HIT Policy Privacy & Security Tiger Team Virtual Hearing on Accounting for Disclosures ─────────── September 30, 2013

Source: media.khi.org/news/documents/2013/09/30/2013-09-30_Materials.pdf · 9/30/2013


HIT Policy Privacy & Security Tiger Team

Virtual Hearing on Accounting for Disclosures

September 30, 2013

AGENDA
Virtual Hearing on Accounting for Disclosures
HITPC Privacy and Security Tiger Team
Monday, September 30, 2013, 11:45 a.m. – 5:00 p.m. Eastern Time

VIRTUAL HEARING

11:45 a.m.  Welcome and Roll Call
            – Michelle Consolazio, Office of the National Coordinator for Health IT

11:50 a.m.  Opening Remarks/Framing & Introductions
            – Deven McGraw, Chair
            – Paul Egerman, Co-Chair
            – Linda Sanches, Office for Civil Rights

12:05 p.m.  Panel 1: Patient Perspectives
            – Mark Richert, Esq. – Director, Public Policy, American Federation for the Blind
            – Dr. Deborah Peel – Founder, Patient Privacy Rights
            – Michelle de Mooy – Senior Associate, National Priorities, Consumer Action

12:25 p.m.  Question and Answer

1:20 p.m.   Panel 2: Vendor/Business Associate Perspectives
            – Kurt Long – Chief Executive Officer and Founder, FairWarning
            – Eric Cooper – Health Information & Identity Management Product Lead, EPIC
            – Jeremy Delinsky – Chief Technology Officer, Athena Health
            – John Travis – Senior Director, Regulatory Compliance, Cerner
            – Lori Cross – Director of Laboratory Operations, Cerner

1:40 p.m.   Question and Answer

2:40 p.m.   Panel 3: Provider Perspectives
            – Darren Lacey – Chief Information Security Officer, Johns Hopkins University Health System
            – Lynne Thomas Gordon – Chief Executive Officer, American Health Information Management Association
            – Jutta Williams – Director, Corporate Compliance Privacy Office, Intermountain Healthcare
            – William Henderson – Administrator, The Neurology Group, LLP (Albany, NY) and Co-Chair, Board of Directors of Medical Group Management Association
            – Kevin Nicholson – Vice President, Public Policy and Regulatory Affairs, National Association of Chain Drug Stores

2:55 p.m.   Question and Answer

3:50 p.m.   Panel 4: Payer Perspectives
            – Scott Morgan – Executive Director, National Privacy and Security Compliance Officer, Kaiser Permanente
            – Jay Schwitzgebel – Director Information Security & IT Compliance, Caresource

4:00 p.m.   Question and Answer

4:40 p.m.   Wrap up/Next Steps/Closing Remarks

4:45 p.m.   Public Comment

5:00 p.m.   Adjourn

HIT Policy Privacy and Security Tiger Team

Members                     Organization

Chair
Deven McGraw                Center for Democracy & Technology

Co-Chair
Paul Egerman                Businessman/Entrepreneur

Members
Dixie Baker                 Martin, Blanck, and Associates
Judith Faulkner             Epic Systems Corporation
Leslie Francis              University of Utah College of Law
Larry Garber                Reliant Medical Group
Gayle Harrell               Florida State Legislator
John Houston                University of Pittsburgh Medical Center
David McCallie, Jr.         Cerner Corporation
Wes Rishel                  Gartner, Inc.
Micky Tripathi              MA eHealth Collaborative

Federal Ex officios
David Holtzman              ONC-HHS
Kitt Winter                 Social Security Administration


PRESENTER BIOGRAPHICAL SKETCHES
Hearing on Accounting for Disclosures
HITPC Privacy and Security Tiger Team
September 30, 2013

Panel 1: Patient Perspectives
Mark Richert, Esq., American Federation for the Blind
Dr. Deborah Peel, Patient Privacy Rights
Michelle de Mooy, Consumer Action

Mark Richert, Esq., serves as the Director of Public Policy for the American Foundation for the Blind, the leading national nonprofit expanding possibilities for people with vision loss, and the cause to which Helen Keller devoted more than four decades of her extraordinary life. Mark oversees the formulation and implementation of AFB's legislative, regulatory, and policy research agendas. A lawyer with nearly 20 years of policy and organizational management experience, Mark serves as a co-chair of the Civil Rights and Technology Task Forces of the Consortium for Citizens with Disabilities, and is a founder and co-chair of the Coalition of Organizations for Accessible Technology (COAT). Mark has shaped much of the public policy affecting people who are blind or visually impaired in an array of subject matter areas, from special education, to mainstream technology usability, to copyright law and vocational rehabilitation.

Dr. Deborah Peel founded Patient Privacy Rights (PPR), the world's leading consumer health privacy advocacy organization, in 2004. PPR has over 12,000 members in all 50 states. In 2007, she founded the bipartisan Coalition for Patient Privacy, representing 10.3 million US citizens who want to control the use of personal health data in electronic systems. In 2007-2008, she led the development of PPR’s Trust Framework, 75+ auditable criteria that measure how effectively technology systems protect data privacy. The Framework can be used for research about privacy and to certify HIT systems. In 2011, Dr. Peel created the International Summits on the Future of Health Privacy, co-hosted by Georgetown Law Center. The 2013 summit keynote speakers were Peter Hustinx, Todd Park, Leon Rodriguez, Mark Rotenberg, and Melvin Urofsky. In 2012, her chapter in Information Privacy in the Evolving Healthcare Environment laid out a 5-year plan to move the US health IT system from institutional to patient control over health data. Dr. Peel was voted one of the “100 Most Influential in Healthcare” in the US by Modern Healthcare magazine in 2007, 2008, 2009, and 2011—the first and only privacy expert ever listed. In 2013 she was named one of four “Healthcare IT Iconoclasts” by Modern Healthcare magazine and one of the “Top Ten Influencers in Health Information Security” by Healthcare Info Security.

Michelle de Mooy is Senior Associate for National Priorities with Consumer Action. Her work is focused primarily on enhancing consumer privacy online by advocating for pro-consumer policy and legislation and facilitating dialogue between industry and other stakeholders to build innovative solutions to privacy questions. Michelle currently sits on the Advisory Board of the Future of Privacy Forum, a privacy think tank located in Washington, D.C., and has been a panelist and featured speaker at many events related to digital privacy, including Federal Trade Commission workshops, the Internet Governance Forum, Health Privacy Summit, and State of the Mobile Net. Prior to Consumer Action, Michelle was a Senior Consultant for eCampaigns at M+R Strategic Services, where she managed online media strategy for the Campaign for Tobacco-Free Kids, The Wilderness Society, and labor rights group American Rights at Work. Before relocating to DC in 2005, Michelle provided strategic marketing, communications and technology consulting for non-profits and universities in the Philadelphia area, including the Women’s Law Project, Women’s Opportunities Resource Center, To Our Children’s Future With Health, the University of Pennsylvania and Villanova University.

In Philadelphia, Michelle was a senior marketing manager for Investor Broadcast Network, where she managed corporate communications, brand advertising and marketing for three web properties: radionwallstreet.com, hedgecall.com, and investorbroadcast.com. She was also involved in the early days of the first dotcom boom, developing software and website projects for startups in San Francisco, including Looksmart, Ltd.

Michelle graduated from Lehigh University in 1997 with a degree in Government.

Panel 2: Vendor/Business Associate Perspectives
Kurt Long, FairWarning
Eric Cooper, EPIC
Jeremy Delinsky, Athena Health
John Travis, Cerner
Lori Cross, Cerner

Kurt Long is the Founder and CEO of FairWarning, Inc., the inventor, patent holder and global leader in patient privacy monitoring for electronic health records. Mr. Long founded FairWarning® in 2005 and has led the company through significant customer and revenue growth. FairWarning’s leading healthcare provider customers now represent over 1,100 hospitals and 4,500 clinics in forty-seven (47) of the United States, Canada, the United Kingdom, and Europe. FairWarning® has been profitable every year beginning in 2008. Prior to FairWarning®, Mr. Long founded and served as CEO of OpenNetwork Technologies, a leader in web single sign-on and identity management software solutions. As CEO, Mr. Long led OpenNetwork to over 2,000% growth with customers across the United States, United Kingdom, Europe and Asia. In 2005, OpenNetwork was acquired by BMC Software. At the outset of his career, Mr. Long held positions of growing responsibility with Lockheed Space Operations Corporation at Kennedy Space Center, serving as Space Shuttle Databank Mission Manager on NASA’s Hubble Space Telescope, Galileo and Ulysses missions as well as additional Space Shuttle flights. Mr. Long received a Bachelor's degree in Business from the University of Florida, graduating with High Honors. Kurt also received a Master's degree in Mathematics, Theoretical Computer Science from the University of South Florida, graduating with Honors. Mr. Long is co-founder of Next Generation Entrepreneurs with the Pinellas Education Foundation and is the Judging Chairman.

Eric Cooper began his career at Epic in 2004 as a software developer focused on the Health Information Management team. He currently leads both the Identity and HIM products, which include features to manage patient disclosures and track access to patient records. Eric’s responsibilities include working closely with healthcare providers to understand the complex nature of patient privacy within the electronic medical record and designing solutions. Eric graduated with a Bachelor of Science in Engineering in Computer Engineering from the University of Michigan in Ann Arbor, MI. Epic makes software for mid-size and large medical groups, hospitals and integrated healthcare organizations – working with customers that include community hospitals, academic facilities, children's organizations, safety net providers and multi-hospital systems. Founded in 1979, Epic is private and employee-owned. We develop, install and support all our applications in-house.

Jeremy Delinsky joined Athena Health in 2004 and currently serves as its Chief Technology Officer. As CTO, Jeremy is responsible for Athena Health’s research & development, technology infrastructure, EDI, interoperability, and analytics organizations. Jeremy also serves as a member of the Health IT Standards Committee. Prior to his role as CTO, Mr. Delinsky served in a variety of leadership roles with Athena Health in Product Management, Product Development, and Operations. Jeremy worked for several years as a strategy and operations consultant to payer organizations and academic medical centers as part of the health care industry practice at Deloitte Consulting before joining Athena Health. Jeremy is a Phi Beta Kappa graduate of Wesleyan University and received his MBA from The Wharton School of the University of Pennsylvania, where he was awarded the Henry J. Kaiser Family Foundation prize for leadership potential in the health care field.

John Travis is Senior Director and Solution Strategist for Compliance for Cerner Corporation. John oversees solution management for responding to the regulatory requirements of Medicare payment rules, CMS quality measurement programs, HIPAA Security and Privacy, ARRA HITECH Meaningful Use incentive programs, Joint Commission accreditation, EHR certification requirements for federal health programs and other federal rule making. John provides analysis, consulting and knowledge transfer to Cerner associates and clients on federal laws, regulations and industry-wide accrediting requirements, and the role of software in enabling compliance by our clients. John is a member of the Implementation Workgroup of the HIT Standards Committee advising the Secretary of HHS on meaningful use standards and specifications, a member of the Data Segmentation Workgroup of the Standards and Interoperability Framework advising the Office of the National Coordinator (ONC), and participates in several workgroups of the HIMSS Electronic Health Records Association (EHRA) involved with HIT and meaningful use. John is a past member of the Security, Privacy and Infrastructure workgroup of the Health Information Technology Standards Panel (HITSP) and a past co-chair of the HL7 Medical Records/Information Management Technical Committee. John has provided testimony to NCVHS, the HIT Standards Committee, the National Institutes of Health and other regulatory bodies on HIT certification, HIPAA Security and Privacy and other compliance topics. John has written articles and developed presentations on HIPAA Security and Privacy, CMS regulations and other topics for professional journals of associations such as the American Health Lawyers Association, the Healthcare Financial Management Association (HFMA), the American Health Information Management Association (AHIMA), the Association of Health Internal Auditors (AHIA), the Missouri Hospital Association, the College of American Pathology (CAP) and other professional and trade journals. John has been with Cerner since 1986. John has a Bachelor’s degree in Business Administration from Kansas State University, and a Master’s Degree in Administration with a Health Services concentration from Central Michigan University. John is a licensed CPA in the State of Missouri, and he is a Fellow with HFMA, and Past President and current Board Member of the Heart of America Chapter of HFMA.

Panel 3: Provider Perspectives
Darren Lacey, Johns Hopkins University Health System
Lynne Thomas Gordon, American Health Information Management Association
Jutta Williams, Intermountain Healthcare
William S. Henderson, FACMPE, The Neurology Group, LLP
Kevin Nicholson, R.Ph., J.D., National Association of Chain Drug Stores

Darren Lacey has been serving as Chief Information Security Officer and Director of IT Compliance for Johns Hopkins University and Johns Hopkins Medicine for the past ten years. He has been working in the technology sector, as a developer, attorney, consultant and executive, for twenty years. He serves on several committees related to homeland security, privacy and cyber-security. He was the first Executive Director of the Johns Hopkins University Information Security Institute, a National Security Agency Center of Academic Excellence in Information Assurance.

Lynne Thomas Gordon, MBA, RHIA, CAE, FACHE, FAHIMA, joined AHIMA in October 2011 as the Chief Executive Officer. Previously she was Associate Vice President for Hospital Operations and Director of the Children’s Hospital at Rush University Medical Center in Chicago. Earlier Lynne served as the Administrator of Houston Medical Center in Georgia, and as COO of Children’s Hospital of Michigan and Shands AGH in Florida. She was a member of the Information Management Taskforce of the Joint Commission. She was a Governor on the ACHE Board and was awarded their Early Career Healthcare Executive and Regent’s Awards. At AHIMA she served on the AHIMA Nominating Committee and House of Delegates, and received both the Achievement Award and Education-Practitioner Award. She is a past president of the Georgia HIMA and received their Distinguished Member Award. In 2012 she earned the prestigious Certified Association Executive (CAE) designation, and her Fellowship status at AHIMA. Currently she also serves on the Board of Directors for Association Forum, and the WEDI Report Executive Steering Committee.

Jutta Williams is the Chief Privacy Officer for Intermountain Healthcare and is the Director for Intermountain Healthcare’s Corporate Compliance Privacy Office. The privacy office employs 8 full-time employees dedicated to serving patient privacy interests. As the Privacy Officer, Williams and her team interface with patients on a diverse set of privacy questions and concerns on a daily basis. Williams came to the healthcare industry after working for several years in Federal environments and as a privacy and security risk management consultant. She graduated with Highest Distinction from Carnegie Mellon University with a Masters in Information Security Policy and Management. She is a member of the HIMSS Privacy and Security Policy Task Force and supports HIMSS Policy activities by providing privacy and security expertise and input. She frequently presents on health IT privacy topics at national association conferences.

William S. Henderson, FACMPE, is the administrator of The Neurology Group, LLP in Albany, New York, and has worked in neurology practices for 18 years. The Neurology Group, which has eight neurologists and three non-physician providers, was created in 2011 by the merger of two independent neurology practices in the Capital Region. Bill is currently co-chair of the board of directors of the Medical Group Management Association (MGMA). He previously served as president of New York MGMA. Bill is also currently a member of the Medical Economics and Management Committee of the American Academy of Neurology. In that capacity he regularly speaks at conferences on health information technology and the use of electronic health records. Mr. Henderson holds two master's degrees and has done additional post-graduate study and teaching at the University of Pennsylvania.

Kevin Nicholson, R.Ph., J.D., is Vice President of Public Policy and Regulatory Affairs for NACDS. In this role, he is responsible for the strategic direction of the Association’s public policy and regulatory affairs activities. Nicholson oversees activities and staff in providing legislative and regulatory policy analysis in federal and state healthcare issues. He and his team provide expertise to lobbyists and other Association staff, as well as chain members. He has over twenty years’ experience in the pharmacy industry, including six years as a practicing community pharmacist.

Panel 4: Payer Perspectives
Scott Morgan, Kaiser Permanente
Jay Schwitzgebel, CISM, CISSP-ISSMP, Caresource

Scott Morgan serves as Executive Director and National Privacy and Security Compliance Officer at Kaiser Foundation Health Plan, Inc. within the Kaiser Permanente Medical Care Program, which provides comprehensive healthcare services to more than nine million members in nine states and the District of Columbia. He is responsible for the privacy and security program in the National Compliance, Ethics and Integrity Office and works with a network of privacy and security officers in Kaiser Permanente regions and national functions. Scott’s involvement in privacy and security extends back to 2000 as a director within the Kaiser HIPAA Program, and he has been in his current role since 2005. His other responsibilities include the Kaiser Permanente code of conduct, conflict of interest program, and national compliance policies. Prior to work on HIPAA, Scott held health administration, project management, and consultant roles at Kaiser Permanente beginning in 1990. He has a Master of Public Health degree from the University of California at Berkeley.

Jay Schwitzgebel, CISM, CISSP-ISSMP, is Director of Information Security and IT Compliance at CareSource. He received a B.S. in Electrical Engineering from Penn State University and an M.S. in Engineering Management from the University of Massachusetts at Amherst. He began his professional career as a U.S. Air Force officer, which led him into the Information Assurance field, where he led teams of security analysts monitoring the Air Force's worldwide computer networks. Since that time, he has accrued 16 years of experience in Information Security and Privacy leadership roles for military and commercial employers as a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). He has developed a particular depth of expertise building internal IT controls to protect sensitive data and demonstrate compliance with regulatory requirements in the healthcare industry.


Accounting for Disclosures Virtual Hearing
Questions for Panelists

Goal 1: Gain a greater understanding of what patients would like to know about uses, accesses, and disclosures of their electronic protected health information (PHI).

1. What are the reasons patients may want to learn who/what entities have used, accessed or received their PHI as a disclosure? What are the reasons they might want to know about internal uses or accesses?

2. What information would patients want to know about such use, access, or disclosure? For example, is it important to know the purpose of each, or the name or role of the individual involved?

3. What are acceptable options for making this information available to patients? (report, investigation, etc.)

4. If there are limitations to the information about uses, accesses or disclosures that can be automatically collected given today’s technologies, what are the top priorities for patients?

5. If patients have a concern about possible inappropriate access to or disclosure of their health information, what options currently are available to address this concern? What options should be developed for addressing or alleviating that concern?

Goal 2: Gain a greater understanding of the capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency re: use, access, or disclosure of PHI.

1. What capabilities are currently used to enable transparency regarding (or to track or monitor) each use, access, or disclosure of PHI? To whom (and for what purpose) is this information communicated?

2. If you currently do not track each user that accesses a record internally along with the purpose of that access, what would it take to add that capability from a technical, operational/workflow, and cost perspective? What would it take to add that capability for external disclosures?

3. Is there any “user role” or other vehicle that can be utilized to distinguish an access by an internal user from an external disclosure? Can it be determined, for example, that the user is a community physician who is not an employee of the healthcare organization (IDN or OHCA)? If not, what are the obstacles to adding this capability?

4. Does the technology have the capability to track access, use, or disclosure by vendor employees, like systems administrators (who may, for example, need to occasionally access data in native mode to perform maintenance functions)? Do you currently deploy this capability and if so, how?

5. Are there certain uses, accesses, or disclosures within a healthcare entity that do not raise privacy concerns with patients? What are these uses and disclosures? Can the technology distinguish between these and others that might require transparency to patients?

6. Do you have the capability to generate reports of access to, uses of, and disclosures from, a medical record?
   • How frequently are the reports generated, and what do they look like?
   • How granular are these reports? Are they detailed by aggregate data categories, individual type of data, or individual data element, or in some other way?
   • Can they be generated automatically, or do you use manual processes?
   • Do you integrate reports across multiple systems?
   • What is the look-back period?

Goal 3: Gain a greater understanding of how record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates (for example, HIEs).

1. How do you respond today to patients who have questions or concerns about record use/access/disclosure? What types of tools/processes would help you improve your ability to meet patient needs for transparency regarding record use/access/disclosure? Have you ever received a request from a patient (or subscriber) that requested a list of every employee who had access to PHI?

2. What types of record use/access/disclosure transparency or tracking technologies are you deploying now and how are you using them?

3. For transparency, what do you currently provide to patients regarding use/access and disclosure, and do you see any need to change your current approach?

4. Do you have any mechanisms by which patients can request limits on access? For example, if a patient had concerns about the possibility that a neighbor employed by the facility might access his/her record, is there a way for this to be flagged?

Goal 4: Gain a greater understanding of other issues raised as part of the initial proposed rule to implement HITECH changes.

1. Regarding access reports, what information do you collect besides the basic information collected in an audit log?

2. What would be involved in obtaining access information from business associates? Do current business associate agreements provide for timely reporting of accesses to you, or would these agreements need to be renegotiated?

3. What issues, if any, are raised by the NPRM requirement to disclose the names of individuals who have accessed/received copies of a patient’s PHI (either as part of a report of access/disclosures or in response to a question about whether a specific person has accessed)? What are the pros and cons of this approach?

4. How do you think current mechanisms to allow patients to file a complaint and request an investigation regarding possible inappropriate uses or disclosures are working? Could they be enhanced and be used in lieu of, or in addition to, receiving a report?
   • Should entities be required to do such an investigation – if so, what should be the scope?
   • Should entities still be required to produce a report if the patient wants one?
   • What recourse does the patient have if he/she is not satisfied with the response?
   • What options do entities have if patients’ transparency requests cannot be honored?

Sept 30, 2013

Deven McGraw, Chair
Paul Egerman, Co-Chair
HIT Policy Committee's Privacy and Security Tiger Team
Office of the National Coordinator for Health IT

Re: Virtual Hearing on Accounting for Disclosures

Dear Deven and Paul:

Patient Privacy Rights (PPR) is the leading national consumer voice for building ethical, trustworthy HIT systems. We have 12,000 members in all 50 states and also represent 10.3 million Americans through our leadership of the bipartisan Coalition for Patient Privacy (see: http://patientprivacyrights.org/coalition-patient-privacy/). The Coalition:

– Seeks to restore the right of consent and the right to health information privacy in electronic health systems and data exchanges. Consent and control are imperative for patients to be willing to participate in and trust in electronic health systems and data exchanges.

– Expanded FIPPs for healthcare and developed the PPR Trust Framework (http://patientprivacyrights.org/trust-framework/), 75+ auditable criteria that enable the public to easily see which companies, websites, platforms, and applications meet their expectations for privacy in electronic systems.

The Accounting for Disclosures (AODs) provision was one of 6 new consumer protections we sought to include in HITECH. The bipartisan Coalition for Patient Privacy urged Congress to include historic new privacy and security rights in the Health Information Technology for Economic and Clinical Health (HITECH) Act.¹

The other 5 key protections are: a ban on sales of protected health information (PHI) without consent, the ability to segment sensitive PHI, meaningful breach notice, the right to block disclosure of protected health information (PHI) for healthcare operations (HCO) if treatment is paid for out-of-pocket, and encryption.

PPR was very involved in the regulatory process for AODs following HITECH. We submitted detailed letters about the NPRM and requirements for AODs in 2010 and 2011.² The 2011 letter has a section on the history of the AOD requirement.

¹ See the Coalition’s letter to Congress on HITECH at: http://patientprivacyrights.org/wpcontent/uploads/2013/08/CoalitionPatPriv_Final01.14.091.pdf
² See Appendix for PPR’s 2010 and 2011 letters to the Office of Civil Rights about the Accounting for Disclosures provisions in HITECH.


Current health IT systems: hidden data flows³ and data analytics⁴

Patients can’t get electronic copies of their health information, but a broad array of hidden users can, see thedatamap.org above. Few have direct relationships with patients.

“Today the healthcare analytics market has exploded.”⁵ Aetna/ActiveHealth Management, The Advisory Board Company, athenahealth, Caradigm, CareEvolution, Cerner, Explorys, Health Catalyst, Humedica/Optum, IBM, InterSystems, McKesson/MedVentive, Truven Health Analytics, and Wellcentive are all major players in this giant new market. All of them seek to acquire and use more and more patients’ PHI. Two examples:

    “Optum and its founding partner, Mayo Clinic are making their information assets (109M lives of claims data, 35M lives of EHR data).”⁶

    Explorys’ “customers span 14 major integrated healthcare systems with over 100 billion data elements, 40 million cared for lives, 200 hospitals, and over 100,000 providers.”⁷

³ thedatamap.org
⁴ http://www.chilmarkresearch.com/chilmark_report/2013-clinical-anaytics-for-pop-health-market-trends-report/
⁵ Ibid.
⁶ http://strataconf.com/rx2013/public/schedule/detail/29813


    Massive information asymmetry is a key reason that the billions spent on health IT failed to

    achieve the Triple Aim: lowering costs, improving health, and improving care. Health data is

    controlled by data holders that don’t want to be transparent or accountable.

HIPAA states patients should have been able to automatically receive copies of PHI since 2001, and HITECH states patients should have been able to receive AODs since 2009. Surely it’s time to ensure patients’ federal rights to access PHI and AODs are finally honored.

Implementing robust AODs using Blue Button Plus and Direct will spur innovation, lower costs, improve health, and improve care

Most of the billions spent on health IT was wasted supporting the high-cost status quo. The systems and technologies implemented so far:

• Lock patients out of access to their own data.
• Violate patients’ rights to privacy and control over PHI.
• Prevent transparency and accountability.
• Destroy the patient-physician relationship. Physicians can’t act as patients’ stewards to protect PHI from hidden use, disclosure, and sale.
• Support institutional control over PHI.
• Fail to lower costs, improve quality or improve care.

When patients can get their own data, innovators will finally build technology to serve them instead of large enterprises. Patients will be able to share PHI and use applications to:

• Independently audit their records for errors and breaches
• Receive independent decision support and advice
• Compare cost and quality of care
• Donate data for research they support

According to Harvard Prof. Clay Christensen, “Companies fail by listening to their customers, constantly improving products and services, and maximizing profits…They fail to do something counterintuitive: pursue new opportunities at the low end of their markets.”8 The customers of HITECH Certified EHR Technology are not the patient and her physician, who have become simply subjects of an increasingly hidden health-industrial complex.

Patients and patient advocates are the new opportunity at the low end of the healthcare market. Eager to use PHI, they are very motivated to seek high quality treatment and the best physicians, understand risks, support breakthrough research, lower treatment costs, prevent errors, and identify data breaches. The Tiger Team should empower patients and create new markets to serve them by giving them their damn data.9

    7 https://www.explorys.com/about-us

    8 http://www.businessweek.com/articles/2012-05-03/clay-christensens-life-lessons

    9 http://www.youtube.com/watch?v=0gpk-fbfg4Y



    Recommendations to quickly implement AODs using existing HIT and MU

    The Tiger Team should:

• Acknowledge that AODs implicitly require that patients can see which data are used or disclosed, along with information from access logs that contain dates, times, names of those who used/disclosed the patient’s data, the purpose of the use/disclosure, and who received it. AODs would obviously be meaningless if patients can’t know what information was used or disclosed.

• Automate the process of creating and transmitting AODs & PHI in the following ways:
  – Data holders should create patient and physician portals
  – Patient voluntary email address(es) should be used for data exchange and RLS directories to enable segmentation
  – Patients and physicians should be able to use the Direct Project to securely exchange data
  – Automate BB/Blue Button Plus so patients can view, download, and transmit PHI and AODs
  – Enable patients to get PHI in ‘real time’. HIPAA allows for delays, but all AODs should be designed for automatic transmission in ‘real time’. A physician should be able to override institutional policies that delay transmission of AODs or PHI.

• Automate AOD log entries to include:
  – a copy of the data used or disclosed (or a link to the data)
  – the AOD log information: who used or sent the data and who received it
  – the purpose of the use or disclosure

• Automate patients’ ability to ‘pull’ AODs, or to automatically ‘push’ AODs each time there is an AOD entry (or periodically), to:
  – a data base (such as a health data bank account)
  – an auditor or a designated agent

Summary: Instead of setting up new separate processes or acquiring new technologies to build, manage, and transmit AOD information and logs, the Tiger Team should recommend implementing AODs by ‘piggybacking’ on top of other key HIT initiatives already underway:

• CEs should use the Direct Project to securely transmit AODs and PHI to patients
• Automate Blue Button / Blue Button Plus
• Use existing data security technologies for authentication and auditing employees’ access, use, and disclosure of PHI

Automating AODs and obtaining copies of PHI is the cheapest, fastest, and simplest way to enable innovation and achieve the Triple Aim.
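The AOD log entries and the push/pull delivery recommended above, as an added illustration that is not part of Dr. Peel’s testimony and not any vendor’s product: a small Python model of an accounting-of-disclosures log. It records the elements the recommendations ask for (date and time, the authenticated user and their role, the recipient, a specific purpose, a description of the data and a link to it), refuses entries whose purpose is only “health care operations”, distinguishes a HIPAA “use” from a “disclosure” by whether the recipient belongs to the covered entity, pushes each new entry to any subscribed patient agent or auditor, and produces the patient’s pull view over a three-year window (the HITECH period cited later in this document). The entity names, user identifiers, links and sample entries are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AodEntry:
    """One AOD log entry; fields follow the elements listed in the recommendations."""
    timestamp: datetime     # date and time of the use or disclosure
    patient_id: str         # whose PHI was used or disclosed
    user_id: str            # authenticated person who used or sent the data
    user_role: str          # role assigned when the user was provisioned (e.g. "physician")
    recipient: str          # who received the data
    recipient_entity: str   # organisation the recipient belongs to
    purpose: str            # specific purpose, not merely "health care operations"
    description: str        # which data were used or disclosed
    data_link: str          # link to (or a copy of) the data


# Purposes too vague for a patient to understand; bare HCO is the testimony's example.
VAGUE_PURPOSES = {"", "hco", "health care operations", "operations"}

# Constructed "as of" date for the demo (the hearing date); not real data.
AS_OF = datetime(2013, 9, 30, 12, 0)


class AodLog:
    """AOD log for one covered entity. Entity names are constructed examples."""

    def __init__(self, covered_entity: str, retention_years: int = 3) -> None:
        self.covered_entity = covered_entity
        self.retention = timedelta(days=365 * retention_years)  # HITECH: three years
        self._entries: List[AodEntry] = []
        self._subscribers: List[Callable[[AodEntry], None]] = []

    def subscribe(self, push: Callable[[AodEntry], None]) -> None:
        """Register a 'push' target: patient app, health data bank, or designated auditor."""
        self._subscribers.append(push)

    def classify(self, entry: AodEntry) -> str:
        """A HIPAA 'use' stays inside the covered entity; anything else is a 'disclosure'."""
        return "use" if entry.recipient_entity == self.covered_entity else "disclosure"

    def record(self, entry: AodEntry) -> str:
        """Append an entry, refusing vague purposes, and push it to every subscriber."""
        if entry.purpose.strip().lower() in VAGUE_PURPOSES:
            raise ValueError("purpose must name the specific use or disclosure")
        self._entries.append(entry)
        for push in self._subscribers:
            push(entry)
        return self.classify(entry)

    def accounting(self, patient_id: str, as_of: datetime,
                   include_uses: bool = True) -> List[Dict[str, str]]:
        """'Pull' view: every entry for this patient inside the retention window, oldest first."""
        start = as_of - self.retention
        rows: List[Dict[str, str]] = []
        for e in sorted(self._entries, key=lambda x: x.timestamp):
            if e.patient_id != patient_id or not (start <= e.timestamp <= as_of):
                continue
            kind = self.classify(e)
            if kind == "use" and not include_uses:
                continue
            rows.append({
                "when": e.timestamp.isoformat(),
                "kind": kind,
                "who": f"{e.user_id} ({e.user_role})",
                "to": f"{e.recipient} @ {e.recipient_entity}",
                "why": e.purpose,
                "what": e.description,
                "data": e.data_link,
            })
        return rows


def demo() -> Tuple[AodLog, List[AodEntry]]:
    """Build a log with constructed sample entries and a push target that collects them."""
    log = AodLog("Example Hospital")
    pushed: List[AodEntry] = []
    log.subscribe(pushed.append)  # stands in for a Direct message to the patient's agent
    log.record(AodEntry(AS_OF - timedelta(days=4 * 365), "pt-001", "dr.smith", "physician",
                        "dr.smith", "Example Hospital", "treatment: chart review",
                        "problem list", "ehr://pt-001/problems"))   # older than the window
    log.record(AodEntry(AS_OF - timedelta(days=30), "pt-001", "nurse.lee", "nurse",
                        "nurse.lee", "Example Hospital", "treatment: medication reconciliation",
                        "medication list", "ehr://pt-001/meds"))
    log.record(AodEntry(AS_OF - timedelta(days=2), "pt-001", "billing.ops", "billing clerk",
                        "claims intake", "Example Insurer", "payment: claim 4711",
                        "encounter summary", "ehr://pt-001/enc/4711"))
    return log, pushed


def rejects_vague_purpose(log: AodLog) -> bool:
    """True if the log refuses an entry whose purpose is just 'health care operations'."""
    try:
        log.record(AodEntry(AS_OF, "pt-001", "analyst", "analyst", "analyst",
                            "Example Hospital", "health care operations",
                            "full chart", "ehr://pt-001"))
    except ValueError:
        return True
    return False
```

Running `demo()` and then `log.accounting("pt-001", AS_OF)` returns the two entries inside the window (one use, one disclosure to the insurer) and leaves out the four-year-old chart review; the same call with `include_uses=False` yields only the disclosure, which is what the pre-HITECH non-TPO accounting looked like. Every recorded entry was also pushed to the subscriber at write time, so a designated agent receives the AOD without a separate request.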

    Conclusion

Congress very deliberately required AODs for TPO uses and disclosures of PHI in HITECH because most uses and disclosures of health data occur for ‘routine’ purposes; exceptions are very rare. Congress wanted individuals to be able to understand at least what, why, and to whom their health data is disclosed from electronic health records systems for the past three years.

Unless AODs are automated and include all the detailed information about all TPO uses and disclosures, individuals literally have no way to know to whom their PHI goes, or what was disclosed or used. We can’t check our own PHI or get independent agents or decision support unless we can obtain robust AODs (including the copies of the PHI used or disclosed).

A market-based transition to the Triple Aim requires informed patients and competition for new patient-facing services. The essential first step for informing patients is AOD. It must be done in a way that actually engages patients through independent decision support, independent risk assessment and independent audit of all personal data uses.

    Sincerely,

    Deborah C. Peel, MD

    Founder and Chair, Patient Privacy Rights

    O: (512) 732-0033

    www.patientprivacyrights.org


Appendix 1

May 18, 2010
Office of Civil Rights
Department of Health & Human Services

Re: HIPAA Privacy Rule Accounting of Disclosures Under the HITECH ACT: Request for Information (Doc ID HHS-OCR-2010-0009-0001)

II. Questions

1. What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes?

An accounting of disclosures of protected health information (PHI) is critical to building patient trust in electronic healthcare systems. Patients cannot presently control the use of PHI in electronic health systems since no consent is required for uses of PHI for treatment, payment and health care operations. As such, an accounting of all disclosures would enable greater transparency and accountability for the use of PHI. Individuals would prefer to “own” and control their PHI in electronic systems, according to the AHRQ:

• A majority want to “own” their health data, and to decide what goes into and who has access to their medical records (AHRQ p. 6).
• A majority believes their medical data is “no one else’s business” and should not be shared without their permission. This belief was expressed not necessarily because they want to prevent some specific use of data but “as a matter of principle”. (AHRQ p. 18)1

Currently, there is no accountability and transparency in HIT systems and far beyond healthcare as PHI flows unbounded to secondary and tertiary entities. Informed consent is not required for each new use of data. According to Latanya Sweeney, in her testimony at a recent congressional briefing2:

1 AHRQ Publication No. 09-0081-EF “Final Report: Consumer Engagement in Developing Electronic Health Information Systems” Prepared by: Westat, (July 2009) See: http://healthit.ahrq.gov/portal/server.pt/gateway/PTARGS_0_1248_888520_0_0_18/09-0081-EF.pdf

“Since the passage of HIPAA, there has been an explosion in the collection and sharing of patient information. While HIPAA explicitly identifies covered entities that handle patient information, there is no identification of the vast number of business associates who receive patient information from covered entities, or of the business associates of those business associates, and so on, as secondary sharing is unbounded. Data sharing through business associate arrangements is widespread yet hidden from patients, making harms difficult to trace.”

“Having meaningful users of EMRs (electronic medical record systems) as encouraged by ARRA [6] will further increase data sharing, but the most dramatic increase will be a consequence of benefits made possible by nationally sharing patient information over the NHIN.”

Congress’ intent to require an accounting of disclosures was to provide individuals with accountability and transparency of the use of their sensitive health information so they could know who accessed, used, or disclosed their PHI. The expansion in data sharing when certified EHRs are in widespread use and the proposed NHIN models are working, will vastly expand data sharing as Dr. Sweeney pointed out. Without meaningful audit trails, all of those uses and disclosures would remain hidden from patients, making the HIT system neither accountable nor transparent. Patients expect to know how their PHI is used and for what purposes. If they cannot find out how their information was shared, with whom, and for what purposes, one in eight will either refuse treatment or refuse to fully communicate with providers3, which will undermine electronic health information exchange generally resulting in erroneous and incomplete data. There is no way to trust HIT systems if you have no control over where your PHI flows and no accounting of disclosures.

2. Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment?

2 The Congressional briefing on April 22nd was a roundtable discussion on the “Implementation of Health Information Technologies in a Healthcare Environment”. The briefing was hosted by Representatives Patrick Kennedy and Tim Murphy and sponsored by the Capitol Hill “Steering Committee on Tele-health and Healthcare Informatics” and the Institute for e-Health Policy. See: http://patientprivacyrights.org/wpcontent/uploads/2010/04/Sweeney-CongressTestimony-4-22-10.pdf
3 See National Consumer Health Privacy Survey 2005, Conducted for the California HealthCare Foundation by Forrester Research, Inc. November 9, 2005



Generally speaking, individuals are not aware of their right to an accounting of disclosures. We have contact with many individual consumers through our website along with technology experts and have not come across anyone aware of their current right to receive an accounting of all non-TPO disclosures. The non-TPO disclosures are rare since by far most uses and disclosures of PHI are for TPO. The current right to an accounting of non-TPO disclosures appears not to be explained to patients. If patients were more aware of how often their information is being inappropriately shared with people who have no direct relationship with them, they would likely want to have more information about their rights to an accounting of disclosures, so they could exercise it.

3. If you are a covered entity, how do you make clear to individuals their right to receive an accounting of disclosures? How many requests for an accounting have you received from individuals?

We are not a covered entity, but the leader of the bipartisan Coalition for Patient Privacy representing over 10 million Americans. The individuals we represent have long advocated for a full accounting of all uses and disclosures of PHI for TPO. This right needs to be communicated to patients in clear, user-friendly ways. Best practices would indicate both oral and written notification.

4. For individuals that have received an accounting of disclosures, did the accounting provide the individual with the information he or she was seeking? Are you aware of how individuals use this information once obtained?

Patient Privacy Rights has not been contacted by any consumers who have received an accounting of non-TPO disclosures. Again, since the vast majority of disclosures fall under TPO, we would be surprised if the previous non-TPO only accounting right would reveal anything meaningful to the individual.

5. With respect to treatment, payment, and health care operations disclosures, 45 CFR 170.210(e) currently provides the standard that an electronic health record system record the date, time, patient identification, user identification, and a description of the disclosure. In response to its interim final rule, the Office of the National Coordinator for Health Information Technology received comments on this standard and the corresponding certification criterion suggesting that the standard also include to whom a disclosure was made (i.e., recipient) and the reason or purpose for the disclosure. Should an accounting for treatment, payment, and health care operations disclosures include these or other elements and, if so, why? How important is it to individuals to know the specific purpose of a disclosure, i.e., would it be sufficient to describe the purpose generally (e.g., “for treatment,” “for payment,” or “for health care operations purposes”), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the different activities that may constitute “health care operations?” On what do you base this assessment?


The bipartisan Coalition for Patient Privacy’s member organizations believe that an accounting of disclosures should include all the specific elements listed above, otherwise individuals have no meaningful information about who has seen or used their PHI, or why. The right to an accounting of disclosures has to include critical details such as ‘who’, i.e., which actual person(s) actually receive, use, or disclose PHI, and the specific purpose or reason for each use or disclosure. “Treatment” and “payment” are specific reasons or purposes, but “health care operations” is far too broad a category of use to be transparent or comprehensible to individuals. Every specific type of health care operations use should be spelled out specifically, such as “use and/or disclosure of data for quality improvement about the use of an antibiotic(s) taken by the individual”, or “use and disclosure of data to evaluate the comparative effectiveness of treatments for diabetes (or depression, etc)”, or the “use and/or disclosure of data for population-based studies on obesity”, or the “use and/or disclosure of data for research by Pfizer on side-effects of an antidepressant you were taking”, or the “use and/or disclosure of data for sale to a specific research corporation studying x, y, or z”. HCO is such a broad category, and exposes patient data to such great risks, that it requires very comprehensive specification of purpose and data users (i.e., specific named persons employed by each provider or covered entity or business associate should be provided). We find frequently that experts in technology and healthcare are not familiar with the many possible uses of PHI covered under “health care operations”, and the general public is even less aware of what HCO means. The uses and disclosures of PHI for TPO will require meaningful public education.

6. For existing electronic health record systems:
(a) Is the system able to distinguish between “uses” and “disclosures” as those terms are defined under the HIPAA Privacy Rule? Note that the term “disclosure” includes the sharing of information between a hospital and physicians who are on the hospital’s medical staff but who are not members of its workforce.
(b) If the system is limited to only recording access to information without regard to whether it is a use or disclosure, such as certain audit logs, what information is recorded? How long is such information retained? What would be the burden to retain the information for three years?
(c) If the system is able to distinguish between uses and disclosures of information, what data elements are automatically collected by the system for disclosures (i.e., collected without requiring any additional manual input by the person making the disclosure)? What information, if any, is manually entered by the person making the disclosure?
(d) If the system is able to distinguish between uses and disclosures of information, does it record a description of disclosures in a standardized manner (for example, does the system offer or require a user to select from a limited list of types of disclosures)? If yes, is such a feature being utilized and what are its benefits and drawbacks?
(e) Is there a single, centralized electronic health record system? Or is it a decentralized system (e.g., different departments maintain different electronic health record systems and an accounting of disclosures for treatment, payment, and health care operations would need to be tracked for each system)?
(f) Does the system automatically generate an accounting for disclosures under the current HIPAA Privacy Rule (i.e., does the system account for disclosures other than to carry out treatment, payment, and health care operations)?
i. If yes, what would be the additional burden to also account for disclosures to carry out treatment, payment, and health care operations? Would there be additional hardware requirements (e.g., to store such accounting information)? Would such an accounting feature impact system performance?
ii. If not, is there a different automated system for accounting for disclosures, and does it interface with the electronic health record system?

We strongly urge OCR to keep protecting individuals’ rights front and center throughout this process. It would be a mistake to implement this key privacy protection by accommodating the HIT vendor industry, which has been fighting every new consumer protection in HITECH. The accounting of disclosures is one of the KEY, CRITICAL new consumer privacy protections in the HITECH. We hope that OCR will avoid a path that helps industry justify their opposition to new consumer protections and rights. Individual Americans need the OCR to make sure industry complies with the new consumer protections. The limitations in current HIT systems that prevent full and detailed compliance with the requirements in HITECH are minor. Authentication of all users of EHRs and HIT systems is required, so every employee access to every record or piece of PHI is already logged. The login process could be updated to require specific purpose or use, whether it was a “use” or “disclosure”, and each user is already known to hospital HIT systems as a physician or employee. Part of the process of initially authenticating a user requires categorizing who has which “role” in the hospital, so generating those details automatically would not be a complex or expensive update.

With regard to the burden of data retention, that burden is minimal. The cost of data storage is so cheap now, it should not be accepted as a “burden”; in fact hospitals and providers should view retaining accounting of disclosure data as a way to assure patients their systems are transparent and accountable. Providing the most robust consumer protections could be a positive way for hospitals and covered entities to demonstrate to the public that they want to be trusted and protect consumers’ interests. Here, it seems that OCR is asking the wrong questions. Rather than asking about “what would be the additional burden to also account for disclosures to carry out treatment, payment, and health care operations?”, OCR should be asking instead exactly how quickly existing EHR/HIT systems can comply with the new consumer protections and specifically justify the time and costs to upgrade the system(s). Obviously HIT upgrades take time and there is always some cost associated with upgrades, but these costs for accounting of disclosures should be minimal. In fact, many proprietary HIT companies have already sold and implemented new products that offer detailed accounting of disclosures. There is no reason NOT to require robust accounting of disclosures right away, because the information from the process of authentication and user access to EHR systems has most of the needed data already. It would not be hard to tweak the authentication process to add a few more data fields for users to fill in detailed purpose for use/disclosure, etc. One example of a robust accounting of disclosures is offered by Imprivata (there are many other authentication technology firms that have similar products):

Imprivata’s PrivacyAlert™ Detects Snooping and Identity Theft:
• detects snooping, identity theft and inappropriate access
• automated and scalable privacy monitoring
• investigate and report data breaches
• investigate employees, patients or both
• out-of-the-box supports all leading healthcare applications: Eclipsys, GE Centricity Enterprise, MEDITECH Magic, Siemens Invision, etc.
See: http://www.marketwire.com/press-release/Imprivatas-New-Product-Helps-Hospitals-Proactively-Investigate-Audit-Access-Patient-1123908.htm

7. The HITECH Act provides that a covered entity that has acquired an electronic health record after January 1, 2009 must comply with the new accounting requirement beginning January 1, 2011 (or anytime after that date when it acquires an electronic health record), unless we extend this compliance deadline to no later than 2013. Will covered entities be able to begin accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations by January 1, 2011? If not, how much time would it take vendors of electronic health record systems to design and implement such a feature? Once such a feature is available, how much time would it take for a covered entity to install an updated electronic health record system with this feature?

See answers to #6. The authentication technology providers have already re-purposed the data they collect to turn it into audit trails for the accounting of all disclosures. Since all HIT systems and EHRs require robust authentication, there is no reason to delay this requirement beyond 2011. Again, the features are available and being used in the marketplace right now.

8. What is the feasibility of an electronic health record module that is exclusively dedicated to accounting for disclosures (both disclosures that must be tracked for the purpose of accounting under the current HIPAA Privacy Rule and disclosures to carry out treatment, payment, and health care operations)? Would such a module work with covered entities that maintain decentralized electronic health record systems?

There is no need for a module dedicated exclusively to accounting for disclosures. See Answers to #6 and #7. Whether systems are centralized or decentralized, every user of every system has to be authenticated, so this is an odd question. Perhaps OCR is concerned about how users of HIEs or HIOs will be authenticated. Every system requires the authentication of individuals; large entities like hospitals must be authenticated too (like your check shows both your individual account number and the branch bank’s routing number). In RHIOs, HIEs, HIOs, and NHINs, there must be an accounting of disclosures that shows both the name of the entity and the name of the employee(s) or user(s).

9. Is there any other information that would be helpful to the Department regarding accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations?

OCR should make a sustained effort to meet as often with legitimate consumer, patient, and privacy advocates (i.e., especially those with actual members, as opposed to ‘think tanks’ with no members) as it does with industry.

Sincerely,
Deborah C. Peel, MD
Founder & Chair
[email protected]
(512) 732-0033



APPENDIX 2

August 1, 2011

Georgina Verdugo
Director, Office of Civil Rights
United States Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F, HHS Bldg.
Washington, D.C. 20201

Re: RIN: 0991-AB62

Dear Director Verdugo:

Patient Privacy Rights (PPR) is the leading national consumer voice for building ethical, trustworthy HIT systems. We have 12,000 members in all 50 states and also represent 10.3 million Americans through our leadership of the bipartisan Coalition for Patient Privacy (see: http://patientprivacyrights.org/coalition-for-patient-privacy/ ). We seek to restore the right of consent and the right to health information privacy in electronic health systems and data exchanges. Consent and control are imperative for patients to be willing to participate in electronic health systems and data exchanges.

We promote privacy-enhancing technologies (privacy-by-design) to ensure patients can move the right personal information to the right person at the right time, while preventing unwanted sale and misuse of protected health information (PHI) by strangers we have no relationship with.

As a voice for patients, PPR has no conflict of interest, financial or otherwise. We are deeply invested in this long term process and are eager to help HHS ensure both progress and privacy.

The Coalition urged Congress to include historic new privacy and security rights in the Health Information Technology for Economic and Clinical Health (HITECH) Act.4 These core protections are essential building blocks for privacy and HIT and must be fully implemented and enforced.

    4 See our letter to Congress at: http://patientprivacyrights.org/media/CoalitionPatPriv_Final01.14.09.pdf



It is important to start with the fact that health information privacy is very important to a significant minority of the public. At the recent first-ever Summit on the Future of Health Privacy5 in Washington, DC, legal scholar and privacy expert Alan Westin gave a keynote presentation titled, “What Two Decades of Surveys Tell Us About Privacy and HIT Today”6. The surveys affirm that 35-40% of the public is “Health Privacy Intense”. The “Health Privacy Intense” are:

• “Distrustful about many government and business data practices, especially if through technology systems”
• “Worried about secondary uses of their personally-identified health data, by insurers, employers, government programs”
• “Also concerned about researchers getting access to their personal health data without notice and direct consent”
• “Strongest concern: discrimination against persons with potentially stigmatizing conditions”
• “Not impressed by voluntary practices -- want legal controls and strong regulatory enforcement”
• “While the Privacy Intense in general consumer privacy areas are about 25%, health privacy raises this to 35-40%”

The expectations and rights of this very significant minority of the public are not addressed by the NPRM, which violates key privacy protections in HITECH. Congress intended patients to have robust, detailed Accounting of Disclosures of PHI (AODs) by all Covered Entities (CEs) and all Business Associates (BAs) and did not restrict the AODs to information only from certified EHRs, narrow the reporting of disclosures, or exclude any CEs or BAs from providing AODs for breaches, required public health disclosures, or any other disclosures exempted in this NPRM.

The point is that Congress intended patients to know where their PHI went. Congress wanted patients to have AODs that cover all PHI in HIT systems and data exchanges, not some PHI in some places. It is also critically important that patients be able to receive AODs from health information exchanges (HIEs), health information organizations (HIOs) and all other types of data exchanges.

This NPRM is the third time that HHS has proposed regulations that violate the federal statute HHS was supposed to implement. The first instance occurred when HHS eliminated the right of consent in the Amended Privacy Rule in 2002; the second was the introduction of a “harm” standard for breach reporting, which Congress specifically rejected during its own deliberations.7 This is the third time HHS has violated statutory protections by weakening the strong requirements for AODs Congress intended to provide via regulations.

5 See www.healthprivaysummit.org
6 See slides from Westin’s presentation at the summit at: http://patientprivacyrights.org/wpcontent/uploads/2011/06/AFW-SUMMIT-6-13-11.pdf.

    The history of the AOD requirement in HITECH is important

If HHS does not require robust and complete accounting of all disclosures of PHI, as Congress intended, patients in the US will not know where their data flows, who sees it, or how it is used (purpose). The healthcare system will have no accountability or transparency, and at least 35-40% of the public already do not trust electronic systems. Knowing about all uses, disclosures, and access to our PHI is particularly critical in today’s systems because HHS eliminated Americans’ longstanding legal and ethical rights to decide who can see and use our PHI in 2002.

HHS amendments to HIPAA violated Congress’ intent to provide a federal right to privacy and consent:

“The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, healthcare operations.”8

The resulting lack of health privacy causes many millions of people in the US to avoid treatment for cancer, mental illnesses, addiction, and sexually transmitted diseases every year (see HHS’ figures on page 7 in “The Case for Informed Consent” by Deborah C. Peel, MD and Ashley Katz, August 31, 2010).9

Patients refuse treatment and omit sensitive data when they know treatment records are not private. These are very significant unintended consequences that worsen the quality and effectiveness of healthcare. It is a very significant fact that millions of patients actually put their lives and health at risk because they know their health data will be exposed and disclosed without their consent.

    Further, today there is no accountability and transparency in HIT systems or far beyond healthcare where PHI flows unbounded to secondary and tertiary entities. Informed consent is not required for each new use of data, so Robust AODs are essential. According to Latanya Sweeny, in her testimony at a congressional briefing last year10:

    7 In the October 1, 2009 letter to HHS Secretary Sebelius, the Chairmen of the House Energy & Commerce

    and House Ways & Means Committees confirmed that the harm standard contradicted Congressional

    intent. Committee members “specifically considered and rejected such a standard due to concerns over

    the breadth of discretion that would be given to breaching entities, particularly with regard to determining

    something as subjective as harm from the release of sensitive and personal health information.” 8 67 Fed. Reg. 53,183

    9 http://patientprivacyrights.org/2010/08/the-case-for-informed-consent/

    10 The Congressional briefing on April 22nd was a roundtable discussion on the “Implementation of Health

    Information Technologies in a Healthcare Environment”. The briefing was hosted by Representatives

    Patrick Kennedy and Tim Murphy and sponsored by the Capitol Hill “Steering Committee on Tele-health

    http://patientprivacyrights.org/2010/08/the-case-for-informed-consent/

  • 11

    “Since the passage of HIPAA, there has been an explosion in the collection and sharing

    of patient information. While HIPAA explicitly identifies covered entities that handle

    patient information, there is no identification of the vast number of business

    associates who receive patient information from covered entities, or of the business

    associates of those business associates, and so on, as secondary sharing is

    unbounded. Data sharing through business associate arrangements is widespread yet

    hidden from patients, making harms difficult to trace.”

    “Having meaningful users of EMRs (electronic medical record systems) as encouraged

    by ARRA [6] will further increase data sharing, but the most dramatic increase will be

    a consequence of benefits made possible by nationally sharing patient information

    over the NHIN.”

    Congress’ intent to require an accounting of disclosures was to provide individuals with

    accountability and transparency about the use of their sensitive health information; they could

    know who accessed, used, or disclosed their PHI. When certified EHRs are in widespread use

    and the proposed NHIN models are working data sharing will vastly expand, as Dr. Sweeny

    pointed out. Without meaningful AODs, all of those uses and disclosures would remain hidden

    from patients, making the HIT system neither accountable nor transparent. Requiring business

    associates (BAs) to produce AODs and include them in the AODs provided by covered entities

    (CEs) is a significant improvement that will add more transparency and accountability to

    healthcare.

    Patients expect to know how their PHI is used and for what purposes. If they cannot find out

    how their information was shared, with whom, and for what purposes, more than one in eight

    will either refuse treatment or refuse to fully communicate with providers11, undermining

    electronic health information exchange and resulting in erroneous and incomplete data.

    “Treatment” and “payment” are specific reasons or purposes for disclosing PHI, but “health care

    operations” is far too broad a category of use to be transparent or comprehensible to

    individuals. Purposes must be specific. Many more patients won’t trust HIT systems if the

    accounting of disclosures is narrowed, and if the purpose is not required.

    Congress intended for patients to have a full, detailed accounting of the uses and disclosures of

    all PHI because the Amended HIPAA Privacy Rule eliminated patients’ consent and control over

    the use and disclosure of PHI for routine purposes. Therefore, Congress wrote very strong, clear

    language in HITECH requiring robust, detailed AODs to enable transparency and accountability

    instead of narrowing the definition of Healthcare Operations (HCO). The bipartisan Coalition for

    and Healthcare Informatics” and the Institute for e-Health Policy. See:

    http://patientprivacyrights.org/wpcontent/uploads/2010/04/Sweeney-CongressTestimony-4-22-10.pdf

    11 See National Consumer Health Privacy Survey 2005, Conducted for the California HealthCare

    Foundation by Forrester Research, Inc. November 9, 2005

    http://patientprivacyrights.org/wpcontent/uploads/2010/04/Sweeney-CongressTestimony-4-22-10.pdf

  • 12

    Patient Privacy was the key consumer coalition pressing for robust accounting of disclosures in

    HITECH (see our letter to Congress about HITECH12).

    Another problem posed by not requiring the purpose for disclosures or access is that Congress intended that consumers who pay for treatment out-of-pocket can restrict the use and disclosure of PHI to health plans and insurers. If AODs do not include the purpose of the use or disclosure, then when CMS audits CEs and BAs, or when patients receive AODs, neither will be able to tell if patients’ rights to restrict the flow of data were honored or violated by a CE or BA.

    The failure to record the purpose of a disclosure will also impede the ability of the Office of Civil Rights and law enforcement to determine whether a violation of the HIPAA and HITECH laws was due to “reasonable cause” or “willful neglect”, which makes a significant difference in the penalties that are to be assessed. Not knowing the purpose of a use or disclosure will make it impossible to assess “willful neglect” by CEs and BAs, making it impossible to assess compliance with HITECH’s new patient rights and protections.

    The Coalition and other consumer organizations pressed for these provisions so patients can understand what happens today to their PHI in electronic health systems and data exchanges. Unfortunately HHS did not require patients’ longstanding legal and ethical rights to control and segment data in the “Meaningful Use” regulations or other new regulations, even though Congress intended HIPAA to be the “floor” for privacy rights, not the “ceiling”. Congress intended that more stringent privacy protections in state and federal law, in common and Constitutional law, and in medical ethics would prevail over weaker HIPAA privacy protections.

    As HHS stated in issuing the Amended Rule: “The Privacy Rule provides a floor of privacy protection. State laws that are more stringent remain in force. In order to not interfere with such laws [affording a right of consent] and ethical standards, this Rule permits covered entities to obtain consent. Nor is the Privacy Rule intended to serve as a 'best practices' standard. Thus, professional standards that are more protective of privacy retain their vitality.”13

    In addition, without full, robust, and clear AODs, the US could experience the same kind of public rejection of HIT and data exchange witnessed in the United Kingdom. When the UK decided to add PHI to the National Health data base without patient consent there was a public outcry.14

    The project triggered anger when it was revealed that information could have been logged on the system without patients’ knowledge.

    The British Medical Association (BMA) warned that many people were not even aware of the scheme, let alone the fact that they could ‘opt out’.

    12 See our letter to Congress at: http://patientprivacyrights.org/media/CoalitionPatPriv_Final01.14.09.pdf

    13 67 Fed. Reg. at 53,212 (August 14, 2002).

    14 See: UK Telegraph, Controversial medical records database suspended. A controversial scheme to upload confidential medical records to a national database has been suspended following public outcry, Kate Devlin, Medical Correspondent, 17 Apr 2010 at: http://www.telegraph.co.uk/health/healthnews/7598520/Controversial-medical-records-database-suspended.html

    AODs for Research and Public Health Use and Disclosure of PHI, the HIPAA “Research” and “Public Health” Loopholes

    We recognize that the IOM and many respected scientific and research institutions believe that many kinds of researchers, public health authorities, quality improvement organizations, patient safety organizations, and epidemiologists should have open access to PHI without patient knowledge or consent and believe that obtaining patient consent is a burden. They oppose AOD requirements.

    Unfortunately, the public wants to know about and prefers to give consent for all research, public health, quality improvement, biosurveillance, patient safety, pay-for-performance, comparative effectiveness research, and epidemiology and population health uses of PHI. The IOM’s lack of support for AODs is short-sighted. Legitimate researchers, public health authorities, and epidemiologists should recognize that one of the main ways PHI flows out of the healthcare system to secondary and tertiary users for data sales and misuse is via the “research” and “Public Health” loopholes in HIPAA. They should support AODs and access reports so that patients can learn when and how their data is being used legitimately for research and not conflate the use of PHI for business analytics by for-profit corporations with legitimate research and public health uses of PHI that actually benefit patients by improving health, healthcare quality, and lowering costs.

    Further, the public strongly opposes unfettered research access to PHI. Alan Westin’s survey for the IOM in 2008 on the effects of HIPAA on research15 found:

    – Only 1% of the public agreed that researchers would be free to use personal medical and health information without consent.

    – Only 19% of the public agreed that personal medical and health information could be used as long as the study “never revealed my personal identity” and it was supervised by an Institutional Review Board.

    Unfortunately the IOM, most researchers, and HHS ignore Westin’s findings.

    15 Westin/Harris Survey for the Institute of Medicine, Results of a National Survey, on “Health Research and the Privacy of Health Information: The HIPAA Privacy Rule” by Dr. Alan F. Westin. See: http://patientprivacyrights.org/media/WestinIOMWkshp2-28-08.ppt

    Mark Rothstein16 concluded that the IOM “missed the mark” when it recommended open access to PHI without consent for research purposes.

    He wrote, “Clinicians, researchers, and their institutions do not have the moral authority to override the wishes of autonomous agents. Individuals seeking treatment at a medical facility are not expressly or impliedly waiving their right to be informed before their health information and biological specimens are used for research. The recommendation of the IOM Report would automatically convert all patients into research subjects without their knowledge or consent”.

    Even more troubling than the lack of concern about the public’s attitudes toward research on PHI without consent is the fact that the legitimate clinical and academic research communities and public health authorities do not acknowledge the commercial exploitation of the “research” and “public health” loopholes by for-profit health “research” corporations,17 such as prescription data mining corporations, insurers, hospitals, labs, pharmacies, and technology and hardware vendors.

    The existence of a large commercial “research” industry whose “research” does nothing to improve health or benefit patients will blacken the reputation of the legitimate research community, blacken the reputation of public health authorities, and cause a loss of faith in healthcare professionals and government for not protecting patients’ rights to health information privacy. Commercial use and sale of PHI for corporate business analytics and data analyses will corrode patient trust in legitimate research and public health uses of PHI. This difficult problem cannot be solved by denying it exists or by re-defining “research” and “public health” data uses to exclude commercial “research and public health” use of PHI. This destructive situation makes robust AODs and access reports essential for public trust. Without the right of consent and control over data, transparency for all uses and disclosures is mandatory for the accountability of electronic healthcare systems and data exchanges.

    Public health access to medical records and PHI has always been granted by statutes that address specific diseases such as TB, HIV/AIDS, SARS, etc. The public has never debated or agreed to unlimited access to medical records or PHI without consent by public health agencies. Congress did not consider that the “Public Health” loophole would result in a massive expansion of the mission and definition of public health. This expansion has never been debated, much less endorsed by the public. The history of public health is a story of vigorous public debate over the collection and use of health information about specific infectious diseases, leading to public consensus and lawmaking that addressed specific threats posed by deadly infectious diseases. Public consensus on the collection of personal health information was built disease by specific disease, threat by threat. Public health authorities and the government have never sought, much less achieved, public support for unlimited use of PHI for any problems public health authorities seek to affect. The consequence must be transparency and accountability of all public health uses of PHI, because these expanded uses are not known to the public.

    16 “Improve Privacy in Research by Eliminating Informed Consent?” IOM Report Misses the Mark. In The Journal of Law, Medicine & Ethics, Volume 37, Issue 3 (p 507-512) by Mark A. Rothstein. See: http://patientprivacyrights.org/wpcontent/uploads/2010/02/Rothstein-ReIOM-Report.pdf

    17 See Evidence of Disclosure, The Sharing, Selling, Re-selling and Unauthorized Use of our Personal Health Information: Identifiable Data, “De-identifiable Data”, and Why it Matters, compiled by Patient Privacy Rights: http://patientprivacyrights.org/media/Evidence_of_Disclosure.pdf

    Further, HHS has ignored the fact that informed consent is required for “research” and “public health” uses of PHI by ethical codes for research18 and by international treaty.19 Patients will avoid treatment, out of fear that their health information will be used for research or public health uses they do not support. Many religious people object to the use of their health information for research about certain conditions they find objectionable. The ethical codes of all health professions require informed consent before use or disclosures of personal health information.20

    “The well-being of the human subject should take precedence over the needs and interests of society.”21

    News stories confirm that the public is not willing to have sensitive personal health information, such as genetic information, used or sold without consent. Texas parents were very upset to find out that the State of Texas sold their newborn’s bloodspots for research without their consent.22 The Havasupai Indians of New Mexico sued researchers at Arizona University for using their blood for genetic studies of schizophrenia without their permission.23

    Recently Kaiser Permanente announced the development of a new research data base of 100K EHRs with genomic records. But instead of using the existing Kaiser Permanente HIT system for robust email communication with patients to obtain informed consent for the use of PHI for a specific research project or specific categories of research, Kaiser Permanente decided to use blanket advance consent for all research uses of the data base.24 It is puzzling that Kaiser Permanente made this choice when it could have easily empowered patients to set up a broad array of personal directives to consent to approved research uses and contacted them electronically for any exceptions or new uses not covered by their personal directives.

    If Kaiser Permanente does not permit patients to give consent for research on their data, shouldn’t those patients be able to see all research uses and disclosures of that data?

    18 NCVHS Report to HHS, (June 22, 2006)

    19 Ethical Principles for Medical Research Involving Human Subjects, World Medical Association Declaration of Helsinki, June 1964

    20 NCVHS Report to HHS, (June 22, 2006)

    21 Ethical Principles for Medical Research Involving Human Subjects, World Medical Association Declaration of Helsinki, June 1964

    22 The Texas Tribune, TribBlog, Lawsuit Alleges DSHS Sold Baby DNA Samples, Becca Aaronson, December 8, 2010 at: http://www.texastribune.org/texas-state-agencies/department-of-state-health-services/lawsuit-alleges-dshs-sold-baby-dna-samples/

    23 New York Times, Indian Tribe Wins Fight to Limit Research of Its DNA, Amy Harmon, April 20, 2010 at: http://www.nytimes.com/2010/04/22/us/22dna.html?ref=us

    24 Healthcare IT News, Kaiser genomics project completes first phase, Molly Merrill, Associate Editor, July 25, 2011 at: http://www.healthcareitnews.com/news/kaiser-genomics-project-completes-first-phase

    Absent informed consent for the use and disclosure of PHI for research, robust AODs and access reports are essential so the public can know when and what diseases and conditions are being studied by researchers and public health authorities.

    Researchers argue that they must have access to entire populations for some kinds of research. That has never been possible; researchers have always had to extrapolate to provide good enough answers to research queries. The choice is between having less data than some researchers want to have and driving significant numbers of patients away from treatment because they will know there is no other way to protect their privacy. When patients learn that they can trust HIT systems, data exchanges, and researchers, they will provide MORE data and MORE accurate data because they trust that it will not be used or sold to harm them. Counter-intuitively, privacy (patient consent and control over data for routine uses and all research uses) will improve data quality, accuracy, and integrity. The most chilling effect in research will come not from requirements for human subject research as stated on page 31432, but from eliminating the foundational ethical principle of obtaining informed consent for research. Why do that when technologies can make finding potential research subjects cheap and easy with consent?25

    Finally, the burdens on researchers to provide AODs are no more difficult than for any other users of HIT and PHI. Thanks to the required HIPAA and HITECH data security requirements, the minor additions so users can add a “purpose” for the use or disclosure and adding technology to automatically allow patients to download AODs means researchers will have minimal burdens.

    Consent in Future HIT Systems and Data Exchanges, the Need for a Patient-Centric Vision based on the Law and Medical Ethics

    HHS does not appear to envision a future where patients will easily be able to electronically set up and change consent directives in one place for broad categories of data use, for any narrow specific uses and disclosures of PHI, and for any specific or broad exclusions of access or disclosure to selected people or entities to data for treatment, payment, and/or healthcare operations. HHS does not appear to support the use of technology to improve consent or control over PHI. Instead, stimulus funds are being invested in technologies that violate the public’s rights and expectations to control the use of PHI for routine uses, research, and public health (unless required by law).

    Trustworthy HIT systems and data exchanges should enable patients to easily exercise their longstanding rights to health information privacy and control over PHI in one place, rather than being forced to set consents everywhere their data exists, which there is no way of knowing today. In the future, all holders of PHI should check electronically with patient consent directives before using or disclosing PHI, similar to the way that pharmacies electronically and instantly check with PBMs to determine patient co-pays and drug formularies. With consents in one place, as patients’ preferences change they can instantly change their directives.

    25 Private Access consent technologies were developed to aid researchers looking for appropriate subjects quickly and easily using electronic tools for informed consent. See “live” demonstration at the Consumer Choices Technology Hearing in 2010 at: http://nmr.rampard.com/hit/20100629/default.html
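Two mechanisms run through the testimony above: an accounting-of-disclosures entry that records a specific purpose, so that an auditor or patient can tell whether a self-pay restriction on disclosures to health plans was honored, and a consent-directive check that a PHI holder performs before any use or disclosure. The Python below is an added illustration by the editor, not code from the testimony, from Patient Privacy Rights, or from any vendor named in the hearing; the record fields, purpose labels, directive structure and sample AOD entries are all constructed assumptions. It also shows the failure mode the testimony describes: an entry with no recorded purpose cannot be judged either way.

```python
"""Added example, not from the testimony: an accounting-of-disclosures (AOD) record
that carries a specific purpose, a consent-directive check made before a disclosure,
and an audit that relies on the purpose field to tell whether a self-pay restriction
was honored. Every field name, purpose label and sample record is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

# Specific purposes, as opposed to the broad "health care operations" category.
TREATMENT = "treatment"
PAYMENT = "payment"
RESEARCH = "research"
PUBLIC_HEALTH = "public_health"


@dataclass
class AODEntry:
    """One line of an accounting of disclosures (constructed schema)."""
    patient_id: str
    timestamp: datetime
    recipient: str            # who received or accessed the PHI (a CE or BA)
    recipient_type: str       # "provider", "health_plan", "business_associate", "researcher"
    purpose: Optional[str]    # None models an AOD that does not record the purpose
    category: Optional[str] = None  # e.g. a research category, when purpose == RESEARCH


@dataclass
class ConsentDirective:
    """A patient's directives, kept in one place (constructed schema)."""
    patient_id: str
    restrict_payment_disclosures: bool = False                 # self-pay restriction
    permitted_research: Set[str] = field(default_factory=set)  # approved research categories


def disclosure_permitted(directive: ConsentDirective, purpose: str,
                         category: Optional[str] = None) -> bool:
    """The check a PHI holder performs against the directive before using or disclosing."""
    if purpose == PAYMENT and directive.restrict_payment_disclosures:
        return False
    if purpose == RESEARCH:
        # Research is permitted only for categories the patient approved in advance.
        return category in directive.permitted_research
    return True


def record_disclosure(log: List[AODEntry], directive: ConsentDirective, recipient: str,
                      recipient_type: str, purpose: str, category: Optional[str] = None,
                      now: Optional[datetime] = None) -> bool:
    """Consent check first, then an AOD entry that always carries the purpose.
    Returns True when the disclosure was permitted and logged, False when it was blocked."""
    if not disclosure_permitted(directive, purpose, category):
        return False
    log.append(AODEntry(directive.patient_id, now or datetime.now(timezone.utc),
                        recipient, recipient_type, purpose, category))
    return True


def audit_restriction_violations(entries: List[AODEntry], directives: List[ConsentDirective]
                                 ) -> Tuple[List[AODEntry], List[AODEntry]]:
    """Find AOD entries that disclosed PHI for payment despite a self-pay restriction.
    Entries with no recorded purpose are returned separately: without the purpose the
    auditor cannot tell whether the restriction was honored or violated."""
    by_patient = {d.patient_id: d for d in directives}
    violations: List[AODEntry] = []
    undeterminable: List[AODEntry] = []
    for entry in entries:
        directive = by_patient.get(entry.patient_id)
        if directive is None or not directive.restrict_payment_disclosures:
            continue
        if entry.purpose is None:
            undeterminable.append(entry)
        elif entry.purpose == PAYMENT:
            violations.append(entry)
    return violations, undeterminable


# Constructed sample data: one patient with a self-pay restriction, one without.
SAMPLE_DIRECTIVES = [
    ConsentDirective("pt-001", restrict_payment_disclosures=True, permitted_research={"cardiology"}),
    ConsentDirective("pt-002"),
]
T0 = datetime(2013, 9, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_AOD = [
    AODEntry("pt-001", T0, "Example Clinic", "provider", TREATMENT),
    AODEntry("pt-001", T0, "Example Health Plan", "health_plan", PAYMENT),     # violates the restriction
    AODEntry("pt-001", T0, "Example Billing BA", "business_associate", None),  # purpose not recorded
    AODEntry("pt-002", T0, "Example Health Plan", "health_plan", PAYMENT),     # no restriction in place
]


def run_audit() -> Tuple[List[str], List[str]]:
    """Audit the sample AOD; returns recipients of violating and of undeterminable entries."""
    violations, undeterminable = audit_restriction_violations(SAMPLE_AOD, SAMPLE_DIRECTIVES)
    return [e.recipient for e in violations], [e.recipient for e in undeterminable]


if __name__ == "__main__":
    print("violations:", run_audit()[0])        # ['Example Health Plan']
    print("cannot determine:", run_audit()[1])  # ['Example Billing BA']
```

The audit deliberately keys on the recorded purpose rather than on the recipient alone: a disclosure to a health plan may be legitimate for treatment coordination, and a business associate may act on a plan's behalf, so an entry without a purpose lands in the "cannot determine" bucket instead of being silently passed or flagged.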

    Robust consent management and segmentation technologies exist and have clearly worked well for over 9 years26,