January 2, 2010

The Safety of Electronic Health Records?

“I want [Americans] to benefit from a health care system that works for all of us ... where patients are spending more time with their doctors, and doctors can pull up on a computer all the medical information and last research they’ll ever want to know to meet patients’ needs.” - President Obama, Press Conference, Health Care Reform legislation, July 22, 2009

The electronic health record (EHR) is an emerging concept in healthcare today, designed to provide on-line, real time access to patient medical records that encompass multiple Care Delivery Organizations (CDOs) over an extended period of time. While an electronic medical record (EMR) provides data on the care provided by a single hospital or physician, the EHR provides data that spans multiple CDOs, offering a comprehensive view of a patient’s medical and treatment history... The EHR represents the sharing of medical information among stakeholders, including all elements of a CDO, patients and payers, both private and governmental. - The Case for Electronic Health Records, Health News Digest, April 27, 2009

The EHR will become the key focal point of clinical information systems. All electronic medical devices and equipment will be required to share and exchange information with EHRs, which are expected to become ubiquitous over the next 10 years as part of a federal government initiative to streamline the delivery of healthcare services. - Medical Device Connectivity and Patient Centric Surveillance, June 13, 2005

Hospitals have been slowly converting to electronic health records (EHR) for several years, but with health-care reform, at last, high on Washington's to-do list, President Barack Obama has called for $19 billion in stimulus money to speed up the process. Before policymakers can determine how best to spend that money, however, they need to know how the digital switchover is going so far and what's holding things up. - Electronic Health Records: What's Taking So Long?, TIME Magazine, March 25, 2009

The HITECH Act, part of the 2009 economic stimulus package (ARRA) passed by the US Congress, aims at inducing more physicians to adopt EHR... The HITECH Act directs the federal HHS Secretary to set standards, coordinate the nationwide plan and infrastructure, and select non-profit health information technology centers to be funded... In 2004, the Office of the National Coordinator for Health Information Technology (ONC) was created. It reports directly to the HHS Secretary. Under the ONC, Regional Health Information Organizations (RHIOs) have been established in many states in order to promote the sharing of health information. The ONC is authorized in section 3007(c) of the HITECH Act to charge each health care provider a nominal fee (on a sliding scale) for the adoption of a system certified by them. - Electronic Health Records - Incentives in the United States

The legislation envisions the "utilization of an electronic health record for each person in the United States by 2014... the National Coordinator shall establish a governance mechanism for the nationwide health information network" (PDF p. 244, 245). Congress, through its enactment of the "stimulus" bill, is committed to spending $787 billion on various projects, including $20 billion to encourage doctors and hospitals to adopt electronic health records (EHRs). This new spending is a component of the Obama Administration's health care agenda, which includes the promotion of health information technology (HIT). - readthestimulus.org, 2009 U.S. Economic Stimulus Package

Is Patient Data Privacy on Its Sickbed?

As we stand on the cusp of a massive healthcare modernization program, we face increasing challenges over healthcare data privacy. Danny Bradbury explores what’s happening in the US from a technological perspective, and what it means for our sensitive data.

By Danny Bradbury, Infosecurity
August 3, 2009

British Romantic wit Alexander Pope had it right when he said:
“Reason’s whole pleasure, all the joys of sense, lie in three words,—health, peace and competence.”
In today’s modern healthcare environment, health requires a whole different type of competence; we’ll only achieve peace of mind when we secure private patient information in an increasingly digital environment.

The American healthcare system is poised to undergo one of the most significant changes in its history. Electronic healthcare records have been on the agenda for some time, but with the recent change in the administration, modernizing the system has become a priority. President Obama has pledged to revolutionize the healthcare system using funds provided by the American Recovery and Reinvestment Act stimulus package Bill passed in February.

As soon as he came into office, Obama pledged to computerize the nation’s health records within five years. However, that carries significant challenges from an information security perspective. How is it going to happen, and who is going to protect our data as it does?

The core of the modernization initiative will be a Nationwide Health Information Network, which will connect a series of regional networks called Health Information Exchanges together across a broader backbone. The US Department of Health and Human Services is overseeing the system and has commissioned 15 contractors to produce prototypes.

That initiative will hopefully take care of the communications infrastructure that will enable records to be exchanged between different parts of the country (so that, for example, a doctor in Florida could access the records of a retiree from Minnesota who is spending the winter in the Sunshine State). The Healthcare Information Technology Standards Panel, created by the American National Standards Institute, will take care of the format for electronic health records.

The Meaning of Privacy

Where do privacy and security lie in this massive modernization program? Dr Deborah Peel, a practicing physician who also founded non-profit special interest group Patient Privacy Rights, isn’t convinced that they have been given enough thought.

"The Bush administration de-regulated the consumer protections across the board, and one of the places where they did that was the HIPAA privacy rule." - Deborah Peel, Patient Privacy Rights

There may be a legal definition of what privacy means in the US, but there isn’t a government-ratified one pertaining to health, she warns.

“Congress has not set a definition of what that means, in the portion of the stimulus package that is about health technology,” she says. The National Committee on Vital and Health Statistics developed a definition in 2006, but the Department of Health and Human Services did not adopt it, she recalls.
But surely the Health Insurance Portability and Accountability Act (HIPAA) should provide some protection? Passed in 1996, the legislation is designed to provide some privacy for healthcare information. Entities covered by the legislation include healthcare providers, healthcare clearing houses, and health plans.

