Wednesday, December 17, 2008

A Privacy Framework for Personal Health Records

When I lecture about the new generation of personal health records such as Google Health and Microsoft Healthvault, I emphasize that these applications are not covered by HIPAA. Google and Microsoft are not healthcare provider organizations and thus their privacy is only as strong as the policies they post on the website. Since Google and Microsoft monetize these sites by attracting search traffic, they are highly motivated to build secure and trustworthy systems. As a member of the Google Advisory Council, I know that the Google privacy policies are stronger than HIPAA. Microsoft has very similar policies.

These policies are good, but they are self developed by the companies. Ideally we would have a single national privacy policy framework for all personal health record products.

On Monday at the Nationwide Health Information Network meeting, Secretary Leavitt released the nation's first national privacy framework for personal health records.

This framework builds upon national and international efforts such as the Markle Connecting for Health Framework , HIPAA, and privacy legislation from the EU/Japan/Australia/Canada.

The framework is based on 8 principles:

Individual Access - HIPAA mandates that every patient have access to their records, but it does not specify the means of access. The default in most institutions requires patients to visit medical records and request a paper copy. This privacy principle highlights the need for secure electronic delivery of medical records to patients.

Correction - Existing regulations and best practices mandate the non-repudiability of the medical record. Doctors cannot simple delete data or change previously signed notes. However, medical records often contain incomplete or inaccurate information. This privacy principle requires that a process exists for amendment/correction of inaccurate information. In the case of Beth Israel Deaconess, we do not delete or edit previously entered information, we amend it with a time/date stamp to reflect an audit trail of correction to previously documented records.

Openness and Transparency - HIPAA mandates that health care providers provide a notice of privacy practices to patients. The Openness and Transparency privacy principle extends that to include a notice of how information is collected, used, and disclosed including policies, procedures, and technology. Also it importantly highlights the need to explain to patients their control over the use and disclosure of their information. In Massachusetts, all our community data sharing efforts require opt in consent.

Individual Choice -- Consumers should be empowered to make decisions about with whom, when, and how their personal health information is shared (or not shared).

Collection, Use, and Disclosure Limitation – It is important to limit the collection, use and disclosure of personal health information to the extent necessary to accomplish a specified purpose. The ability to collect and analyze health care data as part of a public good serves the American people and it should be encouraged. But every precaution must be taken to ensure that this personal health information is secured, deidentified when appropriate, limited in scope and protected wherever possible.

Data Integrity – Those who hold records must take reasonable steps to ensure that information is accurate and up-to-date and has not been altered or destroyed in an unauthorized manner. This principle is tightly linked to the correction principle. A process must exist in which, if consumers perceive a part of their record is inaccurate, they can notify their provider. Of course the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers that right, but this principle should be applied even where the information is not covered by the Rule.

Safeguards – Personal identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

Accountability – Compliance with these principles is strongly encouraged so that Americans can realize the benefit of electronic health information exchange. Those who break rules and put consumers’ personal health information at risk must not be tolerated. Consumers need to be confident that violators will be held accountable.

Having a framework for privacy that can be applied to all PHR products - those tethered to an EHR, those offered by a payer, those sponsored by an employer or those created by third party vendor ensures that consumers have a rubric to evaluate these products. Hopefully a certification group like CCHIT will also certify PHR products to these framework, making it easy for consumers to look for the "Good Housekeeping Seal" and be confident that their privacy is being protected.

As I have said many times, with good policy, appropriate technology, and funding, we can do anything. With the the release of this framework, the policy is now available.

32 comments:

  1. A big deterrent to the adoption of e-health records is the potential liability for breaches of security. Consumer advocates are hunting for ways to hold data holders liable for compromises of e-security. Details: http://legal-beagle.typepad.com/wrights_legal_beagle/2008/09/legal-liability-for-data-security-breach.html –Ben

    ReplyDelete
  2. I just thought I would add a quick note on the PHR subject. I have been communicating with one of the vendors who now has a widget for their product, TrialX.org.

