Privacy: Who Owns What and Who Gets Access?

Allen Fremont, M.D., Ph.D.

RAND Corporation

Annual Meeting of AcademyHealth

Sunday, June 25th, 2006, Seattle, WA

Topics Covered

• Why Privacy is Paramount

• Ownership of Health Data

• HIPAA Privacy Rule from Consumer Perspective

Concerns about privacy of personal information high and likely to grow

• Privacy can be defined as “the ability to control information about yourself even after you have given it to someone else”

• Americans are concerned that privacy they once took for granted is increasingly at risk, particularly with respect to spread of IT into more domains of everyday life

Continued high profile losses or thefts of personal data may impact disclosure of PHI for research

• NSA monitoring domestic phone calls

• Widely covered reports about releases or theft of personal information:

– VA loss of several hundred thousand records

– ChoicePoint

Public particularly concerned about disclosure of PHI

• Nearly 4 of 5 Americans feel confidentiality of their medical records is “very important” (Gallup Poll, 2000)

• Inappropriate disclosure of PHI not only offensive, but can be devastating:

– Embarrassment

– Employment

– Insurance

Emerging regional and national EHRs also contributing to concern about PHI

• Americans will not support a system of EHRs if “security and privacy were not readily apparent” (HIT Leadership Panel Report, 2005)

• Lack of confidence will not only slow HIT uptake but could undermine data reliability

– 1 in 6 people withhold medical information because of concerns about confidentiality (Goldman et al., 2004)

How do consumers feel about regional or national EHRs?*

• Most adults (71%) have not heard or read about such initiatives

• When told about them, ~ 70% concerned that PHI could be leaked because of weak security, or shared without their knowledge

• 82% believe that it is important that patients be able to track and use their info in EMR

• Nearly half (47%) thought the privacy risks outweighed benefits of emerging EHRs

*(Harris Poll, 2005)

Who owns health information?

• “We generate a tremendous amount of data as physicians…Some parts of it, such as patient information clearly belong to physicians.”

– William Hazel, Jr. M.D.

• “Patients may have voluntarily turned over their bodies or bodily fluids for examination, but they have done so in the expectation that the information … would be used for their own treatment and their privacy would be maintained”

– Privacy Rights Clearinghouse

Traditional “rule” for ownership of medical record outdated

• States have traditionally considered the provider owner of the medical records they maintain, subject to patient rights relating to information contained.

– Statutes developed in era of paper records

• However, even under traditional rule, no one person can be truly said to “own” patient identifiable information

– i.e. exercise complete sovereignty over the information

What do we really mean by who owns health data?

• Who may access data?

• Who may mine or manipulate data?

• Who may use data and for what purpose?

• Who may sell data?

• Who may disclose or publish data?

• Who may pay to access, use, publish, or sell data?

HIPAA Privacy Rule

• Protects “individually identifiable health information” held or transmitted by health care providers, insurers, other Covered Entities, and Business Associates

• Details permitted uses and disclosures with and without authorization, and penalties

• Specifies patient rights with respect to their personal health information (PHI)

Consumer advocates view HIPAA as important step, but insufficient

• HIPAA exemptions for uses unrelated to care without patient authorization are too broad:

– E.g., use for “health care operations” or quality improvement too vague and subject to abuse.

• Concerns intensify when spread of EHRs considered; they want patients to have more control over who sees what information

• “Function Creep” feared

Others agree Privacy Rule does not address many emerging privacy issues

• Ownership and control of PHI

• Nature of patient participation

• Division of role-based access

• Need for additional disclosure limitations

• Means of patient identification

(Stokes, 2005)

Alternatives for addressing privacy issues being discussed

• Opt-in vs. Opt-out system

– Opt-out is cheaper but consumers may object

– Opt-in gives patients control but would take longer, and be less representative

• Role-based access

• Individual privacy settings

• Access notification
