New HIPAA rules need more clarification

When it comes to the new HIPAA privacy and security standards, it seems like everybody has an opinion. Quite a few organizations are spreading the word about the comments they’ve filed in response to the changes HHS proposed in July…

…On the consumer side, the Coalition for Patient Privacy, led by Dr. Deborah Peel’s Patient Privacy Rights Foundation, is lobbying hard for the final rule to restore the right to patient consent for PHI disclosure that HHS stripped from the HIPAA privacy rule in 2002.

“We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29 at the Consumer Choices Technology hearing sponsored by HHS/ONC for all HIT systems, HIE and the NHIN,” the coalition says in its letter. “The innovative, low-cost, effective privacy‐enhancing technologies available that can empower patients to have ‘maximal control over PHI’ should be viewed as what is possible now, not 10 years from now.”

Health IT coordinator attacks rumors that spy agencies would tap into patient information network

Dr. David Blumenthal, national coordinator for health information technology, has strongly denied any plans to develop a national network that would transmit patients’ medical information to the Justice and Homeland Security departments…

…Rather than defusing concerns, privacy advocates said Blumenthal’s remarks only heightened questions about what role NIEM standards, and the law enforcement agencies that developed them, will play in a national health information network.

Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation, said she believes Blumenthal is well-intentioned in his aim to ensure patient information is not transmitted to law enforcement or intelligence agencies. But promises do not have the force of law, she noted.

Privacy concerns surface over ONC data project

There’s an old warning, “Just because you’re paranoid doesn’t mean they’re not after you.”

Last week, David Blumenthal, head of the Office of the National Coordinator for Health Information Technology at HHS, tried to tamp down some blogosphere-based insinuations that work by his office might be contributing to a national surveillance state.

NHIN won’t funnel information to CIA: Blumenthal

David Blumenthal, head of HHS’ Office of the National Coordinator for Health Information Technology, has denied allegations that a framework for selecting data transmission standards for the proposed national health information network would configure the system to afford federal control over patient data and funnel that information to federal agencies, including the CIA, Justice Department and National Security Agency.

Blumenthal’s remarks came more than three hours into the March 25 meeting of the Health IT Standards Committee. The committee is a federal panel created under the American Recovery and Reinvestment Act of 2009, also known as the stimulus law, to advise the ONC on matters concerning health IT standards.

National health records network to hook up with Google, Microsoft

The federal office in charge of creating a national network of electronic health records plans to integrate the system with the health care databases that Google and Microsoft launched last year, on which individuals can store their health records, a top official with the Health and Human Services Department said.

The Office of the Coordinator of Health Information Technology plans this year to expand its Nationwide Health Information Network to also include electronic health records stored in networks operated by the departments of Defense and Veterans Affairs, and the Indian Health Service, and integrated health care systems that span numerous communities, said Charles Friedman, chief operating officer for the health information office, which is part of HHS. Friedman spoke March 26 at the Defense Health Care Information Technology Conference at Georgetown University in Washington.

The NHIN is the primary component of a project that President Bush kicked off in 2004 to create a network that eventually will integrate the electronic health records of every American. Bush set 2014 as the deadline to have the majority of the public’s electronic health records available to any doctor’s office, hospital or clinic hooked up to the network. The original architecture for the national network will be built around four multistate Regional Health Information Organizations that will share their patients’ medical data. HHS set up the four RHIOs in 2005 when it awarded contracts to Accenture, Computer Sciences Corp., IBM and Northrop Grumman.

Friedman provided few details on how the office would incorporate personal health records from Google Health and other organizations developing similar applications, such as Microsoft’s HealthVault, which it launched in October. By the end of this year, HHS will have demonstrated the exchange of different kinds of health information through the network.

Last month, Google launched a pilot project with the Cleveland Clinic to provide patients the results of their doctor visits, prescriptions, tests and procedures through Google’s secure Web authentication proxy service.

Friedman did not say how his office will incorporate multicommunity integrated health care delivery systems, but plans to tie these systems into the NHIN indicate that the HHS office wants to expand the network from the state to the local level, with the network hooking up cities and towns within a state, according to an executive of a health IT vendor at the conference who declined to be identified.

Federal interfaces to the health network will be through an entity called NHIN Connect, Friedman said. NHIN Connect will be based on the National Health Information Exchange Gateway, which Harris Corp. will develop under a contract HHS awarded last week, said Lt. Col. Hon Pak, director of the advanced information technology group of the Army’s Telemedicine and Advanced Technology Research Center at Fort Detrick, Md.

