The Commission on Systemic Interoperability has recommended moving in lock step with some of the directions outlined by the Office of the National Coordinator for Health Information Technology, or ONCHIT, headed by David Brailer, M.D. But it also has moved past the Brailer approach of contracting out with private-sector companies to achieve consensus on certain issues.
The commission, in its 264-page report issued in late October, made 14 recommendations and advocated several already-controversial policy positions, including sweeping changes to the federal healthcare privacy law and the adoption of a national, uniform patient identification procedure that could include a national patient identifier.
Several commission recommendations dovetail with the ONCHIT's work, including endorsing a process for certifying healthcare IT systems, harmonizing data communication standards and monitoring IT adoption.
But while the ONCHIT hired a contractor in late September to meet with officials in various states to seek reconciliation of the differences between the privacy rule in the 1996 Health Insurance Portability and Accountability Act and more stringent privacy laws it permitted a number of states to maintain or enact, the commission recommended outright that Congress "develop a uniform health information privacy standard for the nation, based on HIPAA and pre-empting state privacy laws."
This recommendation prompted howls of protest from privacy advocates even before it was issued.
"What we decided to do was to have a single national standard for protecting the confidentiality of medical records," says Scott Wallace, chairman of the 11-member commission and president and chief executive officer of the National Alliance for Health Information Technology, adding the variations impede national IT interoperability. While creating a single national standard could mean raising the national level of privacy protections to that of the most stringent state, that scenario "is unlikely," he says.
In addition, the commission called for HHS to develop a standard national procedure for determining patient identity.
Standardization could include either a set number of required data elements, such as name, date of birth and address, sufficient for authenticating identity, or adoption of a single, discrete national patient identifier. "There are 25 different ways of doing this," Wallace says. "The problem is nobody does it consistently."
While the commission stopped short of recommending adoption of a national patient ID, a majority of the members agreed that a single ID would be the best approach, according to commission member Don Detmer, M.D., who is president and chief executive officer of the American Medical Informatics Association, Bethesda, Md.
Initially, HIPAA provided for the creation of a national patient identifier, but it quickly became a political hot potato and was dropped by HHS after Congress, under pressure from privacy advocates, barred funding for its implementation.
In recent years, the AMIA, the Health Information and Management Systems Society and the IEEE-USA, the American arm of an international professional society for electrical engineers, all have formally endorsed creating a government-run patient ID system with voluntary patient participation.
The commission's recent recommendation does not call for the government to run the national ID system or provide a way for patients to opt out.
"At some level, this issue can't go away if you're going to deliver accurate care," Detmer says. "Why shouldn't citizens have the right to have a national identifier? If somebody doesn't want to play because of their privacy concerns, I think they have every right (not) to, but why is somebody who wants to play being kept from doing that? We're not giving Americans the opportunity to make that decision."
The commission also asked Congress to augment HIPAA protections by authorizing federal criminal sanctions against individuals who intentionally access protected data without authorization.
Through Oct. 31, 2005 (the HIPAA privacy rule went into effect in April 2003), the Office for Civil Rights at HHS has investigated 16,118 privacy complaints but has fined no one for a civil privacy violation. The Office for Civil Rights has forwarded slightly more than 200 complaints to the Justice Department for possible criminal prosecution. A federal prosecutor in Seattle secured the first, and what may still be the only, criminal HIPAA privacy conviction last year.
Two weeks before the report was issued, having read news accounts of its contents, the 19-organization Consumer Coalition for Health Privacy wrote to Wallace and key congressional leaders expressing their concern about the commission's proposal to pre-empt state privacy laws with one comprehensive federal law.
The coalition includes, among others, the Health Privacy Project, American Hospice Foundation, AFL-CIO, American Civil Liberties Union, Families USA, Bazelon Center for Mental Health Law, Consumer Federation of America and National Association of People with AIDS.
The coalition's letter said many consumers, already mistrustful of the healthcare profession, are engaging in "privacy protection measures" that include paying out-of-pocket so their insurers or employers won't have a claim documenting the encounter, giving incomplete or inaccurate information to providers and even avoiding medical care. Thus, "stripping consumers of current safeguards is not just misguided, but dangerous, and would undoubtedly have a drastic impact on the extent to which patients are willing to engage in health information technology initiatives."
Pre-emption, proponents say, is necessary to create a future nationwide, interoperable healthcare IT system, but many local and multi-state data-sharing arrangements operate just fine without it. Privacy experts, meanwhile, suggest those calling for pre-emption are engaging in a form of groupthink.
Lauri Matijas is director of operations for the Maryland Quality Indicator Project, which gathers patient-level data on more than 200 measures from hundreds of hospitals in 45 states. The variance between state privacy laws and HIPAA standards does not affect the work of her 20-year-old quality-improvement organization, Matijas says. "They have been no problem at all for us," she says. "There wasn't even a blip on the radar screen."
Janlori Goldman, director of the Washington, D.C.-based Health Privacy Project, speaking Nov. 9 at the release in Washington of a California HealthCare Foundation survey on attitudes about patient privacy, disparaged efforts that call for overruling stricter state privacy laws in favor of less-stringent federal laws.
She noted how this has been promoted in the name of standards harmonization (the phrase used in the ONCHIT effort), concluding both the ONCHIT and the commission are after the same thing.
"The term 'harmonization' is a nice way of saying 'pre-empt state law,' " she said. "Exactly what (state) laws are preventing information technology from moving forward? We need to have a reasonable conversation and not just say 'It's a problem.' "
Commissioner William Stead, M.D., is associate vice chancellor for health affairs at Vanderbilt University as well as chief information architect for the university and chief information officer for the Vanderbilt University Medical Center. Stead says he knows that pre-emption is what has most privacy advocates most upset, but "This patchwork puts an unworkable burden on the system."
For example, Stead says, "There are different state laws about what insurers can access and transmit to their employers. What (makes) a law apply? Is it where the patient lives, where the patient receives care, or where the doctor was?"
Michael Zamore is senior policy adviser to Rep. Patrick Kennedy (D-R.I.), who is one of several sponsors of pending healthcare IT legislation. Kennedy's bill would let people opt out of an information network and allow patients to shield data pertaining to sexually transmitted diseases, mental health and drug- and alcohol-treatment programs, Zamore says.
"My biggest concern and the congressman's is that we wind up with a smack-down between privacy activists and the IT people," Zamore says.