A Nationwide Health Information Network

1
A Nationwide Health Information Network the
Electronic Exchange of Patient Data

• Maya A. Bernstein, J.D.
• Senior Advisor, Privacy Policy
• Office of the Asst Secretary for Planning and
  Evaluation
• U.S. Department of Health and Human Services
• Ryan White Care Act Training and Technical
  Assistance Grantee Meeting
• Washington, DC
• August 30, 2006

2
Agenda

• A Few Words on HIPAA
• Fair Information/Privacy Principles
• The Advent of the NHIN
• Lets Talk About PHRs
• Perplexing Privacy Policy
• Questions, Comments, and Discussion

Disclaimer This presentation does not represent
the views or policies of any agency in the U.S.
government
3
A Few Words about HIPAA

• Legislative news, or lack thereof
• Effort in up-front implementation
• Dont lose momentum
• Train newcomers, refresh old hands
• Increased public awareness
• Increased pressure for enforcement

4
Agenda

• A Few Words on HIPAA
• Fair Information/Privacy Principles
• The Advent of the NHIN
• Lets Talk About PHRs
• Perplexing Privacy Policy
• Questions, Comments, and Discussion

5
Fair Information Principles

• Recordkeepers responsibilities
• No secret record-keeping systems
• Collect what you can directly from subject
• Maintain only what is relevant and necessary
• Records collected for one purpose should not be
  used for another purpose w/o consent
• Maintain records that are accurate, relevant,
  timely, complete
• Prevent misuse of records
• Dispose of records when no longer needed

6
Fair Information Principles

• Individuals Rights
• Find out what data are kept and how used
• See an accounting of disclosures
• Correct or amend records
• Seek some kind of redress

7
Agenda

• A Few Words on HIPAA
• Fair Information/Privacy Principles
• The Advent of the NHIN
• Lets Talk About PHRs
• Perplexing Privacy Policy
• Questions, Comments, and Discussion

8
The Advent of the NHIN

• Nationwide Health Information Network
• HHS Activities Related to Health IT
• EHRs PHRs

9
The Advent of the NHINPresidents Health IT Goal

• Nationwide interoperable health information
  infrastructure and electronic health record (EHR)
  available for most Americans within 10 years.

President George W. Bush, 2004
10
The Advent of the NHIN Executive Order 13335

• Vision of developing a nationwide interoperable
  infrastructure
• Incentives for the Use of Health Information
  Technology
• Establishing the Position of the National
  Coordinator for Health IT in the Office of the
  Secretary of HHS (currently vacant)

E.O. 13335, April 27, 2004
11
The Advent of the NHIN Secretary Leavitts
Priorities for Americas Health Care

• Health Information Technology (2)
• Medical clipboard becomes a thing of the past
• Secure interoperable electronic records are
  available to patients and their doctors anytime,
  anywhere
• Immediate access to accurate information reduces
  dangerous medical errors and helps control health
  care costs

12
The Advent of the NHIN ONC Framework for
Strategic Action

• Inform clinical practice
• Interconnect clinicians
• Personalize care
• Encourage use of personal health records
• Enhance informed consumer choice
• Promote use of telehealth systems
• Improve population health

13
The Advent of the NHIN ONCs Three Areas of
Focus

• Nationwide Health Information Network (NHIN)
• Regional Health Information Organizations (RHIOs)
• Driving EHR adoption

14
ONC Activities Contracts

• Architecture
• 4 consortia to develop NHIN prototypes
• Standards
• Harmonizing health info standards
• Certification
• Develop criteria to certify and evaluate health
  IT products
• Privacy
• Develop solutions for variations in business
  policies, state privacy law that pose challenges
  to the secure communication of health
  information.

15
ONC Activities American Health Information
Community

• FACA Advisory Committee
• Mission to provide input and recommendations to
  HHS
• how to make health records digital and
  interoperable
• assure that privacy and security is protected
• in a smooth, market-led way.
• Chaired by Secretary Leavitt
• 16 other key stakeholder leaders (public
  private)

16
American Health Information Community Activities
Work Groups

• Biosurveillance
• Electronic Health Records
• Consumer Empowerment (PHRs)
• Chronic Care
• Confidentiality and Security

17
American Health Information Community Activities
Breakthroughs

• Consumer Empowerment
• Health Improvement
• Public Health Protection

18
Agenda

• A Few Words on HIPAA
• Fair Information/Privacy Principles
• The Advent of the NHIN
• Lets Talk About PHRs
• Perplexing Privacy Policy
• Questions, Comments, and Discussion

19
Lets Talk About PHRs1 -- What is a PHR?

• Electronic application through which consumers
  can access, manage, share, control PHI in a
  secure and confidential environment.
• Allows consumers to access, coordinate lifelong
  health information
• Allows consumers to make appropriate parts of PHI
  available to those who need it.

Connecting for Health, Connecting Americans to
Their Healthcare, Final Report, 7/2004
20
Lets Talk About PHRs.1 -- What is a PHR?

