Last week, I summarized the findings of the Health and Human Services Health Information Technology Policy Committee Privacy and Security Tiger Team (Tiger Team).

As a reminder, their charge was to “make short-term and long-term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and efficiency, particularly as related to the American Recovery and Reinvestment Act (ARRA) of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Their findings were put out for public comment April 11 – May 11, 2011. Below is a series of excerpts from the comments which represent the major points of discussion. The full set of comments can be viewed on the HHS Federal Advisory Committee Blog.

  1. There should be a health industry discussion on general tracking and accounting of disclosures. ARRA-HITECH proposed rules have not been released and there has been little industry discussion regarding how disclosures can be tracked, especially in larger organizations where disclosure may occur. This is both a policy and a technology issue.
  2. Methods for tracking exchange partners need to be developed. Web site info with the ability for the patient to print should cover it, and maybe an annual signoff indicating they know where to find it if they want it. A NwHIN participant will have difficulty keeping track of all the potential indirect participants. If the level of HIEs gets to 225-250-plus, keeping a list of the possible exchange partners becomes overwhelming and probably complicated for the individual to understand.
  3. Confidentiality is crucial to reducing barriers to care for adolescents. It has long been recognized that if adolescents do not believe their information will be kept private, they will avoid seeking care. Laws governing the conditions under which a minor may seek and consent to healthcare without permission from a parent or guardian vary from state to state. The HIPAA Privacy Rule mostly defers to these state laws. Dual (or plural) consent must be available to allow for teens and their parents to access different portions of electronic health information. Current technologies do not allow adolescents to provide consent for their information to be included in a health information exchange (HIE).
  4. Children in foster care or kinship care have additional unique privacy and consent issues, including the need for multiple and changing guardianship information and access rights.
  5. There is concern about the effect that a granular system of consent may have on the availability of information for health care providers. The Tiger Team’s recognition that the technology for granular consent is still in the early stages of development and that models for a granular approach should be carefully evaluated, taking into consideration factors such as patient educational needs, operational considerations, and health care quality. In particular, we are concerned that the ability to limit large segments of health care information from inclusion in HIE will greatly diminish the usability of the data that is available, and therefore adoption of health information exchange. If physicians cannot rely on the information available in HIE to provide quality care, they are not likely to engage in HIE. Instead, we propose that patients should be able to decline to participate in HIE altogether. This approach would address the concerns of patients who prefer not to have their information shared via HIE, while at the same time ensuring, for those patients who do participate, that health care providers will have access to information necessary to provide quality care.
  6. Assuming that by “granular patient consent,” you mean consent that can apply to some contents of a record and not others, and/or to some recipients and not others. This level of control is already required by law with regard to mental health, alcohol and drug treatment, HIV/AIDS status, and likely others. It is not enough for ONC to explore this concept. It must be delivered.

As the comments show, many decisions about security and privacy rights have yet to be made. How security and privacy will be handled by the technology, and whether the public will trust it, are still open questions. Hopefully, the multiple government agencies working to secure our healthcare and internet data will work together to find the answer.