KHI News Service

Security and privacy of patient data subject of regulatory hearing

Representatives of patients, providers, insurers and tech companies testify before federal panel

By Phil Cauthon | September 30, 2013

Map developed by Patient Privacy Rights and Harvard researchers

A map of current health information technology systems shows hidden flows of patient health information and data analytics. View an interactive version of this map at

Health information technology is being rapidly adopted, and the number of patients whose information is being digitized and exchanged over computer networks is likewise growing by leaps and bounds.

But some of the basic rules that will regulate users of health information technology (HIT) and protect the security and privacy of patient information have yet to be written.

Today, the top federal HIT regulatory body held a five-hour hearing as the first step toward crafting one small but critical policy. Namely: What information should patients routinely be given regarding who has accessed their data?

A so-called "Accounting for Disclosures" policy must be crafted by the U.S. Department of Health and Human Services, as mandated by the HITECH Act, the same 2009 law that authorized more than $25 billion in incentive payments for doctors, hospitals and states to adopt HIT systems to take the place of paper records.

Representatives of patients, doctors, insurance companies, and the technology companies that make the HIT systems testified today via an online meeting of the agency's HIT Policy, Privacy and Security Tiger Team.

Dr. Deborah Peel is a physician and advocate for the privacy and security of patient health information.

A ‘patient's right’

"We believe it's the patient's right to have digital access that is real-time and online for accounting of disclosures," said Dr. Deborah Peel, the head of Patient Privacy Rights, a group she founded in 2004. Patients "need and want the data for our own health. We need to have independent agents as advisors, independent decision-making tools, we need independence from the institutions and data holders that currently control our information. We need to have agents that represent us, not the interests of corporations," she said.

"I think the day will come when people will understand that their health information is the most valuable personal information about them in the digital world and that it's an asset that should be protected in the same way that they protect and control their financial information online," Peel said.

She recommended regulators require that makers of health information technology provide open access to logs that record every time a patient's digital health information is accessed or shared over a network.

‘Not feasible’

But most of those who spoke on behalf of doctors, insurance companies, and software makers said that was not feasible.

Requiring comprehensive reporting that is readily accessible by patients would be an administrative burden and come at the expense of core services, they said. Some said the best route for investigating potential improper disclosures is through individual investigations sparked by complaints.

Individual investigations, they said, would be preferable to automated, routine access — in part — because patients don't seem much interested in the so-called "patient portals" that some insurance companies already provide for viewing basic health record information.

For example, patients rarely demand an accounting of the paper records or complain about privacy violations, according to a representative of Kaiser Permanente who testified that — so far in 2013 — only 63 privacy complaints have been received by the company, which covers 66 million people.


‘Massive information asymmetry’

Mark Richert, a patient representative and public policy director for the American Federation for the Blind, found fault with that line of reasoning.

"I think we're drifting into 'fires are unlikely to happen so let's not invest in fire departments.'"

Eric Cooper of EPIC, one of the largest makers of electronic health record software, said that requiring comprehensive patient access could have unintended consequences.

"It is extremely important to understand the volume of information that would be included," he said. "The volume is staggering. A typical patient visit will produce between 500 and 1,000 auditable events in the provider's clinical system — physician views, modifications, transactions with the outside world, views related to clinical or administrative work," Cooper said, noting such events could be triggered by human and automated computer queries alike.

"The magnitude and granularity of this information would overwhelm most patients, obscuring instead of revealing any instance of improper access," he said.

Peel, the patient representative, said that was a potential problem best dealt with later, not now by regulators crafting policy in the public's interest.

"That might be true that it's difficult. But I can promise you that if we get the data — even if it's not humanly readable — an industry will develop to translate that data into meaningful ways we can understand, and use it for ourselves...There are plenty of smart people who can figure out how to make sense of that data for the rest of us," Peel said.

"Patients can’t get electronic copies of their health information, but a broad array of hidden users can," she said, citing an interactive data map developed by her organization working with Harvard researchers.

"Health data is controlled by data holders that don’t want to be transparent or accountable," Peel said.

The panel is scheduled to meet again Oct. 9. But since the meeting would be considered a "non-essential" government function, it could be postponed in the event Congress fails to pass a resolution funding routine government activities.

The KHI News Service is an editorially independent initiative of the Kansas Health Institute. It is supported in part by a variety of underwriters. The News Service is committed to timely, objective and in-depth coverage of health issues and the policy-making environment. All News Service stories and photos may be republished at no cost with proper attribution, including a link back to when a story is reposted online. An automatically updated feed of headlines and more from KHI can be included on your website using the KHI widget. More about the News Service at or contact us at (785) 233-5443.