CDT Issues Comments on PCAST Report
Yesterday, CDT issued comments to the Dept. of Health and Human Services Office of the National Coordinator (ONC) on a report from a White House advisory council that outlines a vision for achieving a digital health care system. The report – authored by the President’s Council of Advisors on Science and Technology (PCAST) – makes several technical recommendations to enable the electronic exchange of health information. Although the PCAST report offers a compelling direction for the national effort to modernize the health care system with health IT, the PCAST report does not address some of the important policy questions that should guide technological choices.
The PCAST Report
One major recommendation in the PCAST report is metadata tagging. PCAST envisions affixing standardized, mandatory metadata tags to individual elements of health data. The metadata tags are essentially annotations that are tethered to the health data and contain information about the health data. According to PCAST, the metadata tags would include attributes of the health data, such as where the data was created, and also any privacy permissions the patient applied to the health data.
A second major PCAST recommendation is establishing a means for indexing, searching and controlling access to health data through an exchange network. The service – termed the data-element access service (DEAS) – would enable providers and health care institutions to run queries on patients and health data – akin to a web search engine, but with more restrictions on access to the search results. According to the PCAST report, the role of a DEAS user (i.e., primary care physician) and patients’ privacy preferences would largely determine access to the indexed health information.
PCAST made other recommendations and also provided a brief summary of health IT efforts to date. For more on the content of the PCAST report, check out our earlier blog post or the PCAST report itself.
CDT Comments
The PCAST report makes sweeping technical recommendations, but leaves a number of important policy questions unanswered. CDT’s comments urged HHS to let policy goals guide technology choices – not the other way around. An effective health information exchange system will require an infrastructure that promotes trust among the exchange participants, including patients and health care providers. That infrastructure needs not just technology, but also clear legal requirements, incentives for appropriate sharing and accountability for noncompliance.
Although PCAST refers to the importance of a comprehensive framework of privacy and security protections, the report focuses a great deal of its brief discussion of privacy issues on patient consent. Specifically, a chief privacy protection would be patient consent directives communicated through the metadata tags. As CDT has stated in the past, overreliance on patient or consumer consent is ultimately bad for privacy. This is especially true at the granular level contemplated in the PCAST report. Even medical professionals have great difficulty understanding the increasingly complex flow of health data, and most patients are unlikely to have enough time and expertise to provide meaningful consent to all future uses of all their data. CDT urged HHS to explore how to leverage metadata tagging to enforce patient consent choices in areas for which the law already requires consent, such as for marketing and certain sensitive data categories, but HHS should continue developing privacy protections incorporate the full complement of Fair Information Practices.
PCAST’s proposed DEAS also faces some practical challenges. The PCAST report appears to give DEAS users automatic access to data if the users have the appropriate role and authentication credentials (and their access is not blocked by patient privacy permissions). Yet, health care institutions are unlikely to be comfortable automatically sharing data with uses that they don’t necessarily know or trust. Furthermore, like any search engine, a query to the DEAS is likely to generate false positives – unnecessarily exposing health data. One important way to mitigate both concerns is to give data holders some control over whom they share their data with. Data holders have a strong role to play in correctly matching patients to their data and can thus help eliminate false positives. This also would enable data holders to share data based on the trusted relationships that patients and providers have built through compliance with legal requirements and sound business practices – strengthening the incentive for exchange participants to remain accountable for their uses of patients’ health data.
A Path Forward
Aside from the reservations described above and in CDT’s comments, there is a lot that is quite positive in the PCAST report. PCAST recommends several good database design principles to improve data security, including strong encryption. PCAST rejects the concept of a universal patient identifier, as well as centralized repositories of health information. PCAST should be applauded for its leadership in promoting health information exchange. We look forward to working with ONC as it considers how to implement the PCAST’s recommendations. PCAST supplied a description of the available technological tools, and now it’s time to apply those tools to the policy goals of safeguarding patient privacy and improving quality of care.