(Privacy, Security, Consent & Property Rights)
On March 23, the HHS released an excellent Whitepaper on Consent to Electronic Information Exchange of Medical Records. Also on March 23, Dr. Deborah Peel, founder of Patient Privacy Rights has published an opinion in The Wall Street Journal emphasizing the absolute need for obtaining patient consent prior to sharing private information.
The HHS Whitepaper is examining various forms of Consent, various existing implementations of Consent in Health Information Exchanges across the country and abroad, existing laws regulating the need for patient Consent and provides in-depth analysis of the technical challenges in implementing Consent policies.
Before we look at Consent to share records, we should probably clarify what it is exactly that we propose to share, with whom do we share and for what purpose.
All of us at some point or another signed the HIPAA consent form in a doctor’s office and thus, allowed the doctor to share identifiable Personal Health Information (PHI) “for treatment, payment, or health care operations purposes”. While nobody really understands what “health care operation purposes” really are, we assume that our physician will share information with our other care providers and insurance companies and nobody else.
Does this mean that de-identified information (re-identifying is very possible) can be shared with anybody without our consent? Does it mean that our doctor is now empowered to share ALL our information with insurers and other providers? If our employer is self-insured, can the doctor share our information with the employer as well? Do health care operations include public health (Government) and research (private)?
Some answers do exist. For example, the Genetic Information Nondiscrimination Act of 2008 (GINA) generally prohibits the collection and use of genetic information by insurers and employers. So information regarding our family history or anything available from direct genetic testing cannot be shared with insurers and employers. GINA does not prohibit use of such information for other purposes. Other answers are unclear.
Electronic Medical Records can contain information on disease, medications, treatments, social habits, drinking habits, smoking status, sexual activity and orientation, abuse, depression, mental health, financial class, ethnicity, education, family circumstances, diet and exercise, residence, SSN, employment, travel, hobbies and whatever else providers choose to ask and we choose to answer. Electronic Medical Records can be, and will be, the most comprehensive description available for an individual in a computerized discrete data format, ripe for analysis and mining. Unlike their paper counterparts, Electronic Medical Records are “liquid” and easy to share and they will be shared. The only decision left to us is how they will be shared.
Sharing Medical Records between providers to improve an individual patient’s care is an obvious and tested notion. Sharing Medical Records to foster public health is a good intention and certain roads are largely paved by good intentions. Creating rules and regulations to govern Privacy and Security of information by requiring patient Consent and technology to secure data, is imperative, but not nearly enough. Security will be breached (it is so already) and data will be improperly disseminated and used (occurring already). The law should impose real and severe penalties, not just financial slaps on the wrist. And the law should be enforced.
For various constituencies, or “stakeholders”, the wealth of information contained in EHRs is directly translatable into tangible wealth measured in hard dollars. Thus, information in EHRs (identifiable or not) should be considered Property. Treating information as property has precedence. In the business world Intellectual Property is a well understood and well regulated term. Medical Record Property deserves, at the very least, the same protection.
What on call used to mean
4 hours ago