Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for the 'Health Privacy' Category

Personal Health Records: Who Are You Going to Trust?

Friday, June 12th, 2009

Personal health records (PHRs) have the potential to move our health care system toward a more patient-centered model by enabling individuals to store and share copies of their health information. However, many consumers hesitate to use PHRs because of privacy concerns. These concerns are justified by the uncertainty that characterizes our current system: there are no consistent rules protecting PHRs, and there are arguably no national privacy and security standards governing PHRs provided by entities outside the coverage of the Health Insurance Portability and Accountability Act (HIPAA).

When doctors, hospitals, and health insurers (or their business associates) offer PHRs, the HIPAA Privacy Rule applies. When independent entities provide PHRs—like many of the ones available online—no substantive standards apply except that a company must comply with whatever privacy policy it creates or risk Federal Trade Commission (FTC) action. Unsurprisingly, a 2007 study commissioned by the Department of Health and Human Services (HHS) found many PHR privacy policies lacking.

A seemingly intuitive solution to the problem is to apply the HIPAA Privacy Rule to all PHRs. However, HIPAA was drafted to address the privacy issues raised by traditional health records, not consumer-oriented PHRs. The broad application of HIPAA could actually make personal health information less safe due to two major deficiencies.

Educating and Engaging Consumers in Health IT and Privacy

Friday, May 8th, 2009

The health IT movement is fast and furious. Paper-based health records are quickly moving online where health information can be collected, stored, and shared electronically.

Policymakers are aware of the movement – the federal government just committed $19 billion in the economic recovery legislation for health IT efforts. Providers for the most part are also in the know – they’ve either already embraced the technology, or will likely do so in the near future. But how clued in are consumers about health IT? Do they know what an electronic health record (EHR) is, or how their health information is used or disclosed? Likewise, do consumers understand health privacy laws and their protections under the law in the event their health information is misused? These are important questions to consider as we move forward; educating and engaging consumers about health IT and privacy is integral to building trust and, ultimately, the success of health IT.


Finding the ‘Meaning’ in Meaningful Use

Friday, May 8th, 2009

Congress committed billions to health IT as part of the American Recovery and Reinvestment Act of 2009 (ARRA), and the U.S. Department of Health and Human Services (HHS) has officially entered rulemaking season on the health IT provisions. Just two weeks ago, the agency posted guidance listing the technologies and methodologies that qualify as making protected health information “unusable, unreadable, or indecipherable to unauthorized individuals,” which is a critical component of the new breach notification provisions.

However, the talk lately has focused on defining the term “meaningful use.” What’s the significance of “meaningful use”? Well, it triggers $17 billion in Medicare and Medicaid incentives for the adoption of electronic health record (EHR) systems by eligible professionals (clinicians) and hospitals to improve the quality of health care and patient outcomes. While “meaningful use” is currently defined by ARRA in a loose manner (full text of the bill is available here, with criteria listed under Subtitle-A Medicare Incentives), it’s the core criteria (along with the other loosely defined term “certified EHR”) for determining whether or not clinicians and hospitals can collect these incentive payments. These payouts don’t begin until 2011, but with so many dollars at stake, it’s clear that these words need to be, well, more meaningfully, defined.


Personal Health Records – is HIPAA the Answer?

Tuesday, April 21st, 2009

There has been considerable discussion lately about whether the new privacy provisions in the economic stimulus legislation (the American Recovery and Reinvestment Act or ARRA) extend the coverage of the HIPAA privacy and security regulations to commercial vendors of personal health records (PHRs) any time they contract with a HIPAA covered entity. In a blog post today we argue that PHR vendors should be covered under HIPAA only under certain circumstances, such as when they are performing a function or activity on behalf of a hospital or physician. PHRs should be governed by a comprehensive framework of privacy and security protections, but HIPAA – which was designed to regulate the flow of information among entities in the traditional health care system – would provide inadequate privacy protection for records kept by or for individuals.

