January 7, 2008
PHRs: Striking a Balance Between Privacy and Purpose
By Elizabeth S. Roop
For The Record
Vol. 20 No. 1 P. 12
While Microsoft’s HealthVault is earning praise for features that favor the consumer, privacy advocates remain concerned with how other platforms treat patient information.
When Microsoft set out to develop HealthVault, it had two objectives: to provide consumers with a secure repository for all their information from every corner of the healthcare delivery system and to put mechanisms in place to allow them to control not only who could access that information but also for how long and to what extent.
“It’s a very short leap to realize that, particularly in terms of health information, people are very conscious about where that information is going and who is using it for what purposes,” says George Scriban, product manager of consumer health platform for Microsoft Health Solutions Group. “So the first promise we had to make to our customers is that we, Microsoft, would not in turn take this data and use it for commercial purposes, consistent with the idea that you are in control of your data and we’re just custodians or stewards of it. You are trusting us with your data, and we will do right by you. We are not going to data mine it for marketing purposes or sell a list of names to a pharmaceutical [firm] or any provider.”
But they didn’t stop there. Because the true value of any personal health record (PHR) comes from the ability of consumers to share that information with providers and other healthcare entities, as well as manipulate and manage it to guide personal care decisions, Microsoft extended its privacy policies to govern access by any third party with whom the patient chooses to share that data.
If an organization wants to offer an application to HealthVault users, it must first sign a partnership agreement with Microsoft to secure a unique key or signature. It must also clearly and explicitly state what data types within HealthVault it needs to access and the level of access required. This information must also be made clear to the user, who can then accept or deny access at the point of authentication.
“Our partners are not allowed to transfer our users’ data onwards without explicit permission,” says Scriban. “That consent has to be granted explicitly up front. It has to be stood off from the rest of their terms of service. It can’t be buried. As a general rule of thumb, what we require of our application partners is that they be as rigorous of our users’ privacy as we are.
“Those are the kinds of decisions we made about protecting user privacy and, most importantly, putting [users] in control and giving them the information transparency to make educated decisions about where their health data is going and how it is being used,” he adds.
As for HealthVault users who want to grant other individuals or providers with access to their data, Microsoft offers three levels: view, view/modify, and custodian. Users are also allowed to be granular with exactly what information each individual can access and for how long, and great pains are taken to ensure HealthVault customers understand what they are granting at each level.
“Transparency is a core principle. Control without the information is meaningless, so we strive for transparency in every regard to the extent that our privacy statements and help are very clear about the kinds of controls that we afford to our users in terms of protecting their privacy with HealthVault,” says Scriban.
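The sharing model the article attributes to HealthVault (partner applications that declare the data types and access level they need, a user consent step that grants no more than was declared, per-grantee and time-limited grants at view, view/modify or custodian level) can be written down as a small access-control model. The following is an added illustration, not Microsoft's code: the partner-key check, the data-type names, the audit tuple shape and the constructed scenario are all assumptions modelled on the article's description.

```python
"""Consent-scoped sharing model in the style the article describes.
Added illustration, not Microsoft's code: partner keys, data-type names,
grant levels and the audit tuple shape are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple
import hmac


class Level(IntEnum):
    """The three sharing levels named in the article; higher includes lower."""
    VIEW = 1
    VIEW_MODIFY = 2
    CUSTODIAN = 3  # may also manage who else is granted access


@dataclass(frozen=True)
class AppRegistration:
    """What a partner application declared when it signed up (assumed shape)."""
    app_id: str
    partner_key: str            # the unique key issued under the agreement
    data_types: FrozenSet[str]  # the data types it says it needs
    level: Level                # the access level it says it needs


@dataclass
class Grant:
    data_types: Set[str]
    level: Level
    expires: Optional[datetime]  # None means until revoked


@dataclass
class Record:
    owner: str
    data: Dict[str, str] = field(default_factory=dict)
    grants: Dict[str, Grant] = field(default_factory=dict)
    # (when, who, action, data_type, allowed): every attempt is logged, denied or not
    audit: List[Tuple[datetime, str, str, str, bool]] = field(default_factory=list)


class Vault:
    def __init__(self) -> None:
        self.registered: Dict[str, AppRegistration] = {}

    def register_app(self, reg: AppRegistration) -> None:
        self.registered[reg.app_id] = reg

    def consent(self, rec: Record, app_id: str, presented_key: str, accept: bool,
                now: datetime, duration: Optional[timedelta] = None) -> bool:
        """Consent step: the user sees exactly the declared scope and accepts or
        denies.  A grant is built from the declaration, so it can never exceed it."""
        reg = self.registered.get(app_id)
        if reg is None or not hmac.compare_digest(reg.partner_key, presented_key) or not accept:
            rec.audit.append((now, app_id, "consent", "*", False))
            return False
        rec.grants[app_id] = Grant(set(reg.data_types), reg.level,
                                   now + duration if duration else None)
        rec.audit.append((now, app_id, "consent", ",".join(sorted(reg.data_types)), True))
        return True

    def grant_person(self, rec: Record, actor: str, grantee: str, data_types: Iterable[str],
                     level: Level, now: datetime, duration: Optional[timedelta] = None) -> bool:
        """The owner, or someone holding a custodian grant, shares with a person."""
        if actor != rec.owner and not self._allowed(rec, actor, None, Level.CUSTODIAN, now):
            rec.audit.append((now, actor, "grant", grantee, False))
            return False
        rec.grants[grantee] = Grant(set(data_types), level, now + duration if duration else None)
        rec.audit.append((now, actor, "grant", grantee, True))
        return True

    def _allowed(self, rec: Record, actor: str, data_type: Optional[str],
                 need: Level, now: datetime) -> bool:
        if actor == rec.owner:
            return True
        g = rec.grants.get(actor)
        if g is None or (g.expires is not None and now >= g.expires):
            return False  # no grant, or the grant has lapsed
        if data_type is not None and data_type not in g.data_types:
            return False  # outside the granular scope the user chose
        return g.level >= need

    def read(self, rec: Record, actor: str, data_type: str, now: datetime) -> Optional[str]:
        ok = self._allowed(rec, actor, data_type, Level.VIEW, now)
        rec.audit.append((now, actor, "read", data_type, ok))
        return rec.data.get(data_type) if ok else None

    def write(self, rec: Record, actor: str, data_type: str, value: str, now: datetime) -> bool:
        ok = self._allowed(rec, actor, data_type, Level.VIEW_MODIFY, now)
        rec.audit.append((now, actor, "write", data_type, ok))
        if ok:
            rec.data[data_type] = value
        return ok


def scenario() -> Dict[str, object]:
    """Walk the model through a constructed case; returns each outcome by name."""
    v = Vault()
    v.register_app(AppRegistration("meds-tracker", "key-abc", frozenset({"medications"}), Level.VIEW))
    rec = Record(owner="alice", data={"medications": "metformin 500mg", "allergies": "penicillin"})
    t0 = datetime(2008, 1, 7, 9, 0)
    out: Dict[str, object] = {}
    out["bad_key"] = v.consent(rec, "meds-tracker", "key-xyz", True, t0)
    out["consented"] = v.consent(rec, "meds-tracker", "key-abc", True, t0, timedelta(days=30))
    out["app_reads_meds"] = v.read(rec, "meds-tracker", "medications", t0)
    out["app_reads_allergies"] = v.read(rec, "meds-tracker", "allergies", t0)      # not declared
    out["app_writes_meds"] = v.write(rec, "meds-tracker", "medications", "x", t0)   # view only
    out["app_reads_after_expiry"] = v.read(rec, "meds-tracker", "medications", t0 + timedelta(days=31))
    out["owner_grants_doctor"] = v.grant_person(rec, "alice", "dr-bob", {"allergies"}, Level.VIEW_MODIFY, t0)
    out["doctor_writes_allergies"] = v.write(rec, "dr-bob", "allergies", "penicillin, sulfa", t0)
    out["doctor_grants_clinic"] = v.grant_person(rec, "dr-bob", "clinic", {"allergies"}, Level.VIEW, t0)
    out["denied_attempts_logged"] = sum(1 for e in rec.audit if not e[4])
    return out
```

The point of building the grant from the registration rather than from the request is that the consent screen and the enforced scope are the same object: whatever the user was shown is exactly what the application can touch, and every attempt, allowed or denied, lands in the record's audit trail.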
Rare Praise
Microsoft’s approach to privacy is one that Deborah C. Peel, MD, founder of Patient Privacy Rights and head of the Coalition for Patient Privacy, wishes other PHR providers would take. She points out that Microsoft took time to reach out to organizations such as hers.
“They’ve set the absolute highest privacy bar in the industry,” says Peel. “They have laid out what privacy controls patients will have and the principles they will adhere to.”
Praise for privacy policies is not something Peel frequently bestows. One of the most visible—and vocal—advocates for total patient control over use of their health data, Peel says that with few exceptions, “There is no one who is doing the right thing.”
What Peel appreciates most about Microsoft’s HealthVault privacy policies is that they are based on the premise of the consumer owning the data within their record and controlling who can and cannot access the information in the record. It is also the company’s willingness to protect this premise with a privacy policy that is not only clearly understood but also extends to any vendor or organization that desires to work with HealthVault users or develop HealthVault-compatible applications.
Too many PHR vendors and sponsors are in the business of selling patient data, she says, noting that “almost all of the vendors offering this technology put in the contract that they use to sell the product that they can data mine and sell the data.”
Several initiatives are currently underway by privacy organizations to help enhance consumer protection against data mining and other misuse of personal information. Most recently, the Coalition for Patient Privacy urged Congress to restore basic privacy protections by creating a foundation for HIT based on privacy principles and protections developed by the bipartisan organization (see sidebar).
Patient Privacy Rights is also in the process of developing a “trusted brand” to certify providers who meet certain security and privacy policy criteria. The goal is to have certifications in place later this year.
Now It Gets Murky
When it comes to ownership and control of information within the PHR, there is actually little disagreement. Most share Peel’s opinion that, when it comes to PHRs, patients should have absolute and total control.
“If [individuals have] their own PHR, they should control it entirely. They should be able to determine which medical professionals can use the information, decide whether their health plan has access to the information for care management purposes, and so on,” says David St. Clair, CEO of MEDecisions, which provides payers with collaborative care management software, including a payer-based electronic health record called Patient Clinical Summary.
Where the issue of ownership and control becomes murky is when those records originated elsewhere. Peel and other privacy advocates say it is clear-cut. “We should be able to control all our own data. Our personal information is an incredibly valuable asset. How can anyone make an argument that my valuable data should belong to someone other than me?” she asks.
For others, the line is blurrier. “If the PHR includes information that has been copied from or supplied by other entities, then those entities should not be prohibited from following HIPAA regulations and using that information in the course of treatment,” says St. Clair. “More simply put, if a patient has pulled into a PHR a copy of their clinical information from other sources, the patient has control of that copy and can edit and alter it however they wish. At the same time, the entities that originally supplied the information are in no way precluded from leveraging it for permissible treatment purposes.”
Therein lies the catch. Even though patients may “own” or “control” the medical information once it is inside their PHR, the prevailing consensus is that the originator of that information—whether that be claims data from an insurance company, discharge summaries from a hospital, diagnostic results from a physician, or medication histories from a pharmacy—owns the original copies.
But does this murky ownership question really translate into impending security and privacy breaches? According to St. Clair, the answer is no.
Safeguards for health information as a whole are generally effective, and the deterrents of HIPAA and liability threats are powerful. What would help is if HIPAA regulations were applied to all entities and not just covered entities.
“Essentially,” St. Clair says, “we need to close the loopholes.”
A Change in Focus
St. Clair also says that we have let the entire privacy debate distract us from the real issue—how to make the best use of health information no matter where it is stored.
“Privacy is certainly a big concern and rightfully so. It has become the third rail of healthcare, so to speak. However, I would argue that an even bigger concern is not necessarily the misuse of personal health information but rather the nonuse of it. This poses a far greater danger to patients than the remote possibility of a security breach,” he says. “We should be focusing on sharing clinical information to improve healthcare. Patients should be able to opt out of sharing their clinical information. However, they should then be held liable for any consequences.”
In other words, if a patient denies his or her physician access to crucial information within a PHR or other medical record and that denial leads to complications or negative outcomes, he or she should not be able to sue.
St. Clair would also like to see more attention given to the issue of appropriate use rather than nonuse of PHR data. While MEDecisions does not advocate the collection and sale of patient information for marketing purposes, “A lot of good can be done with collected medical data, not the least of which is using it to protect people, to improve care and research, and contain costs,” he says.
Peel concurs. In fact, one solution she and other privacy advocates have offered to the use vs. nonuse issue is the concept of a health bank. Stored within that bank would be official medical data along with any personal data a patient wishes to contribute.
Should researchers want to access a patient’s data for any reason, they would need to first obtain consent. Then the “banker” would serve as an intermediary, running the query on the researcher’s behalf and supplying the answers rather than the raw data.
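The health bank idea described above (consent first, then a banker who runs the query and returns answers rather than raw data) is, in software terms, a query intermediary that keeps the records on its own side of the boundary. The following is an added illustration, not any vendor's code: the patient rows, the consent flags and the minimum-group threshold for withholding an answer are constructed assumptions.

```python
"""Toy 'health bank' query intermediary.  Added illustration, not any
vendor's code; records, consent flags and the MIN_GROUP policy are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class PatientRecord:
    patient_id: str
    official: Dict[str, object]  # data supplied by providers, insurers, pharmacies
    personal: Dict[str, object]  # data the patient chose to contribute
    research_consent: bool       # consent obtained before any researcher query


class HealthBank:
    # Assumed policy (not from the article): answers describing fewer than this
    # many people are withheld, so a narrow query cannot single out one person.
    MIN_GROUP = 5

    def __init__(self, records: List[PatientRecord]) -> None:
        self._records = {r.patient_id: r for r in records}
        # (researcher, query label, matched count, answered): every query is logged
        self.audit: List[Tuple[str, str, int, bool]] = []

    def run_query(self, researcher: str, label: str,
                  predicate: Callable[[Dict[str, object]], bool],
                  measure: str) -> Optional[Dict[str, float]]:
        """Run the researcher's question on the banker's side and return only
        a count and a mean, or None when the answer is withheld."""
        cohort = [r for r in self._records.values() if r.research_consent]
        matched = [r for r in cohort if predicate({**r.official, **r.personal})]
        answered = len(matched) >= self.MIN_GROUP
        self.audit.append((researcher, label, len(matched), answered))
        if not answered:
            return None
        values = [float(r.official[measure]) for r in matched if measure in r.official]
        if not values:
            return {"count": len(matched)}
        return {"count": len(matched), "mean_" + measure: round(sum(values) / len(values), 2)}


def sample_bank() -> HealthBank:
    """Constructed records: p7 declined research use, p4 is under 50."""
    rows = [("p1", 62, "diabetes", 7.2, True), ("p2", 55, "diabetes", 8.0, True),
            ("p3", 70, "diabetes", 6.8, True), ("p4", 48, "diabetes", 7.5, True),
            ("p5", 66, "hypertension", 5.4, True), ("p6", 58, "diabetes", 7.9, True),
            ("p7", 61, "diabetes", 9.1, False), ("p8", 53, "diabetes", 7.6, True)]
    return HealthBank([PatientRecord(pid, {"age": age, "diagnosis": dx, "hba1c": a1c},
                                     {"smoker": False}, consent)
                       for pid, age, dx, a1c, consent in rows])


def example_queries() -> Dict[str, object]:
    """Two researcher questions: one broad enough to answer, one withheld."""
    bank = sample_bank()
    out: Dict[str, object] = {}
    out["diabetes_over_50"] = bank.run_query(
        "study-A", "diabetes, age>50",
        lambda p: p["diagnosis"] == "diabetes" and p["age"] > 50, "hba1c")
    out["diabetes_over_65"] = bank.run_query(
        "study-A", "diabetes, age>65",
        lambda p: p["diagnosis"] == "diabetes" and p["age"] > 65, "hba1c")
    out["audit"] = list(bank.audit)
    return out
```

Two things carry the privacy property here: the researcher supplies a predicate and a measure name but never receives a record object, and non-consenting patients are dropped before the predicate is evaluated, so they influence neither the count nor the mean.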
“I am a physician. We are very pro-health IT. People often make that mistake,” says Peel. “I really think that getting this right in health information technology is going to clean up all the data disasters in other areas.”
— Elizabeth S. Roop is a Tampa, Fla.-based freelance writer specializing in healthcare and HIT.
The Patient Privacy Commandments
The following are the privacy principles and protections proposed by the Coalition for Patient Privacy:
• Recognize that patients have the right to health privacy.
    - Recognize that user interfaces must be accessible so that health consumers with disabilities can individually manage their health records to ensure their medical privacy.
• The right to health privacy applies to all health information, regardless of the source, the form it is in, or who handles it.
• Give patients the right to opt-in and opt-out of electronic systems: i.e., the right for patients to give or withhold their consent for the use and disclosure of their health information.
    - Give patients the right to segment sensitive information.
    - Give patients control over who can access their electronic health records.
• Health information disclosed for one purpose may not be used for another purpose before informed consent has been obtained.
• Require audit trails of every disclosure of patient information.
• Require that patients be notified promptly of suspected or actual privacy breaches.
• Ensure that consumers cannot be compelled to share health information to obtain employment, insurance, credit, or admission to schools, unless required by statute.
• Deny employers access to employees’ health records before informed consent has been obtained.
• Preserve stronger privacy protections in state laws.
• No secret health databases. Consumers need a clean slate. Require all existing holders of health information to disclose if they hold a patient’s health information.
• Provide meaningful penalties and enforcement mechanisms for privacy violations detected by patients, advocates, and government regulators.
— ESR