McGraw was updating the committee on the workgroup's discussions and was not making policy recommendations, but rather was seeking feedback from HIT policy committee members on the workgroup's general sense of direction.
McGraw said a consensus has been reached that a comprehensive set of privacy and security protections that build on current laws and implement the principles in the National Privacy and Security Framework is critical to building what she called a “foundation of trust.”
That foundation will be needed to support and enable the meaningful use of electronic health-record systems by providers, hospitals and patients under the EHR subsidy program of the American Recovery and Reinvestment Act of 2009, also known as the stimulus law.
The National Privacy and Security Framework was released by the Office of the National Coordinator for Health Information Technology at HHS last year. That document said patients have an “interest” in controlling their healthcare information, but it did not assert, as others have, that by definition, privacy means a patient has the “right” to “control the acquisition, uses, or disclosures of his or her identifiable health data.”
McGraw said the privacy laws in question include the federal Health Insurance Portability and Accountability Act of 1996, a separate federal law governing the privacy of patient records from federally funded mental health, drug and alcohol treatment programs, as well as various state laws.
“Those are just a starting point,” McGraw said. “There needs to be a lot more detail.” For example, what are the privacy protections for electronic health information exchange, “including, but not limited to, the role of consumer choice.”
Choice and the type of patient consent may vary, she said, “based on how exchange occurs.”
For example, according to McGraw, guidelines about patient consent in existing practices and laws, such as HIPAA, might be sufficient to govern the use of that patient's medical information in a “one-to-one” sharing arrangement between the patient's primary-care physician and another physician, say a specialist, also directly involved in that patient's care.
In those cases, the workgroup members are “largely comfortable” with the idea that “no additional individual consent/authorization requirements should be imposed beyond those that would otherwise apply under state or federal laws,” McGraw said. That also would include information sharing via some data transfer “intermediary,” as long as the intermediary didn't have access to the data beyond what was reasonably needed to transport it from one point to the other, she said.
On the other hand, a different kind of consent—say, in which a patient is given the choice to either opt in or opt out of having his or her information moved via a health information exchange organization, for example—is being considered by the workgroup, McGraw said.
Such an exchange might copy and store the patient's record to facilitate record transfer or for other business purposes of the organization.
Determining what functions or features beyond a patient's reasonable expectations regarding the use of his or her data would “trigger” a robust set of consent requirements is an additional consideration, McGraw said.
“These have not been easy discussions,” McGraw said. “It's really difficult to think about consent outside of the context. I think we have a responsibility to set that frame as much as we have a responsibility to set the parameters of choice.”
One technological tool to facilitate patient choice involves what's called “granular consents,” that is, fine-tuned, electronically stored and patient-controlled restrictions on a record-keeping system's ability to exchange specific elements of a patient's medical record. Under the granular consent model, a patient might allow the movement of most of his or her records, but restrict the exchange of information about a specific diagnosis or prescription.
A hospital-coordinated community health initiative in Bellingham, Wash., for example, applied such consents to the flow of patient information using a Web-based application.
An anecdote by HIT Policy Committee member Charles Kennedy, a physician and vice president of health information technology at WellPoint, the giant health insurer, illustrated a problem that incomplete granular controls might pose.
Kennedy's story highlighted two world views in conflict over patient-centered healthcare. One is a paternalistic view that would limit patient control over information for the patient's own good; the other is a sense of informed consent, with the doctor providing adequate information so the patient can make an informed decision.
Kennedy spoke of a patient who had been seeing both an internist and a psychiatrist. The internist used the services of a prescription drug exchange to download that patient's prescription history and, in so doing, saw that the patient had been prescribed lithium.
The patient was upset to find out her internist had learned of the lithium prescription, Kennedy said, because, “She never told her internist that she was seeing a psychiatrist.”
Kennedy said a practitioner or an exchange might be complying with the patient's demand to control movement of details of his or her psychiatric visit, but “just blocking out the diagnosis without the correlating medicine is probably not sufficient as well.”
McGraw said the privacy and security workgroup intends to address the problem.
“We are going to get to the issue of that level of granularity,” McGraw said. “We have not gone there yet.” Dealing with medication data “is very difficult,” she said. “The patient is very upset, and yet psychiatric drugs are the ones that are most reactive with other drugs.”
One approach might be to educate patients about the potential safety consequences of withholding medical information, McGraw said. Also, “Many states are deciding the way to deal with the sensitive mental health data is not to include it.”
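The gap Kennedy describes, where a diagnosis is withheld but the correlated prescription still reveals it, can be shown in a few lines. This is an added example, not part of the original article or any system it mentions; the record, the category labels and the `Restriction` model are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Element:
    kind: str       # "diagnosis", "medication" or "visit"
    label: str
    category: str   # sensitivity segment (assumed labelling, not a clinical standard)

@dataclass(frozen=True)
class Restriction:
    category: str
    kinds: frozenset  # element kinds the patient explicitly named

# Constructed sample record loosely following the anecdote in the article.
RECORD = [
    Element("diagnosis", "hypertension", "general"),
    Element("medication", "lisinopril", "general"),
    Element("diagnosis", "psychiatric diagnosis (placeholder)", "mental_health"),
    Element("visit", "psychiatry follow-up", "mental_health"),
    Element("medication", "lithium", "mental_health"),
]

# The patient asks to withhold the psychiatric diagnosis and visit details.
CONSENT = [Restriction("mental_health", frozenset({"diagnosis", "visit"}))]

def release(record, restrictions, segment_wide):
    """Return the elements allowed to leave the system.

    segment_wide=False honours only the element kinds the patient named.
    segment_wide=True withholds every element in a restricted category,
    including correlated medications.
    """
    released = []
    for el in record:
        blocked = any(
            r.category == el.category and (segment_wide or el.kind in r.kinds)
            for r in restrictions
        )
        if not blocked:
            released.append(el)
    return released

def leaked_categories(released, restrictions):
    """Restricted categories that released elements still reveal."""
    restricted = {r.category for r in restrictions}
    return sorted({el.category for el in released} & restricted)

if __name__ == "__main__":
    for mode in (False, True):
        out = release(RECORD, CONSENT, segment_wide=mode)
        print(mode, [e.label for e in out], leaked_categories(out, CONSENT))
```

Segment-wide withholding closes the inference path, but it also removes the medication from the view of a clinician checking for drug interactions, which is the safety trade-off McGraw raises.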
The idea of patients controlling the flow of specific data elements in their records didn't sit well with fellow HIT Policy Committee member Michael Klag, a physician—also an internist, coincidentally—and the dean of the Bloomberg School of Public Health at Johns Hopkins University.
“I'm not sure that this committee can get that granular,” Klag said. “I would argue we should not get that granular.”
One element of the discussion that has implications not only for patient privacy, but also for the long-term viability of the entire government approach to developing the proposed National Health Information Network, is the economic instability of many state and local health information exchange organizations.
These state and local organizations have long been considered the essential building blocks of the NHIN, which has been ballyhooed by its proponents as “a network of networks.” Many of these organizations, formerly known as regional health information organizations, or RHIOs, but more recently called health information organizations, or HIOs, and health information exchanges, or HIEs, remain dependent on grants for their operation. That fact calls into question whether the national network can succeed as planned.
“It strikes me that the state HIEs just came along too quickly,” said HIT Policy Committee member Judith Faulkner, CEO of Epic Computer Systems, Verona, Wis., a developer of EHR systems for hospitals and physician offices.
When it comes to exchanging healthcare information, Faulkner said, “state lines are artificial. A lot of care takes place across state lines.”
The economics of health information exchange organizations needs to be discussed, Faulkner said. One funding mechanism for HIEs “is to charge a healthcare organization and the other is to sell the data,” she said. “If we are to address their viability, then we need to address the selling of data to pharma and to research.”
“I guess there is a third way, and that is government sponsorship,” Faulkner offered.
Paul Tang, the physician co-chairman of the HIT Policy Committee, said, however, “We've ruled that one out.”
During the public comment period at the end of the meeting, privacy advocate Deborah Peel, an Austin, Texas, psychiatrist and founder of the Patient Privacy Rights Foundation, said the conundrum of protecting psychiatric patients' sensitive information while maintaining patient safety is a problem she's faced—and handled—throughout her 30-year professional career.
A lot of patients don't want their other physicians to know they are seeing a psychiatrist, she said, out of concern that their complaints of physical ailments will be dismissed as “that's in your head.”
The simplest and best way to protect a patient's privacy, Peel said, isn't creating complex situational rules or affording patients the choice to “opt in” or “opt out” of a network, but using technology to give patients full control over what information is or is not used, shared or exchanged.
“I think you are coming very close to the need to require that these systems segment their information at the patients' request,” Peel said. “We'll be able to teach them about the choices. No one should have to be all in or all out and have to forego the benefits of technology because they can't trust the system.”
“Internists are not stupid,” she said. “Cardiologists are not stupid. We don't need to destroy someone's privacy because they're too dumb to ask the right questions. As a practicing physician, I don't think technology has to solve all the problems. It's really important not to forget the way (medical) practice actually works.”