The stimulus law says the CPO will advise the ONC “on privacy, security and data stewardship of electronic health information and to coordinate with other federal agencies (and similar privacy officers in such agencies), with state and regional efforts, and with foreign countries with regard to the privacy, security and data stewardship of electronic individually identifiable health information.”
“I think very highly of her,” said fellow lawyer Mark Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville (Ky.) School of Medicine. Rothstein is a former member of the National Center for Vital and Health Statistics, or NCVHS, and served as chairman of its privacy and subcommittee. Rothstein's subcommittee held public hearings and deliberated for nearly two years on IT and privacy and delivered to former HHS Secretary Mike Leavitt two lists of largely ignored recommendations on privacy, including a rare definition of privacy as “an individual's right to control the acquisition, uses or disclosures of his or her identifiable health data.”
Rothstein said Pritts is “well respected as being extremely knowledgeable about privacy issues and very thoughtful in considering the interests of stakeholders affected by HIT policies.”
Deborah Peel is a psychiatrist who founded Patient Privacy Rights, a not-for-profit organization based in Austin, Texas, which advocates for increased patient privacy protections in the digital age.
“We look forward to working with her,” Peel said. “We think she is a scholar and a person with great integrity. I think she'll be a great person to work with and we look forward for her to bring to the table the perspective of persons who have been harmed by violations of their privacy rights.”
Because the appointment is coming nearly a year after passage of the stimulus law, Pritts will be playing catch-up in providing advice to federal policy makers.
Defining privacy, and whether that includes—as the NCVHS concluded—the right of a patient to control electronic access and sharing of his or her information, is virtually guaranteed to be one of the most contentious issues Pritts will face.
Peel predicts that Pritts will be lobbied hard by health insurance and pharmaceutical industry data miners who maintain commercial access to patient data.
“It's such a difficult situation,” Peel said. “They want to find someone who doesn't define privacy as the way it's been defined in medicine and law forever, that patients have a right to control their information.”
“We're hoping that the privacy officer will demand that HHS will commit to a definition so we'll all know what we're talking about when we're sitting down at the table.”
Donald Mon, vice president of practice leadership for the American Health Information Management Association, said he has met and worked with Pritts over the years in healthcare IT standards development groups and at a federally funded Health Information Security and Privacy Collaborative.
“We're excited to have someone of Joy's caliber in this role,” Mon said. The AHIMA position is, “She's the right person for this job, and we'll support her and her office in any way we can.”
Mon also said Congress came to the right decision in creating the position of CPO.
“It's been much needed,” Mon said. “One of the great challenges we have is to reduce the variation in the state privacy laws and set a direction and a process on how we're going to reduce that variation.”
Mon also said Pritts will have her work cut out for her.
Mon said there is a great need to revise and improve the Health Insurance Portability and Accountability Act of 1996 regulations “and to help the entire nation to appropriately implement the current HIPAA laws even as we work to revise and improve them. So clearly, those two things have to be on her plate.”
“The industry still has some confusion about consents for the disclosure of information and the authorization for the release of information. Different states call it different things, so you have to figure it out,” he said.
“There is a consent for the disclosure of information for treatment, payment and operations, and when it's not TPO, the individual provides what is an authorization for the release of information,” Mon said. “They're both authorizations by the patient for the release of information, but one is for TPO and one is not.”
Under HIPAA, the definition of other healthcare operations is quite broad and originally provided a broad prohibition against disclosure since patient consent was at first required before disclosure even for TPO. When the HIPAA privacy rule was amended during the Bush administration in 2002, however, consent no longer was required for disclosures for TPO. So, the broad definition of “other healthcare operations” created a wide loophole in HIPAA privacy protections, except where more stringent state privacy laws trump them, as they are permitted to do under HIPAA.
“Under HIPAA, you don't need consent for release of information for treatment, payment and other operations, but in New York, you have to deliberately obtain that consent for TPO,” Mon said.
Variations in state privacy laws are an area of expertise for Pritts.
In 2009, Pritts conducted an HHS-funded study of state privacy laws affecting the movement of electronic laboratory results and their implications for health information exchange. Her report was released in October 2009.
Pam Dixon, founder of the World Privacy Forum, Cardiff by the Sea, Calif., also foresees that Pritts will face tremendous pressure from health industry data users.
But Dixon said the CPO should be “bridging a gap with what industry wants, rushing forward with health information exchange, with the interests of patients. It needs to be done correctly, and those interests need to be balanced.”
Dixon, who serves as co-chairman of a California advisory panel on IT privacy and security to the state's health information exchanges initiative, said the conflict between data users and privacy protectors “is already showing up profoundly at the state level. The stimulus package is already putting pressure on privacy and security.
“In California, we're already having huge fights. If it's too costly or too burdensome, then privacy and security always gets tossed out the door.”
The CPO “has to hold this together and really, really represent the consumers' interests,” Dixon said. “I do see some indications from HHS that they need to take privacy and security seriously; that if this system gets built and patients don't trust it, it will all be for naught.
“They need to give this person real power to put patient's interest first, not industry's interest first,” Dixon said.