Protecting Patient Privacy in the Era of Health Information Exchange

Corinne A. Carey
Senior Public Policy Counsel
New York Civil Liberties Union
ACLU CLE
July 28, 2010

What this CLE will cover

- The basics
  - What is health information exchange (HIE)?
  - What are EHRs?
  - What are PHRs?
  - How does HIE work?
- Genesis of interoperable health information exchange
- Privacy in the pre- and post-HIE world
- How do patients interact with HIEs?
- Why should we be concerned about protecting privacy in HIE?

NYCLU: Protecting Patient Privacy in the Era of Health Information Exchange 2

The Basics

- What is Health Information Exchange (HIE)?
- What is an Electronic Health Record (EHR)?
- What is a Personal Health Record (PHR)?
- How is health information linked?

What is Health Information Exchange (HIE)?

- Individual electronic records (EHRs) linked via electronic network
  - Internal computer networks
  - Internet
  - Some parallel (private or public) structure
- Into a network accessed by providers who may be
  - unaffiliated
  - separated by geographic distance or by time
  - otherwise unaware that they have or have had a patient in common

What is an Electronic Health Record (EHR)?

- computerized equivalent of patient’s existing medical records
- created by provider or facility for use by medical staff
- content controlled by health care provider, property of the health care provider
- can be siloed in one office or shared electronically between providers (“networked”)
- standards for patient protections and rights of access are (or should be) similar to paper records

What is a Personal Health Record (PHR)?
- AKA “Facebook for medical information”
- E.g., Google Health/Microsoft Health Vault
- created by patient for use by patient, potentially accessed by health care provider
- standards for patient protections/access/control are complicated
- currently NOT protected by HIPAA/state law
- currently regulated by FTC; potentially regulated by HHS
- owned by vendor (legal rights are unclear)
- patient rights are largely subject to contract w/vendor

How does an HIE link files?

- Infinite number of configurations
- Most are variations on these three general models:
  - Centralized Data Bank
  - Virtual Health Record (VHR) Approach
  - Health Record Bank/PHR Approach

Centralized Data Bank

- Patient A’s whole file from Dr. B, her internist, is uploaded to a central server
- combined with her files from Dr. C (gynecologist), Dr. D (dermatologist), and Dr. E (her allergist)
  - Lab results; radiology reports; etc.
  - ER/hospital inpatient files
- In an actual physical file accessible by all participating providers for whom she has given consent.
- Patient data can be “pushed” to providers (e.g., lab tests automatically forwarded) or “pulled” by providers.

Virtual Health Record (VHR) Approach

- Patient X’s EHR remains in his provider’s office.
- Central server contains only identifying demographic information, not actual patient medical information
- Dr. B wants to access Patient X’s records from his visit to Dr. D: she sends a query to the central server, which pulls in the information from all the other providers he has seen and assembles it in a temporary virtual health record, which is then downloaded by Dr. B and incorporated into Dr. B’s files permanently - each provider with access creates an integrated complete medical record for patient.
- Central registry maintains a record of the request and of what information was included in the VHR, but not the actual information.
- No central database at risk of direct security breach; data remains property of providers.

Health Record Bank (PHR) Approach

- System based on personal health records.
- Patient Y sets up an HRB account which is under her control.
- Drs. B, C & D all “push” information to the account or information is pulled by the account
- Patient can add information to the account
- Patient controls which doctors have access to the file and potentially granularity of information to which they have access.
- Pilot program in Washington State
- RED FLAG:
  - reliance on software vendors who are not “covered providers” (not “HIPAA-covered”)
  - vendor potentially owns, controls information
  - privacy controls (including access to information by marketers) held by vendor like other websites (see issues with Facebook privacy controls)
  - unclear whether MDs will accept information in patient-controlled PHRs

Genesis of interoperable health information exchange

How did this all start?
- Interest in this for many years
- Intra- has existed for a long time
  - Kaiser health systems
  - Large Hospital Systems
- Inter- is relatively new
  - NIH pilot project in 1994 (Regenstrief)
    - affiliated with Indiana University
    - developed informatics that connected all hospitals in the area

Bush Era

- Big push for development of interoperable health information exchange
- Objectives
  - Increased efficiency
  - Cost savings
  - Improved patient care
- Free market orientation
  - Policy intended to remove obstacles to private adoption of EHR/HIE
  - Privacy (and liability for privacy protection) seen as an obstacle

