President’s Council of Advisors on Science and Technology Releases Report on Health Information Technology
The President’s Council of Advisors on Science and Technology announced (pdf) the release of a new report on health information technology, which includes a discussion of privacy issues. The report is “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward” (pdf). The White House says: “Unlike conventional electronic health records, which are effectively digital versions of paper charts that are trapped in the offices where they are created, such a [health information-sharing infrastructure] system would allow health data to follow patients wherever they are, with appropriate privacy protection and patient control, while giving patients’ various doctors a more complete picture of those patients’ medical conditions and needs.” The White House also says:
The report […] calls upon the Federal government to facilitate the widespread adoption of a “universal exchange language” that allows for the transfer of relevant pieces of health data while maximizing privacy. Reflecting input from industry and IT experts, privacy groups, healthcare professionals, and others, the report provides specific recommendations for cultivating an information technology (IT) ecosystem that facilitates the real-time exchange of patient information in order to modernize diagnosis and treatment, improve public health, enhance the privacy and security of personal data, and create new high-technology markets and jobs while catalyzing healthcare-related economic reforms needed to address our Nation’s long-term fiscal challenges.
The report notes that the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which created minimum standards (or “a floor”) for medical privacy protections, has failed to adequately protect patient privacy.
A patient cannot make meaningful privacy choices unless he or she understands the flows and uses of information and can therefore make informed choices. That is not the reality today. In practice, the current consent model mandated by HIPAA rarely allows fully informed choices. HIPAA allows many common disclosures (for example, for treatment, payment, and healthcare operations) without any consent at all. Some other disclosures are allowed unless the patient specifically opts out. Some particular transactional flows of data require patient approval, but patients have little real information about those flows or the uses to which they will be put. As seen by the patient, HIPAA protection is often little more than “sign here to acknowledge that you understand your rights under HIPAA,” which, of course, few patients do.
The report recommends an exchange process, which will give patients more control over who has access to their medical data.
We believe that a universal exchange language based on tagged data elements will allow the design of much better privacy and security protection than currently exists for either paper or electronic systems, for two principal reasons. First, the ability to tag an individual piece of data with privacy-related information, as part of its metadata, enhances privacy safeguards. Second, because tagged data element exchange protocols are designed to be efficient for the rapid exchange of small pieces of data, it is feasible to use security protocols that involve multiple exchanges of challenge and response. We illustrate these points in this and the next subsection.
However, the report also notes that “this model is only as good as the level of security applied to the data itself. If an unauthorized user can compromise data security, and not get caught in doing so, then he can also compromise any patient privacy model.” Therefore:
A health IT infrastructure needs to provide significantly better security than traditional paper records in all respects. It must be designed with very strong technical protection against remote, bulk attacks that compromise large numbers of records, because paper records do not have this vulnerability. The security of a single individual’s information needs both technical protection and also protection by regulation and criminal law. Technical protection alone cannot prevent the suborning of otherwise authorized individuals, but it can greatly raise the bar by making them likely to get caught.
In today’s healthcare sector, there is an astounding range of security practices in handling electronic data, ranging from excellent to poor. Importantly, there is little consistency in security practices. Sloppy practices have led to system failures at multiple levels, such as the massive compromise of personal data in a stolen laptop computer or a burglarized hard disk drive. In a well-designed system, as one example, it should be technically impossible for any individual to aggregate large numbers of records in an exportable format, and there should be multiple layers of real-time auditing to be sure that it is not in fact happening.
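As an added illustration (not code from the PCAST report or the White House), the Python sketch below combines the two design ideas quoted above: privacy tags carried as metadata on each data element, and an exchange gateway that refuses to release records for more than a fixed number of distinct patients to any one requester while writing every decision to an audit trail. The class names, the bulk limit and the sample records are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class TaggedElement:
    """One piece of health data plus the privacy tags that travel with it."""
    patient_id: str
    kind: str
    value: str
    allowed_purposes: frozenset  # purposes the patient has consented to


@dataclass(frozen=True)
class AuditEvent:
    requester: str
    purpose: str
    patient_id: str
    kind: str
    decision: str  # "allowed", "denied:consent" or "denied:bulk"


class ExchangeGateway:
    """Releases elements one patient at a time; blocks bulk aggregation."""

    def __init__(self, elements, bulk_limit: int = 20):
        self._elements = list(elements)
        self._bulk_limit = bulk_limit  # distinct patients per requester
        self._released: Dict[str, Set[str]] = {}  # requester -> patients seen
        self.audit_log: List[AuditEvent] = []

    def request(self, requester: str, purpose: str, patient_id: str) -> List[TaggedElement]:
        seen = self._released.setdefault(requester, set())
        over_limit = patient_id not in seen and len(seen) >= self._bulk_limit
        released = []
        for el in self._elements:
            if el.patient_id != patient_id:
                continue
            if over_limit:
                decision = "denied:bulk"       # aggregation cap hit
            elif purpose not in el.allowed_purposes:
                decision = "denied:consent"    # tag forbids this purpose
            else:
                decision = "allowed"
                released.append(el)
            self.audit_log.append(AuditEvent(requester, purpose, patient_id, el.kind, decision))
        if released:
            seen.add(patient_id)
        return released

    def denials(self, requester: str) -> int:
        """Count of refused releases for one requester; a spike is an audit signal."""
        return sum(1 for e in self.audit_log if e.requester == requester and e.decision != "allowed")


def sample_elements() -> List[TaggedElement]:
    # Constructed sample data; patient p1 allows billing to see labs but not notes.
    return [
        TaggedElement("p1", "lab", "HbA1c 6.1", frozenset({"treatment", "payment"})),
        TaggedElement("p1", "psych_note", "session summary", frozenset({"treatment"})),
        TaggedElement("p2", "lab", "LDL 130", frozenset({"treatment"})),
        TaggedElement("p3", "lab", "TSH 2.0", frozenset({"treatment"})),
    ]
```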
The report also makes recommendations for how to create a secure exchange system in terms of technology — including encryption, two-factor authentication and auditing. There are more interesting points in the full report (pdf).