March 9, 2012 10 Comments
I’d like to draw your attention to two reports that were released this week. They highlight some of the wrinkles in the emerging area of the privacy of digitized patient information, data portability and patient centeredness in all of this.
NYCLU: Consent is King with PHI and HIEs
The New York Civil Liberties Union made headlines for releasing a report criticizing New York State’s information exchange policies. Specifically, the report says that patients are not given enough notification or authorization to share their personal health information (PHI), that information should not be shared across the board, but only for relevant information. There are a few different grievances aired:
Consent: Opt-in vs. Opt-out: NYCLU would prefer a complete opt-in model but recognizes the limitations (low uptake no info in case of emergencies). New York uses a hybrid, where patient information is included by default, but they can veto when a provider actually wants to access information. In the case of an emergency, there is a ‘break the glass’ provision where providers can act on the patient’s best interest in the event of an emergency. NYCLU offers this third model, “opt out with exception” as one to consider for HIEs and RHIOs.
Geographic Reach: Patients who want to include their record on a local RHIO, with doctors they may have known for years, may decide against sharing it with a more extended network of doctors and hospitals.
Information Completeness: Also known as ‘granularity,’ this is a tricky one. Patients may not want to share all of their information with all of their doctors. NYCLU provides a smattering of potential offensive cases: sharing history of a hemorrhoid with a podiatrist, psychiatry with a surgeon, etc. Recognizing that there are lots of opportunities for potential misuse or transmission of sensitive PHI, NYCLU recommends that HIEs mandate increased granularity of what information is available to who.
There are a whole slew of recommendations in the actual report. But the general takeaway is that the way current HIE’s are planned, patient consent and concerns about the privacy of their information is woefully overlooked by state governments, HIE governance and commercial vendor communities.
HealthAffairs: Include Psychosocial Information in EHRs
The other article is a HealthAffairs piece (login required) advocating for the integration of psychosocial health information into mainstream clinical EMRs. The premise is that data on behavior, mental health, self-assessments etc. is invaluable to the treatment of individual patients, preventative population health management and public health/biomedical research efforts. In the article, a panel of bigwigs from various academic institutions lay out a series of cogent points: this information is increasingly readily available with technology, it needs to be put into standardized formats for easy incorporation into broader medical software, and more broadly psychosocial considerations are at the core of effective treatment and research.
Fine. But a quick search of “privacy” only produced one hit:
“It will be possible to collect data from a majority of patients on sensitive psychosocial issues only if patients are informed about what will be done with the data they provide and assured that their privacy will be protected. They need to be told what their information will be used for, who will see it and for what purposes, and how their confidentiality will be safeguarded.”
That’s it. The piece even goes so far as to pre-emptively counter some objections to the inclusion of psychosocial data, and the authors left out privacy concerns altogether.
What does this mean?
It’s just another example of how our healthcare system has people working against each other. Supposed patient-centered advocacy groups such as the NYCLU are reduced down to nagging whistleblowers who don’t seem to acknowledge the challenges of technical integration or the difficulty of developing intricate, piecemeal consent models on granular levels. Supposed health care experts from Harvard and the NIH blow off privacy concerns as a red tape issue without even paying lip service as to how patients – people – might feel about sharing their more intimate life details (sex, drugs, mental health) with doctors, nurses, administrators and researchers.
Where’s the middle ground? Are there any examples of health care systems who are at the cutting edge of technology, science and patient-centeredness? What about systems who have figured out the longstanding problem of behavioral health integration into the clinical and technological workflow without compromising the sensitivity of those issues? Would love to hear your thoughts.