Bush Years

- Executive Order 13335, issued April 27, 2004
  - goal of widespread adoption of interoperable EHRs by 2014
  - established the HHS ONC - Office of the National Coordinator for Health Information Technology
- Objectives
  - strategic plan to guide nationwide implementation of interoperable HIT in both public and private sectors;
  - Coordinate federal HIT policy/programs & executive branch agencies;
  - conduit for grants for state HIE projects via HISPC (Health Information Security & Privacy Collaboration)

Obama Administration: New Funding, New Laws, New Policies

- No radical reorganization of free-market structure
- Starts with individual doctors’ offices
- American Reinvestment and Recovery Act (ARRA) 2009 and post-ARRA
- Advocates forced the Obama Administration to confront need for consistency and consumer protection
- Big step in the right direction

Obama Administration

- Feb 2009: ARRA/HITECH (Health Information Technology for Economic and Clinical Health)
  - Direct funding for HIT projects
  - Incentives via Medicaid and Medicare to encourage adoption and “meaningful use” of EHRs
  - Funding for state-level HIE activities, development of national standards, education and dissemination of best practices
  - Important privacy changes

Post-ARRA

- Health Information Technology is a rapidly developing field
- Administration has tapped into growing field of experts from many domains: advocacy, think-tank, tech/med professional, and academic worlds
- Rethinking of level of need for privacy protection
- Regulations, white papers, recommendations being developed almost daily

Transformation of ONC

- ONC approach to privacy draws on the key advocates for patient privacy/control rights
- Chief Privacy Officer: Joy Pritts, Georgetown Univ., O’Neill Inst. for National and Global Health Law
  - academic focus is privacy of health information and patient access to medical records
- Co-Chair, Privacy & Security Workgroup: Deven McGraw, Center for Democracy & Technology
  - Key author on privacy and consent issues in HIT

Transformation of ONC

- ONC is currently revisiting basic policy on consumer consent, privacy, enforcement of HIPAA/HITECH protections, PHRs and privacy issues (also under consideration at FTC)
- Discussion underway re: structure of NHIN - network of SHINs or direct linkage of EHRs nationally (NHIN Direct, now under development)

What’s happening in the states?
- States in different stages of development & implementation
- Some programs are already underway; policy has either not been developed or been developed in various ways with varying degrees of consumer input
- In places furthest along, policies are the most entrenched, either by design or by default (lack of policy *is* policy)
- So many models, we can’t address all; we’ll talk about general themes, and use NY as a reference point

What is the federal government’s role in shaping HIE?

- No legal requirement for what model will look like in states (e.g., no req’t that states set up policy boards, or adopt state regulation)
- To date, limited requirements for technological capability to ensure granular control of data
- No requirement that it be state-run, or privately-run
- And it appears that there are no requirements regarding patient consent to participate
- Incentive-based system
- Theory: Encourage many different models to see which will be the best. “Let 1000 flowers bloom” (or, as some say, “Let 1000 weeds fester.”)

Privacy in the Pre- and Post-HIE World

- Existing federal and state laws protecting certain types of medical information
- HIPAA
- ARRA/HITECH

Pre-HIE sets the stage

- Federal laws protecting patient confidentiality
  - e.g., substance abuse treatment, genetic information
- State laws protecting patient confidentiality
  - General obligation of health care providers
  - Special rules regarding:
    - Minors
    - Substance abuse
    - HIV/AIDS
    - Mental health
- HIPAA

HIPAA

- HIPAA enacted in 1996
- Initially required consent for dissemination of medical information for TPO (treatment, payment, and operations)
- In 2002 (under Bush), HIPAA revised so that was no longer necessary.
- Legacy is: great confusion
- Bottom line is that, contrary to popular belief, HIPAA didn’t establish adequate protections for patient privacy

HIPAA “Protections”

- MYTH: The HIPAA privacy rule requires stringent protections for all health information
- FACT: Privacy protections are very limited and vary by who holds the information and why it is being shared.
  - HIPAA protections apply only to information held by “covered entities”
    - “Covered Entities” - health care providers who transmit health information in electronic form, health care plans and clearinghouses.
    - Information held by any other organization or patient is not subject to HIPAA
  - No patient consent required for “uses” (within an organization) and “disclosures” (shared outside the organization) that are for purposes of “TPO” (treatment, payment, and operations…plus other authorized uses like government reporting, required by law, subpoena, and some others)

