Thursday, April 17, 2008

e-Prescribing and Privacy

For the most recent treatment of confidentiality and privacy issues, see:
http://www.markfrisse.com/policy

On April 14, 2008, a broad coalition of organizations sent a letter to Senator John Kerry and Representative Allyson Schwartz expressing strong support of their proposed electronic prescribing legislation - the Medicare Electronic Medication and Safety Protection (E-MEDS) Act of 2007.

One suggestion bears particular note. Mindful of the broad public concern over privacy and confidentiality (and the appeals of a small group of privacy advocates that arguably excessively dominate Congressional hearings), the group argues for a systematic evaluation by GAO of prescription data use practices as a necessary part of any legislation.

Rather than focus on a particular technology, the organizations lending support seem to be pointing to a more extensive set of data sale and use practices already in place and often not included in the public debate.

This emphasis places needed attention not only on the future implications of a more comprehensive digital medication management framework but also on the current array of data use practices. Before one argues for more policy and legislation, this writer believes it would indeed be valuable for GAO to conduct this study - even if the E-MEDS bill does not advance.

Quoting from the letter to Senator Kerry and Representative Schwartz:

We believe that efforts to realize the safety and savings benefits of comprehensive health information technology (HIT) must move forward within a framework of privacy and security protections. For example, many consumers have concerns about the data mining of prescription drug information, and the success of efforts to promote widespread adoption of HIT ultimately will depend on the willingness of consumers to accept the technology.


In the absence of a national privacy and security framework for the exchange of health data, we feel strongly that obtaining more definitive information about how prescription data are currently being used is a key step to addressing privacy concerns. Thus, we strongly support including in any e-prescribing legislation a requirement that the General Accounting Office (GAO) investigate the prescription data mining industry and publish a report to Congress. The report should define clearly from whom data miners are getting data, whether it is fully de-identified, how easy it is to re-identify, what the policies/procedures are for ensuring that it is de-identified (or not re-identified), and to whom they are selling data.

[Selective use of bold font added for emphasis in this posting]

The coalition includes:

  • AARP
  • AFL-CIO
  • American Federation of State, County, and Municipal Employees
  • Center for Medical Consumers
  • Childbirth Connection
  • Consumers Union
  • Health Care For All
  • National Consumers League
  • National Family Caregivers Association
  • National Partnership for Women & Families
  • SEIU

Sunday, February 03, 2008

PKI That Rings

In the May/June 2005 issue of the Journal of the American Medical Informatics Association, Ulrich Sax, Zak Kohane, and Ken Mandl discuss the value of using cell phones as a means of providing strong identification for individuals by creating a registration authority and an identification service. The full-text article (PDF) is available. Many of the 62 citations are also worth a look.

To cut to the chase, examine the following scenario (quoted from their article):

"Helen arrives at an emergency department and wishes to authorize access to her personally controlled health record. She uses her cell phone to call the toll free number of an authentication service. A challenge message is sent to her handset. The handset decrypts the message and encrypts it again with the private key stored in the USIM. To enable the USIM to re-encrypt the message, Helen is prompted to key in a personal identification number, which she has chosen and committed to memory. Helen is then prompted to key in the hospital ID number prominently displayed over the triage desk. Responding in the affirmative, the authentication service contacts the PHR, Helen's record appears on the registration screen in the emergency department, and hospital staff is granted web access to portions of the record, set according to Helen's pre-specified preferences."
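An added sketch of the exchange in the quoted scenario (not code from the article or its authors): the handset's response is modelled as a signature over the challenge and the keyed-in hospital ID, released only after a PIN check, and the service accepts each challenge once. Textbook RSA over two small Mersenne primes stands in for the USIM key and is not secure; the class names, subscriber name and hospital IDs are constructed for illustration.

```python
import hashlib, hmac, secrets

# Toy textbook RSA over two Mersenne primes: a stand-in for the USIM key pair.
# Assumption for illustration only; far too small and unpadded for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the handset


def digest(challenge: bytes, hospital_id: str) -> int:
    """Bind the fixed-length challenge to the hospital ID the user keyed in."""
    data = challenge + hospital_id.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Handset:
    """Hypothetical USIM model: the private key is used only after a PIN check."""

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._kdf(pin)
        self._tries_left = 3  # lock the key after three wrong PINs

    def _kdf(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def respond(self, challenge: bytes, hospital_id: str, pin: str):
        if self._tries_left == 0:
            return None
        if not hmac.compare_digest(self._kdf(pin), self._pin_hash):
            self._tries_left -= 1
            return None
        self._tries_left = 3
        return pow(digest(challenge, hospital_id), D, N)


class AuthService:
    """Hypothetical authentication service holding only the public key (N, E)."""

    def __init__(self):
        self._pending = {}  # subscriber -> outstanding challenge

    def issue_challenge(self, subscriber: str) -> bytes:
        self._pending[subscriber] = secrets.token_bytes(16)
        return self._pending[subscriber]

    def verify(self, subscriber: str, hospital_id: str, signature) -> bool:
        challenge = self._pending.pop(subscriber, None)  # single use: replays fail
        if challenge is None or signature is None:
            return False
        return pow(signature, E, N) == digest(challenge, hospital_id)
```

Because the hospital ID is inside the signed digest, a response produced for one triage desk does not verify for another, and a captured response cannot be replayed once its challenge has been consumed.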


The authors begin their article with the conventional wisdom of using two of the following four criteria:

  • something the user knows
  • something that indicates where the user is
  • something related to who the user is
  • something the user carries

The authors then describe the current and future PKI capabilities of the various cell phone technologies in use in the United States and describe how the system could be used in health care applications.

They also identify major challenges, including:
  • Expanding the telecommunications infrastructure and business models to support medical applications
  • Consumer awareness and technical factors affecting usability
  • Contingencies. They mention that 10% of cell phone subscribers say they will change plans in the coming year. They mention the challenges associated with pediatric care and the need for multilayered access approaches ranging from weaker methods like name, password, and information the patient would know. They suggest that there may be a corresponding multi-layered access to information corresponding to the strength of authentication.

This is one of many thought-provoking articles addressing how "smart cards," cell phones, and other commonly used consumer identification methods may be applied to the health care setting. The central lesson in it all: not only may the health care system not have to start from scratch, but efforts that do not take into consideration the growing number of authentication techniques will probably fail.

Tuesday, March 06, 2007

CLIA Notes

Note: significant portions of this posting are taken from a presentation by Donald E. Horton, Jr., Associate Vice President, Public Policy and Advocacy, LabCorp. His slides presented on March 5, 2005, will be on the RTI HIPSC site.

The Clinical Laboratory Improvement Amendment (CLIA) of 1988


42CFR § 493.129(f)

Test results must be released only to authorized persons.

42CFR § 493.2

Authorized person means an individual authorized under state law to order tests and receive test results or both.

"Individual responsible for using the test results is undefined."

Implications

Many people with a legitimate need to review test results for legitimate purposes are not "authorized persons." These groups include:
  • Non-ordering physician specialists participating in care
  • RHIOs
  • QIOs
  • Disease Management
  • Other population-based programs
  • Health plans

As a result, many people who need the results for patient care or other services are not "authorized" persons.

Among the proposed solutions

Alternative 1: Distinguish between mandatory and permissive test result disclosures and eliminate any reference to the undefined term "individual responsible for using the test results"....

Revise 42CFR § 493.129(f) to state:

Test results must be released to the authorized person who ordered the test. In addition, notwithstanding any contrary State law defining who is an individual authorized to order tests or receive test results or both, test results may be released to:

  • The laboratory that initially requested the test, if applicable;
  • Any person designated to receive the test results by the authorized person who ordered the test
  • A "covered entity" as defined in 45 CFR § 106.103; and
  • A "business associate" of a covered entity as defined in 45 CFR § 106.103. This section shall not be construed to permit the disclosure of any specific type of test result to any of the persons or entities named herein where the disclosure of test results of that type is otherwise prohibited by state or federal law.

Alternative 2: Clarify the meaning of both "authorized person" and the section of code in which it appears

Add to 42CFR § 493.2 the following definition of an authorized person:

Authorized person means an individual authorized under State law to order tests or receive test results, or both. In addition, notwithstanding any contrary State law defining who is an individual authorized to order tests or receive test results or both, authorized person means:
  • Any person designated to receive the test results by the authorized person who ordered the test
  • A "covered entity" as defined in 45 CFR § 106.103; and
  • A "business associate" of a covered entity as defined in 45 CFR § 106.103. This section shall not be construed to permit the disclosure of any specific type of test result to any of the persons or entities named herein where the disclosure of test results of that type is otherwise prohibited by state or federal law.

Alternative 3: Clarify the meaning of "individual responsible for using the test results" and the section of law in which it appears.

Add to 42 CFR § 492.2 by creating a definition of the "individual responsible for using test results." This term is currently not defined.

Individual responsible for using the test results means, notwithstanding any contrary State law defining who is an individual authorized to order tests or receive test results or both:
  • Any person designated to receive the test results by the authorized person who ordered the test
  • A "covered entity" as defined in 45 CFR § 106.103; and
  • A "business associate" of a covered entity as defined in 45 CFR § 106.103. This section shall not be construed to permit the disclosure of any specific type of test result to any of the persons or entities named herein where the disclosure of test results of that type is otherwise prohibited by state or federal law.

Such revisions would maintain the protection of information under HIPAA and would ensure that particularly sensitive types of test results currently confidential will remain so.

Saturday, February 24, 2007

Health Privacy Project and AHIC

The February 22 issue of Healthcare IT News widely publicized the resignation of Paul Feldman (Health Privacy Project) from the AHIC privacy process.

The concerns have two components:
  1. Standards for "back end" interoperability are being developed by HITSP at a pace too fast for adequate deliberation
  2. Standards for privacy protections lag behind the pace of other standards development efforts and hence may lead to technical adoption of standards in 2008 before adequate consideration has been given to privacy and confidentiality

In a letter to the Secretary by the Health Privacy Project, JanLori Goldman and Paul Feldman state that the present accomplishments and proposed plans "are a far cry from a comprehensive and timely approach that would give privacy policy equal and necessary footing with interoperability and systems development efforts."

Monday, February 12, 2007

New GAO Reports on Early Privacy Efforts in HIT

On February 12, 2007, the GAO issued two products based on its review of privacy and health care confidentiality. Both the testimony (GAO-07-400T) and the report (GAO-07-238) are entitled, Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy.

Saturday, February 10, 2007

The Personal Data Privacy and Security Act of 2007

On February 6, 2007, Senators Leahy and Specter introduced the Personal Data Privacy and Security Act of 2007. According to Senator Leahy's press release, this bipartisan legislation:

  • Increases criminal penalties for identity theft involving electronic personal data and makes it a crime to intentionally or willfully conceal a security breach involving personal data;
  • Gives individuals access to, and the opportunity to correct, any personal information held by commercial data brokers;
  • Requires entities that maintain personal data to establish internal policies that protect the personal data of Americans;
  • Requires entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; and
  • Requires the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers and impose penalties on government contractors that fail to meet data privacy and security requirements.

Additional commentary and reactions will be posted on this entry.

Friday, February 02, 2007

U.S. Senate Committee on Homeland Security and Governmental Affairs - February 1

Carol Diamond from the Markle Foundation and others presented at a January 1 hearing reviewing the efforts of HHS to integrate privacy into the HIT national infrastructure and Office of Personnel Management efforts to expand the use of HIT through Federal Employees Health Benefits Program (FEHBP) and the impact such actions have on federal employees’ health information privacy.

The GAO report cites some minor differences in approach to Federal privacy protection. It suggests more "coordination" is perhaps needed. The report states:

"We recommend in our report that the Secretary of HHS define and implement an overall approach for protecting health information as part of the strategic plan called for by the President. This approach should (1) identify milestones for integrating the outcomes of its privacy-related initiatives, (2) ensure that key privacy principles are fully addressed, and (3) address key challenges associated with the nationwide exchange of health information."

"In written comments, HHS disagreed with our recommendation and referred to the department’s “comprehensive and integrated approach for ensuring the privacy and security of health information within nationwide health information exchange.” However, an overall approach for integrating the department’s various privacy-related initiatives has not been fully defined and implemented. We acknowledge in our report that HHS has established a strategic objective to protect consumer privacy along with two specific strategies for meeting this objective. Our report also acknowledges the key efforts that HHS has initiated to address this objective."

"While progress has been made initiating these efforts, much work remains before they are completed and the outcomes of the various efforts are integrated. Thus, we recommend that HHS define and implement a comprehensive privacy approach that includes milestones for integration, identifies the entity responsible for integrating the outcomes of its privacy-related initiatives, addresses key privacy principles, and ensures that challenges are addressed in order to meet the department’s objective to protect the privacy of health information exchanged within a nationwide health information network."