The National Committee on Vital and Health Statistics has approved a letter to HHS Secretary Mike Leavitt, again recommending that patients be able to control the movement of some of their healthcare information over a proposed national health information network.
It was the second time in the past 21 months that the federal advisory panel at HHS has advocated restoring some form of patient consent as a prerequisite to the disclosure of personal healthcare information on a NHIN.
At a meeting Feb. 20, the NCVHS approved the 11-page letter that likely will be sent to Leavitt this week. In summary, the committee wrote, "We have concluded that NHIN policies should permit individuals limited control, in a uniform manner, over access to their sensitive health information disclosed via the NHIN. Public dialogue should be undertaken to develop the specifics of these policies, and pilot projects should be initiated to test their implementation."
The recommendations stand in marked contrast to past and current HHS privacy policies. In its 2002 revision of the privacy rule of the Health Insurance Portability and Accountability Act of 1996, HHS eliminated patient consent as a requirement for the disclosure of so-called "protected healthcare information" for use in treatment, payment and a host of other healthcare operations.
And last June, the Office of the National Coordinator for Health Information Technology at HHS announced its intention to develop a national privacy and security framework for health IT. Nearly nine months later, staffers at HHS and ONCHIT still are working on the framework behind closed doors.
In its letter, the NCVHS recommended affording patients the ability to sequester particularly sensitive information by treatment category. And while those categories were not specified, the committee did provide examples of categories to be considered for special handling. They were: domestic violence, genetic information, mental health information, reproductive health and substance abuse. If all of the NCVHS examples are accepted in a federal model, it could reduce variation between state and federal privacy laws.
Under federal law, the letter noted, any program for drug or alcohol abuse treatment receiving federal funds generally may not disclose healthcare information without a patient's consent. But state privacy laws for other medical conditions offer a mixed bag, according to NCVHS committee member and physician Paul Tang, vice president and chief medical information officer of the Palo Alto (Calif.) Medical Foundation and chairman of the American Medical Informatics Association.
For example, Tang said the privacy of records about sexually transmitted diseases are not being treated equally by state laws. "It's much more variable, and that creates a challenge when you're wanting to create a national system." With federal uniformity, he said: "They'd have one policy to understand. I think they would trust the system more."
The letter noted that the advent of the NHIN represents "a major shift" from the current, decentralized and largely paper-based medical-record system to an electronic system that holds "significant implications for individual privacy and confidentiality."
"Unless specific, privacy-enhancing measures are designed into the network, individuals could have significantly less privacy than they currently have," according to the letter, which explains how the consequences could be dire.
"If individuals fear that they have no control over such sensitive health information or that they cannot trust that their sensitive health information will be protected from unwarranted disclosure, they might fail to divulge sensitive information relevant to their care, fabricate answers to sensitive questions, or even avoid seeking timely healthcare altogether, thereby endangering their own health, and possibly the health and safety of others," the letter states.
Fellow NCVHS member Mark Rothstein is a lawyer and director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine. Rothstein also serves as chairman of the NCVHS Subcommittee on Privacy and Confidentiality. He said the letter represents a best effort to reach a set of consensus recommendations.
"This letter was a compromise," Rothstein said. "The final draft was draft No. 18, and we've been working on this for well over a year, so that, I think, attests to the difficulty we had with many of the issues."
One such tough call was agreeing on the level of "granularity" of patient consents for information-sharing. Some privacy advocates recommend allowing patients to lock out specific data fields, blocking the disclosure of, say, prescriptions or of one test result but not others.
"The reason we rejected the more granular approach is that the result would have been, I think, to destroy the confidence (physicians) would have in the record," Rothstein said. "If the patient gets to pick and choose, then the result (by physicians) would be to not trust anything. That's the argument. The counterargument is (physicians) don't get everything now."
NCVHS committee member J. Marc Overhage, the physician president and chief executive officer of the Indiana Health Information Exchange, Indianapolis, cast the lone dissenting vote against the most recent NCVHS letter.
"Part of the argument was that patients need to be comfortable and confident their data should be protected," Overhage said. "I think that should be true, but I think that's true for all data. I don't think the committee disagrees with that, but I worry that this sends a message that it is perhaps too scoped. I think there is a risk identifying certain categories for sequestering that it might result in patients feeling the rest of their data is not secure. It feels like a slippery slope."
Overhage said he also was concerned about the cost and the unforeseen implications of giving patients such control.
"Will the patient understand that sequestering might influence a physician's choice of an antibiotic? How do you explain that kind of complexity? Are they making that choice with good information at hand? How does that work, and how does that happen?" Overhage said. "And, secondarily: How much money are we going to be spending building those controls into systems? And how soon? And is that the best expenditure of resources?
"I believe the patient's data belongs to them," Overhage adds. "We need to have policies to make sure all of their data is protected. I don't know the committee weighed adequatelyand they felt like they didthe operational costs of this."
The latest NCVHS letter is a follow-up to one sent to Leavitt in June 2006 on privacy issues involving the proposed NHIN.
That earlier missive recommended "HHS should assess the desirability and feasibility of allowing individuals to control access to the specific content of their health records via the NHIN." It also called for "an open, transparent and public process" to make that assessment and decision. The committee in 2006 recommended access controls should have limits, such as "based on age of the information, the nature of the condition or treatment, or the type of provider."
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.