Monday, August 2, 2010

Stepping stones for Privacy Consent

Over the last few weeks HHS/ONC have produced lots of reading material. I have not had any trouble falling asleep lately, but it sure is getting hard to get through all of this reading material. The executive summary is that there appears to be a reasonable and comprehensive approach to Security, but Privacy is left behind.

That is to say that HHS/ONC have caught on to the need to use Security Risk Assessment as the prime 'framework' for Security. With the blog post EHR Security: A Top Priority by Dr. Deborah Lafky of HHS, it is clear that low-hanging fruit needs to be identified and picked. This is the lesson that I had hoped they would learn. I have seen many organizations learn this lesson, and indeed have seen many organizations have to learn this lesson multiple times. And so it is with HHS, who learned this lesson back with the original HIPAA Security rule and again now with the current set of specifications, including the update to HIPAA.

They also recognized that the Standards and EHR products need to have reasonable security 'capabilities', but that using these capabilities is a policy choice that the provider should be free to make, based on their Risk Assessment. I drill down further on the Meaningful Use Standards in: Meaningful Use Security Capabilities Lacking, Privacy Capabilities NON-existent.

The bad news is that they seem to have backed off on Privacy Controls, again. I do understand why they do this, but I don't agree with their approach. It seems to me that they feel that if they can't do Privacy right, then it shouldn't be done at all. I think this is an approach that will lead to continued non-action. Unlike Security, which has the Risk Assessment approach to come to the rescue, Privacy is harder. But trying to slice Privacy up into digestible portions is a delicate thing.

What should be done?

HHS/ONC should have focused Privacy within the HIE. I understand how difficult Privacy is to deal with inside the existing healthcare provider organization. There are already policies and procedures, and sometimes technology, in place to deal with the HIPAA Privacy requirements. This environment is going to be hard to change, though eventually it must. But it is the green fields of HIE that need to be designed from the beginning with Privacy.

From what I read, an Accounting of Disclosures is clearly needed for every communication of PHI in an HIE; so why not require that an EHR interacting with an HIE must record this? There are standards for this: ATNA can inform an Accounting of Disclosures. There is ongoing work to make this better and better (see the new IHE XUA++ supplement, soon to be published for Trial Implementation), but the basics are in place. Accountability using ATNA Audit Controls is critical to success.

From what I read in the HHS white paper on Consumer Consent Options, there are some basics of consent policies. Indeed, going with the stepping-stones idea, why not require the standards and EHR to support blanket opt-in or blanket opt-out regarding participation in an HIE? This policy would not need to be related to any existing Provider Organizational policy; it would be restricted to the interactions with the HIE.

When I say blanket opt-in or blanket opt-out, I really mean without exceptions. I really mean without break-glass. I am too afraid to declare about Government access, such as quality reporting; it seems to me these can already be handled by access to the Provider Organization. I have been saying this for almost a full year on this blog: Opt-In, Opt-Out.... Don't publish THAT! The HIE would still need to choose whether they want a default opt-in or a default opt-out, meaning an implicit consent vs explicit consent environment. Then there is the question of whether opt-out means that documents are not submitted to the HIE, a very difficult topic.
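To make the two-policy proposal concrete, here is an added example (my illustration, not code from this post or from any IHE/ATNA implementation) of an HIE consent gate that supports exactly blanket opt-in or blanket opt-out, has no break-glass or purpose-based exception, and records every request in a simplified accounting-of-disclosures ledger. The class names and the record shape are assumptions for illustration, not the ATNA audit message format.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class HiePolicy(Enum):
    # Implicit consent environment: data flows unless the patient explicitly opted out.
    DEFAULT_OPT_IN = "default-opt-in"
    # Explicit consent environment: nothing flows unless the patient explicitly opted in.
    DEFAULT_OPT_OUT = "default-opt-out"


@dataclass
class DisclosureRecord:
    """Simplified Accounting of Disclosures entry (constructed shape, not the ATNA/RFC 3881 schema)."""
    when: str
    patient_id: str
    requester: str
    purpose: str
    permitted: bool
    reason: str


@dataclass
class HieConsentGate:
    policy: HiePolicy
    # patient_id -> explicit choice (True = opted in, False = opted out); absent = no choice recorded
    choices: dict = field(default_factory=dict)
    ledger: list = field(default_factory=list)

    def record_choice(self, patient_id: str, opt_in: bool) -> None:
        self.choices[patient_id] = opt_in

    def decide(self, patient_id: str, requester: str, purpose: str) -> bool:
        explicit = self.choices.get(patient_id)
        if explicit is None:
            permitted = self.policy is HiePolicy.DEFAULT_OPT_IN
            reason = f"no recorded choice; {self.policy.value} applies"
        else:
            permitted = explicit
            reason = "patient explicitly opted " + ("in" if explicit else "out")
        # Blanket policy: 'purpose' (treatment, emergency, ...) is logged but never overrides the choice.
        self.ledger.append(DisclosureRecord(
            when=datetime.now(timezone.utc).isoformat(), patient_id=patient_id,
            requester=requester, purpose=purpose, permitted=permitted, reason=reason))
        return permitted

    def disclosures_for(self, patient_id: str) -> list:
        """Accounting of Disclosures: every HIE request about this patient, permitted or denied."""
        return [r for r in self.ledger if r.patient_id == patient_id]
```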

This choice of exactly 2 policies, opt-in vs opt-out, is not that friendly to those patients that want more control, but let's at least deal with those that are willing to choose YES vs NO. Today we have nothing but chaos, and chaos favors the status quo. An interesting study on the economics of privacy showed:
"When you have privacy, you value it more," said Mr. Acquisti. "But when the starting point is that we feel we don't have privacy, we value privacy far less." More
It is somewhat unsettling that I am agreeing with Deborah Peel. Awareness of Privacy is not enough; action is necessary. I simply want to push for some achievable stepping stones that clearly head in the right direction.
I am excited that the HIT Security and Privacy Tiger Team has also recommended this. More

An excellent blog article on this topic, Health IT policy intensifies focus on consent, very nicely picks apart the actions going on in DC.

Reference my blog articles: The meaning of Opt-Out; Opt-In, Opt-Out.... Don't publish THAT!; Consent standards are not just for consent; Consumer Preferences and the Consumer; and RHIO: 100,000 Give Consent.

1 comment:

  1. Having architected and run an Opt-In consent, distributed federated HIE over the past several years, I have lived through these issues and more. I have found that while 5% of patients get their peace of mind from knowing that they have absolute control over who sees which piece of their clinical data, 95% of patients get peace of mind from knowing that all of their data are available when they show up for care in the ER or at their self-referred specialist's visit or at their new PCP's visit. Thus I think HIEs need to provide 3 levels of transport: First is for order/result transactions that patients can't opt out of and are covered in the Notice of Privacy. The second is for the 95% of patients that want to Opt-in once, pick and choose which organizations they definitely don't want connected (e.g. where they work or where they had a psych admission), but after that (unless revoked) the data just keeps flowing to every other place they go, regardless of whether it has Mental Health or HIV information. Then, for the 5% that want more specific control, they don't Opt-In for that second transport mechanism, but instead use a more specific one-time consent mechanism. Using this 3-tier "consent/transport" architecture, everyone gets what they want and need.