The next steps for health IT

By early 2004, Eric Drew was supposed to die. His doctors thought he would.

So did Richard Gibson, who was an employee at the Seattle cancer treatment center where Drew had been a leukemia patient since the prior September.

Thinking the patient's death would cover his tracks, Gibson took home from work enough information about Drew to steal his identity and go on a credit-card shopping spree in Drew's name.

Unobligingly, though, Drew didn't die. So when the charges for Gibson's fraudulent purchases showed up on accounts Drew never opened, he and a local TV news reporter tracked down the culprit. In 2005, a U.S. attorney in Seattle put Gibson behind bars, the first person convicted of a criminal violation of the privacy rule under the Health Insurance Portability and Accountability Act.

But for Drew, it wasn't over. Gibson's escapade ruined his credit rating. Banks that issued the fraudulent credit cards to Gibson and the major credit-reporting agencies were either slow or spotty in removing payment delinquencies for Gibson's purchases from his record, Drew says. The stress from battling them and cancer took a toll.

“It was three years just getting the mess cleaned up, letters, phone calls,” says Drew, who survived after having two experimental cord-blood stem-cell transplants. “I lost two mortgage applications and then the real estate market collapsed, and all of this was an indirect affiliation with this one episode.”

From bitter experience, Drew is passionate about patient privacy. So he was both pleased and dismayed by the answers of healthcare IT leaders on six privacy-related questions in this year's Modern Healthcare/Modern Physician 2013 Survey of Executive Opinions on Key Information Technology Issues.

Congress passed the American Recovery and Reinvestment Act in 2009, providing a host of stringent privacy and security provisions, many of which were fleshed out in a 563-page final privacy rule HHS released in February.

In our survey, we asked healthcare leaders about four provisions of that rule and whether they would have a positive, negative or no impact on their organizations. We also asked two questions about patient-consent procedures involving health information exchanges.

The rule bans the sale of patient medical data; adds a breach notification requirement; partially restores patients' rights to control the disclosure of their medical records—if they pay for the care out of pocket; and provides much stiffer penalties—up to $1.5 million—for privacy or security rule violations under HIPAA. (These and some subsequent percentages do not equal 100% because of rounding or some respondents did not answer the question.)

A substantial majority (61%) of respondents said the ban on patient data sales would have no impact on their organizations. Another 35% reported it would have a positive effect, while just 5% indicated it would have a negative effect.

“People need the right to choose,” Drew says. “So, I'm really happy that the CIOs and CEOs and the decisionmakers are saying this would have no impact or say it has a positive impact.”

Leaders' views on the breach notification requirements, which went into effect soon after passage of the ARRA, were more varied. Some 39% indicated that the breach law had no impact on their organizations, 36% said it had a negative impact and 22% said it had a positive effect.

The self-pay consent requirement would have no effect, according to nearly 44% of health leaders surveyed, while nearly 35% said it would have a negative effect and about 22% said it would have a positive effect.

A majority of survey respondents (55%) indicated stiffer penalties for HIPAA violations would have a negative impact, 35% indicated no impact and 8% a positive impact.

In one question about health information exchange, a substantial majority of leaders (nearly 63%) responded that their healthcare organizations obtain a patient's consent before they disclose that information outside their organizations—for example, to a health information exchange or regional health information organization, commonly called HIEs or RHIOs. Another 24% indicated their organization does not require patient consent to share patient information through an exchange, while 14% were unsure.

The survey also asked leaders which method patients should be able to use to manage their participation in an HIE or RHIO. A plurality (45%) selected opt-out, meaning that by default patients' information will be exchanged unless they take action to prevent it.

Some 17% of survey respondents supported opt-in—by default patients' information will not be exchanged unless they request it—and 18% indicated patients should have no choice, meaning their information would be disclosed as part of providing them care. Another 19% of respondents chose offering patients so-called “granular” consent, in which some parts of their records, particularly those involving more sensitive areas such as treatment for being HIV-positive or mental-health issues, could be controlled by the patient and withheld from exchange.

Drew argues that patients should be able to control whether their records are shared or disclosed with others, although that right has been undermined by commercial interests.

“The basic principle is that somebody's information should belong to them and they should have ultimate control over who buys and sells it and who should profit from it,” says Drew, who lives in Los Gatos, Calif. He says he has successfully sued several banks and credit-reporting agencies for violating state and federal fair-credit laws and has since launched the Eric Drew Foundation to assist seriously or terminally ill patients.

“What if somebody steals my identity, goes into a hospital, accesses my medical records and gets a bunch of treatments and it ends up on my medical records?” Drew asks. “What if they're allowed to sell it?” If so, he says, the potential exists that erroneous, possibly life-threatening records could be sold and resold. If that happens, “the tracing is infinite and you can never get things cleaned up,” he says.

In filling out his IT survey questionnaire, Doug Torre, vice president and chief technology officer of North Shore-Long Island Jewish Health System, Great Neck, N.Y., indicated that all four HIPAA provisions would have a negative impact on operations at his organization, but Torre says his objections were “at kind of the global level.”

The ban on selling patient data, for example, “would not cause my health system a problem at all,” he says.

“There are absolutely good reasons for a lot of this,” Torre says, adding, “The reason I came out on a side, they all have potential to add complexity and overhead. That's the challenge that all of us in the technology sector have to manage, all that complexity.”

Dr. Neil Kudler, vice president and chief medical information officer at Baystate Health, Springfield, Mass., says he has switched his consent management preference. On the survey, Kudler, an HIV treatment specialist, chose granular consent when he filled out the survey, which was sent out in November.

“At the time, I think I was putting myself in the position of the patient, who might want to have those control levers,” Kudler says. But in the months since, having worked on linking Baystate to a HIE, he says he “can't really support” that position and now favors opt-in.

“Our heads have been spinning over this,” Kudler says. “We're trying to abide by the regulations and do what's best for our patients.”