National Health Info Network Needs Safeguards

Digital rights management technology could keep businesses and employers from storing patient information, survey respondents suggest.

Abuses to privacy are inherent in a national health information network. But if configured correctly, an electronic system might actually prevent practices that go largely unnoticed, and so unprotected, in the current system. In fact, technology used to prevent individuals from sharing music and movies could also keep businesses and employers from storing patient information.

Last month, health care information technology and other organizations enthusiastically responded to requests for feedback on a proposed national health information network, but how it would work and who could access what information is contentious.

Proponents of a national health information network posit that it would prevent medical errors and reduce redundant procedures by enabling different health providers to readily access information about care and diagnoses a patient has received elsewhere.

But the potential for third-party organizations, like employers and health insurance companies, to have greater access to patient information has patient advocates worried.

/zimages/6/28571.gifClick here for a column on fears and opportunities surrounding health IT.

Robert Seliger, CEO of Sentillion, an identity management company, said that while the issue of patient confidentiality is included in many responses from IT organizations, "Its remarkable how little commentary theres been in those who have described this [network]."

Concerns about privacy could derail efforts to establish a network, he said: "If even one lab result about one person is transmitted from point A to point B and someone who shouldnt have access gets access, the public will not trust the system."

Seliger said the keys to appropriate information exchange would be certainty both of a patients identity and of the users identity, and then tuning what information was released. A properly implemented electronic system could actually do more to let patients know about who is accessing their information.

Health information is already being shared, and tracking who sees what is very difficult. "You have no idea who has access to information about you today," Seliger said.

"Theres actually much more enforcement in an electronic system than in a paper system," Seliger said, adding that patients could use technology both to decide who could see what information and to be notified when it was accessed.

But with potentially millions of authorized users, tracking access could be unwieldy. And fears of unauthorized access abound, fueled by news stories like one in the Harvard University newspaper showing that an insurers website would reveal what prescription medicines a student or staff member took if provided with that persons name, birthday, and nonconfidential ID number.

Others worry about what information outside businesses might clamor for if it were more easily available and consolidated.

Describing "conflicting business and personal imperatives," Dixie Baker, group vice president for technology and chief technology officer for the health/life sciences practices at SAIC (Science Applications International Corp.), said employers and insurers want as much health information as possible about individuals, while individuals want minimal information to be released and to as few people as possible.

In testimony before the National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality, Baker said that technology could, at least partially, ease some of these conflicts.

Currently, authorized users can easily gain access to files with protected information, download them, and share them in unauthorized ways. Baker suggested that DRM (Digital Rights Management) could protect private information from third parties. She described current use of the technology in the entertainment industry.

"DRM systems enforce restrictions on what individuals can do with copies of works they have purchased, and also collect information about purchasers activities and report back to the copyright owner."

Next Page: Protecting privacy with technology.