MEDICAL PRIVACY: Nonpartisan Panel Issues Recommendations
A diverse, nonpartisan panel on health privacy yesterday released a report detailing steps that should be taken to ensure the privacy of medical records. Most notably, the panel recommended that all patient information be kept as "non-identifiable" as possible and that any recipients of health information be prohibited from re-disclosing the information in personally identifiable form without specific patient authorization. The blueprint by the Health Privacy Working Group -- staffed by the Health Privacy Project (www.healthprivacy.org) of Georgetown University's Institute for Health Care Research and Policy, and funded by grants from the Robert Wood Johnson Foundation and the California HealthCare Foundation -- comes only weeks before Congress' August 21 deadline to take action on health privacy legislation, after which HHS will issue its own guidelines. Janlori Goldman, director of the Health Privacy Project, stressed that the recommendations provide only a baseline for change, not a substitute for enforceable rules. They may, however, be timely in that regardless of congressional action, there will be significant developments with regard to privacy in the next two years. Bernard Lo, director of the Program in Medical Ethics at the University of California-San Francisco and the chair of the Working Group, said that as Congress -- and more likely HHS -- takes up the issue of privacy, he hopes that the group's findings will be "widely disseminated" for use in the formulation of policy, as well as its implementation. Goldman stressed that the Working Group comprised several "very diverse interests," including representatives from health plans, providers, patient advocates, ethicists and patients.
Goldman said absent proper assurances of confidentiality, patients withhold information, lie to doctors, avoid getting care and "doctor-hop" from provider to provider. Lo added that new forms of information technology have "unprecedented potential" to revolutionize medicine, but also create a whole host of new problems, in that they allow medical information to be much more readily transmitted to a variety of new recipients. He said the Working Group's mission in its recommendations was to strike a balance between allowing patients control of their own information and not impeding the normal flow of data. The group's 11 principles, intended to be implemented as a whole, are as follows:
- Health care organizations should remove personal identifiers to the fullest extent possible, consistent with maintaining the usefulness of the information.
- All recipients of health information should be bound by all the protections attached to the data when first collected.
- Except in certain cases, an individual should be able to access and supplement their own information.
- Individuals should be informed of their rights with regard to their health information.
- Health care organizations should implement safeguards for the security and use of health information.
- Patients should authorize the use of their information, on two tiers: A single, one-time authorization for core health activities, such as treatment and payment, followed by (as necessary) a second authorization for such cases as marketing or disclosure to an employer. The standard would not apply in the case of legally enforced disclosure for public health purposes.
- Health care organizations should establish policies regarding the collection, use and disclosure of information.
- Health care organizations should use an objective process to review the use and disclosure of personally identifiable information.
- Information should not be disclosed to law enforcement, absent a compulsory legal process.
- Privacy protections should be implemented so as to enhance laws preventing discrimination on the basis of health status.
- Effective remedies for privacy violations should be established.
Speaking of Which
House Ways and Means health subcommittee Chair Bill Thomas (R-CA) announced yesterday he will hold a hearing Tuesday on patient privacy legislation. He said, "The importance of information to America's modern health care delivery system cannot be overstated. The rapid exchange of information, much of it personal in nature, is critical to the delivery of high quality care, the increasingly complex financing of care, and ongoing efforts to improve quality" (Jeff Dufour, California Healthline).