Part one of a two-part series:
Minnesota is typically in the "vanguard" when it comes to healthcare advances, says David Feinwachs, general counsel for the Minnesota Hospital Association, and the state recently took a couple of leaps forward in the area of electronic medical-records adoption. But at least one consumer advocate insists that the state also took a giant step backward in protecting patient privacy.
As politics and technology interests collide in Minnesota, it highlights the battle being fought between those who want unfettered access to patients' medical information and those who seek to stop their most private information from becoming public knowledge. Now, however, some companies are learning how the same technology being used to pry into people's personal data can also be used to block the view. As knowledge of these patient-consent applications become more known, there is more outcry that they be put to use.
Minnesotas $1.46 billion health and human services appropriation bill signed by Gov. Tim Pawlenty mandated that all hospitals and healthcare providers install interoperable EMR systems by Jan. 1, 2015, and the bill included $14 million to help small rural providers and clinics implement systems.
In addition, Minnesota Medical Association Chairman of the Board of Trustees Michael Ainslie says the state updated the Minnesota Health Records Act for the 21st century by clarifying EMR policies and laid the groundwork for the development of an electronic record-locater service, or RLS. An RLS is an index of patient-identifying information directing providers in a health information exchange, or HIE, to a patients health records. But, according to consumer healthcare advocate Twila Brase, the RLS did so at the expense of the states reputation of being a guardian of patient privacy.
Brase, who is a nurse and the president of the Citizens Council on Health Care, says provisions calling for patient consent for inclusion of their records in the RLS were removed and, in so doing, people's personal medical information is being put at risk of being used by hackers, read by nosy healthcare workers and exploited by health plans.
"When they can take our data and put it online without our consent, what this says is our data is not ours," she says. "The whole idea is that data is gold and this is the 21st century version of the gold rush. Its about influencing medical decisions from outside the exam room and getting their hands on the data."
But Feinwachs says the RLS mentioned in the legislation is more concept than reality right now and he believesif the state moves ahead slowly but surelythere will be time to work out any problems.
"A record locater service has the potential for abuse, but where we differ from Twila is that, clearly, we see electronic medical records are the wave of the future," he says. "It's unrealistic to believe that electronic medical records won't become the norm in the future, and it's unrealistic to believe that this form of rapid communication won't be used to make healthcare safer and more efficient."
While speeding up the process, Feinwachs says using the Web does have the side effect of making simple business transactions more complex. Nevertheless, Feinwachs says if participation in the RLS required an affirmative "opt in" by patients, "there probably wouldn't be enough participation to make it worthwhile." He adds that other consent provisionssuch as making certain health information available to only certain providers at certain timesposes problems as well.
"It's possible, but I don't think it's practical," Feinwachs says, adding that consumers will have to make "global decisions" on the use of their information rather than having different choices for different situations.
Money vs. privacy
But Kelly Callahan, the head of business development for HIPAAT, a provider of "consent aggregation" software, disagrees. His Mississauga, Ontario-based company has been working on detailed "access controls" since 2002, but it's only been in the past six to eight months that interest has really been picking up, he says.
"If you get people pushing back and saying 'This is not possible,' we can show them it is possible," he says. "There's a misconception that it's more trouble than it's worth. It is a pain point, and it's painful because you have to spend more money, but what are the consequences if someone has their information exposed?"
Callahan's company takes its name from the Health Insurance Portability and Accountability Act of 1996, and he calls enforcement of HIPAA's privacy rules "negligible at best." He also acknowledges that "if it were not for the electronic exchange of information, there would be little need for what we do."
Callahan describes the HIPAAT program as a "call center" for an EMR system.
If a healthcare provider within a regional health information organization, HIE or nationwide health information network wants to look up a patient's record, Callahan explains that the request would first go through HIPAAT's aggregation of organization privacy policies and patient-consent directives. Then, if these policies and directives allow that particular provider in that particular situation to view the information, "seamless" access will be provided.
InterSystems Corp., a Cambridge, Mass.-based IT company, developed its HealthShare product line specifically for RHIOs and other HIE applications. It consists of a browser-based viewer and a central index hub. In between is the HealthShare Gateway connection that filters physician information requests through the patient-consent declarations and security policies it has stored inside. A 2006 company white paper states that "every request is automatically checked by the appropriate Gateway for adherence to patient consent policies."
Feinwachs wasn't aware of how advanced the consent-management business had become, but he wasn't surprised either.
"Every time you pass a law, there's a company somewhere developing a product to implement it," he says. Callahan credits patient-consent mandates in the U.K. and the Canadian province of Ontario for the recent flurry of HIPAAT activity, and says it's only a matter of time before state and federal governments in the U.S. take notice that not only is patient-controlled access possible, but also it is necessary to gain public acceptance of EMR systems.
"It's being recognized that you can't invest loads of money into a national program if the public doesn't buy into it," he says. "In the U.K., they were five years into a national program and they had to pull back and address what they could do to get the public's confidence."
This story initially appeared in this week's edition of Modern Healthcare magazine.
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.