New Approaches Touted for Health IT Policies

With President Barack Obama's economic stimulus bill calling for at least $20 billion for a national health IT network, a new debate is emerging over an old health IT issue: privacy. Traditionally, privacy advocates have urged patient consent for virtually every transaction within a national IT network.

But a new line of thought about the seemingly inherent privacy pitfalls of health IT is that patient consent is not always necessary or even helpful. In fact, according to the CDT (Center for Democracy and Technology), wholesale, line-item patient consent could result in fewer privacy safeguards, impose greater burdens on patients and undermine the quality of care and services.

In a paper released Jan. 25, the CDT claims that rather than relying on consent in all uses of health information, (PDF) consent should be used in a more focused way. The CDT argues that a new generation of privacy guidelines should allow for the free flow of health information about treatment, payment method and other administrative tasks without the patient's consent. For information outside of these core issues, consent would be mandatory regarding how a patient's personally identifiable data is accessed, used and disclosed.

"Requiring consent for all data sharing in health care will only overwhelm patients, leading them to give blanket consent and providing very weak protection," Deven McGraw, director of the Health Privacy Project at CDT, said in a statement accompanying the report. "If we get away from viewing consent as the be-all and end-all of privacy, and use this stimulus funding to establish a more comprehensive framework of protections, we can break the privacy logjam that has been impeding adoption of health information technology."

Under the CDT plan, the comprehensive privacy framework would also include other privacy principles, such as the right of patient access, implementation of technologies to allow user authentication, providing audit trails for all disclosures, and strong oversight and accountability procedures.

"To build public trust in health information technology, we need a comprehensive policy framework that sets clear enforceable rules for who can access health information and for what purposes," said CDT President and CEO Leslie Harris. "A meaningful role for consumer choice should be part of this framework, too."

McGraw will be one of six witnesses testifying before the Senate Judiciary Committee meeting scheduled on Jan. 27 entitled, "Health IT: Protecting Americans' Privacy in the Digital Age." In addition to McGraw, the other witnesses testifying will be James Hester, director of the Health Care Reform Commission of the Vermont State legislature; Adrienne Hahn, program manager for health policy at the Consumers Union; Michael Stokes of Microsoft's HealthVault program; John Houston of the University of Pittsburgh Medical Center; and David Merritt, project director for the Center for Health Transformation and the Gingrich Group.

The hearing will be Microsoft's second trip in the month of January to Capitol Hill to discuss health IT. On Jan. 15, Microsoft Health Solutions Group Vice President Peter Neupert testified before the Senate Committee on Health, Education, Labor and Pensions. Neupert recently posted some sharp comments in a TechNet blog about the health IT industry.

"The thing is, nobody can make good decisions without good data," Neupert wrote. "Unfortunately, too many in our industry use data 'lock-in' as a tactic to keep their customers captive. Policy makers' myopic focus on standards and certification does little but provide good air cover for this status quo. Our fundamental first step has to be to ensure data liquidity-making it easy for the data to move around and do some good for us all."

Neupert also contends that the country shouldn't wait to develop new health IT standards; instead, personal health data should be separated from the software applications that are used to collect and store the data.

"We understand that IT vendors are in business, and need to create strategic value for their products," Neupert said. "And we are very much in favor of that-in rules, in workflow, in user experience, price and flexibility, and so on. However, vendors should not be able to 'lock' the patient or enterprise data into their applications, and thereby inhibit the ability of customers and partners to build cross-vendor systems that improve care."