Privacy--Get Over It?
“You have zero privacy anyway. Get over it.” I'm not defending this quip by the master quipster, founder and former CEO of Sun Microsystems, Scott McNealy, but is this the de facto consequence of the mad dash to implement EHRs and HIEs?
Lately, my e-mail inbox is full of stories about hospitals fined for what looks like minor breaches of patient privacy. In one case, a California hospital was dinged $25,000 for two employees accessing three patients’ health information. Fines for more “egregious” breaches have been higher.
Really, how in the world can a medical facility ensure that there will be no unauthorized viewing of health information given the state of EHRs’ internal data privacy, and given the fact that much of this information is now being more widely distributed via HIEs? Clearly, busting employers on a HIPAA beef is not working to prevent employees from accessing or leaking out personal health information.
I suppose the first question is: Do patients really care about keeping their health information private? One would think so based on the way the public reacts to stories about the information that they voluntarily post on Facebook getting out. But on the other hand, physicians, HIE advocates, and the government would like to have all information about the patient readily available to assist in diagnosis and treatment.
So who decides how much information is open to whom?
And is it possible to provide more granular access to patient information, restricting just what information goes to which interested party, with that access controlled pretty much completely by the patient?
The answer to the second question is, of course.
We do this every day with our financial information. We gladly hand over our credit card to a waitress anywhere in the world in order to get an authorization to charge the restaurant bill to the card. When we lease or finance a car, we permit a one-time access of our credit history and credit score for the dealer. My county property tax records are online. Anyone can easily see how much property tax I pay each year, but not what I had for dinner or how I paid the taxman (check, credit card, or cash). We do not permit the real estate agent, car salesman, or waitress to roam about in our financial records freely.
There is a well-defined set of discrete transactional access paths to our financial information and we restrict the access to these paths to certain individuals and institutions for a specific time period for a specific use.
Why can’t we do the same thing with our health information?
We might be OK with pretty much everyone knowing what we are allergic to. We certainly want the health insurance company to get sufficient information to pay the claim (most of the time). We might want to restrict information about our orthopedic work to our primary care doc and the orthopedist who did the work, but not share it with a clerk at a different orthopedist office who may be in the same HIE. A patient may want to restrict mental health records to only the psychiatrist who treats them and no one else.
There is a solution. There is a considerable amount of standards work, reference models, demonstration products, and a handful of software companies with technology for sale that enable patient controlled consent over just what health information gets out and where it goes.
For those specifically interested in healthcare consumer privacy and consent management, the May and June presentations to the Privacy and Security Workgroup are enlightening.
The May meeting lays out the consent management model in detail. Click here for the PowerPoint document that explains the model. The June meeting shows an example implementation at the Veterans Administration (click here). And for those interested in all the gritty details I would point you to the HL7 collaborative care model page as a starting point.
In the patient-controlled consent model, information sharing is done via well-defined XML documents, if the patient consents. This is similar to, but much more modern and flexible than, current EDI and other financial transaction and information transfers--very secure, discrete, and comprehensive.
Given the fact that there are so many EHRs, and more and more HIEs already deployed, probably the path of least resistance is to use service-oriented architecture design principles and technology, with consent management software, on top of the current EHRs and HIEs, and restrict the “browser” mode to a very small subset of health providers, and of course, subject to the patient’s wishes.
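To make the idea of discrete access paths (a specific party, for a specific use, for a specific time) concrete, here is a minimal default-deny consent filter of the kind that could sit in front of an existing EHR or HIE. It is an added illustration, not code from the HL7 model, the VA implementation, or any vendor product; the `Grant` fields, party names, and record categories are hypothetical and the sample data is constructed from the article's own examples.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:
    category: str                       # slice of the record, e.g. "orthopedic"
    grantee: str                        # party id, or "*" for any exchange member
    purpose: str                        # stated purpose of use
    expires: Optional[datetime] = None  # None = valid until the patient revokes it

def is_permitted(grants, requester, category, purpose, now):
    """Default deny: release only if an unexpired grant matches all three fields."""
    return any(g.category == category and g.purpose == purpose
               and g.grantee in ("*", requester)
               and (g.expires is None or now < g.expires) for g in grants)

def disclose(record, grants, requester, purpose, now, audit):
    """Return only the consented categories; log every decision, denials included."""
    released = {}
    for category, data in record.items():
        ok = is_permitted(grants, requester, category, purpose, now)
        audit.append((now.isoformat(), requester, category, purpose,
                      "release" if ok else "deny"))
        if ok:
            released[category] = data
    return released

# Constructed sample data mirroring the article's examples (all names hypothetical).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
RECORD = {"allergies": "penicillin", "claims": "visit billed 2024-01-10",
          "orthopedic": "knee arthroscopy", "mental_health": "therapy notes"}
GRANTS = [
    Grant("allergies", "*", "treatment"),
    Grant("claims", "insurer", "payment"),
    Grant("orthopedic", "primary_care", "treatment"),
    Grant("orthopedic", "orthopedist_a", "treatment"),
    Grant("mental_health", "psychiatrist", "treatment"),
    # Time-boxed access, like a one-time credit check: lapsed on 2024-01-01.
    Grant("orthopedic", "orthopedist_b", "treatment",
          expires=datetime(2024, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    audit = []
    print(disclose(RECORD, GRANTS, "orthopedist_b_clerk", "treatment", NOW, audit))
    print(disclose(RECORD, GRANTS, "insurer", "payment", NOW, audit))
    print(*audit, sep="\n")
```

Because every request, including each denial, lands in the audit list, the same layer that enforces consent also produces the access trail needed to investigate unauthorized viewing.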
Of course it would be better to build this technology into EHRs and HIE from the get-go, but that is probably not going to happen anytime soon.
Adding patient consent and tracking to health information privacy and sharing may slow down the implementation of EHRs and HIE--and raise the cost, but until we fix the core privacy issues with EHRs and HIEs we are probably going to live in the world of McNealy’s admonition. Get used to it.
Rob Tholemeier is a research analyst for Crosstree Capital Management in Tampa, Fla., covering the health I.T. industry. He has over 25 years’ experience as an information technology investor, research analyst, investment banker and consultant, after beginning his career as a hardware engineer and designer.