The most vexing issue surrounding the creation of a national electronic healthcare network is the privacy, confidentiality and security of personal health information.To be sure, the technical and financial challenges are no cakewalk. But almost everyone involved in this effort now believes that, in time, the information technology wizards will find a way to make everything sync together (termed "interoperability" in IT-speak), and that the financial obstacles will be overcome as well. What's not so clear is whether privacy policies and consumer protections will be established in time to engender consumers' trust and widespread participation.
On IT, privacy is the priority
Ideas for a data security plan that can win essential public trust
Even today, with our paper-based system, that trust is spotty. Millions of Americans perceive no self-interest, let alone a national public health interest, in sharing their health information. A sizable percentage of people who see mental health providers, for example, pay out-of-pocket for care and drugs, and request that any record of that care be closely guarded. Thousands of people still get HIV and other sexually transmitted disease tests "off the grid."Any inkling of exposure that threatens personal embarrassment, job security, or the ability to obtain health or life insurance, and the envisioned national health information network could face a large-scale boycott and suboptimal functioning -- if not outright failure.
Too little is being done to resolve this problem. Although everyone from HHS Secretary Mike Leavitt on down pays frequent lip service to medical records privacy, there's a disconnect between the rhetoric and the reality.For example, the American Health Information Community, the high-level commission Leavitt set up in 2005 to advise him on health IT issues, mostly punted on privacy and security, even though it was specifically charged with integrating privacy and confidentiality into the fabric of its activities. Making no real progress on the issue after a year, however, AHIC in August 2006 was compelled to create a separate work group to grapple with privacy. After initial meetings, that work group is now grumbling. Several of its members say their charge -- to address privacy as it relates to each of three "use cases," or real-world scenarios -- is too narrow. They want a broader approach. Similarly, the AHIC-affiliated organization established to harmonize health IT standards has been constrained to the consideration of transactions relevant to the three use cases. The group issued an initial batch of standards in November 2006. None of them dealt with the privacy or security of electronic health records. Mind you, all of this is going on even as large insurers and employers have announced major initiatives to kick-start both EHRs and personal health records. We believe four main factors are impeding progress: • A lack of any national policy on healthcare privacy. Should people have a right to opt out of an electronically based system? Should they be able to hide or exempt parts of their record? Should they be guaranteed electronic access to their health information? These questions remain unanswered. • A fear of reopening the Health Insurance Portability and Accountability Act of 1996. It is now widely acknowledged that HIPAA's privacy provisions do not adequately protect the confidentiality of medical records in a fully digitized electronic-health world, but HIPAA is a dirty acronym in some quarters, and there is much skittishness around creating unintended consequences and costs by amending it. • Lack of a clear vision of what the national health information network will (or should) be. As the thoughtful National Committee on Vital and Health Statistics asked in a June 2006 letter to Leavitt: Will the national health information network store data and information, or only transport it? Or both? Will it be centralized or decentralized? Who will run it? • Organizational and bureaucratic confusion. The Bush administration deserves credit for leadership on health IT, but it has shied away from difficult policy challenges, and it has poorly integrated technical and policy deliberations. HHS and the Office of the National Coordinator for Health Information Technology also have been overly engaged in the minutiae of technical and standard-setting activities and overly reliant on a use-case driven model. There are three things to do to address this problem. First, the administration and HHS must address healthcare privacy and confidentiality policy issues head-on. Consumers need a strong signal that their health information and data will be secure on the Internet, and they deserve to know how an e-health system will incorporate and enforce protections. There is no substitute for openness. And the time for this public dialogue is now. Second, in the short run, the newly created AHIC privacy work group should be charged with developing broad policy options, and AHIC, in turn, charged with making concrete recommendations on medical privacy in an electronic age. Third, Congress should get into the act. Legislation on health IT passed both chambers in 2006 but died in conference committee. Congress can now start over and should. We believe that any legislation that emerges in 2007 should incorporate some core health information privacy protections and address gaps in HIPAA. For example, it could specify that individuals be given access to any of their health-information held electronically anywhere. It could also require electronic audit trails for all health information transmissions that identify patients. Congress should also establish an independent national health information network oversight body on par with the Securities and Exchange Commission or the Federal Trade Commission. It's that important. EHRs and a national electronic health information network hold out enormous promise to improve healthcare and empower consumers. But that promise simply won't be realized without the public's trust and good will.
Steven Findlay is a healthcare analyst in the Washington office of Consumers Union. Alison Rein is assistant director for food and health policy at the National Consumers League, Washington.
This article initially appeared in the Jan. 15 edition of Modern Healthcare magazine.What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.