While much of the federal privacy focus is on HIPAA, in the U.S., “what we're really talking about is a mosaic of policies,” says Ioana Singureanu, a health IT standards development consultant with her own firm, Eversolve, in Windham, N.H.
Singureanu has been a member since 1997 of Health Level Seven, a prominent healthcare IT standards development organization. Most recently, she's been working with HL7 on developing guidelines for electronic patient consent directives for EHRs and data exchanges.
While HIPAA places a privacy floor under both the states and the federal government, “the floor has to be raised, that's quite clear,” Singureanu says. “If you raise the floor, then you can make this mosaic a little bit more manageable.”
But reliance on policies as the sole protector of individual privacy won't work, either, she says. Technology itself needs to be brought to bear to create tools to aid providers in enforcing those publicly evolved privacy policies. “I think the systems of the future will have to be more proactive, to prevent you from doing what you're not allowed to do by policy,” she says.
“The technology exists already to protect certain information that meets specific criteria,” she says. “That's not too different than the quality measures that people are being asked to collect automatically. The challenge is to formulate rules in such a way that they actually live up to the spirit of the policy.”
Singureanu says Australia and the Canadian province of British Columbia, as well as the U.S. Veterans Affairs Department's health system, all “have some sort of form they use to record your preferences. These are in use now.” Other countries also do well in providing technologies for patients to revoke previously given consent, she says.
IT-enabled privacy protection functions need to be included in EHR certification criteria and their use made part of the meaningful-use criteria under the stimulus law's EHR incentive program, she says.
Kenneth Goodman, professor of medicine and philosophy and the director of the bioethics program at the University of Miami, says he sees HIPAA as part of the health IT furniture.
“Is HIPAA a good place to start for moving into the new world of ubiquitous IT?” Goodman asks. “It better be. Because starting over isn't a practical or politically viable option. I'm sure if the framers of HIPAA would have do-overs, they'd do it differently. I believe that HIPAA can be improved. It's the best we've got.”
Goodman co-authored an article on ethics, policy, EHRs and biobanking published in February in Science Progress, an online science and policy magazine of the liberal Center for American Progress, a Washington-based think tank. In it, Goodman argues that individuals have an obligation to provide access to their healthcare information for the public good and that society has both a right and a duty to use that information to improve community health.
A new challenge will be to regulate against the abuse of data outside the scope of HIPAA. “You encounter personal health records, where people put their health information on a cell phone, or on Google and Microsoft, and Google and Microsoft are not covered entities. We need to figure out what the privacy framework is for personal health records and other sharing of personal information.”
Deborah Peel is the practicing psychiatrist who founded the Patient Privacy Rights Foundation in Austin, Texas. To Peel, the HIPAA paradigm is obsolete and inadequate and needs to be replaced.
“You can't draw a fence around who has sensitive health information,” Peel says. “It might have made sense 20 years ago, but it is a model that doesn't fit the realities of today. It's based on an anachronistic view of the healthcare system, as if it's totally separate from everything else in business and in life, and if technology has taught us anything, it's that that's not effective.”
Peel also says the 42 CFR Part 2 framework should be applied to all patient data. “Healthcare information, because of the Internet, is everywhere; therefore, the protections must follow the data,” she says. “If we don't say a damn word about social media and websites and the rest, we lose because that information is out there in all of those places.”
Mark Rothstein, a lawyer and the director of the Institute for Bioethics, Health Policy and Law at the University of Louisville (Ky.) School of Medicine, says he's been “a proponent of comprehensive privacy legislation for a long time, which we don't have, and nobody's talking about this. What I mean by comprehensive is we don't have it limited to a group of three covered entities. It applies to everyone who accesses and uses private health information.”
But Rothstein, who served as chairman of the subcommittee on privacy and confidentiality of the National Committee on Vital and Health Statistics, an advisory committee to HHS, from 1999 to 2008, concedes that major legislative changes to the HIPAA paradigm, as much as they are needed, are unlikely.
One lesser change Rothstein suggests would be helpful is to add to HIPAA the right of an individual to sue a privacy violator in federal court. “It would certainly act as a deterrent to wrongdoing,” Rothstein says. “The wrongdoers would be at risk from civil judgment. Now, all you have to do is promise not to do it again, if it gets that far.”
“The other thing we ought to take a look at is the nonconsensual using of discarded information,” Rothstein says.
Consent is key, according to Rothstein, who cited the Texas cases in support of his argument. “One mother sued, and as a result of the lawsuit, 5.3 million blood samples were destroyed,” Rothstein says. A state law passed in the wake of the uproar gave parents the right to opt out of the collection program. “Since then, the opt-out rate is only 3%,” Rothstein says. “But they want to be asked.”
Pam Dixon, the founder and executive director of the World Privacy Forum, says HIPAA is only “a beginner framework” that “we've grown out of now.”
“There has to be an entirely new approach and it has to start with governance,” she says. Dixon, who has served as a member of the state-chartered California Privacy and Security Advisory Board since 2008, says the U.S. needs to create the position of a national data commissioner on privacy with broad authority across all industries, not just healthcare. “We're the only industrialized country that doesn't have this.”
One of the clearer windows on Internet-based threats to personal privacy is the case of social media site PatientsLikeMe confronting market researcher Nielsen.
“Nielsen posed as a depressed patient, and then they turned on a computer once they were logged in,” says Jamie Heywood, co-founder and board chairman of PatientsLikeMe. What Nielsen gathered while there was “data that was available to the community—to 70,000 people,” he says. But the point, according to Heywood, is Nielsen didn't ask, it took.
“When we sell our data, we contractually require our clients to do certain things,” he says. “They can't re-identify the data. We feel we have a moral contract with our customers to make the world better. What Nielsen did was they went in and took data that was available and sold it with none of the restrictions that we work under. So we stopped them. We sent them a cease-and-desist letter. They broke a legal contract when you sign on to our site.”
Nielsen spokesman Matt Anchin, in response to questions about the company's doings on the PatientsLikeMe website, says the activities were conducted by a Nielsen service called BuzzMetrics. Anchin would not say who, even by the type of industry, uses BuzzMetrics data, or for what purpose. “We became aware of it and we stopped it,” Anchin says.
“There is no such thing as de-identified data any longer,” Heywood says. “Anyone who has a state, age and gender and a couple of diagnoses is pretty much identifiable to every doctor and insurance company.”
Editor's note: This is an expanded version of the story published in the Nov. 22, 2010, issue of Modern Healthcare.