Privacy front and center for health IT

Since the 2004 call for widespread adoption of electronic health records (EHRs) by 2014, one of the primary barriers to implementing health information technology solutions, and to achieving interoperability among existing health data sources, has been concern over establishing and maintaining the privacy of the information contained in medical records (electronic or otherwise). While there is no shortage of opinions, recommended privacy practices, and regulatory requirements, to date no single set of privacy requirements has been established. In December, then-Secretary of Health and Human Services Michael Leavitt announced the Nationwide Privacy and Security Framework for the electronic exchange of individually identifiable health information. The framework is structured around a set of eight core privacy principles that are similar to and consistent with the Fair Information Principles first promulgated by the U.S. Department of Health, Education, and Welfare in 1973, and with the OECD “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” one or both of which serve as the foundation for most major governmental privacy policies in both the U.S. and the European Community. The release of the new privacy and security framework is intended in part to facilitate adoption of existing and emerging standards governing the exchange of health information among public and private sector entities.

A greater catalyst in this arena looks to be the pending economic stimulus plan proposed by the Obama administration. The version of the bill already passed by the House of Representatives includes an objective to computerize all health records within five years, along with billions of dollars in new funding in the form of increased spending on health IT infrastructure and direct incentives for healthcare providers to adopt new technologies and participate in electronic health information exchanges. This past week the Senate Judiciary Committee held a hearing on “Health IT: Protecting Americans’ Privacy in the Digital Age,” which once again brought privacy concerns to the fore. One likely result of this attention is the modification of the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA). More significantly, it appears likely that the definition of “covered entities” under HIPAA will be expanded to include health IT intermediaries such as network infrastructure providers, which have no direct role in the provision of health care but nonetheless have at least temporary custody of and access to data as it passes between health information exchange participants. It will be interesting to see how this plays out over time, but one notable aspect of the Judiciary Committee hearing was the similarity of the concerns and priorities expressed by each of the individuals testifying, despite the very different entities they represented (collectively, the software industry, consumer and privacy advocates, state-level information exchanges, and conservative think tanks).