CENTER FOR DEMOCRACY & TECHNOLOGY

1634 I St., NW, Suite 1100, Washington, DC 20006 • v. +1.202.637.9800. • f. +1.202.637.0968 • http://www.cdt.org

Comprehensive Privacy and Security: Critical for Health Information Technology

Version 1.0 – May 2008

In this paper, CDT calls for the adoption of a comprehensive privacy and security framework for protection of health data as information technology is increasingly used to support exchange of medical records and other health information. CDT believes that privacy and security protections will build public trust, which is crucial if the benefits of health IT are to be realized. In CDT's view, implementation of a comprehensive privacy and security framework will require a mix of legislative action, regulation and industry commitment and must take into account the complexity of the evolving health exchange environment.

Privacy and Security Protections are Critical to Health IT

Health information technology (health IT) and health information exchange can help improve health care quality and efficiency, while also empowering consumers to play a greater role in their own care. At the federal and state levels, policymakers are pushing initiatives to move the health care system more rapidly into the digital age.

However, health IT initiatives pose heightened risks to privacy. Recent breaches of health information underscore that the risks are real. At the same time, there is widespread confusion and misinterpretation about the scope of current health privacy laws. Some are pushing for quick “fixes” to try to address the public’s privacy concerns, but fully resolving these issues requires a comprehensive, thoughtful and flexible approach.

While some persist in positioning privacy as an obstacle to achieving the advances that greater use of health IT can bring, it is clear that the opposite is true: enhanced privacy and security built into health IT systems will bolster consumer trust and confidence and spur more rapid adoption of health IT and realization of its potential benefits.

Survey data shows that Americans are well aware of both the benefits and the risks of health IT. A large majority of the public wants electronic access to their personal health information – both for themselves and for their health care providers – because they believe such access is likely to increase their quality of care. At the same time, people have significant concerns about the privacy of their medical records. In a national survey conducted in 2005, 67% of respondents were “somewhat” or “very concerned” about the privacy of their personal medical records.1 In a 2006 survey, when Americans were asked about the benefits of and concerns about online health information:

• 80% said they are very concerned about identity theft or fraud;
• 77% reported being very concerned about their medical information being used for marketing purposes;
• 56% were concerned about employers having access to their health information; and
• 53% were concerned about insurers gaining access to this information.2

Appropriate privacy protections must be incorporated from the outset in the design of new health IT systems and policies. It is often difficult or impossible to establish effective privacy protections retroactively, and restoring public trust that has been significantly undermined is much more difficult than building it at the start. Now – in the early stages of health IT adoption – is the critical window for addressing privacy.

As an Internet policy organization and privacy advocate, CDT brings a unique perspective to these issues, based on our experience in shaping workable privacy solutions for a networked environment. In this paper, we describe why it is necessary that all parties – from traditional health care entities and new developers of personal health records, to legislators and regulators – address privacy and security in health IT systems. We emphasize that all stakeholders need to begin immediately to implement and enforce a comprehensive privacy and security framework in all of the various tools and processes of health IT.

The Consequences of Failing to Act

Protecting privacy is important not just to avoid harm, but because good health care depends on accurate and reliable information.3 Without appropriate protections for privacy and security in the healthcare system, patients will engage in “privacy-protective” behaviors to avoid having their personal health information used inappropriately.4 According to a recent poll, one in six adults (17%) – representing 38 million persons – say they withhold information from their health providers due to worries about how the medical data might be disclosed.5 Persons who report that they are in fair or poor health and racial and ethnic minorities report even higher levels of concern about the privacy of their personal medical records and are more likely than average to practice privacy-protective behaviors.6

People who engage in privacy-protective behaviors to shield themselves from stigma or discrimination often pay out-of-pocket for their care; ask doctors to fudge a diagnosis; switch doctors frequently to avoid having all of their records in one location; lie; or even avoid seeking care altogether.7 The consequences are significant – for the individual, for the medical community, and for public health:

• The quality of care these patients receive may suffer;
• Their health care providers’ ability to diagnose and treat them accurately may be impaired;
• The cost of care escalates as conditions are treated at a more advanced stage and in some cases may spread to others; and
• Research, public health, and quality initiatives may be undermined, as the data in patient medical records is incomplete or inaccurate.8

1 National Consumer Health Privacy Survey 2005, California HealthCare Foundation (November 2005) (2005 National Consumer Survey).

2 Study by Lake Research Partners and American Viewpoint, conducted by the Markle Foundation (November 2006) (2006 Markle Foundation Survey).

