Healthcare privacy advocates find cold comfort in the call by a federally funded panel to wait until next year before privacy protection policies -- and the technical mechanisms to implement them -- are selected for moving patient data to and from electronic personal health-record systems.
The Healthcare Information Technology Standards Panel on Friday gave consensus approval to three batches of healthcare IT "interoperability specifications," including standards to electronically move a patient's medication history and demographic profile into a PHR as part of an effort to boost "consumer empowerment" in healthcare decisionmaking. (See previous story.)
But for lawyer and privacy advocate Joy Pritts, "To put it politely, it seems that they are putting the cart before the horse."
"They're looking at the technicalities before they are looking at the policies," said Pritts, a research associate professor with the Health Policy Institute at Georgetown University. "When you develop standards, you have to have policies in place first. And when it comes to health information, the privacy policies should be one of the things you should look at first."
The HITSP was created and is being overseen by the American National Standards Institute, Washington, an accreditation body for standards-development organizations, under terms of a $3.3 million contract issued in October 2005 by the Office of the National Coordinator for Health Information Technology at HHS. The AHIC was created last year by HHS Secretary Mike Leavitt to advise the government on healthcare IT policy.
The HITSP interoperability specifications are scheduled to be reviewed and possibly endorsed by the American Health Information Community at its meeting Tuesday.
Several formal comments were filed with HITSP prior to the meeting Friday criticizing the absence of standards addressing privacy issues. In response, the panel developed a four-paragraph statement acknowledging that privacy was both important and "in scope" with the panel's assignment.
The HITSP statement noted that "Patient consent, confidentiality, consumer exercise of granular role- and relationship-based user permissions, data persistence, and many other constructs critical to consumers' interests are not addressed by HIPAA (the Health Insurance Portability and Accountability Act) in the case of a personal health record (PHR) nor are they established within widely accepted PHR standards."
The statement also acknowledged that "HIPAA does not cover personal health records unless they are held by a covered entity (generally a healthcare provider, payer or claims clearinghouse), nor an individual's use of their own health information. Moreover, (individually identifiable health information) is both too narrowly defined under HIPAA to deal with the many data elements that can be envisioned in a PHR and does not deal with anonymous or pseudonymous data-exchange scenarios among PHR and EHR systems."
But, the statement said, "Because of time and resource constraints and the need for further information as described below, HITSP has decided to defer specifying most security requirements, instead treating these as a pre-condition for implementing the core information exchanges. Patient consent, confidentiality, consumer exercise of granular role- and relationship-based user permissions, data persistence, and many other constructs critical to consumers' interests are not addressed by HIPAA in the case of a personal health record (PHR) nor are they established within widely accepted PHR standards. Work on patient consent has been deferred until the second year of HITSP."
HITSP Chairman John Halamka said the standards panel was awaiting input from a newly formed AHIC work group on confidentiality, privacy and security, which met for the first time in late August, and from the Health Information Security and Privacy Collaboration, which, like HITSP, was formed last year pursuant to an HHS contract. The Research Triangle Institute and the National Governors Association were awarded a $17.23 million contract by the Agency for Healthcare Research and Quality to study variances in state privacy laws and to recommend solutions, including federal preemption, to promote healthcare information interoperability.
"What we need are the privacy policies from HITSP and the AHIC work group," Halamka said. "As soon as we have those policies, we'll go back and give you specific privacy and security standards. The way that all of our national projects are going, architecture, standards harmonization and privacy are all being done in parallel. If we had the luxury of time, we might start with privacy, then architecture and then standards after that. We are doing the best job that we can and then when HISPC has its work done, then we can fill in the gaps."
Twila Brase, president of the Citizens Council on Healthcare, St. Paul, said it is not at all surprising the federally funded contractor put off addressing privacy issues.
"I think it only follows what has historically happened with HIPAA is that privacy has always been the unwelcome cousin at the table with the rest of the family," Brase said. "It's as though they never wanted privacy in the beginning so why they should put emphasis on it now?"
Even though work on patient control of the PHR has been delayed, Brase said she is "bemused" by any attention paid to the notion of patient control of PHRs. As long as they are connected to electronic health-records systems, "It's a charade to make a patient feel like they have some control," she said. Privacy issues under provider-based EMRs fall under the jurisdiction of HIPAA, and "HIPAA is not a privacy rule," she said, because a rewording of the HIPAA privacy rule in 2002 eliminated patient consent as a requirement for a large swath of healthcare transactions. As a result, according to Brase, HIPAA "means nothing for real protection."
Many personal health-records systems already available have privacy controls built into them. A PHR developed by a collaborative of patients and providers in Bellingham, Wash., and used by a community-based regional health information organization there, allows patients to turn on and off access to providers for discrete elements of patient information.
"I would agree, you have to get those privacy things in upfront," said Fred Eberlein, founder and chief executive officer for ReliefInsite.com, a startup developer of a Web-based PHR for pain management patients.
"That's kind of common sense. If you want the maximum privacy, you say, 'Fine, patient, you're in control.'"
The system allows full patient control and interoperability, Eberlein said.
"If the doctor has permission, he or she can see it, even if you updated it two minutes ago," he said. "You need that for the patients to feel comfortable for the installations to get moving."
What do you think? Write us with your comments at [email protected].
Please include your name, title and hometown.