Pak, who serves as the Defense representative on NHIN Connect, said the network will use software developed by Defense and VA for the Bidirectional Health Information Exchange, which clinicians in both departments use to share electronic patient information, and software developed by the National Cancer Institute for its Cancer Biomedical Informatics Grid. The NHIN Connect gateway integrates health care IT information from several federal agencies into the NHIN. This includes VA, Defense and the Indian Health Service as well as the Centers for Disease Control and Prevention and the Centers for Medicare and Medicaid Services, Pak said. NHIN Connect is in an early development stage; the first multiagency planning meeting was held yesterday, he added.

The NHIN gateway will save the government significant money by correlating simple demographic information with federal programs, such as determining who is alive and who has died, said Dr. Stanley Saiki Jr., director of the Pacific Telehealth and Technology Group, a joint Defense and VA research organization funded by the Army’s Telemedicine and Advanced Technology Research Center.

Health Information Privacy: What Do Doctors and Patients Want and Need?

In the last few weeks we have had a number of reminders that management of the privacy of patient records remains a contentious and difficult area. The first key reminder came in late February 2007 when Paul Feldman, co-chair of the American Health Information Community’s (AHIC) Confidentiality, Privacy and Security Workgroup, submitted his resignation to the interim National Coordinator for Health Information Technology at the Department of Health and Human Services (HHS).

AHIC (which has the same role as the Australian Health Information Council, also rather coincidentally AHIC) is the peak health IT policy advisory board in the US and provides advice directly to the US Secretary for Health and Human Services (the equivalent of our Federal Health Minister).

In his resignation letter Feldman writes that the workgroup “has not made substantial progress toward the development of comprehensive privacy and security policies that must be at the core of a National Health Information Network (NHIN).”

Given this resignation comes after six meetings and many months of work, the degree of difficulty in reaching a consensus between parties is obvious.

The second reminder came with the April 2007 release of a survey conducted among UK GPs regarding the sharing of clinical records electronically with the UK NHS ‘Spine’ which is a secure repository of shared electronic patient records which under appropriate conditions can be accessed to assist in patient management anywhere in the UK.

{Australian health blog about how electronic health records and privacy rights are handled around the world features Patient Privacy Rights as the “one organisation and advocacy entity in the US that ‘gets it’”—‘it’ meaning the need for patient control of records in electronic health systems. In the UK, physicians are FAR more protective of their patients’ medical records than in the US. 40% will not share patient records with the national database, 80% believe that electronic sharing of records can threaten patient confidentiality, and 60% oppose ‘opt-out’ of records sharing, preferring that patients ‘opt-in’. ~ Dr. Deborah Peel, Patient Privacy Rights}

NCVHS Letter to HHS

On June 22, 2006, the National Committee on Vital and Health Statistics (NCVHS) sent (HHS) a letter report, Privacy and Confidentiality in the Nationwide Health Information Network. Among the 26 recommendations was the following: R-12. HHS should work with other federal agencies and the Congress to ensure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit, or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers, and schools.

The NCVHS held a series of three hearings in 2006-2007 to learn more about the health privacy practices of entities that make significant use of health information in their day-to-day operations but are not covered by the Health Insurance Portability and Accountability Act (HIPAA). At the first two hearings, we heard from representatives of life insurers, insurance regulators, human resource professionals, occupational health physicians, financial institutions, primary and secondary schools, and colleges. The third hearing focused on health care providers and other entities in the health industry that are not covered by the HIPAA privacy rule. We inquired about the degree to which they are regulated by other federal or state laws and the possible effects that federal health privacy coverage would have on their operations. What we learned from the testimony strongly reinforces our conviction that all entities that deal with personally identifiable health information should be covered by some federal privacy law. The NCVHS would like to share with you some additional observations in support of our earlier recommendation with respect to this last group of non-covered entities, those operating in the health care arena.

{The National Committee on Vital and Health Statistics’ (NCVHS) letter to Secretary Leavitt recommends that “HHS and Congress should move expeditiously to establish laws and regulations that will ensure that all entities that create, compile, store, transmit or use personally identifiable health information are covered by a federal privacy law.” But the problem is what exactly is “privacy”? So far, Congress has NOT defined privacy, which has resulted in Americans having no right to privacy in electronic health systems. If Congress does not pass a law that provides a standard definition of health information privacy, we will simply get more bad laws and regulations that talk about privacy but do not actually protect health privacy. Privacy is defined by NCVHS as the right to control access to personal health information. ~ Dr. Deborah Peel, Patient Privacy Rights}