3 See Janlori Goldman, “Protecting Privacy to Improve Health Care,” Health Affairs (Nov-Dec, 1998) (Protecting Privacy); Promoting Health/Protecting Privacy: A Primer, California Healthcare Foundation and Consumers Union (January 1999), http://www.chcf.org/topics/view.cfm?itemID=12502 (Promoting Health/Protecting Privacy).

4 Protecting Privacy; Promoting Health/Protecting Privacy; 2005 National Consumer Survey.

5 Harris Interactive Poll #27, March 2007.

6 2005 National Consumer Survey.

7 Protecting Privacy; 2005 National Consumer Survey; Promoting Health/Protecting Privacy.

8 Id.


Health IT Can Protect Privacy – But Magnifies Risks

Health IT has a greater capacity to protect sensitive personal health information than is the case now with paper records. For example, it is often impossible to tell whether someone has inappropriately accessed a paper record. By contrast, technologies, including strong user authentication and audit trails, can be employed to limit and track access to electronic health information automatically. Electronic health information networks can be designed to facilitate data sharing for appropriate purposes without needing to create large, centralized databases of sensitive information that can be vulnerable to security breaches. Encryption can help ensure that sensitive data is not accessed when a system has been breached. Privacy and security policies and practices are not 100% tamperproof, but the virtual locks and enforcement tools made possible by technology can make it more difficult for bad actors to access health information and help ensure that, when there is abuse, the perpetrators will be detected and punished.9

At the same time, the computerization of personal health information – in the absence of strong privacy and security safeguards – magnifies the risk to privacy. As the recent spate of large-scale privacy and security breaches demonstrates, serious vulnerabilities exist now. Tens of thousands of health records can be accessed or disclosed through a single breach. Recent headlines about the theft of an NIH laptop loaded with identifiable information about clinical research subjects, and the accidental posting of identifiable health information on the Internet by a health plan, underscore these concerns, and are just two of numerous examples. The cumulative effect of these reports of data breaches and inappropriate access to medical records, coupled with the lack of enforcement of existing privacy rules by federal authorities, deepens consumer distrust in the ability of electronic health information systems to provide adequate privacy and security protections.10

9 See For The Record: Protecting Electronic Health Information, Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, Computer Science and Telecommunications Board, National Research Council (National Academy Press, Washington, DC 1997) for a discussion of the inability of systems to be 100% tamperproof.

10 See http://www.cdt.org/healthprivacy/20080311stories.pdf for stories of health privacy breaches and inappropriate uses of personal health information.


Elements of a Comprehensive Privacy and Security Framework That Will Build Public Trust, Advance Health IT

A comprehensive privacy and security framework must be implemented by all stakeholders engaged in e-health efforts. Such a framework, as outlined by the Markle Foundation’s Connecting for Health, would:

• Implement core privacy principles;
• Adopt trusted network design characteristics;
• Establish oversight and accountability mechanisms.

Congress should set the framework for national policy through legislation. Ensuring and enforcing adequate protections for privacy and security also will require coordinated actions on the part of key regulatory agencies, as well as industry best practices. The framework should be implemented in part by strengthening the HIPAA Privacy Regulation for records kept by the traditional health system participants, but also needs to address the increased migration of personal health information out of the traditional medical system.

Notwithstanding the urgent need to address privacy, health information policy initiatives – both legislative and administrative – are moving forward without addressing privacy and security at all, or they are taking a piecemeal approach that too narrowly focuses on a single activity, such as e-prescribing, or on just one aspect of fair information practices, such as the appropriate role of patient consent.

In developing a comprehensive framework, policymakers, regulators, and developers of HIT systems need not start from scratch. A framework for HIT and health information exchange already exists, in the form of the generally accepted “fair information practices” (“FIPS”) that have been used to shape policies governing uses of personal information in a variety of contexts, most notably the HIPAA Privacy Regulation, which established the first federal health privacy framework.11 While there is no single formulation of the “FIPs,” the Common Framework developed by the Markle Foundation’s Connecting for Health initiative, which includes broad representation from across the health care industry and patient advocacy organizations, describes the principles as follows:

• Openness and Transparency: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides.
• Purpose Specification and Minimization: The purposes for which personal data is collected should be specified at the time of collection, and the subsequent use should be limited to those purposes or others that are specified on each occasion of change of purpose.
• Collection Limitation: Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject.
• Use Limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified.
• Individual Participation and Control:
    • Individuals should control access to their personal health information:
        - Individuals should be able to obtain from each entity that controls personal health data, information about whether or not the entity has data relating to them.
    • Individuals should have the right to:
        - Have personal data relating to them communicated within a reasonable time (at an affordable charge, if any), and in a form that is readily understandable;
        - Be given reasons if a request (as described above) is denied, and to be able to challenge such a denial;
        - Challenge data relating to them and have it rectified, completed, or amended.
• Data Integrity and Quality: All personal data collected should be relevant to the purposes for which they are to be used and should be accurate, complete and current.
• Security Safeguards and Controls: Personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.
• Accountability and Oversight: Entities in control of personal health data must be held accountable for implementing these information practices.
• Remedies: Legal and financial remedies must exist to address any security breaches or privacy violations.