The blog post explains why the HIPAA privacy regulations, at least as they are currently structured, are inappropriate for protecting PHRs in most circumstances. The post also looks at other factors that should be taken into consideration in deciding when vendors of PHRs could (and perhaps should) be covered by HIPAA.

The post is part of a three-part series co-authored by Vince Kuraitis, J.D., M.B.A., Principal and Founder of Better Health Technologies LLC and David C. Kibbe, M.D., M.B.A., Principal, The Kibbe Group LLC.

HHS Nominee Sebelius Calls Health IT a “Linchpin” of Health Reform

Wednesday, April 1st, 2009

Kansas Governor Kathleen Sebelius, Obama’s nominee for HHS Secretary, expressed her commitment to health information technology Tuesday, calling it a “linchpin” of health care reform, during a confirmation hearing that buffeted her with questions on the issue.

Health IT was clearly a “hot topic” during Gov. Sebelius’ hearing; that emphasis stood in marked contrast to former Senator Daschle’s confirmation hearing when he was up for the job back in January. Daschle had widely promoted health IT at that time, and the issue was squarely on the table (the economic stimulus legislation was under consideration). Yet, members of the Senate Committee on Health, Education, Labor, and Pensions Tuesday took on a noticeably heightened interest in health IT during Gov. Sebelius’ hearing, probing her on her ideas for health IT and her understanding of the myriad issues surrounding its adoption and implementation.

Health IT All A “Twitter” During Health Affairs Event

Tuesday, March 10th, 2009

The nation’s preeminent health policy publication, Health Affairs, is holding an event today highlighting a series of major policy papers published in its latest issue. CDT’s Deven McGraw, director of the Health Privacy Project, will speak today about key points contained in one of those papers that she and several CDT colleagues authored for the peer-reviewed journal.

HPP’s paper describes a proposed privacy framework developed by the Markle Foundation’s Connecting for Health initiative that would incorporate key privacy principles. Those principles include specific network design features and oversight mechanisms to establish greater public trust in health IT.

The folks at Health Affairs will cover the health IT event live on Twitter. You can follow those updates by following the hashtag #HAHIT (health affairs health IT); you can search Twitter for that hashtag by clicking this link.

The Health Affairs communications staff will be sending “tweets” about speakers’ key points; linking to abstracts, news coverage, websites, or other relevant information online; and posting photos from the event.

Here’s how Health Affairs describes the current issue:

As the U.S. government prepares to embark on major new investments in health information technology, the latest issue of Health Affairs explores the benefits, challenges and potential risks of transforming the health care system through the use of IT. A series of papers and perspectives suggests that the gains could be real and dramatic – but are often not easy to achieve.

Despite the promises health IT offers, protecting the privacy of people’s health information is a major challenge to ensuring widespread adoption of health IT in the United States. Several papers in the March-April issue tackle the various debates over health information privacy, and offer potential solutions to this thorny issue.

Secretary Leavitt Announces New Privacy Principles, HHS Publishes Guidance

Tuesday, December 23rd, 2008

Last week, during a keynote speech to the National Health Information Network Forum here in D.C., Health and Human Services (HHS) Secretary Leavitt announced key privacy principles for electronic health information exchange, called The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. Leavitt hopes these principles will guide the actions of all health care related entities that participate in networks that electronically exchange patient health information. The principles in the new Privacy and Security Framework include: Individual Access; Correction; Openness and Transparency; Individual Choice; Collection, Use, and Disclosure Limitation; Data Quality and Integrity; Safeguards; and Accountability.

In tandem, HHS’s Office of Civil Rights also published new HIPAA Privacy Rule Guidance as part of a “toolkit” to implement the new framework of principles. The guidance provides some important clarifying information on how the Privacy Rule governs covered entities involved in electronic health information exchange. For example, the guidance clarifies that covered entities must enter into business associate agreements with HIEs and RHIOs when these entities are exchanging information on behalf of a covered entity (e.g. exchanging data for treatment purposes). The guidance also clarifies that personal health records offered to consumers by covered entities are covered by the HIPAA Privacy and Security Rules. However, the guidance merely encourages covered entities to adopt stronger privacy and security policies for electronic personal health information consistent with the principles in the new framework.

