Interoperable Electronic Health Records, the American Reinvestment and Recovery Act, and Patient Privacy and Confidentiality

1
Interoperable Electronic Health Records, the
American Reinvestment and Recovery Act, and
Patient Privacy and Confidentiality
  • Leslie Francis
  • Distinguished Professor of Law & Philosophy
  • Alfred C. Emery Professor of Law
  • Adjunct Professor of Internal Medicine

2
Goals
  • Outline the concerns for privacy and
    confidentiality associated with the likely
    increase in use of interoperable EHRs
  • Demonstrate the inadequacy of the current HIPAA
    regulatory regime
  • Explain several areas of current debate:
    de-identification, surveillance, research, and
    the protection of categories of sensitive
    health information

3
Distinguishing Privacy and Confidentiality
  • Privacy: about access to, and control over, the
    person
  • Confidentiality: about control over
    information, how and on what authority it is
    shared
  • The difference matters
  • Having information in the system is important for
    many reasons (research, public health
    surveillance, treatment)
  • But information may not get into the health care
    system unless people trust control over where it
    goes
  • Depending on the context, we may need to protect
    confidentiality to protect privacy, or the
    converse
  • Current debates confuse privacy with
    confidentiality

4
Ethically Privacy as Control of Access
  • Autonomy: controlling access to the person is
    important to the individual's ability to make
    central choices about his/her life
  • Physical security: protection from bodily harm
    done by intrusion
  • Freedom from intrusion: into the body, the home,
    other protected space
  • The ability to form intimate relationships
    through controlling access
  • Dignity: not being subject to contact or intrusion
    regarded as degrading
  • Identity: protecting access as critical to
    individual or group identity
  • Equality: ease of access to some but not to others
    may affect social positions (e.g. equality of
    women)

5
Ethically Confidentiality as Information Control
  • Autonomy: control of choices about information
  • Physical security: harm that may result when
    information is shared, e.g. throwing lepers off the
    Molokai cliffs or stoning patients with HIV
  • Intimacy and identity: sharing information as a
    way of establishing intimacy
  • Equality: protection from discrimination, e.g.
    ADA, GINA (the Genetic Information
    Non-discrimination Act)

6
Interoperable Electronic Records in Primary Care
  • Recent estimates (Health Affairs 2009) are that
    approximately one in eight physicians in the US
    today have even rudimentary electronic records
    systems
  • Barriers cited in the literature include start up
    costs, productivity losses, lack of technical
    expertise, questions about which system to choose
  • Clinical value of increased use of health IT is
    hypothesized but evidence is limited (e.g.,
    Parente & McCullough, Health Affairs 2009); one
    recent study has linked EHR structural capacity
    in primary care practices to improved HEDIS
    measures (Friedberg et al., Annals of Internal
    Medicine 2009)

7
ARRA
  • ARRA includes $17 billion for adoption and
    meaningful use of EHRs by Medicare and Medicaid
    providers (up to $44,000 each, which would cover
    about 386,000 of the estimated 940,000 physicians
    in the US today)
  • Meaningful use includes sharing information
    with other systems; functionalities include
    computerized order entry, transmissible
    prescriptions, drug interaction checking, and an
    updated problem list
  • Ultimate goals include patient registries,
    quality improvement, public health promotion

8
Confidentiality and Patient Trust
  • The most widely quoted estimate is that a
    significant percentage of patients (1/6) withhold
    information from physicians because of concerns
    about whether it will be protected (California
    HealthCare Foundation, National Consumer Health
    Privacy Survey 2005).
  • Almost 10% of patients chose not to opt in to the
    Massachusetts interoperable EHR demonstration
    project, many citing privacy concerns (Tripathi
    et al., Health Affairs 2009)
  • Harris poll re research using identifiable health
    information: 28% no consent or general consent in
    advance, 38% study-specific consent, 13% refuse
    to participate or be contacted, remainder unsure
    (2007, referenced in IOM 2009)
  • This behavior may increase as the use of
    interoperable EHRs increases (CDT 2009)
  • Patient trust is particularly jeopardized by
    unanticipated events, so it will be especially
    important to inform patients about interoperable
    records and confidentiality protection

9
HIPAA Coverage: A Solution?
  • Mis-described as a privacy rule; it is a
    confidentiality rule
  • Applies to covered entities (health plans,
    health care clearinghouses, and health care
    providers who transmit health information in
    electronic form for which HHS has adopted
    standards) and their business associates
  • Covers protected health information: any
    individually identifiable health information
    possessed by covered entities
  • Does not cover employment records, educational
    records, or de-identified data, even if health
    information is included in these records and they
    are otherwise possessed by a covered entity
  • And . . . there's much more HIPAA doesn't do

10
HIPAA: what's outside coverage?
  • Any entities that possess individually
    identifiable health information but are not
    covered entities or their business associates
    (spas, for example)
  • Many PHR vendors (WebMD, Microsoft Healthvault,
    GoogleHealth), except if under business associate
    agreements
  • Health 2.0: PatientsLikeMe, 23andMe
  • Any data transferred with patient authorization
    out to an unprotected site

11
HIPAA Exceptions to Authorization
  • Health care operations: including business
    planning, insurance underwriting, quality
    assurance, and fraud and abuse detection
  • Law enforcement: including child abuse, abuse of a
    vulnerable adult, information about victims, and
    information that might implicate family members
    (e.g. DNA from a Pap smear)
  • Public health: infectious disease surveillance,
    bioterrorism, any reportable condition
  • Employers: information needed to comply with an
    OSHA request, a Mine Safety and Health
    Administration request, or other required
    workplace-related law
  • FDA: adverse drug events, post-marketing
    surveillance information
  • Research: if an IRB has granted a waiver, or the
    information is included in a limited data set
  • Serious threat: to prevent or lessen a serious
    and imminent threat to a person or the public,
    when such disclosure is made to someone believed
    able to prevent or lessen the threat (including
    the target of the threat)

12
Problems with Interoperable EHRs
  • Deidentification? And risks of reidentification
  • Surveillance and informed consent
  • Syndromic
  • Registries
  • Limits to research?
  • Transfer of sensitive health information?

13
Deidentification
  • Deidentified data are created either by stripping
    out all of 19 listed types of identifying
    information (safe harbor rule), or by meeting
    expert standards regarding risk of
    reidentification
  • Vastly increases the possibilities for use of
    information, but data are not covered by HIPAA
    once deidentified
  • Concerns:
  • Risk of re-identification when data sets are
    combined, especially with publicly available data
    sets: statistically unusual patterns, genetic
    information and growth of personalized medicine,
    PHRs, health blogs, Health 2.0
  • Data miners (marketers, for example) may try to
    reidentify deidentified data in the public domain
  • Harms from data uses even when identifiers are
    absent: important personal beliefs, community
    identity, group stigmatization (the 13% who would
    refuse to allow their data to be used in research)

14
Surveillance
  • Syndromic surveillance: data are monitored for
    unusual patterns that may represent disease
    activity or terrorist activity
  • Novel types of data used: Google hits predicting
    a flu outbreak
  • Significance of a particular data point becomes
    apparent only after the pattern is discerned, so
    there is no way to engage in patient informed
    consent ex ante; compare traditional public
    health reporting, where the significance of a
    finding can be explained in advance (Source:
    Francis et al., Journal of Bioethical Inquiry
    2009)
  • Risks of stigmatization, job loss, even physical
    threat, e.g. to an index patient or to someone
    who has been identified as a danger

15
Disease Reporting: New York's Ha1C Registry
  • Reporting of all Ha1C results by lab to registry
    (no opt out)
  • Results reported only to patients and providers (not
    insurance companies or employers)
  • Patients may opt out of reporting (but not the
    registry)
  • Preliminary results: 17% of patients say
    receiving the letters prompted them to make
    appointments; 50% remembered receiving the letter
  • Justice concerns: pilot in South Bronx
    neighborhoods, stigmatization and racialization
  • (Source: Chamany et al., Milbank Quarterly 2009)

16
Research
  • Concern that the HIPAA privacy rule is impeding
    health research: both too protective and too weak
  • HIPAA and disclosure of PHI for research:
  • By patient authorization: requires a description
    of each purpose of the requested use or
    disclosure that is specific and
    meaningful; very difficult to apply to stored
    specimens, biobanks, patient registries, where
    new research questions are proposed
  • By waiver of authorization: if no more than
    minimal risk, adequate safeguards, and research not
    practicable without the waiver or without
    access to the PHI
  • No clear standards for minimal risk to
    confidentiality or for impracticability

17
IOM Recommendations (2009)
  • New, uniform privacy, confidentiality & security
    standards for all health research
  • With these standards, exempt research from HIPAA
  • Distinction between information-only research and
    direct, interventional research
  • With informational research, certify institutions
    with protective policies and practices to
    facilitate use of large data sets for research
    without individual consent

18
Sensitive Information
  • Some patients regard particular categories of
    health information as especially sensitive, and
    would not want it shared with all providers as
    information is transferred across a RHIO or an
    NHIN
  • Examples: genetic information, social history,
    reproductive history (e.g. abortion), substance
    abuse, mental health history
  • Providers are concerned that incomplete records
    may lead to inadequate clinical care and do not
    want to make medical judgments without seeing the
    full interoperable record (but what do they see
    now, with siloed records?)
  • Privacy/confidentiality advocates are concerned
    that if interoperable design fails to implement
    protections, patients will opt out of RHIO/NHIN
    (if given that choice), or will protect
    confidentiality by not accessing the health care
    system

19
NCVHS Proposal
  • EHR design should build in the capacity to
    segregate pre-designated categories of sensitive
    health information, which could be masked on
    transfer at patient request
  • Flag to indicate that masking has occurred
  • "Break the glass" feature for emergencies
  • Drug interaction alerts maintained
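As an added example (not from the presentation or from NCVHS), a toy Python model of this design: sensitive categories are withheld on transfer at patient request, the transfer carries a flag saying which categories were masked, an emergency "break the glass" release requires a recorded reason and is logged, and drug interaction alerts are computed on the full record before masking so a hidden category cannot suppress them. Category names, the interaction table and the record contents are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Pre-designated sensitive categories a patient may ask to mask on transfer
# (names constructed for this example).
SENSITIVE_CATEGORIES = {"mental_health", "substance_abuse", "reproductive", "genetic"}

# Constructed interaction table; the pair and reason are illustrative only.
INTERACTIONS = {frozenset({"sertraline", "tramadol"}): "serotonin syndrome risk"}

Entries = Dict[str, List[dict]]  # category -> entries; an entry may carry "medication"

@dataclass
class Record:
    patient_id: str
    entries: Entries

@dataclass
class Transfer:
    entries: Entries                 # what the receiving provider actually gets
    masked_categories: Set[str]      # the flag: which categories were withheld
    interaction_alerts: List[str]    # computed over the FULL record, before masking
    break_glass: bool
    audit: List[str] = field(default_factory=list)

def interaction_alerts(entries: Entries) -> List[str]:
    """Check every medication in the full record, including masked categories."""
    meds = {e["medication"] for cat in entries.values() for e in cat if "medication" in e}
    return [f"{a}+{b}: {why}" for pair, why in INTERACTIONS.items()
            for a, b in [sorted(pair)] if pair <= meds]

def prepare_transfer(record: Record, mask_request: Set[str],
                     emergency: bool = False, reason: str = "") -> Transfer:
    """Build the outbound copy of a record for transfer to another provider."""
    unknown = set(mask_request) - SENSITIVE_CATEGORIES
    if unknown:
        raise ValueError(f"not a pre-designated sensitive category: {sorted(unknown)}")
    alerts = interaction_alerts(record.entries)  # masking must not hide an interaction
    if emergency:
        # Break the glass: the full record is released, but only with a recorded reason.
        if not reason:
            raise ValueError("break-the-glass release requires a documented reason")
        audit = [f"BREAK_GLASS patient={record.patient_id} reason={reason!r}"]
        return Transfer(dict(record.entries), set(), alerts, True, audit)
    shared = {c: v for c, v in record.entries.items() if c not in mask_request}
    audit = [f"TRANSFER patient={record.patient_id} masked={sorted(mask_request)}"]
    return Transfer(shared, set(mask_request), alerts, False, audit)
```

Note that the alert text necessarily names the interacting drug even when the category holding it is masked; that is the trade-off the "alerts maintained" requirement accepts.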

20
MAeHC: Opt in/out, preset categories
  • Opt-in not opt-out
  • Preset categories of information: medication
    list, problem list, diagnoses, immunization,
    allergies, smoking status, vital signs,
    procedures, lab results, radiology results
  • Not text notes, consult letters, scanned reports
  • An approximately 90% opt-in rate among
    patients, but 10% of patients chose not to
    participate, many citing privacy concerns
  • (Source: Tripathi et al., Health Affairs 2009)

21
Conclusions
  • The use of interoperable electronic health
    records in primary care will continue to grow
  • Patient confidentiality concerns are significant
    and inadequately protected with HIPAA
  • If patients are to trust providers' use of EHRs,
    it will be important to avoid surprises about
    their health information

22
  • Areas of particular concern:
  • Entities outside of HIPAA and data transfers to
    them (even at patient request)
  • Deidentification and data mining
  • Syndromic surveillance and disease reporting
  • Research: biobanking and personalized medicine
  • Protection of categories of sensitive
    information, even as records are transmitted
    among providers