Division of Medical Ethics and Humanities Interoperable Electronic Health Records, the American Reinvestment and Recovery Act, and Patient Privacy and

Division of Medical Ethics and HumanitiesDivision of Medical Ethics and Humanities

Interoperable Electronic Health Records, the American Reinvestment and Recovery Act,

and Patient Privacy and Confidentiality

Leslie FrancisDistinguished Professor of Law & Philosophy

Alfred C. Emery Professor of LawAdjunct Professor of Internal Medicine

Division of Medical Ethics and Humanities

Goals

• Outline the concerns for privacy and confidentiality associated with the likely increase in use of interoperable EHRs

• Demonstrate the inadequacy of the current HIPAA regulatory regime

• Explain several areas of current debate: de-identification, surveillance, research, and the protection of categories of “sensitive” health information


Distinguishing Privacy and Confidentiality• Privacy: about access to, control over, the person• Confidentiality: about control over information—how and

on what authority it is shared• The difference matters

– Having information in the system is important for many reasons (research, public health surveillance, treatment)

– But information may not get into the health care system unless people trust control over where it goes

– Depending on the context, we may need to protect confidentiality to protect privacy, or the converse

– Current debates confuse privacy with confidentiality


Ethically: Privacy as Control of Access• Autonomy—controlling access to the person is important to the

individual’s ability to make central choices about his/her life• Physical security—protection from bodily harm done by intrusion• Freedom from intrusion—into the body, the home, other protected

space• The ability to form intimate relationships through controlling access• Dignity—not being subject to contact, intrusion regarded as

degrading• Identity—protecting access as critical to individual or group identity• Equality—ease of access to some but not to others may affect

social positions (e.g. equality of women)


Ethically: Confidentiality as Information Control• Autonomy—control of choices about information• Physical security—harm that may result when information is

shared: throwing lepers off the Molokai cliffs or stoning patients with HIV

• Intimacy and identity—sharing information as a way of establishing intimacy

• Equality—protection from discrimination: e.g. ADA, GINA (the Genetic Information Non-discrimination Act)


Interoperable Electronic Records in Primary Care

• Recent estimates (Health Affairs 2009) are that approximately one in eight physicians in the US today have even “rudimentary” electronic records systems

• Barriers cited in the literature include start up costs, productivity losses, lack of technical expertise, questions about which system to choose

• Clinical value of increased use of health IT is hypothesized but evidence is limited (e.g., Parente & McCullough, Health Affairs 2009); one recent study has linked EHR structural capacity in primary care practices to improved HEDIS measures (Friedberg et al., Annals of Internal Medicine 2009)


ARRA• ARRA includes $17 billion for adoption and “meaningful use”

of EHRs by Medicare and Medicaid providers (up to $44,000 each; that would cover about 386,000 of the estimated 940,000 physicians in the US today)

• “Meaningful use” includes sharing information with other systems; functionalities including computerized order entry, transmissible prescriptions, drug interaction checking, updated problem list

• Ultimate goals include patient registries, quality improvement, public health promotion


Confidentiality and Patient Trust• The most widely quoted estimate is that a significant percentage of patients (1/6)

withhold information from physicians because of concerns about whether it will be protected (California HealthCare Foundation, National Consumer Health Privacy Survey 2005).

• Almost 10% of patients chose not to “opt in” to Massachusetts interoperable EHR demonstration project, many citing privacy concerns (Tripathi et al., Health Affairs 2009)

• Harris poll re research using identifiable health information: 28% no consent or general consent in advance; 38% study-specific consent, 13% refuse to participate or be contacted, remainder unsure (2007, referenced in IOM 2009)

• This behavior may increase as the use of interoperable EHRs increases (CDT 2009)• Patient trust is particularly jeopardized by unanticipated events, so it will be

especially important to inform patients about interoperable records and confidentiality protection


HIPAA Coverage—A Solution?• Mis-described as a “privacy” rule—a confidentiality rule• Applies to “covered entities”: health plans, health care

clearinghouses, and health care providers who transmit health information in electronic form for which HHS has adopted standards—and their “business associates”

• Covers “protected health information”: any individually identifiable health information possessed by covered entities

• Does not cover: employment records, educational records, or de-identified data, even if health information is included in these records and they are otherwise possessed by a covered entity

• And . . . There’s much more HIPAA doesn’t do


HIPAA: what’s outside coverage?• Any entities that possess individually identifiable health

information, but are not covered entities or their business associates: spas, for example

• Many PHR vendors: WebMD, Microsoft Healthvault, GoogleHealth, except if under business associate agreements

• Health 2.0: PatientsLikeMe, 23andMe• Any data transferred with patient authorization out to an

unprotected site


HIPAA Exceptions to Authorization• Health care operations—including business planning, insurance underwriting, quality

assurance, and fraud and abuse detection• Law enforcement—including child abuse, abuse of a vulnerable adult, information

about victims, and information that might implicate family members (e.g. DNA from Pap smear)

• Public health—infectious disease surveillance, bioterrorism, any reportable condition• Employers—information needed to comply with an OSHA request, a Mine Safety and

Health Administration request, or other required workplace-related law• FDA—adverse drug events, post-marketing surveillance information• Research—if IRB has granted a waiver, or information is included in a “limited data

set”• “Serious threat”—to prevent or lessen a serious and imminent threat to a person or

the public, when such disclosure is made to someone believed able to prevent or lessen the threat (including the target of the threat)


Problems with Interoperable EHRs

• Deidentification?—and risks of reidentification• Surveillance and informed consent– Syndromic– Registries

• Limits to research?• Transfer of sensitive health information?


