The HIT Policy Committee and the HIT Standards Committee were created last year under the authority of the American Recovery and Reinvestment Act of 2009. Their charge is to advise the Office of the National Coordinator for Health Information Technology at HHS on health IT matters. In June, ONC quietly furloughed two privacy and security work groups, one from each committee, replacing them temporarily with what was presumed to be one smaller and more-nimble privacy and security “tiger team.”
The team, in presenting its report Wednesday to the HIT Policy Committee, asked the committee to vote on whether it was moving in the right direction with its recommendations.
Tiger team co-chair Deven McGraw said the full committee would have at least two more shots at reviewing and voting on the tiger team's recommendations when a second package of recommendations is presented in August and a wrap-up version of all recommendations is made in September.
The HIT Policy Committee unanimously approved the tiger team's presentation, but a couple of committee members did so only with the caveat that they would get a subsequent vote.
One key tiger team recommendation is that providers—given their relationship with patients, which the tiger team called “the foundation for trust in health information exchange,”—be “ultimately responsible for maintaining the privacy and security of their patients' records” even though providers “may delegate certain decisions related to exchange to others,” including IT partners such as health information exchange organizations and IT vendors.
Another tiger team recommendation is that "patient expectations" be considered when developing policies about how personal healthcare information will be used and shared so that patients will "not be surprised to learn what happens to their data."
Several committee members during the presentation emphasized the need for the federal government to step up and develop a system to help educate patients about the benefits and risks of health information exchange, noting the burden to do so should not fall solely on providers.
Regarding patient consent for the movement and use of their healthcare information, the tiger team presentation focused on the exchange requirements providers must meet to achieve meaningful use of electronic health records under the stimulus-law subsidy program for health IT.
The tiger team also limited discussion to the broad, binary default choices of either opting in or opting out of information exchange. Under the opt-in model, patients would have to give their consent to having their medical records exchanged (with possible exceptions under emergency circumstances when the patient is unable to provide consent). Under the opt-out model, by default, patient records automatically would be exchanged unless the patient took affirmative action not to authorize such exchanges.
It was regarding the choice between opting in and opting out that the tiger team failed to reach consensus on its recommendation.
One group thought that providers and health information exchange organizations should be free to decide whether to adopt an opt-in or an opt-out model. The other group felt “very strongly” that opt-in should be required, McGraw said.
HIT Policy Committee member Gayle Harrell, who also serves on the privacy and security tiger team, was so committed to a position favoring opt-in that she distributed a single-page white paper she had authored titled “ 'Opt In': the Only True Choice Which Empowers Patients and Preserves Our Values.”
“We need to be making decisions based on an objective and realistic assessment of the risks and the legal protections in place for patients," Harrell wrote. "The fundamental right of privacy should determine the architecture of the system to be used and the policy that formulates it. Technology must be used to preserve our values, and be determined by them—not the other way around.”
At the meeting, acting as a HIT Policy Committee member, Harrell voted in favor of accepting the tiger team's recommendations but noted that the issue of opt-in versus opt-out was unresolved.
“Being the author of that document, I would like to defend it,” Harrell said. “I truly believe we have a constitutional right to privacy in this country. It has also been upheld vigorously in our courts. There is nothing more private than your health information, and once your health information has been divulged, there is no way to retrieve it. There is no way an individual can be made whole if sensitive information has been divulged. People have a constitutional right to that and we in our policy recommendations need to make it very clear.”
Harrell said there needs to be some allowances made for overriding a patient's refusal to permit his or her information from being used or exchanged, citing so-called “break the glass” instances in emergencies, but otherwise, “we have to make sure there is real choice.”
HIT Policy Committee member and New York physician Neil Calman, president and CEO of the Institute for Family Health, said that he heard Harrell's constitutionality concerns but that as a practical matter, opt-in is unrealistic.
“I have 100,000 patients in our network,” Calman said. “How many years is it going to take them to get some time to sit down and explain to them who has access to their information?” Calman asked.
He likened the prospect of dealing with new information-exchange consents to providers' experience when the Health Insurance Portability and Accountability Act of 1996 privacy consents were announced.
“We're going to be handed millions of pages of paper and they're going to sign off on them in a split second while people are shuffling them into an exam room,” Calman said. “I really believe it has to be an opt-out process.”
Basically, Calman said, physicians should be able to tell patients this is how they do business, and that includes information exchange. “Their way to opt out is to tell them not to come to our practice,” he said. “If you don't want to be part of that process, you can't get care in one of our centers.”