By Neil Versel
August 19, 2008 | CAMBRIDGE, Mass.—Are patient privacy rules effective? The answer is not a simple yes or no.
“It’s working, but it’s got a ways to go,” suggests William Braithwaite, chief medical officer of San Diego-based security and identity management company Anakam. He says that current federal and state privacy rules generally do not address new technologies such as mobile Internet access and personal health records (PHR) platforms.
Deborah Peel, founder and chair of Patient Privacy Rights and the affiliated Coalition for Patient Privacy, begs to differ. She says the August 2002 amendments to the original HIPAA privacy rule effectively eliminated the patient’s right to consent to the use of protected health information by adding permission to share such data for “treatment, payment, and health care operations.”
Braithwaite, known as “Doctor HIPAA” because he helped draft the rules last decade when he was a senior advisor on health-IT policy in the Department of Health and Human Services (HHS), and Peel were part of a lively roundtable discussion and debate Tuesday morning at the Sixteenth National HIPAA Summit and related Privacy Symposium on the Harvard University campus.
Joining them on the panel were Karen Grant, chief privacy officer at Partners Healthcare System in Boston, and Linda Sanches, senior advisor for HIPAA privacy outreach and training in the HHS Office for Civil Rights. Jodi Daniel, director of the Office of Policy and Research in the Office of the National Coordinator for Health Information Technology, participated via telephone.
Peel believes a stronger privacy law that requires patient consent could promote data exchange between health care entities that currently are wary of sharing information with competitors. “The consent tool can really enable regional data exchange,” says Peel, an Austin, Texas, psychiatrist.
“The person who can really move the data safely is the consumer,” according to Peel. “We can be pinged on our cell phones if someone we don’t know wants access to our data.”
Sanches says health care professionals and the public alike may mistakenly believe HIPAA enforcement has been lax because HHS has imposed few monetary penalties. “We see enforcement as the improvement of privacy activities among covered entities,” she says.
“That normally requires them to take drastic action,” Sanches says. She notes that people have been disciplined for taking unauthorized looks at the medical records of celebrities, such as when more than two dozen employees at Palisades Medical Center in New Jersey were suspended last year for peeking at the records of actor George Clooney.
But Peel says that health care organizations generally only take action when there is a high-profile breach such as the Clooney case, because electronic health record (EHR) systems are set up to follow the HIPAA requirement that there be an audit trail of who viewed protected health information and when. EHRs, she argues, generally do not take proactive steps to prevent unauthorized access to specific records by people who have network passwords.
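The distinction drawn above, between an audit trail that answers "who looked at this record, and when" after the fact and an access check that blocks the lookup before the record is shown, is easy to see in code. The following Python is an added illustration and not code from the article, from any EHR vendor, or from any of the panelists; every user name, patient id, care relationship, consent entry and log line in it is constructed sample data. It models a record viewer that always writes to the audit trail, and that either enforces a treatment-relationship-or-consent rule (proactive) or merely logs (the log-only behaviour the paragraph criticises), plus the retrospective review that a log-only system must fall back on.

```python
"""Added example, not from the article: an EHR access audit trail versus a
proactive access check. Every user, patient id, relationship and log entry
below is constructed sample data for illustration."""

# Constructed: the treating staff an EHR would hold for each patient record
TREATMENT_RELATIONSHIPS = {
    "P-1001": {"dr_lee", "nurse_kim"},
    "P-2002": {"dr_patel"},
}

# Constructed: users to whom a patient has explicitly granted access
PATIENT_CONSENTS = {
    "P-2002": {"dr_lee"},
}


def proactive_check(user, patient):
    """Decide BEFORE the record is shown: allow only with a treatment
    relationship or explicit patient consent on file."""
    if user in TREATMENT_RELATIONSHIPS.get(patient, set()):
        return True, "treatment relationship"
    if user in PATIENT_CONSENTS.get(patient, set()):
        return True, "patient consent"
    return False, "no relationship or consent on file"


def view_record(trail, user, patient, enforce=True, ts="2008-08-19T09:00:00Z"):
    """Attempt a record view. The audit trail always records the attempt
    (the who-viewed-what-and-when requirement). With enforce=False the system
    behaves as the paragraph describes: it logs but never blocks."""
    allowed, reason = proactive_check(user, patient)
    if not enforce:
        allowed, reason = True, "log-only mode, not checked"
    trail.append({"ts": ts, "user": user, "patient": patient,
                  "action": "view", "allowed": allowed, "reason": reason})
    return allowed, reason


def find_unauthorized_views(trail):
    """Retrospective review: replay the trail and flag views that succeeded
    although no relationship or consent justified them. This is the
    after-the-fact search that a log-only system relies on."""
    flagged = []
    for entry in trail:
        justified, _ = proactive_check(entry["user"], entry["patient"])
        if entry["action"] == "view" and entry["allowed"] and not justified:
            flagged.append((entry["ts"], entry["user"], entry["patient"]))
    return flagged


def distinct_viewers(trail):
    """Count distinct users who successfully viewed each record; an unusual
    number of viewers on one record is the classic after-the-fact signal
    that a record is being looked at out of curiosity."""
    seen = {}
    for entry in trail:
        if entry["action"] == "view" and entry["allowed"]:
            seen.setdefault(entry["patient"], set()).add(entry["user"])
    return {patient: len(users) for patient, users in seen.items()}


if __name__ == "__main__":
    # Log-only mode: every view succeeds and the problem surfaces only on review.
    log_only = []
    for user in ("nurse_kim", "clerk_a", "clerk_b", "clerk_c"):
        view_record(log_only, user, "P-1001", enforce=False)
    print("log-only mode, flagged after the fact:", find_unauthorized_views(log_only))
    print("distinct viewers per record:", distinct_viewers(log_only))

    # Enforced mode: the same lookup is refused before the record is shown.
    enforced = []
    print("enforced, clerk_a on P-1001:", view_record(enforced, "clerk_a", "P-1001"))
    print("enforced, dr_lee on P-2002 (consent):", view_record(enforced, "dr_lee", "P-2002"))
```

In the log-only run the three clerks' views all succeed and only `find_unauthorized_views` reveals them afterwards; in the enforced run the same lookup returns a denial and the audit entry records the refusal, so the trail documents both what was seen and what was stopped. A real deployment would also need a break-the-glass path for emergencies, which this example deliberately omits.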
In fact, according to Peel, EHR vendors, which often are not covered entities under HIPAA, routinely aggregate and sell patient data without patient consent. “It is cheaper to have a consent-management tool than to search retroactively for needles in a haystack,” Peel says.
Braithwaite says it is unfair to blame vendors as a bunch because products and security protocols vary greatly. “You can’t make a blanket statement like that. It’s ridiculous,” he contends.
And so the debate continues.