HIPAA “Protections”

- MYTH: What you sign in the doctor’s office is a consent to disclosure
- FACT: The paper you sign is only a notice of office practice regarding disclosure

***

- MYTH: HIPAA limits use/disclosure to the “minimum necessary” to achieve purpose of use/disclosure
- FACT: The “minimum necessary” standard is not applicable to disclosures to another health care provider for treatment purposes

HIPAA “Protections”

- MYTH: If you consent to allow your information to be sent to a non-covered entity, HIPAA guards against redisclosure.
- FACT: Once you consent to disclosure to non-covered entity, that information is no longer “protected” by HIPAA

***

- MYTH: HIPAA ensures stringent audit trails and you can find out who has viewed your medical information
- FACT: (Until HITECH) patients had limited rights to access logs/know who had accessed their records and when; no logging was required for TPO access.

ARRA/HITECH modified HIPAA

- Substantially enhanced HIPAA protections for patients:
  - Extension of HIPAA standards to “business associates”
  - More stringent audit/access trail requirements
  - Enforceable punishments for breach or misuse
  - State AG enforcement power (already been exercised, e.g. Conn)
  - Increased patient rights to access own data
  - Exclusion of services paid for “out-of-pocket”
  - New restrictions on marketing

How Do Patients Interact with HIEs?

Pre-HIE: patient control in the world of paper records

- In general, patients control which information providers can access
- Patient is main source of medical history/lifestyle information:
  - medical diagnoses, past and present
  - lifestyle including alcohol, substance use, reproductive history, sexuality, etc.
  - medications, past and present
  - names of other providers
- Allows patient to decide which information to share with which provider.
- Exceptions:
  - Information conveyed via referrals or consultations, generally require patient consent (under some state laws)
  - Intrafacility access to patient files; e.g., different departments of same facility, affiliated facilities

Patients in the HIE World

What control do patients have over:

- Inclusion of their information in “the system”?
- Sharing of that information within an HIE network?
- Wider dissemination of that information from the network to external entities?

Consent to participate: states follow four general models

- Automatic inclusion with no option to opt-out of system.
- “Opt-out”: Patient locator information &/or patient records are included in the system unless patient affirmatively refuses to participate.
- “Opt-in”: Patient must consent before patient locator information &/or patient records are included in HIE system.
- Partial opt-out or opt-in: Patient has option of either consenting to have partial information included or partial information excluded.

Consent to Share Information within HIE

- All of patient’s providers have automatic access to patient’s records, no right to opt-out.
- Opt-out: providers have access to records unless patient affirmatively opts out.
- Opt-in: No records shared unless patient consents. Upon consent, all of patient’s providers have access.
- Partial opt-out or opt-in: Patient has option of either consenting to have partial information shared or partial information made inaccessible.
- “Break the Glass” provision: Where patient is in need of emergency treatment, provider can access records in absence of affirmative consent or despite affirmative refusal to participate, or can override other limits placed by patient or default policy.

All-or-Nothing Consent

- At this time, “participation” in HIE generally means consent to sharing all information, or sharing none at all.
- Patients cannot select which information they want to share.
- However, some systems allow patients to choose which providers within HIE have access to all of their medical information

Granularization

- Granularization: the degree of specificity of patient control over information included in system or shared with providers.
- Consent regimes could allow patients to limit information included in the HIE or shared by the HIE.
- Granularization operates in terms of:
  - Provider: To whom, from whom
  - Time: how far back?
  - Service, encounter, and condition: what do they get to see?

Civil Liberties Concerns

Experience should teach us to be most on our guard to protect liberty when the Government’s purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in the insidious encroachment by men of zeal, well-meaning but without understanding.

Olmstead v. United States, 277 U.S. 438, 479 (1928) (Brandeis, J., dissenting).

Four Questions

1. Why should we be concerned about privacy in the context of health information exchange?
2. What needs to be put in place to sufficiently address privacy concerns?
3. What looming issues promise to complicate efforts to protect privacy?
4. Where do we need to go from here?

Why should we be concerned about privacy in the context of health information exchange?
- The way that information flows in & out of the system
- The kinds of information that will be exchanged
- The number of people with access to health information
- Concerns about proxy/surrogate access to health information
- System capability to shield sensitive health information
- For the first time, you will have one complete medical file with everything in it.
  - “This will go down in your permanent record.”
  - The impact of any error is exponentially more damaging

What goes into the system?

