Friday, September 18, 2009

Trouble with Privacy and Security

There is still a great deal of work to do regarding privacy and security of confidential electronic patient health information. This was a big topic of conversation at the recent HIT Policy Committee meeting, but it seems there is still quite a way to go to ensure the safety and privacy of patient health data. Deborah Peel, founder and chair of Patient Privacy Rights, told the committee that implementing privacy protections should be one of the first steps of planned health IT projects. Peel added that health data privacy also should play a major role in healthcare reform. Peel cited a recent study from the Agency for Healthcare Research and Quality on consumer engagement in developing electronic health information systems to support her emphasis on patient control.

Deven McGraw, a member of the advisory panel and director of the health privacy project at the Center for Democracy and Technology, said, "Although the concept of patient control is very appealing, consent does not work the way we want it to. Consent does not provide protection." This is because health insurers often require blanket consent forms in which patients authorize a broad variety of uses and disclosures that may not be well understood by patients. "Patients don't really have a choice, because if they don't sign the consent form, the insurer will deny coverage," McGraw said.

Susannah Fox, associate director of the Pew Internet & American Life Project, discussed how online tools have changed the landscape for medical data privacy. A survey conducted by Pew showed that people are not waiting for new privacy regulations under HIPAA to access information. But while more people are turning to the Internet for medical advice, that has not replaced the traditional desire for a relationship between doctor and patient. On HIPAA's broken promise, Fox referenced Paul Ohm and his article, "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization." Together they make a strong case that our current information privacy structure is a house built on sand.

But aside from specific issues regarding online health data sharing, we also face serious weaknesses in the area of breach notification. On August 24, 2009, the Department of Health and Human Services (HHS) released an interim final rule on health data breach notification. These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). Through the rule, HHS establishes data security standards that it believes are strong enough to eliminate the need to notify consumers of a data breach. So if a health care entity applies one of these security processes to its data, and that data is then lost or otherwise breached, the entity does not have to inform patients.

ARRA defines the term "breach" as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." ARRA required HHS to issue a rule on breach notification. In this interim final rule, HHS established a harm standard: a breach does not occur unless the access, use or disclosure poses “a significant risk of financial, reputational, or other harm to individual.” The main purpose of mandatory breach notification is to provide an incentive for healthcare entities to protect data. In the event of a breach, the rule requires covered entities to perform a risk assessment to determine whether the harm standard is met. If they decide that the risk of harm to the individual is not significant, the covered entities never have to tell their patients that their sensitive health information was breached.

Breach notification is expensive, so healthcare companies try to avoid this expense. In the interim final rule, HHS has given healthcare entities the chance to avoid notification if the companies protect the data through strong encryption or destruction methodologies. I am unconvinced this method will be effective. If you do not have to report a breach unless harm occurs, it is already too late. I think patients should be notified when institutions which they’ve trusted with their data damage the privacy of that data, even if the risk of harm to the patient is not very high.

If you read the Request for Information that was developed into this rule, you see that HHS seems to want to bring its harm standard closer to the more consumer-friendly "rebuttable presumption of acquisition" standard that the Federal Trade Commission established in its own breach notification rule. The best way to reduce the number of necessary notifications is to have strong privacy and security practices. Overly broad standards could lead to lax security, with a greater number of breaches and less notification. If we are going to take electronic health records to the next level, then we need the confidence of health consumers. Strong privacy and security standards are going to be a necessary component in gaining this trust.