Security and Privacy and Control… Oh My!

Just as it wouldn’t be The Wizard of Oz without “lions and tigers and bears, oh my,” so too it wouldn’t be a month in the healthcare world without an adequate dose of concern over security and privacy and control… oh my.

On July 22, the eHealth Initiative published a report titled “Migrating Toward Meaningful Use:  The State of Health Information Exchange, A Report Based on the Results of the eHealth Initiative’s 2009 Sixth Annual Survey of Health Information Exchange.”  Among the report’s key findings:

“For the first time in six years, initiatives identified ‘addressing privacy and confidentiality issues’ as the most pressing challenge they face, surpassing ‘developing a sustainable business model’.”

In one sense, that is tremendous news.  If HIEs are beginning to see their way to a sustainable business model such that it is not their top concern, it means that they are seeing a quantifiable benefit from HIEs against which they can favorably compare the cost.  Indeed, the report goes on to say that health information exchange can help reduce costs for a number of different stakeholders and that “hospitals and physician practices could see the greatest return on investment (ROI).”  Among the benefits reported are:

  • Reduced staff time spent on handling lab and radiology results
  • Reduced staff time spent on clerical administration and filing
  • Decreased dollars spent on redundant tests
  • Decreased cost of care for chronic care patients
  • Reduced medication errors

That’s pretty compelling stuff, but what is equally striking is the lack of benefit associated with patient participation in or through the HIE.  Of the 193 organizations (150 respondents plus 43 HIEs that reported in 2008 and are still active but did not report in 2009), only 14 have patient portals with 3 more in the planning stage.  No wonder that operating efficiencies, risk reduction, customer/patient satisfaction or improved health through improved communication with patients did not factor into the benefits.  We predict that consumer access to personal health information through or in collaboration with HIEs will see a significant advance in the next year—assuming privacy and confidentiality objections can be overcome.

Which brings us back to the question of security and privacy.

We completely agree with the position taken by Dr. Deborah Peel and the Patient Privacy Rights Foundation that “the potential benefits of electronic health systems cannot be realized unless Americans have confidence that ironclad privacy protections are in place for online health records, databases, and networks.”

However, the concerns and the solutions are not the same when comparing provider-centric health information technology with consumer-centric personal health records—at least not today.

When it comes to provider-side health information technology, including internal electronic medical record (EMR) systems and community-wide health information exchanges (HIEs), the consumer has very little control, if any at all, over his or her personal health information.  The consumer must rely upon the protections of HIPAA as well as various state and federal regulations for privacy protection.

Personal Health Records, on the other hand, give the ultimate control over personal health information to the consumer.  You decide not only what information should be in your record, but whether there should be a personal health record at all!!  If it don’t exist, it ain’t at risk, and that is the ultimate assurance of privacy.

Fundamentally, each of us must have the right to decide whether the risk of disclosing personal health information is greater than the benefit.  For a significant number, the risk of unauthorized disclosure of personal health information outweighs the benefit of having access to critical information at the time and place of need.  But for most of us, availability of information is the higher priority.  In an emergency, I want people to know my mother has Alzheimer’s disease.  I want them to know this is not some critical emergent condition that needs immediate testing and treatment.  Rather, it is just another day in our struggle with this terrible condition.  Frankly, my concern over the confidentiality of her personal health information is not a factor.

Even within a family, a father (like me for instance who is never ever going to get sick or die) can choose not to enter any medical information at all, while capturing as much information as possible about my mother.  It is my choice. I have control over security and privacy.

Ultimately, we would all like to have both availability of personal health information and absolute confidence in our privacy, and we’d like that dual assurance to apply to all of our personal health information wherever it resides.  With that objective, on July 21, a federal advisory panel, the Privacy and Security Workgroup, presented 37 technical standards to the Health Information Technology Standards Committee including a recommendation that consent management tools be implemented by 2015.  Consent management tools refer to software and legal policies that allow consumers to control access to their personal health information.

According to an article in Federal Computer Week, the recommendation to delay the effective date for consent management standards compared to other security and privacy standards reflects the levels of maturity of existing standards.  According to Steven Findlay, the work group’s co-chair, “The standards do not currently exist to do the complexity of consent management that we would like to see.”

We completely agree.  In the meantime, we expect to see big advances in consent management at least with respect to personal health records.  As for consent management applied to provider-side health information technology, that feels like it’s somewhere over the rainbow, while we’re still stuck back in Kansas.