• Medical record under control of individual
• Gives individual and authorized clinician access
  to
• Prescriptions Lab and test results
• Claims Allergies
• Other vital information.
• Most useful for those w/ complex, chronic disease

21
Lets Talk About PHRs.1 -- What is a PHR?

• Permits monitoring of routine health info
• Allows coordination among partner, family,
  providers, institutions
• Promotes independence, healthy living
• Accessible when and where needed by patients,
  authorized users

22
Lets Talk About PHRsPHR Means Different Things
to Different People

• Some current PHR systems
• Application that consumers use to manage their
  personally entered PHI
• Disease management application that allows
  consumers to track their health online
• View into all or part of PHI captured in the
  healthcare systems EMR/EHR

23
Lets Talk About PHRsContent Depends on
Definition
24
Lets Talk About PHRsMany Requirements

• On par with HCS HIT
• Accurate, timely information (EMR data not
  altered)
• Reliable
• Secure
• Accessible
• Flexible, etc

25
Lets Talk About PHRsRelationship of PHR, EMR
Critical

• PHR may be part of the EMR/EHR
• EMR information is a part of the PHR
• Separate v. Tethered

26
Lets Talk About PHRsOne of Two Models Likely

• The EHR, with a PHR application, is the source of
  all PHI about an individual
• Implication maintains current healthcare system
  centric model
• The PHR is the source of all PHI about an
  individual
• Implication move from a healthcare system
  centric model to a consumer centric model

27
Lets Talk About PHRs Consumer Ownership Enables
Consumer Control
Who Exerts Control?
Consumer
HCS
3rd Party
XX
N/A
N/A
?
XX
N/A
?
?
?
Consumer maintains control of the records it
maintains in its systems HCS maintains control
of the records it maintains in its systems
28
Lets Talk About PHRs Consumer Control Has Many
Implications

• Effects of limiting access
• Informed decision making
• Opt-in versus opt-out permissions
• Blanket HCP access or not
• De-identified versus identified

29
The Definition of the PHR (Content) Will
Influence Many Other Sectors
30
Lets Talk About PHRs Many Questions
Challenges

• Where are the consumers?
• How will their needs/concerns be met?
• What is the PHR? What is the ultimate model for
  the PHR?
• Who owns the PHR?
• Will all sources of PHI be available?
• What about research and public health?
• Digital divide
• Decision support informed consumer?

31
Lets Talk About PHRsSummary Thoughts

• The definition and role of the PHR in the larger
  national HIT debate is still unfolding
• How the PHR is viewed will influence its content
  and future
• There are significant consumer issues regarding
  PHI that should be addressed

32
Agenda

• A Few Words on HIPAA
• Fair Information/Privacy Principles
• The Advent of the NHIN
• Perplexing Privacy Policy
• Questions, Comments, and Discussion

33
Perplexing Privacy PolicyConsumer Views

• California Healthcare Foundation Survey Results
  (2005)
• Consumer Focus Groups (ASPE)

34
Survey Findings Highlight Significant Concerns

• Concerned about privacy of PHI (67)
• racial/ethnic minority 73 diagnosed with a
  disease 67
• non-minority 62 No disease 63
• View paper as more secure (66 99 v 58 05)
• Concerned about employer access/use to limit job
  opportunities (36 99 to 52 05)
• 1 in 8 consumers have engaged in behavior
  intended to protect privacy (younger, racial/
  ethnic minority, diagnosed with a disease)

Nat'l Consumer Health Privacy Survey, CA
Healthcare Foundation, 2005
35
Government is Now the Least Trusted Party
36
Doctors Can Use My PHI Researchers less OK
MD
Researchers
Anyone
37
HHS 05 Consumer Focus GroupsHighlighted Points
Regarding PHI

• Have limited access
• Have limited to no control
• Do not trust the government
• Concern about inappropriate access (by employers,
  insurers, etc)

38
HHS 05 Consumer Focus GroupsMany Points
Regarding ePHI

• Demand control
• Want transparency and flexibility
• Stiff penalties
• Want high level of security
• Want notification of access
• Understand benefits
• Concerned about unanticipated consequences

39
Perplexing Privacy PolicyWhat are the Drivers?

• Push to Reduce Health Care Costs
• Reduce reliance on paper records
• Push to Reduce Medical Errors
• Increase networks, data sharing, availability
• Push to Improve Quality
• Availability of records for research
• Obtain aggregate data on measures and outcomes
• Push for Emergency Preparedness
• Electronic storage, availability

40
Perplexing Privacy PolicyWhat are the Drivers?

• Increased Consumer Awareness
• Seeing HIPAA notices
• Data breaches (Eli Lilly, VA)
• Government surveillance (NSA, public cameras)
• Concerns about misuse by employers, others

41
Perplexing Privacy PolicyThe Importance of Trust

• Promotes Individual Health
• Individuals must disclose sensitive, potentially
  embarrassing info to obtain appropriate care
• Promotes Public Health
• individuals with potentially contagious or
  communicable disease not inhibited from seeking
  care
• Promotes Comfort with NHIN, EHRs, PHRs
• consumers can reap the benefits

