National Health Info Network Needs Safeguards

By M.L. Baker  |  Posted 2005-02-07

National Health Info Network Needs Safeguards

Abuses to privacy are inherent in a national health information network. But if configured correctly, an electronic system might actually prevent practices that go largely unnoticed, and so unprotected, in the current system. In fact, technology used to prevent individuals from sharing music and movies could also keep businesses and employers from storing patient information.

Last month, health care information technology and other organizations enthusiastically responded to requests for feedback on a proposed national health information network, but how it would work and who could access what information is contentious.

Proponents of a national health information network posit that it would prevent medical errors and reduce redundant procedures by enabling different health providers to readily access information about care and diagnoses a patient has received elsewhere.

But the potential for third-party organizations, like employers and health insurance companies, to have greater access to patient information has patient advocates worried.

Click here for a column on fears and opportunities surrounding health IT.

Robert Seliger, CEO of Sentillion, an identity management company, said that while the issue of patient confidentiality is included in many responses from IT organizations, "Its remarkable how little commentary theres been in those who have described this [network]."

Concerns about privacy could derail efforts to establish a network, he said: "If even one lab result about one person is transmitted from point A to point B and someone who shouldnt have access gets access, the public will not trust the system."

Seliger said the keys to appropriate information exchange would be certainty both of a patients identity and of the users identity, and then tuning what information was released. A properly implemented electronic system could actually do more to let patients know about who is accessing their information.

Health information is already being shared, and tracking who sees what is very difficult. "You have no idea who has access to information about you today," Seliger said.

"Theres actually much more enforcement in an electronic system than in a paper system," Seliger said, adding that patients could use technology both to decide who could see what information and to be notified when it was accessed.

But with potentially millions of authorized users, tracking access could be unwieldy. And fears of unauthorized access abound, fueled by news stories like one in the Harvard University newspaper showing that an insurers website would reveal what prescription medicines a student or staff member took if provided with that persons name, birthday, and nonconfidential ID number.

Others worry about what information outside businesses might clamor for if it were more easily available and consolidated.

Describing "conflicting business and personal imperatives," Dixie Baker, group vice president for technology and chief technology officer for the health/life sciences practices at SAIC (Science Applications International Corp.), said employers and insurers want as much health information as possible about individuals, while individuals want minimal information to be released and to as few people as possible.

In testimony before the National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality, Baker said that technology could, at least partially, ease some of these conflicts.

Currently, authorized users can easily gain access to files with protected information, download them, and share them in unauthorized ways. Baker suggested that DRM (Digital Rights Management) could protect private information from third parties. She described current use of the technology in the entertainment industry.

"DRM systems enforce restrictions on what individuals can do with copies of works they have purchased, and also collect information about purchasers activities and report back to the copyright owner."

Next Page: Protecting privacy with technology.

Protecting Privacy with Technology

The same technology could protect patient privacy, Baker said: "A DRM policy applied to an electronic health record might enable an insurance company to view those portions of the record necessary for coverage authorization purposes, but not allow the record to be saved on the companys server." Such technology should also be able to alert patients who has accessed what information.

Another relevant technology is sold by StoredIQ Inc. The companys software analyzes the content of files and email to determine whether they contain information protected by the Health Insurance Portability and Accountability Act. Such files could only be stored and shared according to an organizations official policy, a practice that StoredIQ said will protect against careless and unscrupulous employees.

The national health information network must be set up to protect against discriminatory practices and unlawful use and access of information, said Don Mon, vice president of industry relations at AHIMA (American Health Information Management Association).

"We must protect the privacy and security of a patient by building it into an infrastructure, by using authentication, and [by releasing] only that info that the patient consents to be released; then the system protects itself."

Tony Higgins, a former health information consultant who has lived in the United Sates and Canada, goes further: "EHR (Electronic Health Record) content viewing must be limited to those to whom the individual has given explicit permission, and those persons must be members of the medical services community. No banks, no employers, nobody else."

To read a column on what is vital to health IT, click here.

Of course, adds Higgins, another way to protect the public is to limit the consequences of what might happen to patients if information is shared, namely being denied benefits. "Universal healthcare insurance that cannot be cancelled, capped, or denied to any legal resident will completely eliminate the threat posed by the EHRs contents being seen within the medical community."

Or to approach the problem from still another angle, as one of my readers wrote in, "One way to ensure that loopholes are closed and information is disseminated correctly is to require that ALL Federal government employees must participate during the life of the program. This means the President, Cabinet, Congress, agency appointees, etc. If theyre forced to use it, they will either guarantee a quality product or scrap the idea."

Check out eWEEK.coms for the latest news, views and analysis of technologys impact on health care.

Rocket Fuel