Part one of a two-part series. Health information technology in current use is incapable of providing the level of privacy protection that some patients may desire, so it is important for federal policymakers as well as healthcare providers not to oversell the limited protections that are available, according to a federal privacy and security advisory panel.
In fact, providers should consider discussing privacy limitations with patients instead.
"I think the conclusion we can draw is if we really want to maintain the patients' sense of trust, we shouldn't let them conclude that they have more protection," said Wes Rishel, a vice president in the healthcare provider research practice of Gartner, an IT market-research firm.
Rishel is a member of the privacy and security Tiger Team, a special work group of the federally chartered Health IT Policy Committee. The committee was created under the American Recovery and Reinvestment Act of 2009 to advise HHS on healthcare policy matters.
“If we're going to maintain the patient's trust, whatever partial solutions we describe that are consistent with the current EHR technology need to be characterized as partial solutions, as incomplete solutions, and that characterization has to get all the way to the patient,” Rishel said.
In an Aug. 3 meeting, the Tiger Team first tackled the issue of the release of entire patient records in a so-called directed exchange. Directed exchange was defined as occurring when a hospital, physician or other healthcare provider transfers a patient's medical records to another provider for treatment of that patient, as in generating a patient referral to a specialist.
Team members considered whether the presence of particularly "sensitive" information in a patient's record should trigger a requirement that the patient's consent be obtained before the information is shared.
The answer they came up with was no.
The second question involved using technology to give a patient, through his or her provider, the ability to withhold specific elements of sensitive information that are part of the patient's medical record, such as test results for and diagnoses of HIV/AIDS. Tiger Team members worded the question this way:
"To what extent does current EHR technology support the ability for patients to make more granular decisions on consent—in particular, to give consent to the providers to transmit only certain parts of their medical record?"
For this second question, the Tiger Team's answer was far less precise and much more dependent upon time and technology, and likely to be even less satisfying to patients than the answer to the first question.
Health IT, Tiger Team members conceded, on the whole isn't advanced enough—and the advanced technology that does exist isn't in sufficiently wide use by healthcare organizations—to provide patients the privacy protections they may want or expect.
For now, creating so-called “granular consent directives” for a patient's medical records is technologically possible with structured data, such as diagnostic, procedure and lab codes and prescription drug data, according to several Tiger Team members. But the capabilities of the current crop of electronic health records to select and block such codes from transmission are spotty at best and are rarely used within the health IT industry.
"I don't think every vendor is necessarily in the same boat here" on suppressing information by code, said Tiger Team member John Houston, vice president of information security and privacy and assistant counsel at the University of Pittsburgh Medical Center.
And the "per-patient filtering" technology that is available is cumbersome for providers to use, said physician David McCallie, vice president of medical informatics at Kansas City, Mo.-based Cerner Corp. "We typically put that burden onto the consumer to go in and manage their own records," he said.
One example of this kind of record-management authority/responsibility given to patients is found in the Shared Care community health improvement program in Bellingham, Wash. The program was developed and deployed under a grant from the Robert Wood Johnson Foundation, and the system's privacy summary page offers patients a series of pull-down menus and check boxes that enable patients to limit provider access to all or parts of their information.
But even if all of the diagnosis and other codes in a patient record were rounded up and blocked by software, a typical record also contains blocks of text from which a sensitive diagnosis could be inferred, according to an e-mail that Judith Faulkner, CEO of IT developer Epic Systems, Verona, Wis., circulated among Tiger Team members before the meeting.
Much of the discussion at the Aug. 3 meeting centered on the contents of that e-mail, which was provided to Health IT Strategist by the Office of the National Coordinator at HHS. Faulkner said the examples in the e-mail were written by physicians and included the privacy problem presented by a hypothetical patient with an HIV diagnosis. Even if the patient wanted to mask such highly sensitive information, elements of the record could prove to be "leaky" nonetheless, according to the e-mail.
Here's an excerpt from Faulkner's e-mail:
"A patient has HIV. He is on the usual succession of drug regimens and has all the usual lab findings for an HIV patient. He is seen regularly by an infectious-disease specialist. He was diagnosed a few years ago when he was admitted to the hospital with pneumonia caused by a type of bacteria that is seen almost exclusively in HIV patients.
“If the healthcare organization wanted to remove evidence from the record that this patient has HIV prior to exchanging information with another organization, the challenge would be significant. HIV appears on the patient's problem list and his medical history.
“He is likely seen by a number of different providers, each of whom would almost certainly mention HIV prominently in the clinical notes. The anti-retroviral medications on the patient's med list are clear evidence that the patient has HIV, as are many of the lab results in his chart.
“The specific bacterial pneumonia that led to the diagnosis is also clear evidence of HIV infection, and it will appear in the history, the lab results, and multiple different notes. Complete redaction could not practically be done in an automated fashion, and time-consuming manual redaction would result in the removal of large, clinically significant portions of the record."
Even if transferred medical records are condensed into a Continuity of Care Document, a standards-based format for medical records summaries and transmission, the problems don't vanish, according to Rishel.
"CCDs have a list of coded and textual information in them," Rishel said. "It gets back to the same issues. CCD is interpreted very widely according to different use cases."