Addressing privacy is a top priority for health IT, but should it trump improving care?

The HHS Office of the National Coordinator (ONC) seems to be putting privacy protections (along with security) high on its list of priorities as it works to make widespread adoption of health information technology a reality. In a publicly released draft of ONC’s updated “Health IT Strategic Framework” privacy and security is one of four major “themes” (the others are meaningful use of health IT, policy and technical infrastructure, and learning health system) characterizing ONC’s federal strategy for health IT. ONC puts particularly emphasis on adhering to the privacy principles enumerated in the “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information,” which it released in December 2008 with the endorsement of then-HHS Secretary Michael Leavitt. In general, this Framework brought forward and augmented the Fair Information Practices contained in a 1973 report from the Department of Health, Education, and Welfare that formed the basis of the Privacy Act of 1974 and the OECD Privacy Principles. The 2008 Framework has eight core principles, which are essentially the same as what OECD specifies, with the addition of principles of individual access and correction.

From a personal privacy standpoint, it’s hard not to see the implied priority from ONC as a positive development, but given the ambitious goals for health information exchange the government has had since 2004 and re-emphasized in the HITECH Act, some serious balancing among priorities is likely to be needed. The Strategic Planning workgroup of the Health IT Policy Committee has taken up this debate with specific attention to realizing the goal of using health IT to “transform the current health care delivery system into a high performance learning system” in which greater access to information may improve the delivery and quality of health care. While protecting individual rights like patient privacy and honoring consumer preferences is seen as a prerequisite for gaining acceptance of electronic medical records and data sharing through health information exchange, the workgroup seems to understand that some benefits of greater information sharing may be too compelling to be prevented in the name of guaranteeing privacy. As workgroup member Don Detmer said at the group’s March meeting, “We should not force privacy to be more important than health.”

Another point of reference on the relative importance of privacy is the absence of any specific measures, criteria, or standards for privacy in the rules on meaningful use. The healthcare providers, professionals, and organizations eligible to seek the incentive funding to which the meaningful use determination applies are all HIPAA-covered entities, so there is an assumption that these entities’ obligations under the HIPAA Privacy Rule serve to make a separate meaningful use privacy requirement redundant. The language used in the Federal Register publication of the meaningful use Notice of Proposed Rulemaking included a recommendation that providers follow the principles in the Nationwide Privacy and Security Framework, but that direction is advisory, rather than binding. The American Hospital Association, in detailed comments on the proposed rules, objected to references to the Nationwide Privacy and Security Framework principles, primarily because in some instances they exceed what is required of healthcare providers under HIPAA. For others such as the Coalition for Patient Privacy, the lack of explicit privacy requirements for meaningful use is more problematic, particularly the lack of criteria to ensure that individuals (patients) can control the use or disclosure of the information in their electronic health records. The comment period on the meaningful use rules and criteria ended last Monday, so we should know in the next several weeks if any changes are planned with respect to privacy requirements, but the strong emphasis so far on encouraging electronic medical record adoption and enabling exchange of information suggests that to the extent meaningful use incentives are seen as a facilitator of health IT, adding privacy requirements that might constrain the progress sought by ONC seems fairly unlikely.