Sept. 30, 2013
Map developed by Patient Privacy Rights and Harvard researchers
WASHINGTON, D.C. - Health information technology is being rapidly adopted and the number of patients whose information is being digitized and exchanged over computer networks is likewise growing by leaps and bounds.
But some of the basic rules have yet to be written that will regulate users of health information technology (HIT) and protect the security and privacy of patient information.
Today, the top federal HIT regulatory body held a five-hour hearing as the first step toward crafting one small, but critical policy. Namely: What information should patients routinely be given regarding who has accessed their data?
A so-called "Accounting for Disclosures" policy must be crafted by the U.S. Department of Health and Human Services, as mandated by the HITECH Act, the same 2009 law that authorized more than $25 billion in incentive payments for doctors, hospitals and states to adopt HIT systems to take the place of paper records.
Representatives of patients, doctors, insurance companies, and technology companies that make the HIT systems testified today via an online meeting of the agency's HIT Policy, Privacy and Security Tiger Team.
"We believe it's the patient's right to have digital access that is real-time and online for accounting of disclosures," said Dr. Deborah Peel, the head of Patient Privacy Rights, a group she founded in 2004. Patients "need and want the data for our own health. We need to have independent agents as advisors, independent decision-making tools, we need independence from the institutions and data holders that currently control our information. We need to have agents that represent us, not the interests of corporations," she said.
"I think the day will come when people will understand that their health information is the most valuable personal information about them in the digital world and that it's an asset that should be protected in the same way that they protect and control their financial information online," Peel said.
She recommended regulators require that makers of health information technology provide open access to logs that record every time a patient's digital health information is accessed or shared over a network.
But most of those who spoke on behalf of doctors, insurance companies, and software makers said that was not feasible.
Requiring comprehensive reporting that is readily accessible by patients would be an administrative burden and come at the expense of core services, they said. Some said the best route for investigating potential improper disclosures is through individual investigations sparked by complaints.
Individual investigations, they said, would be preferable to automated, routine access — in part — because patients don't seem much interested in the so-called "patient portals" that some insurance companies already provide for viewing basic health record information.
For example, patients rarely demand an accounting of the paper records or complain about privacy violations, according to a representative of Kaiser Permanente who testified that — so far in 2013 — only 63 privacy complaints have been received by the company, which covers 66 million people.
Mark Richert, a patient representative and public policy director for the American Federation for the Blind, found fault with that line of reasoning.
"I think we're drifting into 'fires are unlikely to happen so let's not invest in fire departments.'"
Eric Cooper of EPIC, one of the largest makers of electronic health record software, said that requiring comprehensive patient access could have unintended consequences.
"It is extremely important to understand the volume of information that would be included," he said. "The volume is staggering. A typical patient visit will produce between 500 and 1,000 auditable events in the provider's clinical system — physician views, modifications, transactions with the outside world, views related to clinical or administrative work," Cooper said, noting such events could be triggered by human and automated computer queries alike.
"The magnitude and granularity of this information would overwhelm most patients, obscuring instead of revealing any instance of improper access," he said.
Peel, the patient representative, said that was a potential problem best dealt with later, not now by regulators crafting policy in the public's interest.
"That might be true that it's difficult. But I can promise you that if we get the data — even if it's not humanly readable — an industry will develop to translate that data into meaningful ways we can understand, and use it for ourselves...There are plenty of smart people who can figure out how to make sense of that data for the rest of us," Peel said.
"Patients can’t get electronic copies of their health information, but a broad array of hidden users can," she said, citing an interactive data map developed by her organization working with Harvard researchers.
"Health data is controlled by data holders that don’t want to be transparent or accountable," Peel said.
The panel is scheduled to meet again Oct. 9. But since the meeting would be considered a "non-essential" government function, it could be postponed in the event Congress fails to pass a resolution funding routine government activities.
The KHI News Service is an editorially independent initiative of the Kansas Health Institute. It is supported in part by a variety of underwriters. The News Service is committed to timely, objective and in-depth coverage of health issues and the policy-making environment. All News Service stories and photos may be republished at no cost with proper attribution, including a link back to KHI.org when a story is reposted online. An automatically updated feed of headlines and more from KHI can be included on your website using the KHI widget. More about the News Service at khi.org/newsservice or contact us at (785) 233-5443.