Yesterday, the White House released an important report on health information technology. In the report, the President’s Council of Advisors on Science and Technology (PCAST) – an advisory group of scientists and engineers appointed by the President – made several recommendations intended to make it easier to exchange health information from one health care system to another. Among the report’s recommendations is an approach that would apply a universal language for exchanging health data and would tag health data with certain information, including patient privacy preferences.
The PCAST report comes while a multi-year government program is underway to encourage health care providers to adopt electronic health records (EHRs). The program subsidizes providers’ purchase of EHR systems if the provider can demonstrate ‘meaningful use’ of the system. Providers who decline to adopt and make meaningful use of EHR systems face a penalty in the form of decreased Medicare and Medicaid reimbursements. Despite these incentives, however, the PCAST report states that exchange of health data between institutions is hampered by incompatible and proprietary systems, holding back the full potential of health IT to improve patient care and making it more difficult for innovators to create health data applications for patients’ personal use.
To overcome this interoperability problem, the PCAST report recommends a universal exchange language using tagged data. Under the proposal, EHR systems could conceivably retain health records in any format – so long as they can send and receive the records in the agreed-upon universal language (PCAST recommends XML). Each record would be annotated, or tagged, with metadata that gives context to the records. The metadata contains information that helps health care providers locate the record (such as when the record resides in another provider’s system) and confirm its origin. The metadata also contains relevant privacy protection information (such as who may access the record and for what purposes).
While the report acknowledges that patient consent is an important component of privacy protection, PCAST emphasized that real privacy requires comprehensive privacy and security protections that set clear rules on how patient data can be accessed, used and disclosed. PCAST listed privacy as a key advantage to its approach in part because data tagging can help restrict access, uses and disclosures of the record to those authorized by law and by any applicable patient preferences. According to PCAST, data tagging would also enable patients’ privacy choices to apply to particular records and make it easier for those choices to be honored over time and across institutions. This is in contrast to the clumsier all-or-nothing approach to health privacy common to health information exchanges: patients often must choose to have all their data exchanged electronically or none of it.
PCAST recommends several design principles to improve data security. Each health data element should be encrypted while it is stored and while it is being exchanged over networks. Metadata should be subject to a different form of encryption, so that parties can sometimes access only the metadata while being restricted from viewing the underlying record. PCAST recommends never storing the encryption key on the same computer system as the encrypted data, making it considerably more difficult for an unauthorized party to decrypt the information.
Our initial reaction to the PCAST report is favorable. PCAST’s proposal does not require a universal patient identifier, nor does it require a centralized repository for health information (something CDT has argued against recently). We are also pleased to see PCAST recommend an approach to privacy that manage uses and disclosures of health records without shifting the burden for privacy protection onto individual patients.
PCAST has called on the Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services to take the lead in implementing the report’s recommendations, such as by establishing the universal data language. HHS has taken the first step in this direction by releasing a request for information on the PCAST report yesterday. Based on comments by HHS Secretary Sebelius and the National Coordinator for health IT, Dr. David Blumenthal, HHS will be pursuing PCAST’s recommended approach in future programs. It will take more time and discussion to be clear, but the PCAST report may be a turning point in the development of a digital health care system in the United States.