The Connecting for Health Common Framework also sets forth characteristics for network design that can help ensure health information privacy and security.12 These network design characteristics facilitate health information exchange not through centralization of data but rather through a “network of networks.” Such a distributed architecture is more likely to protect information. Other key elements of such a system are interoperability and flexibility, which support innovation and create opportunities for new entrants.

11 Other potential sources for policy recommendations include the GAO, the National Center for Vital Health Statistics and the National Governor’s Association State Alliance for eHealth.

The Role of HIPAA in the New Environment

The federal privacy and security rules that took effect in 2003 under the Health Insurance Portability and Accountability Act (HIPAA) reflect elements of this framework and provide important privacy protections governing access, use and disclosure of personally identifiable health information by some entities in the health care system. The HIPAA Privacy Rule was a landmark in privacy protection, but it is widely recognized that the regulation is insufficient to adequately cover the new and rapidly evolving e-health environment. For example:

• State and regional health information organizations or health information exchanges (also known as RHIOs or HIEs), which may aggregate and facilitate exchange of personal health information, are often not covered by HIPAA’s Privacy Rule.
• Personal health records and other consumer access services now being created by third parties, including companies such as Google and Microsoft, as well as by employers, usually fall outside of the HIPAA rules.
• Personal health data is migrating onto the Internet through an exploding array of health information sites, online support groups, and other on-line health tools, regulated only through enforcement by the Federal Trade Commission (FTC) of the general prohibition against unfair and deceptive trade practices, such as a failure to follow promised privacy policies.
• While the Privacy Rule includes criteria for de-identifying data, new technologies are making it much easier to re-identify once de-identified health information and to combine it with personal information in other databases, making it more likely that sensitive health information will be available to unauthorized recipients for uses that have nothing to do with treatment or payment.

12 See www.connectingforhealth.org for more details on the Common Framework.


In addition, the HIPAA rules have never been adequately enforced. The HHS Office for Civil Rights (OCR), charged with enforcing HIPAA, has not levied a single penalty against a HIPAA-covered entity in the nearly five years since the rules were implemented, even though that office has found numerous violations of the rules.13

Historically, states have filled the gaps in federal health privacy laws by enacting legislation that provides stronger privacy and security protections for sensitive data, such as mental health and genetic information. The states continue to have an important role to play, but relying on the states to fill deficiencies in HIPAA’s Privacy Rule – or to regulate entities outside of the traditional healthcare sphere – does not provide a comprehensive, baseline solution that gives all Americans adequate privacy and security protections, and does not offer all the entities in the e-health space a predictable and consistent policy environment.

National Conversations about Privacy and Security Have Been Too Focused on the Issue of Individual Consent

The ability of individuals to have some control over their personal health information is important, and a comprehensive privacy and security framework should address patient consent.14 However, consent is not a panacea. If health privacy rules fail to address the range of privacy and security issues through concrete policies, and instead rely only (or significantly) on giving individuals the right to consent to multiple uses and disclosures of their personal health information, the result is likely to be a system that is less protective of privacy and confidentiality.

Among other reasons, a consent-based system places most of the burden of privacy protection on patients at a time where they may be least able to make complicated decisions about use of their health data. Most don’t read the details of a consent form and those that do often do not understand the terms. Many wrongly assume that the existence of a “privacy policy” means that their personal information will not be shared, even when the policy and the accompanying consent form say just the opposite.15 If mere patient authorization is all that is needed to share data with third parties, highly sensitive patient information will be disclosed to entities that are completely outside the scope of the HIPAA privacy regulation. If consent becomes the focus of privacy protection, it is clear that patients will be exposed to unregulated and potentially uncontemplated uses – and misuses – of their data. Further, if reliance on consent by an individual for any particular use of his or her information is treated by policymakers as the key to privacy protection, the healthcare industry will have fewer incentives to design systems with stronger privacy and security protections.16

13 “Effectiveness of medical privacy law is questioned,” Richard Alonso-Zaldivar, Los Angeles Times (April 9, 2008) http://www.latimes.com/business/la-na-privacy9apr09,0,5722394.story.

