A substantial majority (61%) of respondents said the ban on patient data sales would have no impact on their organizations. Another 35% reported it would have a positive effect, while just 5% indicated it would have a negative effect.
“People need the right to choose,” Drew says. “So, I'm really happy that the CIOs and CEOs and the decisionmakers are saying this would have no impact or say it has a positive impact.”
Leaders' views on the breach notification requirements, which went into effect soon after passage of the ARRA, were more varied. Some 39% indicated that the breach law had no impact on their organizations, 36% said it had a negative impact and 22% said it had a positive effect.
The self-pay consent requirement would have no effect, according to nearly 44% of health leaders surveyed, while nearly 35% said it would have a negative effect and about 22% said it would have a positive effect.
A majority of survey respondents (55%) indicated stiffer penalties for HIPAA violations would have a negative impact, 35% indicated no impact and 8% a positive impact.
In one question about health information exchange, a substantial majority of leaders (nearly 63%) responded that their healthcare organizations obtain a patient's consent before they disclose that information outside their organizations—for example, to a health information exchange or regional health information organization, commonly called HIEs or RHIOs. Another 24% indicated their organization does not require patient consent to share patient information through an exchange, while 14% were unsure.
The survey also asked leaders which method patients should be able to use to manage their participation in an HIE or RHIO. A plurality (45%) selected opt-out, meaning that by default patients' information will be exchanged unless they take action to prevent it.
Some 17% of survey respondents supported opt-in—by default patients' information will not be exchanged unless they request it—and 18% indicated patients should have no choice, meaning their information would be disclosed as part of providing them care. Another 19% of respondents chose offering patients so-called “granular” consent, in which some parts of their records, particularly those involving more sensitive areas such as treatment for being HIV-positive or mental-health issues, could be controlled by the patient and withheld from exchange.
Drew argues that patients should be able to control whether their records are shared or disclosed with others, although that right has been undermined by commercial interests.
“The basic principle is that somebody's information should belong to them and they should have ultimate control over who buys and sells it and who should profit from it,” says Drew, who lives in Los Gatos, Calif. He says he has successfully sued several banks and credit-reporting agencies for violating state and federal fair-credit laws and has since launched the Eric Drew Foundation to assist seriously or terminally ill patients.