Note: This letter is from APsaA's legislative counsel, James C. Pyles.
November 19, 2008
Dear all,
I attended a panel discussion yesterday on Capitol Hill that was put on by the Healthcare Leadership Council (HLC) entitled "Protecting Electronic Healthcare Information: Implementing Sound Security and Privacy Practices". (Thanks to APsaA member Deborah Peel, M.D. for alerting me to the program.) There was a variety of speakers but the most interesting and significant were Dixie Baker, Chairman of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Advocacy Task Force and Bill Pewen, Health Legislative Assistant (LA), from the office of Senator Olympia J. Snowe (R-ME).
I was struck by the fact that the speakers and the handouts seemed to stress the importance of health information privacy and supported some of the points and positions we have taken with respect to HIT legislation. My impression is that the tide is turning in favor of greater privacy protections driven, I believe, by the many electronic privacy breaches that are reported each week and by the analyses we have provided.
For example, the first speaker, Dixie Baker, began by defining the right to health information privacy as a "fundamental right", that is "associated with control" over one's health information, and that it is essentially "the right to be let alone". She stated that "all of us have a right to privacy." She further stated that while it is important to have timely access to health care information, "patients should be able to decide" whether and how their health information is used.
Dr. Baker also stated that we all should have a right to "anonymous care"—that is, the right to pay privately and not have identifiable health information disclosed to anyone. She also said, however, that this information might have to be reported in anonymous form to an integrated delivery system. She further supported the idea of using health IT to account for all disclosures of health information but said that some latitude should be allowed so that existing HIT systems could have time to accommodate this requirement.
Finally, Dr. Baker stated that the definition of health care operations in the HIPAA Privacy Rule is "fuzzy" and has been abused. She said that abuse needs to be constrained.
Health LA Bill Pewen of Senator Snowe's office was next up, and he was the only speaker among the five who pointed out that:
(a) the privacy of 42 million electronic health records has been breached in the past 5 years;
(b) more than 2 million Americans fail to seek treatment for mental illness each year due to privacy concerns; and
(c) nearly 600,000 Americans fail to seek earlier diagnosis and treatment for cancer for the same reasons.
(This is information APsaA has brought to the Senator's attention.) He also mentioned that some have said that electronic health records are more secure than paper records, but that is simply not true. The juxtaposition of the fact of 42 million electronic health record breaches with the admission that health information privacy is a fundamental right would seem to reveal a constitutional crisis.
Information distributed at the session showed that the Healthcare Leadership Council has assembled a "Confidentiality Coalition" that has developed nine "Principles on Privacy". Interestingly, HLC's privacy principles do not reference the right to privacy or consent in constitutional law, privilege or professional ethics. By contrast, the ten privacy principles developed by APsaA are all grounded in federal and state constitutional and statutory law or ethical standards.
The mission statement of the HLC's Confidentiality Coalition (HLC-CC) states that it is "to advocate policies and practices that safeguard the privacy of patients and health care consumers while, at the same time, enabling the essential flow of information that is critical to the timely and effective delivery of health care, improvements in quality and safety, and the development of new lifesaving and life-enhancing medical interventions." In other words, privacy is essential unless it is inconvenient.
The Principles on Privacy of the HLC-CC include the following:
1. Confidentiality of patient medical information is of the utmost importance in the delivery of medical care. We must maintain the trust of the American patient as we strive to improve health care quality.
2. Patients' private medical information should have the strictest protection from others outside the medical delivery system and should be supplied only to those necessary for the provision of safe and high quality care.
The principles go on to endorse the "framework" established by the HIPAA Privacy Rule and rely on "implied consent" for the disclosure of treatment, payment and health care operations. Apparently, this picks up on the position of the American Medical Association (AMA) that consent for disclosures for a temporary protective order (TPO) is implied when a patient is made aware of the disclosures that a covered entity can make under the HIPAA Privacy Rule and does not object. Of course, this permits a patient to demand a right of consent which would destroy the "implication" of consent.
This was an interesting session and indicates that the privacy arguments and analyses we have been developing are having an effect.
Jim Pyles
James C. Pyles, Principal
POWERS PYLES SUTTER & VERVILLE PC
1501 M Street NW, Seventh Floor | Washington, DC 20005-1700
tel 202.466.6550 | fax 202.785.1756
jim.pyles@ppsv.com | www.ppsv.com