    It uses the information from both Google Health and HealthVault to search and find clinical trials according to the information in the PHR, and the widget on the site lets one to a general search.

    One more reason for a PHR:) I like the format and it can be ported over to another set of software if needed, but the nice part is the letter it formats to the investigator to make it easy. Clinical Trial enrollments and finding candidates and keeping them updated on the progress has been a bit of a mess, but I think this simplistic format might be able to do the trick, as the search is simple enough.

    I had it out on Twitter a few weeks ago and the physicians who looked at it seemed to think it was ok.

    I have added it to my blog under the resource area if you want to see how it works, really not bad at all and has a place for investigators to enroll. Down the road, don't know how soon, but they are working on an EHR integration process as well to bring it full circle to perhaps give an MD the option of alerts via an API while right in the chart. Anyway, thought I would mention an thanks for letting me share a bit here.

    http://ducknetweb.blogspot.com/2008/12/clinical-trials-and-personal-health.html

    ReplyDelete
  3. well this framework is really nice for health records.

    Acai

    ReplyDelete
  4. Interesting, and I definitely agree, a better system needs to be implemented.

    -Jeff
    acai juice

    ReplyDelete
  5. well this framework is really nice for health records. I reaaly apricite you to share this information.

    ReplyDelete
  6. Hi, Really interesting information.Your blog sounds good. Keep posting more interesting information.I love Acai berry and these products are very effective for health

    ReplyDelete
  7. Very Interesting =, i totally agree with this

    Acai Berry

    Acai Berry

    ReplyDelete
  8. Interesting, and I am fully agree with you.
    Acai Berry

    Acai Berry

    ReplyDelete
  9. This comment has been removed by the author.

    ReplyDelete
  10. acai berry is very important as weight loss product
    acai berry
    acai berry oprah

    ReplyDelete
  11. Yes having a good policy in place to protect personal health records is an important issue.
    Acai Berry Weight Loss

    ReplyDelete
  12. Its a time demand that some strong steps should be taken.
    Acai Berry
    Acai Berry
    Acai Berry

    ReplyDelete
  13. Well this is very interesting indeed.Would love to read a little more of this.
    yoga
    bikram yoga

    ReplyDelete
  14. I'm sorry to say I don't agree at all! It really isn't important to have a framework for health records.

    That's overkill in my humble opinion!

    ReplyDelete
  15. Great subject. Glad that the issue of security for health platforms is finally being addressed.

    Acai Berry

    ReplyDelete
  16. Great Blog For Acai Berry You Can Read My Acai Berry here,
    or more Acai Berry Side Effects here

    ReplyDelete
  17. You want a piece of free government grants, federal grants, housing grants, small business grants, business grants, college grants, foundation grants, minority grants, women grants, state grants, personal grants, government grants.
    Wouldn't it be great get a share form the billions of dollars in free grant money?
    Instant Payday LoanFree Government Grants

    ReplyDelete
  18. hmmm...,
    could be interesting
    I was thinkin about this topic
    thanks for the post.
    Instant Payday LoanFree Government Grants

    ReplyDelete
  19. this information helpful to Get Rid of Wrinkles in 30 days

    For more info on product visit :- Get Rid of Wrinkles

    ReplyDelete
  20. Such a very hopefully Interesting information

    best wrinkle
    cream

    ReplyDelete
  21. new health care policy should be put in place is not an easy task but there is always an alternative.
    Acai Berry Research

    ReplyDelete
  22. i am really impresed.such a good site

    Anti Aging

    ReplyDelete
  23. Could be interesting
    I was thinking about this topic.
    thanks for the post.

    Acai

    ReplyDelete
  24. well this is really nice for health records.

    Acai

    ReplyDelete
  25. wow... it such a very interesting article about health,i fully agree with this.

    Resveratrol Supplement

    ReplyDelete
  26. It's absolutely crucial that individuals have control over their own medical data. The data belongs to no one but the person to whom it relates. No one else should have any say in it.

    ReplyDelete
  27. Great ideas here. Keeping medical records confidential is of primary importance.

    ReplyDelete