
Health Data Systems Need A Comprehensive Privacy and Security Framework

Contact: Brock N Meeks, CDT

(202) 637-9800 ext. 114
(703) 989-3547 (CELL)

WASHINGTON – The Health Privacy Project of the Center for Democracy and Technology today released a paper urging policymakers and the private sector to develop and implement a comprehensive privacy and security framework to govern the wide range of computer and Internet-based systems being created to share sensitive health information.

The CDT paper examines the key issues confronting the adoption of information technology in the health care field (“health IT”). It also outlines suggestions for crafting policies and business practices that will protect patient rights while facilitating the kinds of information sharing that can reduce costs and improve care.

Health IT has the potential to transform health care, improving quality and efficiency while empowering consumers to play a larger role in their own health care. However, survey research shows that the public has significant privacy concerns about the increased movement of health information electronically. Recent large-scale breaches of electronic health information underscore that the risks are real.

“Some have positioned privacy as an ‘obstacle’ to use of information technology in health care, but it’s clear that the opposite is true,” said Deven McGraw, director of CDT’s Health Privacy Project. “Enhanced privacy and security, built into health IT systems, will bolster consumer trust and confidence and spur a more rapid adoption of health IT, to the benefit of us all.”

CDT warns that health IT initiatives are moving forward either without addressing privacy at all or by taking a piecemeal approach. The CDT document makes the case that fully resolving the complex issues raised by health IT requires a more comprehensive and flexible approach. Although the scope of health IT encompasses a wide range of services and networks, policymakers and regulators don’t have to start from scratch in crafting a comprehensive privacy and security framework. Fair information practices (FIPs) that have helped shape privacy policies for decades, including the HIPAA Privacy Regulation, can be used as a blueprint for developing a framework to guide health IT, the report says. The report cites the Common Framework, developed by the Markle Foundation’s Connecting for Health initiative, as a good model.

Broad Approach Needed, Consent No Panacea

To date, much of the discussion about privacy and security has placed too much emphasis on patient consent. Consent, however, is no panacea. Patient consent should be part of a comprehensive privacy and security framework, but undue reliance on consent may actually undermine privacy and could interfere with disclosures necessary to provide health care.

“It is unrealistic to ask patients to make nuanced decisions about every possible use of their health data, particularly at a time when they may be least able to make sound, informed decisions – like when they are sick or injured,” McGraw said. The CDT report notes that a system that relies too heavily on consent is likely to lead to patients giving blanket consent to disclosure. Instead, consumers deserve an e-health system that incorporates restrictions on inappropriate uses of their health information and protects their safety through audit trails, technical safeguards, enforcement, and other policies in addition to notice and consent.

CDT calls on Congress to set the parameters of a comprehensive approach through legislation. In addition, the Department of Health and Human Services and the Federal Trade Commission should develop regulations tailored to respond to the unique issues raised by the diversity of entities connected through health information exchange.

The CDT policy paper also notes that health IT stakeholders need not wait for Congress to act on these issues. Instead states and entities developing health information exchanges and other health IT initiatives should all commit to adopting and implementing comprehensive privacy and security protections.

The challenge for policymakers today is to find the right mix of statutory direction, regulatory implementation, and industry best practices to build consumer trust in the emerging e-health systems and enable the widespread adoption of health IT.

HPP Policy Framework Document