Wednesday, December 17, 2008

A Privacy Framework for Personal Health Records

When I lecture about the new generation of personal health records such as Google Health and Microsoft HealthVault, I emphasize that these applications are not covered by HIPAA. Google and Microsoft are not healthcare provider organizations and thus their privacy is only as strong as the policies they post on the website. Since Google and Microsoft monetize these sites by attracting search traffic, they are highly motivated to build secure and trustworthy systems. As a member of the Google Advisory Council, I know that the Google privacy policies are stronger than HIPAA. Microsoft has very similar policies.

These policies are good, but they are self-developed by the companies. Ideally we would have a single national privacy policy framework for all personal health record products.

On Monday at the Nationwide Health Information Network meeting, Secretary Leavitt released the nation's first national privacy framework for personal health records.

This framework builds upon national and international efforts such as the Markle Connecting for Health Framework, HIPAA, and privacy legislation from the EU/Japan/Australia/Canada.

The framework is based on 8 principles:

Individual Access - HIPAA mandates that every patient have access to their records, but it does not specify the means of access. The default in most institutions requires patients to visit medical records and request a paper copy. This privacy principle highlights the need for secure electronic delivery of medical records to patients.

Correction - Existing regulations and best practices mandate the non-repudiability of the medical record. Doctors cannot simply delete data or change previously signed notes. However, medical records often contain incomplete or inaccurate information. This privacy principle requires that a process exists for amendment/correction of inaccurate information. In the case of Beth Israel Deaconess, we do not delete or edit previously entered information; we amend it with a time/date stamp to reflect an audit trail of correction to previously documented records.

Openness and Transparency - HIPAA mandates that health care providers provide a notice of privacy practices to patients. The Openness and Transparency privacy principle extends that to include a notice of how information is collected, used, and disclosed including policies, procedures, and technology. Also it importantly highlights the need to explain to patients their control over the use and disclosure of their information. In Massachusetts, all our community data sharing efforts require opt in consent.

Individual Choice -- Consumers should be empowered to make decisions about with whom, when, and how their personal health information is shared (or not shared).

Collection, Use, and Disclosure Limitation – It is important to limit the collection, use and disclosure of personal health information to the extent necessary to accomplish a specified purpose. The ability to collect and analyze health care data as part of a public good serves the American people and it should be encouraged. But every precaution must be taken to ensure that this personal health information is secured, deidentified when appropriate, limited in scope and protected wherever possible.

Data Integrity – Those who hold records must take reasonable steps to ensure that information is accurate and up-to-date and has not been altered or destroyed in an unauthorized manner. This principle is tightly linked to the correction principle. A process must exist in which, if consumers perceive a part of their record is inaccurate, they can notify their provider. Of course the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers that right, but this principle should be applied even where the information is not covered by the Rule.

Safeguards – Personal identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

Accountability – Compliance with these principles is strongly encouraged so that Americans can realize the benefit of electronic health information exchange. Those who break rules and put consumers’ personal health information at risk must not be tolerated. Consumers need to be confident that violators will be held accountable.

Having a framework for privacy that can be applied to all PHR products - those tethered to an EHR, those offered by a payer, those sponsored by an employer, or those created by a third-party vendor - ensures that consumers have a rubric to evaluate these products. Hopefully a certification group like CCHIT will also certify PHR products to this framework, making it easy for consumers to look for the "Good Housekeeping Seal" and be confident that their privacy is being protected.

As I have said many times, with good policy, appropriate technology, and funding, we can do anything. With the release of this framework, the policy is now available.


Benjamin Wright said...

A big deterrent to the adoption of e-health records is the potential liability for breaches of security. Consumer advocates are hunting for ways to hold data holders liable for compromises of e-security. Details: –Ben

Medical Quack said...

I just thought I would add a quick note on the PHR subject. I have been communicating with one of the vendors who now has a widget for their product,

It uses the information from both Google Health and HealthVault to search and find clinical trials according to the information in the PHR, and the widget on the site lets one do a general search.

One more reason for a PHR:) I like the format and it can be ported over to another set of software if needed, but the nice part is the letter it formats to the investigator to make it easy. Clinical Trial enrollments and finding candidates and keeping them updated on the progress has been a bit of a mess, but I think this simplistic format might be able to do the trick, as the search is simple enough.

I had it out on Twitter a few weeks ago and the physicians who looked at it seemed to think it was ok.

I have added it to my blog under the resource area if you want to see how it works, really not bad at all and has a place for investigators to enroll. Down the road, don't know how soon, but they are working on an EHR integration process as well to bring it full circle to perhaps give an MD the option of alerts via an API while right in the chart. Anyway, thought I would mention and thanks for letting me share a bit here.

Improvedliving said...

well this framework is really nice for health records.


dasdas said...

Interesting, and I definitely agree, a better system needs to be implemented.


Unknown said...

Well, this framework is really nice for health records. I really appreciate you sharing this information.

Unknown said...

Very interesting, I totally agree with this


Unknown said...

Interesting, and I fully agree with you.

admin said...

Yes having a good policy in place to protect personal health records is an important issue.

Jerry said...

It's a time demand that some strong steps should be taken.

Anonymous said...

Well this is very interesting indeed. Would love to read a little more of this.

Contour said...

I'm sorry to say I don't agree at all! It really isn't important to have a framework for health records.

That's overkill in my humble opinion!

Unknown said...

Great subject. Glad that the issue of security for health platforms is finally being addressed.


Unknown said...

Great article, thanks for sharing.

Health Power said...

could be interesting
I was thinking about this topic
thanks for the post.

benbes said...

new health care policy should be put in place is not an easy task but there is always an alternative.

Atherine Elizabeth Alexandria said...

Could be interesting
I was thinking about this topic.
thanks for the post.


Unknown said...

well this is really nice for health records.


Unknown said...

Wow... it's such a very interesting article about health, I fully agree with this.


Healthy Omega 3 said...

It's absolutely crucial that individuals have control over their own medical data. The data belongs to no one but the person to whom it relates. No one else should have any say in it.

John said...

Great ideas here. Keeping medical records confidential is of primary importance.