Deidentification• “Deidentified” data: created either by stripping out all of 19 listed types

of identifying information (“safe harbor” rule), or by meeting expert standards regarding risk of reidentification

• Vastly increases the possibilities for use of information—but data are not covered by HIPAA once deidentified

• Concerns– Risk of re-identification when data sets are combined, especially with

publicly available data sets: statistically unusual patterns, genetic information and growth of personalized medicine, PHRs, health blogs, Health 2.0

– Data “miners” (marketers, for example) may try to reidentify deidentified data in the public domain

– Harms from data uses even when identifiers are absent: important personal beliefs, community identity, group stigmatization; the 13% who would refuse to allow their data to be used in research


Surveillance• “Syndromic surveillance”—data are monitored for unusual patterns that

may represent disease activity or terrorist activity• Novel types of data used—google hits predicting flu outbreak• Significance of a particular data point becomes apparent only after the

pattern is discerned, so there is no way to engage in patient informed consent ex ante; compare traditional public health reporting, where the significance of a finding can be explained in advance (Source: Francis et al., Journal of Bioethical Inquiry 2009)

• Risks of stigmatization, job loss, even physical threat, e.g. to an index patient or to someone who has been identified as a danger


Disease Reporting: New York’s Ha1C Registry• Reporting of all Ha1C results by lab to registry (no opt out)• Results reported only to patients, providers (not insurance

companies or employers)• Patients may opt out of reporting (but not registry)• Preliminary results: 17% of patients say receiving the

letters prompted them to make appointments; 50% remembered receiving the letter

• Justice concerns: pilot in South Bronx neighborhoods, stigmatization and racialization

• (Source, Chamany et al., Milbank Quarterly 2009)


Research• Concern that the HIPAA “privacy” rule is impeding health

research—both too protective and too weak• HIPAA and disclosure of PHI for research:

– By patient authorization: requires “a description of each purpose of the requested use or disclosure”; authorization that is “specific and meaningful”—very difficult to apply to stored specimens, biobanks, patient registries, where new research questions are proposed

– By waiver of authorization—if no more than minimal risk, adequate safeguards, research not “practicable” without the waiver or without access to the PHI

– No clear standards for minimal risk to confidentiality or for impracticability


IOM Recommendations (2009)• New, uniform privacy, confidentiality & security standards for

all health research• With these standards, exempt research from HIPAA• Distinction between information-only research and direct,

interventional research• With informational research, certify institutions with

protective policies and practices to facilitate use of large data sets for research without individual consent


Sensitive Information• Some patients regard particular categories of health information as

especially sensitive, and would not want it shared with all providers as information is transferred across a RHIO or an NHIN

• Examples: genetic information, social history, reproductive history (e.g. abortion), substance abuse, mental health history

• Providers are concerned that incomplete records may lead to inadequate clinical care and do not want to make medical judgments without seeing the full interoperable record (but what do they see now, with siloed records?)

• Privacy/confidentiality advocates are concerned that if interoperable design fails to implement protections, patients will opt out of RHIO/NHIN (if given that choice), or will protect confidentiality by not accessing the health care system


NCVHS Proposal

• EHR design should build in the capacity to segregate pre-designated categories of sensitive health information, which could be masked on transfer at patient request

• Flag to indicate that masking has occurred• “Break the glass” feature for emergencies• Drug interaction alerts maintained


MAeHC—Opt in/out; preset categories

• “Opt-in” not “opt-out”• Preset categories of information: medication list, problem

list, diagnoses, immunization, allergies, smoking status, vital signs, procedures, lab results, radiology results

• Not: text notes, consult letters, scanned reports• An approximately 90% opt in rate among patients—but

10% of patients chose not to participate, many citing privacy concerns

• (Source: Tripathi et al., Health Affairs 2009)


Conclusions• The use of interoperable electronic health

records in primary care will continue to grow• Patient confidentiality concerns are significant

and inadequately protected with HIPAA• If patients are to trust providers’ use of EHRs,

it will be important to avoid “surprises” about their health information


• Areas of particular concern– Entities outside of HIPAA and data transfers to

them (even at patient request)– Deidentification and “data mining”– Syndromic surveillance and disease reporting– Research: biobanking and personalized medicine– Protection of categories of sensitive information,

even as records are transmitted among providers

Documents

Division of Medical Ethics and Humanities Interoperable Electronic Health Records, the American Reinvestment and Recovery Act, and Patient Privacy and