Wednesday, December 17, 2008

A Privacy Framework for Personal Health Records

When I lecture about the new generation of personal health records such as Google Health and Microsoft HealthVault, I emphasize that these applications are not covered by HIPAA. Google and Microsoft are not healthcare provider organizations, and thus their privacy protections are only as strong as the policies they post on their websites. Since Google and Microsoft monetize these sites by attracting search traffic, they are highly motivated to build secure and trustworthy systems. As a member of the Google Advisory Council, I know that the Google privacy policies are stronger than HIPAA. Microsoft has very similar policies.

These policies are good, but they are self-developed by the companies. Ideally we would have a single national privacy policy framework for all personal health record products.

On Monday at the Nationwide Health Information Network meeting, Secretary Leavitt released the nation's first national privacy framework for personal health records.

This framework builds upon national and international efforts such as the Markle Connecting for Health Framework, HIPAA, and privacy legislation from the EU, Japan, Australia, and Canada.

The framework is based on 8 principles:

Individual Access - HIPAA mandates that every patient have access to their records, but it does not specify the means of access. The default in most institutions requires patients to visit the medical records department and request a paper copy. This privacy principle highlights the need for secure electronic delivery of medical records to patients.

Correction - Existing regulations and best practices mandate the non-repudiability of the medical record. Doctors cannot simply delete data or change previously signed notes. However, medical records often contain incomplete or inaccurate information. This privacy principle requires that a process exist for amendment/correction of inaccurate information. At Beth Israel Deaconess, we do not delete or edit previously entered information; we amend it with a time/date stamp, so the record carries an audit trail of every correction to previously documented information.

Openness and Transparency - HIPAA mandates that health care providers give patients a notice of privacy practices. The Openness and Transparency privacy principle extends that to include a notice of how information is collected, used, and disclosed, including the policies, procedures, and technology involved. It also, importantly, highlights the need to explain to patients the control they have over the use and disclosure of their information. In Massachusetts, all our community data sharing efforts require opt-in consent.

Individual Choice - Consumers should be empowered to make decisions about with whom, when, and how their personal health information is shared (or not shared).

Collection, Use, and Disclosure Limitation - It is important to limit the collection, use, and disclosure of personal health information to the extent necessary to accomplish a specified purpose. The ability to collect and analyze health care data as a public good serves the American people and should be encouraged. But every precaution must be taken to ensure that this personal health information is secured, de-identified when appropriate, limited in scope, and protected wherever possible.

Data Integrity - Those who hold records must take reasonable steps to ensure that information is accurate and up-to-date and has not been altered or destroyed in an unauthorized manner. This principle is tightly linked to the Correction principle. A process must exist by which consumers who believe part of their record is inaccurate can notify their provider. Of course the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule already gives consumers that right, but this principle should be applied even where the information is not covered by the Rule.
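The Correction and Data Integrity principles fit together naturally in an append-only record: a correction is never an edit in place but a new, time-stamped amendment that points back at the entry it supersedes, and each entry is hashed together with its predecessor so that any unauthorized alteration of the stored history is detectable. The following is an added example, not code from the original post or from Beth Israel Deaconess; the `Record` and `Entry` names, the field layout, and the SHA-256 chaining of entries are assumptions about one reasonable implementation, and the sample patient data is constructed.

```python
"""Append-only medical record with time-stamped amendments and a hash-chained
audit trail. Added example; names and layout are assumptions, not any
institution's actual design."""
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int                # position in the record's history
    timestamp: str          # ISO-8601 UTC time the entry was recorded
    author: str             # who recorded it
    kind: str               # "note" (original documentation) or "amendment"
    field_name: str         # which part of the record this concerns
    value: str              # the documented content
    amends: Optional[int]   # seq of the entry being corrected (amendments only)
    prev_hash: str          # hash of the previous entry: the chain link
    hash: str               # SHA-256 over this entry's own fields


def _digest(payload: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class Record:
    """One patient's record. Entries are never edited or deleted; a correction
    is a new 'amendment' entry that points back at the entry it supersedes."""

    def __init__(self, patient_id: str):
        self.patient_id = patient_id
        self.entries: list[Entry] = []

    def _append(self, author, kind, field_name, value, amends, when=None) -> Entry:
        prev_hash = self.entries[-1].hash if self.entries else "0" * 64
        ts = (when or datetime.now(timezone.utc)).isoformat()
        body = {"seq": len(self.entries), "timestamp": ts, "author": author,
                "kind": kind, "field_name": field_name, "value": value,
                "amends": amends, "prev_hash": prev_hash}
        entry = Entry(**body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def document(self, author, field_name, value, when=None) -> Entry:
        """Original documentation of a field."""
        return self._append(author, "note", field_name, value, None, when)

    def amend(self, author, seq, new_value, when=None) -> Entry:
        """Correct an earlier entry without touching it: append an amendment."""
        target = self.entries[seq]  # IndexError if there is no such entry
        return self._append(author, "amendment", target.field_name, new_value, seq, when)

    def current(self) -> dict:
        """Effective view: for each field, the latest note or amendment wins."""
        view = {}
        for e in self.entries:
            view[e.field_name] = e.value
        return view

    def history(self, field_name) -> list:
        """Full audit trail for one field, original note and all amendments."""
        return [e for e in self.entries if e.field_name == field_name]

    def verify(self) -> tuple:
        """Recompute every hash and chain link. Returns (ok, first bad seq)."""
        prev = "0" * 64
        keys = ("seq", "timestamp", "author", "kind", "field_name",
                "value", "amends", "prev_hash")
        for i, e in enumerate(self.entries):
            body = {k: getattr(e, k) for k in keys}
            if e.seq != i or e.prev_hash != prev or _digest(body) != e.hash:
                return False, i
            prev = e.hash
        return True, None


def demo() -> tuple:
    """Constructed sample: two notes, one correction, then a simulated silent
    edit of the stored history to show that verification catches it."""
    r = Record("patient-constructed-001")
    r.document("dr_a", "allergies", "penicillin")
    r.document("dr_a", "medications", "lisinopril 10 mg")
    r.amend("dr_b", 0, "penicillin, sulfa")   # corrects seq 0, leaves it intact
    view = r.current()
    before = r.verify()
    # Someone rewrites the original allergy note in storage instead of amending.
    r.entries[0] = replace(r.entries[0], value="none")
    after = r.verify()
    return view, before, after


if __name__ == "__main__":
    print(demo())
```

Because each entry's hash covers its own fields plus the previous entry's hash, editing or removing any earlier entry breaks verification at that point, while a legitimate correction appears as a new `amendment` entry that names the one it supersedes. A real deployment would also need to keep the chain somewhere the record writers cannot rewrite (or sign the chain head), which this example does not cover.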

Safeguards - Personally identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

Accountability - Compliance with these principles is strongly encouraged so that Americans can realize the benefit of electronic health information exchange. Those who break the rules and put consumers' personal health information at risk must not be tolerated. Consumers need to be confident that violators will be held accountable.

Having a framework for privacy that can be applied to all PHR products - those tethered to an EHR, those offered by a payer, those sponsored by an employer, and those created by a third-party vendor - ensures that consumers have a rubric to evaluate these products. Hopefully a certification group like CCHIT will also certify PHR products against this framework, making it easy for consumers to look for the "Good Housekeeping Seal" and be confident that their privacy is being protected.

As I have said many times, with good policy, appropriate technology, and funding, we can do anything. With the release of this framework, the policy is now available.

32 comments:

  1. A big deterrent to the adoption of e-health records is the potential liability for breaches of security. Consumer advocates are hunting for ways to hold data holders liable for compromises of e-security. Details: http://legal-beagle.typepad.com/wrights_legal_beagle/2008/09/legal-liability-for-data-security-breach.html –Ben

  2. I just thought I would add a quick note on the PHR subject. I have been communicating with one of the vendors who now has a widget for their product, TrialX.org.

    It uses the information from both Google Health and HealthVault to search and find clinical trials according to the information in the PHR, and the widget on the site lets one to a general search.

    One more reason for a PHR:) I like the format and it can be ported over to another set of software if needed, but the nice part is the letter it formats to the investigator to make it easy. Clinical Trial enrollments and finding candidates and keeping them updated on the progress has been a bit of a mess, but I think this simplistic format might be able to do the trick, as the search is simple enough.

    I had it out on Twitter a few weeks ago and the physicians who looked at it seemed to think it was ok.

    I have added it to my blog under the resource area if you want to see how it works, really not bad at all and has a place for investigators to enroll. Down the road, don't know how soon, but they are working on an EHR integration process as well to bring it full circle to perhaps give an MD the option of alerts via an API while right in the chart. Anyway, thought I would mention and thanks for letting me share a bit here.

    http://ducknetweb.blogspot.com/2008/12/clinical-trials-and-personal-health.html

  3. well this framework is really nice for health records.

    Acai

  4. Interesting, and I definitely agree, a better system needs to be implemented.

    -Jeff
    acai juice

  5. Well this framework is really nice for health records. I really appreciate you sharing this information.

  6. Hi, really interesting information. Your blog sounds good. Keep posting more interesting information. I love Acai berry and these products are very effective for health.

  7. Very interesting, I totally agree with this.

    Acai Berry

    Acai Berry

  8. This comment has been removed by the author.

  9. acai berry is very important as weight loss product
    acai berry
    acai berry oprah

  10. Yes having a good policy in place to protect personal health records is an important issue.
    Acai Berry Weight Loss

  11. It's a time demand that some strong steps should be taken.
    Acai Berry
    Acai Berry
    Acai Berry

  12. Well this is very interesting indeed. Would love to read a little more of this.
    yoga
    bikram yoga

  13. I'm sorry to say I don't agree at all! It really isn't important to have a framework for health records.

    That's overkill in my humble opinion!

  14. Great subject. Glad that the issue of security for health platforms is finally being addressed.

    Acai Berry

  15. Great Blog For Acai Berry You Can Read My Acai Berry here,
    or more Acai Berry Side Effects here

  16. You want a piece of free government grants, federal grants, housing grants, small business grants, business grants, college grants, foundation grants, minority grants, women grants, state grants, personal grants, government grants.
    Wouldn't it be great get a share form the billions of dollars in free grant money?
    Instant Payday LoanFree Government Grants

  17. hmmm...,
    could be interesting
    I was thinking about this topic
    thanks for the post.
    Instant Payday LoanFree Government Grants

  18. this information helpful to Get Rid of Wrinkles in 30 days

    For more info on product visit :- Get Rid of Wrinkles

  19. Such a very hopefully Interesting information

    best wrinkle
    cream

  20. new health care policy should be put in place is not an easy task but there is always an alternative.
    Acai Berry Research

  21. Could be interesting
    I was thinking about this topic.
    thanks for the post.

    Acai

  22. well this is really nice for health records.

    Acai

  23. Wow... it's such a very interesting article about health, I fully agree with this.

    Resveratrol Supplement

  24. It's absolutely crucial that individuals have control over their own medical data. The data belongs to no one but the person to whom it relates. No one else should have any say in it.

  25. Great ideas here. Keeping medical records confidential is of primary importance.
