Part two of a two-part series (Access part one): If the nation's top health information technology official makes good on a pledge he made recently to resurrect two key privacy policy papers, he will find that their recommendations are still relevant, according to a Kentucky lawyer who helped produce both documents.
David Blumenthal, head of HHS' Office of the National Coordinator for Health Information Technology, said last month he would be looking into the papers produced by the National Committee on Vital and Health Statistics.
“The issues have not been resolved,” said Mark Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine. “They have not been addressed. They're still hanging out there. The 2006 framework is still as timely now as it was then. The issues have not changed appreciably.”
Rothstein is a former member of the NCVHS and chaired its subcommittee on privacy and security when the 2006 and 2008 reports to then-HHS Secretary Mike Leavitt on privacy policy—the ones Blumenthal said last month he'll review—were developed.
Rothstein said he hasn't heard from Blumenthal about the reports, but the committee's work, the recommendations on privacy policy in those two reports, could be of use.
“I wish those things were addressed three years ago, but we're going to have to deal with it eventually,” Rothstein said.
The June 2006 report contained 26 recommendations for privacy policy. It also attempted to define privacy as “an individual's right to control the acquisition, uses, or disclosures of his or her identifiable health data.” The NCVHS report said its members had cribbed the definition from earlier work by the Institute of Medicine.
The 2008 NCVHS report proposed patients should have some measure of control over the movement of certain particularly sensitive types of healthcare information across the proposed NHIN.
When both reports were issued they were, basically, ignored.
In June 2007, after repeated bashings by the General Accountability Office over the failure of HHS to enunciate a coherent, national privacy policy, ONC head Robert Kolodner announced that his staff had begun work on a national healthcare privacy policy and released source documents for that effort. Noticeably absent from the list was the NCVHS' list of privacy policy recommendations to Leavitt from the year before. Kolodner later instructed ONC staff to take a second look at the NCVHS recommendations.
In December 2008, Kolodner's ONC issued a 12-page Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information.
In its appendix, the Kolodner framework defined privacy as: “An individual's interest in protecting his or her individually identifiable health information and the corresponding obligation of those persons and entities, that participate in a network for the purposes of electronic exchange of such information, to respect those interests through fair information practices.”
That definition, which said individuals only have an “interest” in protecting their information, but not a right to do so, didn't sit so well with privacy advocates.
And it was a far cry from the standard in the 2006 NCVHS report, which defined health information privacy as an individual's “right” to control their information.
That framing of privacy as an individual's right, or merely an interest, remains unresolved and likely will remain at the core of the debate in the months to come.