Privacy Group Testifies on Patient Data Matching

Initial findings from the Office of the National Coordinator for Health Information Technology on ways to match patients with their data do address problems with current HIT systems and data exchanges, notes advocacy organization Patient Privacy Rights.


But there isn’t much else in the findings that the organization agrees with. In testimony at an ONC public meeting in December, PPR noted that “the findings address today’s problems without anticipating where we will be tomorrow; they did not foresee that the HITECH Act and meaningful use requirements can be used to resolve many of today’s problems without patient identity and patient matching.”

The findings—or ideas that merit more consideration—rely on mandating standardized identifying attributes and capturing the attributes in certified IT systems, as well as developing a series of best practices for the matching process and data governance, keeping information current and accurate, and verifying patient attributes.

These initial findings, Patient Privacy Rights contends, missed the opportunity to create and leverage genuine patient engagement in controlling their medical information. The organization envisions a health care environment evolving over the next few years where patients and physicians become full participants in health I.T. and data exchange.

“Today, the nation’s sensitive health records are exchanged by hundreds of hidden users without meaningful informed consent,” according to the PPR testimony. “Health technology systems violate our federal rights to see who used our data and why. Despite the federal right to accounting of disclosures—the lists of who accessed our health data and why—technology systems violate this right to accountability and transparency.” Conversely, meaningful patient engagement “will enable patients to fully participate in their health care and in electronic systems. Meaningful engagement will ensure they can access, control or delegate use and disclosure of PHI, and monitor all health data exchange automatically in real-time.”

Patient Privacy Rights calls for all health data holders and health data aggregators to operate as HIPAA covered entities. A non-inclusive list includes master patient indexes, record locator services, health information exchanges, health information organizations, prescription drug monitoring programs, health insurance exchanges, all-payer claims databases, pharmacies and prescription aggregators, clinical laboratories, medical imaging facilities, public and private health data research aggregators, state and national registries and health databases, and commercial data aggregators that collect and use PHI such as Acxiom and credit bureaus.

These health data holders, PPR contends, should provide notice of privacy practices, patient-controlled IDs that are voluntary, patient and physician portals, secure email between patients and physicians, automated real-time accounting of disclosures, right to electronic copies of PHI and Blue Button Plus technology to view, download and copy a patient’s own PHI.

Rather than focusing on findings that assess current industry capabilities, ONC and the industry should be looking at the near future, the organization asserts in its testimony. “The U.S. is moving toward far better patient identity systems where patients can have voluntary cyber-IDs that don’t reveal all of their attributes, and enable the use of multiple email addresses so sensitive data can be segmented to protect privacy.” The complete testimony is available here.