Title two of the Act focuses on preventing healthcare fraud and abuse, and entails five rules revolving around privacy, transactions and code sets, security, unique identifiers, and enforcement.

HIPAA’s privacy rule requires covered entities to disclose protected health information (PHI) to an individual within 30 days of a request, and they must also fix errors in that information when asked to. They must also tell individuals how that information is being used.

"At present, Google and Microsoft have created very strong policies, and they are not covered by HIPAA, so patients have to trust those policies." - John Halamka, Harvard

The Role of Security

The Security role is another significant one. It focuses on electronically held PHI, and mandates administrative, physical, and technical safeguards. These are many and varied, but include, for example, the requirement to adopt a rigorous set of privacy procedures, and the designation of a privacy officer. Covered entities should have a contingency plan for dealing with security breaches, and must protect their computer systems from intrusion. Encryption must be used when transmitting data over open networks.

Peel doesn’t feel that HIPAA offers consumers the protection that they deserve, however.

“HIPAA eliminated the right to privacy,” she says. “The Bush administration de-regulated the consumer protections across the board, and one of the places where they did that was in the HIPAA privacy rule,” she says, arguing that a 2002 amendment eliminated the right of individuals to give their consent to healthcare providers wishing to share their information with others.

They literally take the individuals out of it, and the decisions about when information will be used, and for what purposes, are in the hands of businesses,” she says. The amendment applies to ‘covered entities’, which applies to most businesses operating in the healthcare sector, she adds. “They totally turned HIPAA into a data miner’s dream.”

There is alternative legislation on the table, however. The Protect Patients and Physicians Privacy Act was introduced into the House of Representatives in May by Rep. Ron Paul (R-TX). It has been referred to the Committee on Energy and Commerce as well as the Committee on Ways and Means, as part of the long, arduous process to make a Bill law. If passed, the Act would reinstate some of the patient privacy rules that Peel says were cut out of HIPAA.

This may be true, but nevertheless there are some entities not covered by HIPAA that perhaps should be. In particular, there are some companies hoping to act as stewards for consumer health information that is not subject to the same rigorous controls that health plans face.

Google launched its Health service in April 2008, while Microsoft rolled out its Healthvault service in October 2007. The two services have similar goals: to help consumers store and manage their own health information, rather than leaving it purely in the hands of medical practitioners.

“Google Health is free to anyone, much like other Google products we offer, including Google News and iGoogle,” says Google, about its service. “This is just another step in helping us fulfill our mission to organize all of the world’s information and make it universally accessible and useful.”

The Benefits of Sharing

The potential benefits of these systems are enormous. They are connecting with networks of medical institutions such as pharmacies, making it possible for patients to pool their prescription and healthcare data into their own account managed on either Microsoft or Google’s servers. They can then choose who sees that information, and in some cases can make more informed searches about their healthcare questions.
“There is a way in which we can securely hold information about patients, giving them the ability to share their information, under their control, very explicitly”, says John Coulthard, director of healthcare and life sciences at Microsoft. “There is a cohort of individuals that want to search for healthcare information, learn about what it tells them, save that information, and then act upon it.”

"People's health information will potentially be more at risk of being used for commercial and marketing purposes." - Deven McGraw, CDT

That’s all well and good, but who is going to police these services? John Halamka, chief information officer and dean for technology at Harvard Medical School, who helped to develop the Google Health service, admits that it does not fall under HIPAA regulation. Although he says, the companies have been co-operative in agreeing to their own standards.

“At present, Google and Microsoft have created very strong policies, and they are not covered by HIPAA, so patients have to trust those policies,” he says.
However, Peel, who is trying to put together an evaluation system for privacy protection in healthcare information systems, says that only Microsoft replied when she invited several companies to contribute. Google didn’t get back to her, she says.

Commercial Activity

She is not the only person concerned over the safety of electronic health records within some of these privately owned services.

“People’s health information will potentially be more at risk of being used for commercial and marketing purposes,” warns Deven McGraw, director of the health privacy project at the Centre for Democracy and Technology in Washington, DC. “The volume of that kind of activity will ramp up considerably in a health and information system that is all commercially run.”
"There is a way in which we can securely hold information about patients, giving them the ability to share their information, under their control, very explicitly." - John Coulthard

Such issues could become more problematic as these companies begin using their expertise in social networking tools to enhance the value of these healthcare records. Google has already launched a social networking function as part of its Health service, and it is unlikely to be the last (although it has vowed not to use advertising as part of its healthcare system). Microsoft executives have already talked about the benefits of such features.

The balance between security and usability is always a fine one, and in the case of healthcare it is particularly politically charged. On the one hand, the appeal of managing one’s own personal health information is obvious, as is the opportunity of plugging it into innovative services that can add value to it.

On the other hand, there is a need to protect patients’ personal information, both from commercially motivated cyber criminals, and also from special interests that could use those records for their own ends. Let’s hope that as we continue to modernize our systems, our privacy remains in good health.

No comments:

Post a Comment

Go to The Lamb Slain Home Page