- All providers in an affiliated network who the patient has seen
- All electronic files
- As far back as the provider has maintained electronic records
- Currently HIE is region-wide; contemplation is statewide, and then NHIN.

Patient A: Ana

Ana obtains a surgical abortion from a Planned Parenthood clinic doctor in 2010. The clinic does not place this information into the system because there is no way to safeguard sensitive health information. Ana discusses her abortion with her PCP a year later when she is trying to get pregnant, and the doctor records the information in her record. Should Ana’s podiatrist have access in 2020 to information about the abortion she obtained without complication ten years earlier?

Who Gets to See?

- All of an individual’s health care providers & their affiliates
- Business associates
- Certain family members
- The patient’s health insurance company
- The patient’s life insurance company
- Government
- Potential Employers
- Marketers (Bad Actors)

Patient B: Benjamin

When he was in his early 20s, Benjamin struggled with his use of heroin and sought substance abuse treatment. Records of this treatment are protected by federal law, and were therefore excluded from HIE.
However, his PCP at the time knew about his heroin addiction, and made a note of it in his charts. Ten completely sober years later, Benjamin develops a condition that causes him severe pain. His new doctor is reluctant to prescribe the most effective pain medication for Benjamin because, after reviewing his files, she is concerned that his reports of pain are “drug seeking behavior.”

Patient C: Candace

Candace is struggling with a worsening depression. She is reluctant to seek mental health treatment, and does not want to ask her primary care physician for help, particularly for any prescription medication to treat her condition, because she is afraid that her employer will gain access to her health records and it may affect her ability to move up in her company.

Ever Expanding Circle: More Information to More People

- More people are getting access to more information.
- The larger the pool of people with access to your health information, the greater the likelihood of breach and misuse.
- The greater the scope of information included, the greater the risk of misuse.

Original Data Holder

[Diagram] Slide courtesy of Latanya Sweeney, Ph.D., Trustworthy Designs for the Nationwide Health Information Network, Electronic Privacy Information Center, May 28, 2010

Primary Sharing MAY have some Restrictions

[Diagram] Slide courtesy of Latanya Sweeney, Ph.D., Trustworthy Designs for the Nationwide Health Information Network, Electronic Privacy Information Center, May 28, 2010

Secondary and Alternative Sharing Unbounded

[Diagram] Sweeney, L. Information explosion. Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies, Washington, DC, 2001.

[Diagram: Alice’s Health Record and the parties it flows to. Node labels: Alice’s Employer; Employer’s clinic & wellness program; Clinical Laboratory; Consulting Physician; State Bureau of Vital Statistics; Care Provider (physician, hospital); Managed Care Organization; Life Insurance Company; Retail Pharmacy; Pharmacy Benefits Manager; Health Insurance Company; Medical Researcher; Accrediting Organization; Medical Information Bureau; Spouse’s self-insured employer; Lawyer in Malpractice Case. Legend: Long-term repository; Short-term repository; Temporary Access; Flow of patient-identified health information; Flow of de-identified patient health information.]

Clayton, P., et al. For The Record. National Academy Press, 1997.

[Diagram: Alice’s Health Record, expanded. Node labels: Coding; Alice’s Employer; Employer’s clinic & wellness program; Transcription; Clinical Laboratory; Public Health; Consulting Physician; Care Provider (physician, hospital); State Bureau of Vital Statistics; CDC; Managed Care Organization; Life Insurance Company; Retail Pharmacy; ICU Mgt; Health Insurance Company; Pharmacy Benefits Manager; Clearing House; Patient Portal; Prescriptions Database; Equipment Monitoring; Pharmaceutical Companies; Medical Researcher; Accrediting Organization; Medical Information Bureau; Spouse’s self-insured employer; Lawyer in Malpractice Case; Workflow Analytics; Disease Management; De-identification Review; Marketing; Outcomes Analytics; Compliance Management; Ambulatory Discharge; Hospital Discharge.]

Patient D: Denise

Denise lives in a small town in upstate New York with her husband who is a doctor. Denise’s husband is physically abusive to her and their two children. After a particularly violent attack, Denise leaves and seeks assistance from a local domestic violence shelter.
Denise is now concerned about seeking any medical care, even though she now lives in another county, because she suspects that some information about her and her children, including her address, may be available either to her husband or to her husband’s associates.