Health Data De-Identification Rules in Need of Update?

Thursday, November 13th, 2008

We’re heading into flu season, though we don’t yet know exactly when, where, or how hard the disease will strike. As the New York Times reported, this year Google may be able to help us predict outbreaks as much as a week to 10 days before the Centers for Disease Control and Prevention can. Google Flu Trends compiles individuals’ searches on flu-related terms from across the U.S. and creates visuals that show their volume and geographic source. As it turns out, those trends are closely correlated with actual outbreaks reported by the medical establishment.

Good news for syndromic surveillance, but is it good for privacy? Google Flu Trends assures us that its data “can never be used to identify individual users”. Perhaps. We would all rest easier if Google would be more transparent about how it assures that identification won’t happen. And such assurances are getting harder to back every day.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule includes guidelines on how to “de-identify” health data to protect personal privacy while enabling it to support social goods like improving the quality and safety of health procedures, public health, and medical research. But the Privacy Rule hasn’t kept up with the times, even though the authors’ intention was that it should evolve. For one thing, it doesn’t apply to Google… or a host of other companies and organizations that now access and use personal health data.

IG: Lack of Enforcement Places Health Information at High Risk

Tuesday, November 4th, 2008

Ineffective oversight has led to “numerous, significant vulnerabilities” in the system that safeguards electronic protected health information (EPHI), according to a government report released last week. In addition, the report found that the agency charged with oversight of HIPAA’s Security Rule had not conducted a single compliance review nor levied any civil penalties at the time of publication. The report also warned that poor enforcement has placed confidentiality of EPHI at “high risk.”

No wonder nearly two-thirds of Americans distrust the privacy of electronic medical records.

The Inspector General (IG) for the Department of Health and Human Services (HHS) issued the study on implementation of HIPAA’s Security Rule. The findings were alarming in what they suggested about the integrity of American medical records. The report also reinforced CDT’s repeated calls for stronger enforcement of the HIPAA Privacy and Security Rules.

National Dialogue on Health Information Technology and Privacy

Wednesday, October 22nd, 2008

Health information technology – including electronic medical records, electronic health information exchange, and personal health records – has the potential to dramatically improve our health care system. Survey data shows that the public clearly wants electronic access to their health information – both for themselves and their health care providers. At the same time, people have significant concerns about the privacy of their health information on-line. In one recent survey, 67% of respondents were either “somewhat” or “very concerned” about the privacy of their personal medical records.

The failure to address public concerns about the privacy of their health information could have significant consequences. Without appropriate protections for privacy and security in the healthcare system, patients will withhold information from their health care providers – or decide not to seek treatment – because of fears about how their personal health information could be misused. Ignoring concerns about privacy – or inadequately addressing them – will significantly threaten public trust in these new e-health technologies, and in our overall healthcare system.

Privacy concerns are often described as an “obstacle” to moving forward with health IT. In fact, the opposite is true. Building privacy and security protections into e-health systems is the key to accelerating the adoption of health IT.

Next week we have a unique opportunity to make our voices heard on the importance of protecting privacy in health IT, and what policies and technical tools need to be adopted in order to build public trust. Beginning October 27, and continuing throughout the week, advocates and citizens will engage in an on-line discussion about how we can use information technology to improve healthcare while safeguarding privacy.

Find out more by logging on to the National Dialogue Web site.

The results of this online dialogue will be compiled into a report to the Federal CIO Council and the incoming administration. This unique experiment in democracy is hosted by the National Academy of Public Administration, a non-profit, non-partisan organization focused on good government, in partnership with AmericaSpeaks and Delib. CDT will be logging on throughout the week to provide comments, and we encourage you to do the same.

About the Blog

PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
