Transcript Health Data Flows: Where PETs Can Help

Health Data Flows:
Where PETs Can Help
PORTIA Workshop on Sensitive Data
July 8, 2004
Anna Slomovic, PhD
Electronic Privacy Information Center
EHRs Promise Great Things

Improve quality of care






Reduce duplication
Reduce medical errors
Provide the right care at the right time and
place
Increase access to care
Reduce administrative burden
Improve research and public health
Implication: broader and more frequent
access to PHI
EHRs Create New Privacy Concerns
for Patients




Reduced ability to shield sensitive
information
Inability to “leave the past behind”
Inability to refuse participation in certain
activities, e.g., research?
Linking between health information and
other information, e.g., welfare
To maximize patient privacy, the best EHR is highly
fragmented with fragments under patient control
EHRs Create New Privacy Concerns
for Physicians

Reduced autonomy in the practice of
medicine



Tracking of utilization and compliance with
care guidelines
“Pay for performance”
Reduced ability to provide autonomy to
patients
To maximize physician privacy, the best
EHR allows physicians role-based access
Outline



Privacy concerns raised by EHRs
The current data flows
How PETs can help
Existing Regulations Permit Data
Flows Without Patient Consent









Treatment
Payment
Health care operations
Public health
“Required by law”
Health system oversight
Reporting victims of abuse and neglect
Law enforcement, judicial and administrative
proceedings, specialized government functions
Research (with some restrictions)
Permitted disclosures without patient
consent number in the dozens
Patients May Not Know What the
Terms of “Notice” Mean

Health Care Operations



Legal, accounting, auditing services
General administration
Also Health Care Operations






Outcomes evaluation and guidelines development
Accreditation of professionals
Training of health care and non-health care workers
Fundraising for the health care entity
Data analysis for plan sponsors or customers
Detection of “fraud, waste and abuse”
Who Performs “Health Care
Operations”?








Consultants
Lawyers
Accountants
Medical transcription
companies
Software development and
maintenance contractors
Medical equipment
manufacturers and service
companies
Pharmacy benefits managers
Document scanning or data
input companies










Offsite records storage
companies
Document destruction
companies
Credentialing organizations
Accreditation agencies
Licensing agencies
Medical schools
Training companies
Banks
External fundraising agents
Collection agencies
Secondary users not regulated by HHS
“Consumers who examine the audit trails of access to
their data may be surprised by how many different
people and entities access their data. These are not
security violations, but routine clinical and business uses
of identified clinical data. … [C]onsumers will have to be
educated about the realities of how their personal health
information is used.”
“[T]he very benefit of regional information exchange
arises from physician adoption, and if physicians are
reticent to participate in something that might be used
against them (or simply fear that it could be used against
them), then this benefit of physician practice evaluation
may have to be foregone for the foreseeable future.”
D. J. Brailer et al., Moving Toward Electronic Health Information Exchange:
Interim Report on the Santa Barbara County Data Exchange, prepared for
the California HealthCare Foundation, July 2003
Outline



Privacy concerns raised by EHRs
The current data flows
How PETs can help
We Need to Return to Basic
Questions



Should all health care providers have
access to all PHI?
Should secondary users have access to
PHI without patient or physician consent?
How can EHR systems be built to provide
greater control to patients and physicians?
PETs As Part of the Answer

Fully identified records provided only for whose
who need identity to do the job



Pseudonymity (protecting patients from curiosity, e.g.,
in labs or pharmacies)
Group signatures (protecting physician identity in
patient interactions; protecting patient identity in
some interactions)
Complete records only when needed


Secret sharing (record fragmented until necessary,
e.g., in emergency, with patient consent)
Selective disclosure (disclosing medications without
disclosing diagnosis or physician name)
PETs As Part of the Answer, Cont’d

Secondary users work with de-identified
information

Private information retrieval (looking for types of
cases without disclosing links between identity and
case)




Research
Disease and bioterrorism surveillance
Clinical guidelines development and improvement
Privacy-preserving datamining (looking for patterns
without sharing information)



Research
Quality of care analysis
Fraud detection
System Can Be Built With More
Control for Data Subjects

Menu of pre-set choices in EHR



Who and when can access records without
further consent
Contact information to obtain consent outside
pre-set parameters
“Expiration” of one-time past episodes of
care
“Most
interviewees were willing to allow the use of
their information for research purposes, although the
majority preferred that consent was sought first. The
seeking of consent was considered an important
element of respect for the individual. Most
interviewees made little distinction between
identifiable and anonymised data.”
Willison, Donald J; Keshavjee, et. al, “Patients' consent
preferences for research uses of information in electronic
medical records: Interview and survey data,” British
Medical Journal (International Edition), February 15,
2003.