42
Perplexing Privacy PolicyNHIN Consumer Control
Models

• Most Flexible Environment
• Promotes individual choices control
• overly complex? unwieldy to navigate?
• expensive to design, implement, operate?
• individuals may inadvertently withhold info
  necessary for appropriate treatment
• jeopardize improvements in health outcomes that
  provide major justification for NHIN

43
Perplexing Privacy PolicyNHIN Consumer Control
Models

• Most Uniform Environment
• Fewer consumer choices promotes standardization
• Simple, easy to use, understand, navigate
• Less expensive to design, implement, operate
• Privacy and confidentiality protections
  ineffectual?
• Loss of public support for NHIN?
• Privacy concerns inhibit candor to providers
• Some individuals forego health care altogether

44
Perplexing Privacy PolicySome Questions for
Thought

• Should an individual have the right to insist PHI
  is maintained only on paper?
• Potentially protects privacy
• Loses benefits of NHIN
• Burden on providers to keep separate systems

45
Perplexing Privacy PolicySome Questions for
Thought

• Should participation in the NHIN be mandatory?
• No exceptions special cases ? less costly
• More comprehensive coverage of population
• Mistrust, lack of options ? less candor
• Mistrust, lack of options ? some forego treatment

46
Perplexing Privacy PolicySome Questions for
Thought

• If not mandatory, Opt-Out?
• Default PHI available via the NHIN
• individual may elect not to participate
• Simpler to administer
• Less costly to administer
• Likely greater NHIN participation rates

47
Perplexing Privacy PolicySome Questions for
Thought

• If not mandatory, Opt-In?
• Default PHI not available via NHIN
• Explicit permission required to transmit
• Increases individual autonomy
• Increases administrative burden
• More expensive to implement
• Likely lower participation rates

48
Perplexing Privacy PolicySome Questions for
Thought

• May providers condition treatment on
  participation in NHIN?

49
Perplexing Privacy PolicySome Questions for
Thought

• Should patients control the content of their
  health records? (Some say No)
• Essential to maintain the integrity of the
  contents EMR
• Changing EMR illegal in some states
• Amendments by addition adequate
• Interferes w/ appropriately informed provider
  decisions
• Individuals not competent to decide
• Possible malpractice liability for missing data

50
Perplexing Privacy PolicySome Questions for
Thought

• Should patients control the content of health
  records? (Some say Yes)
• Old, sensitive info not relevant to current
  clinical decisions
• Potentially embarrassing info accessible
  indefinitely
• Availability may lead to stigma, humiliation,
  even discrimination.
• Individual right to withhold, even if bad
  outcomes result
• Lack of control inhibits seeking treatment,
  endangering patient, publics health
• ER care adequate with standard limited data
  current diagnoses, meds, allergies, immunizations
• Additional PHI or access can be obtained with
  consent

51
Perplexing Privacy PolicySome Questions for
Thought

• What type of control should patients have?
• Based on age of PHI
• e.g., access denied only to records gt10 yrs old
• Based on condition or treatment
• e.g., reproductive health, mental illness, HIV,
  substance abuse
• Based on provider type or provider name
• No access to records of OB/GYNs or Dr. Q

52
Perplexing Privacy PolicySome Questions for
Thought

• What type of control should patients have?
• Entire record of provider or class of providers
  kept out of NHIN (e.g. all psychiatric providers,
  Dr. Q)
• Some parts blocked from access
• Some elements of record deleted altogether from
  the EMR, never make it to NHIN
• Can clinical decision support advise providers of
  problems by reviewing blocked records?
• Should blocked info be made available in
  de-identified form for statistical, data
  aggregation, quality, other purposes?

53
Perplexing Privacy PolicySome Questions for
Thought

• What controls, if any, should be placed on the
  use of consent to obtain medical information for
  non-medical use?
• Insurance Employment
• Education Credit
• Minimum necessary? Relevance?
• Role-based access criteria (who you are)?
• Contextual access (what youre doing)?

54
Perplexing Privacy PolicyConclusion

• Ideal world significant consumer control,
  available choices
• Consumers must understand the implications of
  withholding or disclosing information
• To benefit consumers, we need diligent education
  effort
• Education, Information must be understandable,
  culturally sensitive
• We must help consumers to
• Make the decisions they want to make
• Understand the implications of their decisions
• Make decisions that are good for them

55
References

• Executive Order 13335
• http//www.whitehouse.gov/news/releases/2003/01/20
  030124.html
• ONC, AHIC web sites
• http//www.hhs.gov/healthit/
• http//www.hhs.gov/healthit/ahic.html
• Natl Comm. on Vital Health Statistics
• www.ncvhs.hhs.gov
• Connecting for Health
• http//www.connectingforhealth.org/

56
Questions, Comments, Discussion?

• Maya A. Bernstein, J.D.
• Senior Advisor, Privacy Policy
• Office of the Asst Secretary for Planning and
  Evaluation
• U.S. Department of Health and Human Services
• 202.690.7100
• maya.bernstein_at_hhs.gov