In May, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) announced that it was selling analysis of accredited hospitals’ data to14 Blue Cross/Blue Shield health plans covering 29 states, and plans to expand its access to and use of hospitals’ patient-level data. For hospitals, this action raises three extremely serious issues and has triggered ongoing discussions between JCAHO and the American Hospital Association (AHA).
- Health Insurance Portability and Accountability Act (HIPAA) compliance issues raised by JCAHO’s plans to seek patient-level data from accredited hospitals and its use unrelated to accreditation.
- Necessity for JCAHO separately to collect patient-level performance data that duplicates the Hospital Quality Alliance’s efforts.
- Apparent conflicts created when JCAHO, as an accrediting body, sells data analyses to insurance companies and other third parties.
During these discussions, significant differences in opinion have emerged over how the HIPAA requirements affect JCAHO’s proposed plans to access and use patient-level data from hospitals in its announced strategy to “over the long haul …[become] a purveyor of performance data analysis for a variety of purposes.”
In 1999, the California HealthCare Foundation (CHCF) released a groundbreaking study of Americans’ attitudes and behaviors concerning health privacy. The study found that nearly three out of four Americans had significant concerns about the privacy and confidentiality of their medical records. Six years later, following implementation of national privacy protections under the Health Insurance Portability and Accountability Act (HIPAA) and the President’s push to adopt electronic medical records, a CHCF survey plumbs consumers’ attitudes about the privacy of their health information.
Conducted by Forrester Research, the survey reveals that — despite federal protections under HIPAA — two in three Americans are concerned about the confidentiality of their personal health information and are largely unaware of their privacy rights.
In addition, one in eight patients reportedly engages in behavior to protect personal privacy, presenting a potential risk to their health. More than half (52%) of respondents are concerned that employers may use health information to limit job opportunities, highlighting the implications of the privacy issue.
Yet despite these concerns, consumers report a favorable view of new health technology, with a majority (59%) willing to share personal health information when it could result in better medical treatment.
As efforts to develop a nationwide health information network proceed, unaddressed concerns about personal privacy could have major implications.
Health information technology legislation is swirling around Capitol Hill this week, and there’s no shortage of recommendations of how it should be done.
Privacy advocacy groups began circulating a petition Thursday to bar employers from viewing patients’ health information and giving patients control over who can see what medical information.
The heads of the two advocacy groups who wrote the petition say that, designed properly, electronic health records can protect privacy better than their paper counterparts
That’s because, unlike paper files, electronic systems can show varying levels of information to different people as well as track who tries to access what information.
But such controls must be mandated from the start, said Deborah Peel, head of the Patient Privacy Rights Foundation.
Click here to read about how providers have come up short on HIPAA privacy compliance.
“If health IT is built without protections, then every American is exposed to the same kind of damaging practices that Wal-Mart is seeking to implement,” she said, referring to a recently leaked memo in which department store executives planned how to hire and retain employees likely to have the lowest health costs.
The petition being circulated by the Patient Privacy Rights Foundation and the Electronic Privacy Information Center states that patients should be able to choose who can view medical records, explicitly bars employers from viewing employees’ medical records and states that sharing private information should not be a precondition of receiving care.
Also this week, the Commission for Systemic Operability released 14 recommendations to ease the creation of systems that could instantly supply a patient’s health information when necessary.
The Commission, a bipartisan group created explicitly to advise Congress, recommended that anyone who knowingly attempts to obtain restricted information face criminal prosecution and that the Department of Health and Human Services figure out how to protect patients from the consequences of unauthorized access.
Though more explicit, these provisions are not so different from HIPAA, which states that employers will generally not be able to view information and lays out criminal sanctions and huge fees for harmful use of medical information.
Peel, however, said that the notion of who is authorized should be determined by patients. To avoid mountains of bureaucracy, the exchange of medical information for “routine use” need not be approved by or disclosed to patients. Peel said that this creates a loophole that thwarts HIPAA’s intentions.
Health IT could restore protections without crippling paperwork, she said. “Consent is a data field. People that design the system could easily put consent in.”
When he read the petition, Scott Wallace, head of the Commission, said that all the positions were reasonable and that none conflicted with the Commission’s recommendations, Ending the Document Game.
The Commission recommended that the government, employers, and health care payors should all offer providers incentives to connect information.
It also urged that policy makers and IT vendors stop squabbling about details and adopt national, consistent standards on issues like assuring patient identity.
“There’s a real risk that Washington can get it completely wrong. A bad bill that preempts the states could become an anti-privacy law.”
In that case, he said, individual states could provide a smorgasbord of possible solutions.
Wallace said that groups focusing on patient confidentiality can overlook the need to connect information, saying that actions required by some states are prohibited by others.
“Conflicting laws between those states stop my medical information from crossing the border. It is far more important that we have access to medical information than that we have states individually defining privacy needs.”
Rotenberg said information technology could be readily designed to adapt to different state policies. For example, appropriate codes and tags could be attached to data so that both data, and privacy protections, could travel with the patient.
But John Halamka, CIO and associate dean for educational technology at Harvard Medical School, said consistent privacy and security policies are essential to connect information, and such policies often extend beyond certain classes of data.
State laws that were reasonable before electronic systems now impede patient care, Halamka wrote in an opinion piece.
The ultimate privacy argument against RFID. Click here to read more.
“In Massachusetts, doctors can’t retrieve a complete electronic medical list from an insurance company, even with patient consent, if a medication related to mental health, substance abuse or HIV treatment is present.
“In Ohio, doctors must use a cryptographic electronic signature to prescribe medications electronically. In California, only paper forms are considered a valid patient consent.”