14 Much more should be done to improve the way in which consent options are presented to consumers in the health care context. Internet technology can help in this regard, making it easier to present short notices, layered notices and more granular forms of consent.

All Entities Should Adopt and Implement a Comprehensive Privacy and Security Framework

Regardless of whether or not Congress takes action to address these issues, states and entities developing health information exchanges and other health IT initiatives should commit to adoption of the comprehensive privacy framework outlined here. Guidance for policy development for health information exchanges can be found, for example, in the Common Framework developed by the Markle Foundation’s Connecting for Health Project. Consumer access services such as PHRs must also implement the comprehensive framework through rigorous privacy and security protections.17 Such entities should make their privacy commitment explicit in a published privacy notice. Consumers should look for these promises and should measure them against the framework. Once companies make a privacy promise, they will be bound to it under the Federal Trade Commission Act. In addition, consumer rating services can compare and assess privacy practices, measuring them against the principles outlined here.

15 See “Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware” (with Nathan Good, Rachna Dhamija, Jens Grossklags, Steven Aronovitz, David Thaw and Joseph Konstan), presented at the 2005 Symposium on Usable Privacy and Security (SOUPS), also in ACM INTERNATIONAL CONFERENCE PROCEEDING SERIES; VOL. 93, PROCEEDINGS OF THE 2005 SYMPOSIUM ON USABLE PRIVACY AND SECURITY, Pittsburgh, Pennsylvania (2005); 2005 National Consumer Survey; “Research report: Consumers Fundamentally Misunderstand the Online Advertising Marketplace,” Joseph Turow, Deidre K. Mulligan & Chris Jay Hoofnagle, Survey conducted by University of Pennsylvania Annenberg School for Communications and UC-Berkeley Law School’s Samuelson Law, Technology and Public Policy Clinic 2007.

16 By contrast, a comprehensive approach puts the principal burden on the entities holding personal health information to protect privacy by placing clear enforceable limits on the collection and use of personal health information and backs it up with strong enforcement. See Beyond Consumer Consent: Why we need a Comprehensive Approach to Privacy in a Networked World, http://www.cdt.org/healthprivacy/20080221consentbrief.pdf.

17 See, e.g. the Best Practices for Employers offering PHRs http://cdt.org/healthprivacy/20071218Best_Practices.pdf.

Congress Should Establish a Comprehensive Health Privacy and Security Approach

Although states and the private sector should not wait for action by Congress to protect privacy, CDT believes that Congress should establish national policy to ensure that health information technology and electronic health information exchange is facilitated by strong and enforceable privacy and security protections.

According to recent surveys:

• 75% believe the government has a role in establishing rules to protect the privacy and confidentiality of online health information;
• 66% say the government has a role in establishing the rules by which businesses and other third parties can have access to personal health information; and
• 69% say the government has a role in encouraging doctors and hospitals to make their personal health information available over the Internet in a secure way.18

One of the major challenges in developing a comprehensive privacy and security framework is to integrate any new rules with the HIPAA privacy and security rules. Congress should consider both strengthening HIPAA where appropriate and establishing additional legal protections to reach new actors in the e-health environment.

Congress should set the general rules – the attributes that a trusted health information system must have – based on the Fair Information Practices discussed earlier. Further, Congress should hold a series of hearings on some of the more difficult issues to resolve and develop a full record that will serve as the basis for more specific legislative action. In particular, Congress should consider:

• The appropriate role for patient consent for different e-health activities;
• The ability of consumers to have understandable information about where and how their Personal Health Information (PHI) is accessed, used, disclosed and stored;
• The right of individuals to view all PHI that is collected about them and be able to correct or remove data that is not timely, accurate, relevant, or complete;
• Limits on the collection, use, disclosure and retention of PHI;
• Requirements with respect to data quality;
• Reasonable security safeguards given advances in affordable security technology;
• Use of PHI for marketing;
• Other secondary uses (or “reuses”) of health information;
• Responsibilities of “downstream” users of PHI;
• Accountability for complying with rules and policies governing access, use, and disclosure, enforcement, and remedies for privacy violations or security breaches;19 and
• Uses and safeguards for de-identified information.

18 2006 Markle Foundation Survey.

