A key government advisory panel on healthcare information privacy continues to wrestle with how much—if any—control patients should have over the use and movement of their electronic health records.
Patient consent for movement and use of records “is absolutely a part of this framework,” said Deven McGraw, chair of the Privacy and Security Workgroup of the Health IT Policy Committee. Still, patient consent should not be the linchpin of healthcare information privacy, she argued at the committee’s May 19 meeting, “because then you’ve asked the patient to bear that burden.”
The privacy and security work group made three recommendations to the committee:
Construct specific privacy and security-protection policies and technologies in all forms of electronic health-information exchange, and implement principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which was issued in the waning days of the George W. Bush administration.
Encrypt messages, even in one-to-one information exchanges, and limit the potentially identifiable information used both to identify patients and their records and in electronic communication.
Enforce these “strong” new policies so that there is no need for “any additional individual consent beyond what is already required by current law.”
The last recommendation would leave a lot of latitude for data-sharing without patient consent.
In December 2008, the Office of the National Coordinator for Health Information Technology at HHS issued its 12-page National Privacy and Security Framework, the plan the work group says should be implemented. It defines privacy not as a patient’s right to control the movement of his or her medical information, but rather as “an individual’s interest in protecting his or her individually identifiable health information.” In 2006, however, the National Committee on Vital and Health Statistics, in a list of 26 recommendations, defined health information privacy as “an individual’s right to control the acquisition, uses or disclosures of his or her identifiable health data.”
The role of patient control and consent—whether it is a right or merely an interest—remains unresolved. The issue is important because under a 2002 revision of the privacy rule under HIPAA, the federal government overturned the consent requirement in the original rule and provides “regulatory permission” for disclosure of patient information without consent for treatment, payment and a broadly defined catch-all category of “other healthcare operations.” Some states, whose more-stringent privacy laws pre-empt HIPAA’s provisions, still require patient consent for certain types of record-sharing, such as lab test results; some, such as New York, do so even for treatment.
McGraw said the work group began its discussions by focusing on consent but found quickly that consent “is just one piece of a bigger puzzle.”
Even if patients are fully empowered to make decisions about controlling the use of their medical information, she said, “Just what kind of a decision is that if there is a fair degree of uncertainty about how exchange is going to operate and who can access data and for what purposes?”
If consent were deemed to be “your one and only or most important protection, you might end up with individuals essentially bearing the burden of protecting their own privacy through the decisions that they make about whether to participate,” McGraw said.
For example, the ONC is supporting development of NHIN Direct, a lightweight version of the proposed national health information network.
According to McGraw, NHIN Direct contemplates peer-to-peer movement of patient information between providers, as in a computerized transfer of a referral letter from one physician’s electronic health-record system to another’s. In more-sophisticated forms of exchange, as in the transfer of data to a state or regional health-information organization, the risk of privacy loss is heightened from the patient’s perspective.
“We have such a plethora of potential (data-exchange) models out there that grappling with this from a policy standpoint is incredibly challenging,” McGraw said. “We don’t think what we have in current law today adequately addresses the activities of these exchange facilitators.”
And that, she said, “led to some great difficulty coming to some resolution on the issue of consent.”
McGraw said the work group adopted as a “touchstone” to guide their discussions what she described as the “Paul Tang principle,” which is, “What would a reasonable patient expect?”
McGraw said the principle was named for the physician informaticist and chief medical information officer of the Palo Alto, Calif., Medical Foundation, who serves as vice chairman of the Health IT Policy Committee and is a member of the privacy and security work group.
“One of the places where we quite often fall down is transparency,” she said. “Patients often don’t know what’s done with their data, who has access to it and for what purposes. There is a sense that, when you have that direct, one-to-one exchange, it’s more consistent with what the patient expects versus a more robust query/response system, creating separate databases, or lack of strong protections on what the entities in the middle can do with the data.”
In applying the Tang principle to these latter forms of exchange, McGraw said, “You can see where the patient expectation test is telling you, we’re straying into territory that is well beyond what many reasonable patients would expect and we have a responsibility to meet that with a strong set of policies in order to build trust and create a set of circumstances where what patients expect is in fact what we’re doing.”
Source: ModernHealthcare.com