Peel did not see separate state privacy laws as essential, providing that current national privacy policies were strengthened. She warned that patients worried that their health information could be used to harm them would find ways to keep that information out of the system, even if it meant forgoing care.
In that sense, she said, the ability to protect information is a prerequisite for the ability to connect it.
“Information technology can bring us the best of both worlds. It’s not an either/or proposition, and it shouldn’t even be framed that way.”
Copyright (c) 2005 Ziff Davis Media Inc. All Rights Reserved.
HHS would recommend to Congress a single federal privacy standard to promote electronic medical records and e-prescribing, replacing state and federal laws, under legislation introduced by Rep. Nancy Johnson (R-Conn.). The bill also would set up a certification process to ensure health information technologies meet interoperability standards; direct HHS to revamp its 30-year-old diagnosis coding system; and require the HHS secretary to report to Congress within two years on the progress of the American Health Information Community initiative to develop a national strategic plan to implement a health IT infrastructure.
Earlier this month, the federal government proposed relaxing rules to allow hospitals and doctors to share IT hardware, software and training. Johnson’s bill would codify that effort.
PRESIDENT Bush and Congress have pledged to support the people of Louisiana, Mississippi, Alabama, and now Texas, as they embark on an unprecedented rebuilding of their communities on the Gulf Coast. But at least when it comes to health care, rebuilding should not necessarily mean replacing what was lost. Instead, we have the opportunity to give the Gulf Coast the first 21st Century health-care system in the country.
There are a number of Gulf Coast hospitals and countless doctor’s offices, nursing homes, clinics, labs, and pharmacies that are beyond repair. In the words of an official from the hospital-accrediting body, “Essentially the health infrastructure of New Orleans is gone — it no longer exists.” Because of the scope of the damage, the Gulf Coast communities have the opportunity to design their health-care systems from scratch.
A condition of federal assistance for the rebuilding of the health systems should be that they be designed for the information age.
Although technology has revolutionized nearly every corner of society, only 14 percent of physician practices have electronic medical records, according to a new survey by the Medical Group Management Association. Hospital numbers are not much better. One of the primary obstacles to investment has been the cost to providers, because much of the financial return on investments in health information technology — 89 percent, by one study — accrues to those who pay the bills.
But on the Gulf Coast the entire infrastructure is being rebuilt anyway, with the federal government largely paying the bills. There we can build a smarter, safer, more efficient system, and probably save money in the process. Out of the wreckage of Hurricanes Katrina and Rita would emerge a model for what health care can be.
We should begin by making a personal health record available to every citizen in the affected areas. Under the leadership of the national coordinator for Health Information Technology, Dr. David Brailer, there is already a crash program under way to make these patient-owned Web-based health records available to evacuees in shelters. That way, when they move to more permanent housing, their health information will not be lost.
We also need to rebuild our facilities for the information age. There is no reason that any doctor’s office should be rebuilt with big rooms for storing paper records, or without broadband-Internet access. Hospitals should be heavily wired and built with robust tele-medicine capabilities, so that rural populations can have better access to high-quality care. We should ensure that every provider in the new facilities who wants to switch to electronic medical records is assisted in doing so.
By integrally incorporating these technologies, we will be able to design health-care facilities differently. In an electronically enabled health system, for example, we may need fewer hospital beds, because length of stay is reduced and remote monitoring of patients from less intensive settings is available. Waiting rooms may become unnecessary as computers improve scheduling and reduce paperwork. With this sort of streamlining, building new, re-engineered facilities may actually prove cheaper than rebuilding what was lost.
The benefits of moving health care into the information age would be enormous for the Gulf Coast residents. It could mean the end of those infuriating clipboards, of photocopying health-insurance cards, of being sent for duplicate tests. It could mean that a doctor or nurse would always see emergency-room patients with critical information, instead of asking them what color the pills in their medicine cabinet are and how often they take them. Most poignantly, no Gulf Coast resident would ever have to worry again about his or her medical history’s being washed away.
Patients could communicate with their providers by e-mail and schedule appointments online, and their chances of being harmed by a mistake or of missing important preventive care would drop. Meanwhile, doctors could see the number of claims rejected by health plans fall, and the administrative burdens of coding and billing decrease, as electronic medical records automatically generated bills to electronically send to health plans.
This revolution could have particular benefit for those living in poverty — provided we are sure to include their health-care providers in these efforts. Low-income people move more often than others, are less likely to have stable relationships with care providers, and are more likely to have chronic diseases. There is no substitute for providing reliable health insurance, but at least with personal health records, these people could consolidate their information and make it available to any provider who was authorized — thus raising the quality of the health care received.
I do not minimize the challenges in realizing this vision. It will require speedy, collaborative action by a number of stakeholders to ensure that privacy and security are iron-clad, that the right data are available when needed and authorized, and that physicians have the necessary support to make implementation and maintenance smooth. It will involve changes that will take time to figure out. But these are not technological or even fiscal challenges; they are challenges of vision and leadership.
Here in Rhode Island, we know these challenges, and we are making great strides toward bringing our health-care system into the information age. On Oct. 20, Dr. Brailer, the Health Information Technology national coordinator, will make his second visit to see our progress and explore how the federal government can accelerate it. Still, as any of the dedicated Rhode Island stakeholders can attest, building this revolution into a complex existing system is difficult.
Nobody would ever ask for the tragedy that befell our neighbors on the Gulf Coast. But there is lemonade to be made of the lemons — if we can summon the initiative to build the future of health care, rather than rebuilding its past.
Patrick J. Kennedy represents Rhode Island’s First Congressional District.