Monday, August 2, 2010

Stepping stones for Privacy Consent

Over the last few weeks HHS/ONC have produced lots of reading material. I have not had any trouble falling asleep lately, but it sure is getting hard to get through all of this reading material. The executive summary is that there appears to be a reasonable and comprehensive approach to Security, but Privacy is left behind.

That is to say that HHS/ONC have caught on to the need to use Security Risk Assessment as the prime 'framework' for Security. With the blog post EHR Security: A Top Priority by Dr. Deborah Lafky of HHS, it is clear that low-hanging fruit needs to be identified and picked. This is the lesson that I had hoped they would learn. I have seen many organizations learn this lesson, and indeed have seen many organizations have to learn this lesson multiple times. And so it is with HHS, who learned this lesson back at the original HIPAA Security rule and again now with the current set of specifications including the update to HIPAA.

They also recognized that the Standards and EHR products need to have reasonable security 'capabilities', but that using these capabilities is a policy choice the provider should be free to make, based on their Risk Assessment. I drill down further on the Meaningful Use Standards in: Meaningful Use Security Capabilities Lacking, Privacy Capabilities NON-existent.

The bad news is that they seem to have backed off on Privacy Controls, again. I do understand why they do this, but I don't agree with their approach. It seems to me that they feel that if they can't do Privacy right, then it shouldn't be done at all. I think this is an approach that will lead to continued non-action. Unlike Security, which has the Risk Assessment approach to come to the rescue, Privacy is harder. But trying to slice Privacy up into digestible portions is a delicate thing.

What should be done?

HHS/ONC should have focused Privacy within the HIE. I understand how difficult Privacy is to deal with inside the existing healthcare provider organization. There are already policies and procedures, and sometimes technology, in place to deal with the HIPAA Privacy requirements. This environment is going to be hard to change, though eventually it must. But it is the green-fields of HIE that need to be designed from the beginning with Privacy.

From what I read, an Accounting of Disclosures is clearly needed for every communication of PHI in a HIE; so why not require that an EHR interacting with an HIE must record this? There are standards for this; ATNA can inform an Accounting of Disclosures. There is ongoing work to make this better and better (see the new IHE XUA++ supplement soon to be published for Trial Implementation), but the basics are in place. Accountability using ATNA Audit Controls is critical to success.


From what I read in the HHS white paper on Consumer Consent Options, there are some basics of consent policies. Indeed, going with the stepping-stones idea, why not require the standards and EHR to support blanket opt-in or blanket opt-out regarding participation in an HIE? This policy would not need to be related to any existing Provider Organizational policy; it would be restricted to the interactions with HIE.

When I say blanket opt-in or blanket opt-out, I really mean without exceptions. I really mean without break-glass. I am too afraid to declare about Government access, such as quality reporting. Seems to me these can already be handled by access to the Provider Organization. I have been saying this for almost a full year on this blog: Opt-In, Opt-Out.... Don't publish THAT! The HIE would still need to choose if they want a default opt-in or a default opt-out; meaning an implicit consent vs explicit consent environment. Then there is the question of whether opt-out means that documents are not submitted to the HIE, a very difficult topic.
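
As an added illustration (not code from this blog, HHS, or IHE), the sketch below models the stepping stone described above: one blanket opt-in/opt-out choice per patient, an HIE-wide default for patients who have not chosen, no break-glass override, and an audit trail of every request from which an accounting of disclosures is derived. The class, field names and record layout are assumptions made for the example and are not the ATNA audit message schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Choice(Enum):
    OPT_IN = "opt-in"
    OPT_OUT = "opt-out"


@dataclass
class HIEConsentGate:
    """Hypothetical HIE gate: blanket consent, no exceptions, everything audited."""
    default: Choice                                # HIE default for patients with no recorded choice
    choices: dict = field(default_factory=dict)    # patient_id -> Choice
    audit: list = field(default_factory=list)      # simplified records, not the ATNA schema

    def record_choice(self, patient_id: str, choice: Choice) -> None:
        self.choices[patient_id] = choice

    def request(self, patient_id: str, requester: str, doc_id: str,
                break_glass: bool = False) -> bool:
        effective = self.choices.get(patient_id, self.default)
        # Blanket means blanket: break_glass is logged but never changes the decision.
        permitted = effective is Choice.OPT_IN
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "patient": patient_id, "requester": requester, "document": doc_id,
            "policy": effective.value, "explicit": patient_id in self.choices,
            "break_glass_requested": break_glass,
            "outcome": "permit" if permitted else "deny",
        })
        return permitted

    def accounting_of_disclosures(self, patient_id: str) -> list:
        """Disclosures actually made for one patient, derived from the audit trail."""
        return [e for e in self.audit
                if e["patient"] == patient_id and e["outcome"] == "permit"]


if __name__ == "__main__":
    # Constructed sample: an explicit-consent HIE (default opt-out).
    gate = HIEConsentGate(default=Choice.OPT_OUT)
    gate.record_choice("patient-A", Choice.OPT_IN)
    print(gate.request("patient-A", "clinic-1", "doc-17"))                 # explicit opt-in
    print(gate.request("patient-B", "clinic-1", "doc-22"))                 # default applies
    print(gate.request("patient-B", "er-2", "doc-22", break_glass=True))   # no override
    print(len(gate.accounting_of_disclosures("patient-A")), len(gate.audit))
```

Denied requests stay in the audit trail but never appear in the accounting, which lists only disclosures that actually happened.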

This choice of exactly 2 policies, opt-in vs opt-out, is not that friendly to those patients that want more control, but let's at least deal with those that are willing to choose YES vs NO. Today we have nothing but chaos, and chaos favors the status quo. An interesting study on the economics of privacy showed:
“When you have privacy, you value it more,” said Mr. Acquisti. “But when the starting point is that we feel we don’t have privacy, we value privacy far less.”
It is somewhat unsettling that I am agreeing with Deborah Peel. Awareness of Privacy is not enough, action is necessary. I simply want to push for some achievable stepping stones that clearly head in the right direction.
I am excited that the HIT- Security and Privacy Tiger Team has also recommended this, and More

An excellent blog article on this topic is Health IT policy intensifies focus on consent. This article very nicely picks apart the actions going on in DC.

Reference my blog articles: The meaning of Opt-Out; Opt-In, Opt-Out.... Don't publish THAT!; Consent standards are not just for consent; Consumer Preferences and the Consumer; and RHIO: 100,000 Give Consent.