary users of healthcare data—payers, pharmaceutical companies and data-miners.

"To the payers we have said, 'It's not our data, so it's not our decision,' " Faulkner said. "For the pharmaceuticals, they said it was for research, but the healthcare organizations have told us it is more for marketing, and the healthcare organizations have not wanted to share, so we don't. The data-miners said they wanted to work with us, but we've said we don't know that we've needed their help."

At issue, Faulkner said, is a key underlying question: whose data is it? "My sense is it belongs to the patients and it is in the trusted care of the physicians or the healthcare organization."

Robert Gellman, a Washington, D.C.-based lawyer specializing in privacy issues, said he has little use for what he called "commercial, advertising-supported PHRs," calling them "the moral equivalent of a scam." "They get the patient to sign an authorization. That's how they get the data in the first place. Why any patient would agree to do this, I have no idea whatsoever."

Gellman said he has not seen vendor contracts for provider IT systems similar to those Tang described, but the provisions could expose both the provider and the vendor to legal liability.

"Any contract that deals with ownership of medical data is pretty meaningless, because laws and medical ethics control the rights and responsibilities of medical records," Gellman said. "Whoever holds the records as a covered entity has certain obligations and limits under law, regardless of how the contracts are written. As long as a doctor is covered by HIPAA, those rules for disclosure hold. If a doctor signs an agreement like that, the doctor has certainly violated HIPAA, and may be pursued by OCR and may be sued by the patient for all kinds of things. You may have a tort or you may have a claim of breach of contract with your doctor, but you (also) may have malpractice claim under standards of care."

Pritts, the Georgetown privacy lawyer, took a lawyerly approach to the contract provisions Tang mentioned, noting they may or may not violate HIPAA, depending on the details.

"It depends on what the clause is and what purpose they're using the information for," Pritts said. That said, Pritts added that "I'm having a hard time wrapping my head around what would make it legitimate."

Further, Pritts said, "If there is a violation, how would a patient ever know, unless it was marketing information on something so obscure they would have to know that it came from their provider."

As for the OCR, Pritts said, "I think this is a perfect example of why compliance audits are necessary at the provider level. Compliance audits are an authorized enforcement tool under HIPAA, but they are not utilized at all. HHS has made the decision that they are not conducting compliance audits. You have a visit from HHS and they say, 'Let's see your contracts, let's see what you're really doing here.' That would be the way to find the problem. You would see the practice stop pretty dramatically, if it is occurring."

Like Gellman, Pritts said she has not seen the contract provisions that Tang has, but said, "I think we'd all be naive if we didn't recognize this health information is very valuable and the temptation is great, especially when they're getting squeezed with reimbursements."

William Bria is chief medical information officer at 60-bed Shriners Hospital for Children, Tampa (Fla.), and is chairman of the Association of Medical Directors of Information Systems, an association of physician informaticists.

Bria said that he has no data on how widespread the practice of data ownership is, but, "Am I shocked by this? No. Do I think it is an issue? Of course it is. I have been approached, as I think everybody has over the years, by pharma and they said they would like to have access to your data and there would be payment because they would like to use that for marketing and research."

In Bria's case, money couldn't persuade him, but he can understand how it might be persuasive with others.

"From the pharma standpoint, we said: 'Thanks very much, see you,' " Bria said. "From the research standpoint, it had to be IRB (Institutional Review Board) approved. It didn't persuade me to do it outside of a research arrangement, but could I possibly imagine it? Yeah, I think it could be really challenging."

Tang said that technology fixes for controlling the use of data have been suggested, such as giving patients control down to the data-field level, but they could be inordinately expensive. "There would be a great administrative burden putting in place the technical infrastructure that would allow the individual to control each data element," he said. "It wouldn't be technically impossible, but it would probably be more costly than we can afford."

According to Tang, the NCVHS privacy subcommittee proposed an alternative solution among the 26 privacy policy recommendations it submitted to Leavitt in June 2006. It says that: "HHS should work with other federal agencies and the Congress to ensure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers and schools." In effect, the protections would run with the data rather than being limited to a defined group of users, as they are now under HIPAA and its covered entities.

"It is increasingly less possible to de-identify data in ways to preserve its value," Tang said. "If you take away the 18 identifiers (specified under HIPAA, such as name, date of birth, etc.) it is possible to de-identify data. But if you take away dates, the value to public health is less and less. Most data cannot be de-identified without destroying its value for public health or research. So we have to have laws that govern the use and disclosure of that data, and everyone who has access to that data has accountability. That would remove the administrative burden of the covered entity trying to maintain control of that data when it is actually in the hand of these business associates that are not covered entities."
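To make Tang's point about de-identification concrete, here is an added example (not from the article, and not any vendor's code) that applies a simplified HIPAA Safe Harbor style pass to a few constructed patient records: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated and ages over 89 are aggregated, and free-text notes are scrubbed. It then runs the same public-health query (influenza visits per month) over the raw and the de-identified records to show how the date generalization destroys the monthly resolution the query needs. The field names, the sample records and the subset of the 18 identifier categories handled here are assumptions made for the example; the real Safe Harbor rule has further conditions (for instance on small ZIP areas) that this code does not model.

```python
"""Simplified Safe Harbor de-identification over constructed records.

Added example, not code from the article. The rules below cover only a
subset of the 18 HIPAA identifier categories and are deliberately
simplified for illustration.
"""
import re
from collections import Counter

# Constructed, fictional sample records (no real patients).
RAW_RECORDS = [
    {"name": "Alice Example", "mrn": "000123", "dob": "1951-03-14", "age": 57,
     "zip": "94301", "phone": "650-555-0100", "visit_date": "2008-01-09",
     "diagnosis": "influenza",
     "note": "Pt Alice Example, call 650-555-0100 re: follow-up on 2008-01-20."},
    {"name": "Bob Example", "mrn": "000124", "dob": "1916-07-02", "age": 91,
     "zip": "94306", "phone": "650-555-0101", "visit_date": "2008-01-23",
     "diagnosis": "influenza", "note": "Seen 2008-01-23, febrile."},
    {"name": "Carol Example", "mrn": "000125", "dob": "1970-11-30", "age": 37,
     "zip": "94041", "phone": "650-555-0102", "visit_date": "2008-02-11",
     "diagnosis": "influenza", "note": "Contact: carol@example.invalid"},
    {"name": "Dan Example", "mrn": "000126", "dob": "1985-05-05", "age": 22,
     "zip": "95014", "phone": "650-555-0103", "visit_date": "2008-03-02",
     "diagnosis": "asthma", "note": "No identifiers in this note."},
]

# Fields treated as direct identifiers and removed outright (a subset of the 18).
DIRECT_IDENTIFIER_FIELDS = {"name", "mrn", "phone"}
# Date fields: Safe Harbor keeps only the year of dates tied to an individual.
DATE_FIELDS = {"dob", "visit_date"}

_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")
_PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
_EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def generalize_date(iso_date):
    """Keep only the year of an ISO date (YYYY-MM-DD -> YYYY)."""
    return iso_date[:4]


def generalize_zip(zip5):
    """Keep the first three digits of a ZIP code (simplified; ignores the small-area rule)."""
    return zip5[:3] + "00"


def generalize_age(age):
    """Ages over 89 are aggregated into a single 90+ bucket."""
    return 90 if age >= 90 else age


def scrub_free_text(text, names):
    """Replace known names, e-mail addresses, phone numbers and full dates in free text."""
    for name in names:
        text = text.replace(name, "[NAME]")
    text = _EMAIL_RE.sub("[EMAIL]", text)
    text = _PHONE_RE.sub("[PHONE]", text)
    text = _DATE_RE.sub(lambda m: generalize_date(m.group(0)), text)
    return text


def deidentify(record):
    """Return a de-identified copy of one record under the simplified rules above."""
    names = [n for n in [record.get("name")] if n]  # skip empty/missing names
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # dropped entirely
        if field in DATE_FIELDS:
            out[field] = generalize_date(value)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif field == "age":
            out[field] = generalize_age(value)
        elif field == "note":
            out[field] = scrub_free_text(value, names)
        else:
            out[field] = value
    return out


def deidentify_all(records):
    return [deidentify(r) for r in records]


def monthly_counts(records, diagnosis):
    """Public-health style query: visits per month for one diagnosis.

    On raw records the key is YYYY-MM; on de-identified records the visit
    date is only a year, so every visit collapses into one bucket.
    """
    return Counter(r["visit_date"][:7] for r in records if r["diagnosis"] == diagnosis)


if __name__ == "__main__":
    deid = deidentify_all(RAW_RECORDS)
    print("raw  :", dict(monthly_counts(RAW_RECORDS, "influenza")))
    print("deid :", dict(monthly_counts(deid, "influenza")))
    print(deid[0])
```

The first record's note comes out as "Pt [NAME], call [PHONE] re: follow-up on 2008.", and the influenza query that returned two January visits and one February visit on the raw data returns a single bucket of three for 2008 after de-identification, which is the loss of public-health value the quote describes.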
