Security and privacy rules and regulations insufficient to engender public trust in HIEs

A lawsuit filed last month by the Rhode Island chapter of the American Civil Liberties Union (ACLU) against the state Department of Health charges that the rules the state issued regarding its planned health information exchange (HIE) provide insufficient patient privacy protection and, in particular, fall short of requirements contained in a state law, the Rhode Island Health Information Exchange Act of 2008, and also violate the provisions of the state’s Administrative Procedures Act because they fail to fully address the implementation and enforcement of the provisions in the HIE Act. This is a relatively unusual instance where it is not the privacy provisions in the law itself that are being challenged, but instead the rule-making process on which the implementation of those provisions depends. In the complaint, the Rhode Island ACLU argues that the Department of Health’s rulemaking process was flawed, specifically insofar as questions and concerns raised in detailed comments submitted to the DOH by the RI-ACLU’s executive director were not addressed. Apparently the RI-ACLU also believes that the decision by the Department of Health to issue policies — not rules or regulations — to address some of the HIE Act’s provisions is insufficient to meet the DOH’s obligations under the Administrative Procedures Act.

The provisions of the HIE Act that the RI-ACLU deems insufficiently covered in the rules the DOH issued relate specifically to “adoption of regulations on certain specific issues to further promote the confidentiality, security, due process and informed consent due the affected patients.” The RI-ACLU has criticized the state DOH for suggesting that general policy statements are enough to satisfy the law’s requirements, and for excusing the lack of more specific regulations by citing the difficulty it has encountered in working to resolve privacy, security, and consent issues associated with health information exchange. Stressing the importance of patient health data privacy and confidentiality protections in order to garner public support for the state’s HIE initiative, the RI-ACLU echoes a frequent refrain among policy makers that public trust is essential for the success of health IT initiatives such as electronic health records and HIEs, and that strong security, privacy, and consent provisions are the best way to engender that trust. Writing specifically about the Rhode Island lawsuit, HealthcareInfoSecurity’s Howard Anderson noted: “To succeed, any HIE in any state needs to build public trust that the information it exchanges will remain private. And if states or HIEs fail to spell out detailed privacy rules and regulations, it will be difficult to develop that trust.” While it’s hard to argue with that logic, it is vitally important for states to realize that no matter how strong the legal requirements they enact to protect patient privacy, security and privacy regulations and controls alone are an insufficient basis for individuals to establish the trustworthiness of EHRs, HIEs, the entities that provide these services, or the people who use them to get access to personal health information.
While states focus on transparency, they should ensure that consumers are provided complete and accurate information about the parties to whom they are asked to entrust their information, including details about their intended uses of health information, their business or mission interests, and their current and past behavior with respect to protecting data under their control.