Who can argue with a week devoted to "raising awareness among healthcare professionals, their employers and the public of the importance of protecting the privacy, confidentiality and security of personal health information?"
Deborah Peel, an Austin, Texas, psychiatrist and founder of the Patient Privacy Rights Foundation, that's who. Peel is arguing about the focus on personal health records and other nuances of the privacy debate that the American Health Information Management Association put forth as part of its fourth annual Health Information Privacy and Security Week, which was held last week.
In particular, Peel was upset with a statement in AHIMA privacy and security week education materials that declared: "Consumers should establish a personal health record."
Specifically, she questioned the privacy of records created by insurance companies and employers, and worried that the information stored in these PHRs could be used against patients.
"The health data in PHRs is not protected by any laws and will be held in databases owned by corporations not subject to laws or medical ethics that guarantee privacy," Peel wrote in an e-mail to Health IT Strategist. "PHRs are being designed to facilitate the data-mining, aggregation and sale of Americans' health records."
Sandra Fuller, AHIMA executive vice president and chief operating officer, said there is a danger of oversimplifying the issue into "PHRs are good/PHRs are bad" rhetoric.
"I think there are legitimate issues that all consumers should weigh," Fuller said, and she urged anyone concerned with AHIMA's stance on privacy and PHRs to visit its myPHR.com Web site and read a joint statement put out in February by the AHIMA and the American Medical Informatics Association.
The position statement includes calls for:
- Persons to have control over how their data are "accessed, used and disclosed," and that all secondary uses of PHR data must be disclosed to the consumer with an option to opt-out, "except as required by law."
- PHR compliance with Certification Commission for Healthcare Information Technology data standards and Health Insurance Portability and Accountability Act of 1996 security criteria.
- Accountability of PHR operators for any unauthorized use or disclosure of personal information.
Despite these statements, Peel maintained that the problem with the AHIMA's positions were that they stressed HIPAA compliance and guarding against unauthorized uses. Stating that HIPAA's privacy regulations allow "everything under the sun." She added: "I dare them to find an unauthorized user. I figure it would be a challenge."
Peel said congressional action giving patients consent for secondary uses of their health data is needed to restore privacy. And, while AHIMA's privacy week materials call on healthcare organizations to review their privacy materials, she said the Hippocratic oath's call to "keep secret and never reveal" a patient's medical information is all the policy that's needed.
"It's worked well," Peel said. "There's no need for a new one (policy) because we've had one that's been vetted through the millennia."
Fuller countered by saying that privacy and security were "values of health information professionals way before HIPAA."
"It's great to have a week to bring privacy and security into the spotlight," Fuller said. "But this is an important issue for health information managers the other 51 weeks of the year as well."What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.