Patient Control vs. Provider Confidence: A False Dichotomy

- Patients have always had some degree of control
- The myth of the “complete record”
- Liability concerns
- Relationship between patient and provider one of “mutual trust” (“Hippocratic Bargain”)
- Integrity of system patient “buy in” improved delivery/health outcomes & efficiency

Limitations in technology and policy create perverse result

- Those who may benefit the most may decline to participate, or may be excluded under state policy
  - Mental health services recipients
  - Substance abuse services recipients
  - Patients of reproductive health clinics
  - Some minors (in NY, those between 10 and 18 are excluded by policy)

Minors: Concerns about Surrogate/Proxy Access

- Parental consent is generally required for minors to receive health care
- In some states (like NY) minors have the right to receive health care without parental consent under certain circumstances (e.g., STI care; post sexual assault care)
- Who has the right to see the records?
- In most instances, parents have the right to access all of their children’s medical records
- In some states, it is the person who consents to health care (the minor, not the parent) who can access records regarding that care

Surrogate/Proxy Access

- In those states where confidentiality is preserved for minors, such that parents are not permitted access to records of care that a minor received without parental consent, the problem is:
  - Technological inability to separate minor-consented information from parent-consented information
- HIE presents a challenge: how to build a system that guards against undesirable disclosure to otherwise authorized agents

Patient E: Evan

Evan has been receiving care from his pediatrician since he was born. His parents consent to this care, and as a result, have access to his health information. When he starts becoming sexually active, he confides in his doctor. After one sexual encounter he regrets, he requests the Gardasil© vaccine and an STI test.

What needs to be put in place to address privacy concerns?

- Granularization
- Patient Ability to Correct/Amend EHRs
- Protections against Breach & Misuse
- A Critical Examination of Consent
- Effective Public Outreach

Granularization

- Person or entity: who gets to see?
- Time: how far back?
- Service, encounter, and condition: what do they get to see?

Granularization by Provider

- By Provider
  - patient can choose to restrict/include information based on which provider is source
  - Patient A chooses not to include records from visits to her gynecologist in order to ensure that testing for STIs is not included in her HIE-accessible record.
- To Provider
  - patient can choose to allow/exclude specific providers from accessing HIE record
  - Patient B chooses to allow her internist to access records from her gynecologist to ensure coordinated treatment, but chooses to exclude her podiatrist from access to her record.
  - Potentially allows limiting access to specific providers within a practice.

Granularization by Time

- Time Frame: Patients can choose to include/exclude records based on when they were created
- Include only information from a limited look-back period
  - Patient A restricts information to the last 5 years, ensuring that her negative HIV-test from 10 years ago remains private.
- Exclude information from a specific time period
  - Patient B excludes a 4 month period from his records, to ensure that his in-patient treatment for substance use remains private.

Granularization by Service, Encounter, or Condition

- “Sensitive Information” - patient can choose to exclude sensitive information from system or to restrict which providers have access
  - “Sensitive information” can be defined as specific types of information or as defined by patient.
  - Patient A chooses to omit references to his anorexia, preferring to tell individual providers himself as necessary.
- Type of data: choose to include/exclude specific categories of data (lab tests, MD notes, etc.)
  - Patient B chooses to exclude/include medications to keep his history of psychotropic medications private.
- Additional possibilities: visit-by-visit opt-in or opt-out; choice to exclude/include different information within a single visit

Consequences of failing to ensure granularization

- Patient trust in the system suffers, patients opt out
- The solution adopted by New York to preserve minors’ legal rights to confidential care excludes minors from the benefits of HIE altogether
- HITECH requires some degree of granularization (for treatment paid for out-of-pocket). In systems that can’t accommodate this degree of granularization, patients must either give up their rights under HITECH, or decline to participate altogether.

Current New York State Capability on Granularization

- No granularization below the group/facility level: if one provider in group has access, other treating providers in that group will have access.
- No granularization by time frame, type of data, type of condition.
- No granularization by information: Consent to access records extends to all records, including HIV-related information and other sensitive data that might otherwise require specific consent under state or federal law.

