PATIENT PRIVACY RIGHTS URGES THE HIT POLICY COMMITTEE: REQUIRE PRIVACY VENDORS WILL BUILD IT, DOCTORS WILL BUY IT, AND MOST IMPORTANTLY, PATIENTS WILL TRUST IT

Washington, D.C. — Patient Privacy Rights’ Founder & Chair, Deborah Peel, MD, testifies before the Health Information Technology (HIT) Policy Committee today to urge the Committee to ensure privacy and patient engagement with HIT. Ensuring privacy, control of personal information, is the only way to build trusted electronic health systems and the only way to reap the incredible benefits technology can bring to health.

“Americans care deeply about privacy and controlling their personal information. Put simply, we want the power to decide who can see our own private, personal medical records and what can be done with them,” Deborah Peel, MD.

Dr. Peel highlights key findings from a final report just released from the Agency for Healthcare Research and Quality that describes the results of twenty focus groups held across the country. The focus groups explored consumers’ awareness, beliefs and fears concerning HIT and how consumers wish to be engaged with HIT . Of key significance:

* A majority want to “own” their health data, and to decide what goes into and who has access to their medical records (AHRQ p. 6).
* There was near universal agreement that if medical data are stored electronically, consumers should have some say in how those data are shared and used. (AHRQ p.29)
* A majority believe their medical data is “no one else’s business” and should not be shared without their permission. This belief was expressed not necessarily because they want to prevent some specific use but as a matter of principle. (AHRQ p. 18)
* Participants overwhelmingly want to be able to communicate directly with their providers with respect to how their PHI is handled, including with whom it may be shared and for what purposes. Most believe they should automatically be granted the right to correct misinformation (AHRQ p.33)
* There was no support for the establishment of general rules that apply to all consumers. Participants thought they should be able to exert control over their own health information individually, rather than collectively. (AHRQ p. 29)

PPR asks the Committee to set a high bar for privacy that complies with existing law and medical ethics, meets the historic new privacy requirements in ARRA, and just as importantly, meets Americans’ expectations. The healthcare and health data mining industries will not willingly build and use privacy-enhancing electronic health records and systems unless you act to set a high bar.

The only legal and ethical way to get a complete and accurate picture of Americans’ health and health data is to ask for permission to use the data up front; to obtain informed consent for specific information in records that patients have checked for accuracy, and explain for what purpose, to whom and for how long the information will be used.

The only privacy policy to which everyone can agree is for each person to set their own policy.

“We are not talking about blanket consents, coerced consents or all-or-nothing policies,” says Peel. “Patients want, expect, and are very capable of expressing their preferences about how their personal information is used and who can use it. Patients are becoming more savvy, not less. Don’t underestimate the strong public will to control sensitive health information.”

Technology offers the solutions to ensure privacy and progress. Technology is not an impediment. In fact, technology can offer exquisite privacy empowering patients to segment their information and exercise the control they desire. “Require privacy–Patients will trust it. Require privacy–Vendors will build it. Require privacy–Physicians will buy it,” says Peel.

In addition, in order for the Committee to assure patient engagement, choice, and trust PPR recommends the following broad policies:

1. No protected health information should be “exchanged” without the informed consent of the patient.
2. The patient has a right to designate a place where their provider must send a copy of their electronic medical information shortly after each encounter at no charge;
3. All access to patient records via HIEs must be with the explicit permission of the patient, and must include the ability of the patient to selectively prevent the release of specific information to specific providers at specific times.

PPR recommends that the HIT Policy Committee engage privacy-innovative vendors and organizations that build, use, and develop privacy-enhancing products and HIT systems. Both open source and proprietary solutions being used today permit segmentation at a granular level, easy to read audit trails, easy to understand privacy “profiles” so consumers have models of how to set their own defaults or profiles, and other consent management solutions.

PPR also urges the Committee to address specifically all other privacy protections in the HIPAA and the ARRA to ensure that taxpayer dollars are not used to fund EHRs that do not comply with existing law. These important protections have real deadlines some past, and some that are as early as February 2010. To highlight the privacy requirements the HIT Policy Committee has not yet addressed:

* Patients must be able to keep their information from being shared with a health plan if they pay for the care privately (required by the ARRA). Patients must be able to keep their information from being disclosed without consent if their provider agrees (required by the HIPAA). This requires segmentation and a need to register a patient’s choice.
* Covered entities and business associates must first get a patient’s valid authorization before selling PHI. This requires that all disclosures of PHI are tracked via audit trails so that the presence of a valid authorization for data sale can be proven.
* For EHRs purchased in 2009 or later, entities must provide an audit trail to patients of all disclosures as early as 2011 and no later than 2013.

###

About Patient Privacy Rights:

Patient Privacy Rights is the nation’s leading health privacy watchdog. Our mission is to ensure the right to control your medical privacy to protect jobs and opportunities. Patient Privacy Rights has over 10,000 members in all 50 states. We lead the trans-partisan Coalition for Patient Privacy representing over 10 million Americans.

CONTACT:
Ashley Katz
akatz {at} patientprivacyrights(.)org
(512) 732-0033
(512) 590-2953