Patient Privacy Rights applauds Neal Patterson's call for "universally available" directed push and directed query. Universal availability includes the patient and any agent the patient selects as allowed by HIPAA.
Universal availability can best be achieved by allowing the physician and patient to control the endpoints for directed exchange. Anything less, such as technical restrictions on endpoints at the institutional or EHR vendor level, dilutes and frustrates the physician-patient relationship and can result in duplicate testing, delayed follow-up and reduced ability to detect medical errors.
At the January 29 HIE hearing, Patient Privacy Rights called for ONC guidance to make clear that Direct protocols, as required in Stage 2 Meaningful Use, give physicians the choice to accept self-signed patient certificates as a practical way to ensure that all patient-directed endpoints are accessible on the nationwide health information network.
We also applaud Mr. Patterson's testimony that: "As the volume of data interchange increases, we cannot continue to rely on statistical matches based on a highly constrained set of data elements," and his call for a shift to voluntary use of patient identifiers. However, Patient Privacy Rights believes that identifiers that are strongly linked to the patient, such as a driver's license or biometrics, are not voluntary because the patient cannot choose different identifiers in different circumstances in order to protect privacy.
It is critical to use IDs that protect privacy, not eliminate privacy. Truly voluntary patient identifiers should be patient-selected in the way we select among credit cards or email addresses in privacy-sensitive situations. For this reason, Patient Privacy Rights’ testimony at the Jan 29 hearings called for use of Direct secure email addresses, including addresses with self-signed certificates, as the preferred method of patient identification across institutions.
Patients who do not wish to use a Direct email should be allowed to use other credentials that are verifiably under their control and globally unique, if these arise in the future as a result of federal efforts such as the National Strategy for Trusted Identities in Cyberspace.
The right of patients to receive care anonymously is important and should not be arbitrarily restricted by health information exchange technology. This right is recognized in HIPAA when patients pay cash for their care, and it should not be undercut by health information sharing beyond the institution in situations such as e-prescribing. Patients seeking anonymous care within the limits of public health regulations must be allowed to share information on the network using the patient identifiers that they select if the identifier is acceptable to the other parties.