19 See the Common Framework, www.connectingforhealth.org.

Congress Also Should Enact Legislation to Strengthen HIPAA For Health System Entities

With respect to the access, use and disclosure of electronic health information by the traditional players in the health care system, there are some immediate steps Congress could take to fill some of the gaps in HIPAA. For example, Congress can take a number of actions to secure more meaningful enforcement of the HIPAA rules, including:

• Strengthening Office for Civil Rights’ (OCR’s) role by requiring it to conduct periodic audits of covered entities and their business associates to ensure compliance with the rules;
• Increasing the penalties associated with failure to comply with key provisions of the HIPAA rules;
• Increasing resources dedicated to HIPAA enforcement;
• Requiring OCR to report to Congress on a regular basis on enforcement of the rules; and
• Amending HIPAA to allow for enforcement of the rule by state authorities (such as attorneys general).

Congress should also consider enacting legislative provisions to:

• Establish notification requirements and penalties for data breaches;
• Strengthen the existing HIPAA rules requiring express authorization for use of patient identifiable data for marketing; and
• Require electronic health systems to provide consumers with access to their health information in an electronic format.

Although it is desirable for Congress to enact legislation that fills some of the gaps in HIPAA and to enact a general privacy and security framework to govern health IT, it will be impossible for Congress to legislatively adopt comprehensive rules that fit all of the various actors and business models in the rapidly expanding and evolving e-health environment. Therefore, a second major challenge for Congress is to decide what can be legislated and what must be delegated to agency rulemaking – and what areas are best left to be developed and enforced through industry best practices.

Strengthening Privacy and Security Will Also Require a More Tailored Regulatory Approach

While Congress should establish a strong framework for health privacy and security, it must avoid a “one-size-fits-all” approach that treats all actors that hold personal health information the same. The complexity and diversity of entities connected through health information exchange, and their very different roles and different relationships to consumers, require precisely tailored policy solutions that are context and role-based and flexible enough to both encourage and respond to innovation. For example, it makes little sense to have the same set of rules for “personal health records,” which are often created by and controlled by patients and held by third party data stewards outside the healthcare system, and for “electronic health records,” which are created and controlled by health care providers for purposes of treatment and care management. To take another example, rules for use of personal health information for treatment need to be quite different than rules for marketing or other secondary uses. Rules regarding use of health information for research need to be separately considered as well.

Congress should not attempt to develop all of the details in legislation. Rather, Congress should enact legislation specifically recognizing the importance of the privacy rights in health information across technology platforms and business models, setting out principles and attributes to guide one or more regulatory agencies in developing detailed, context-specific rules for the range of entities that collect, use and distribute personal health information in the new interconnected healthcare system. One approach would be to direct the Department of Health and Human Services to strengthen the HIPAA regulations that apply to traditional players in the health system, while also directing HHS or possibly the Federal Trade Commission to issue regulations to govern the handling of personal health information by new players who are part of the broader Internet marketplace and not part of the healthcare system. If more than one agency is to be involved, Congress could require them to work together to avoid issuing conflicting rules (as the financial services regulatory agencies did in developing security rules for financial information).

Tasking HHS and/or the FTC with the responsibility for developing detailed regulations allows for:

• A more tailored, flexible approach that will ensure comprehensive privacy and security protections in a myriad of different e-health environments, and
• More regular, active monitoring of developments in the marketplace and a more rapid response to newly emerging privacy and security issues.

Congress should maintain strong oversight over the regulatory process by:

• Requiring regulations to be developed within a particular timeframe;
• Requiring satisfactory completion of the rulemaking before federal HIT grants can be made;
• Mandating reporting by the agencies on implementation and enforcement; and
• Vigorous oversight and reporting on implementation and enforcement.

Conclusion

To establish greater public trust in HIT and health information exchange systems, and thereby facilitate adoption of these new technologies, a comprehensive privacy and security framework must be in place. From traditional health entities to new developers of consumer-oriented health IT products to policymakers, all have an important role to play in ensuring a comprehensive privacy and security framework for the e-health environment. Congress should set the framework for privacy and security by strengthening enforcement of existing law and ensuring that all holders of personal health information are subject to a comprehensive privacy framework. Congress can also take immediate steps to strengthen existing privacy rules, for example, empowering consumers to play a greater role in their health care by mandating electronic access to their health records. Given the broad array of entities in the e-health arena, the technological changes in the marketplace today, and the prospects for rapid innovation, many of the details of that framework should be worked out through the regulatory process. The challenge for policymakers is to find the right mix of statutory direction, regulatory implementation, and industry best practices to build trust in e-health systems and enable the widespread adoption of health IT.

FOR MORE INFORMATION

Please contact: Deven McGraw, Director, CDT’s Health Privacy Project, 202-637-9800, http://www.cdt.org