Patient Ability to Correct/Amend Health Information

- Errors in a Patient’s Record may be result of
  - Pure error
  - Identity theft
  - Information that later proves untrue (e.g., positive toxicology)
- Patients are already guaranteed the right (via HIPAA, HITECH, and state law) to review medical records and insert additional information and amendments
- Complications
  - Difficulty tracking in a system with wide dissemination
  - Impact of error greater; transformed by larger record with wider dissemination
  - If it is a widely linked record, the corrective mechanism cannot be local

Patient Ability to Correct/Amend

- Must be assurance that there is
  - a mechanism for correcting/amending record in each location where it is held through audit trail
  - ability to send out correct information to each individual/entity that has accessed the record when errors are identified
  - assurance that record is correct going forward

Protections against breach & misuse

- Breach is a “red herring” in privacy discussions
- Biggest concern: someone hacking into your medical records and violating your privacy or “the government will get your info”
- There are strong protections in state policies and procedures and in federal regulations regarding breach

Misuse & Other Harms

- Breach is information leaving the system without your consent; misuse is info leaving WITH your consent.
- Misuse is the bigger concern WITHIN the system, and when it LEAVES the system.
- Examples of misuse:
  - Prejudicial impact on treatment
  - Use by authorized user for non-medical purpose

A Critical Examination of “Consent”

- Ensure the adequacy of consent forms
- Determine whether consent is:
  - Informed
  - Truly consensual
- Begin to think about protecting use vs. access

Public Outreach

- Outreach currently designed to encourage patients to “sign up”
- A more responsible public outreach campaign would:
  - Tell patients that HIE is happening now
    - That information is capable of being shared/accessed
    - How information can be accessed
  - Explain to patients how they fit in by:
    - Explaining benefits
    - Explaining risks
    - Educating them about how to manage risk

When Health Information Moves Outside the Network

- Moving Beyond the Patient-Provider Paradigm
- Personal Health Records
- Marketing & Commercial Data Harvesting

Moving Beyond the Patient-Provider Paradigm

- HIE holds the promise of improved patient care and efficiency
- There are public health goals that could be achieved through access to EHRs not related to patient care or efficiency:
  - System Accountability
  - Research
  - Public Health Monitoring/Government Access

System Accountability

- Theoretically, access to EHRs could assist in
  - Medicaid fraud investigations
  - Quality control of physician care
- To what extent should HIE allow for this level of access?
- What patient consent should be required?
- State policy under development in this area

Research
- E.g., NYS policy allows for use for research with a higher level of consent
- De-identified data from EHRs is accessible
- Challenges
  - Defining “research”
  - How to ensure against re-identification of de-identified data (e.g., small population/small health dep’t, sensitive issues; increasing ability to identify de-identified data, e.g., SSNs)

Public Health Monitoring/State Access
- What is the state to do when it has identified a public health threat?
- When will a health department feel compelled to intervene?
  - common vector
  - suspected intentional transmission
- If the state is the provider/custodian, when will unconsented-to access seem like a good idea?
  - Incarcerated individuals
  - Residents of homeless shelters
  - Recipients of public assistance
- State policy under development in this area

Personal Health Records
- Standards for patient protections/access/control are complicated
- Owned by vendor (legal rights are unclear)
- Currently NOT protected by HIPAA/State Law
  - patient rights are largely subject to contract w/vendor, except:
    - Some are already business associates of HIPAA-covered entities (e.g., patient portals), and so are therefore subject to HIPAA
- Currently regulated by FTC; potentially regulated by HHS
- Some changes in HITECH will apply

Marketing & Commercial Data Mining
- What is “informed consent” in the context of consent to release to marketers?
  - E.g., what does a patient give up by consenting to Rx discount program offered by a pharmaceutical company?
- Comprehensive medical information kept in one place is a highly valuable commodity: vulnerable to unauthorized access and exploitation
- Concerns about re-sale of health information
- State policies under development

Where do we go from here?
- Technology and implementation developing faster than policies & procedures
- Policies and procedures developing faster than our ability to identify all of the repercussions
- There has been little public participation in identifying threats to privacy

We have a long way to go…
- To decide whether and how to revise state laws to deal with the full implications of sharing records formerly kept on paper now that they are shareable electronically
- To strengthen protections against patient mistreatment, medical/disability discrimination
- To strike the proper balance between patient control and provider control

What can an ACLU affiliate do?
- Be on lookout for issues in your own region/state
- Understand what’s happening at state level
- Play a role in state policy-making
- Be aware of how private entities are entering the field
- Consider contributing to consumer/patient/stakeholder voices on national scene
- Revisit internal policies on consent

For more information, contact
Corinne A. Carey
Senior Public Policy Counsel
New York Civil Liberties Union
ccarey@nyclu.org
212 607 3327