Correspondence
Shifts in Health Information
N Engl J Med 2008; 359:209-210July 10, 2008
- Article
To the Editor:
In their Sounding Board article on shifts in health information, Mandl and Kohane (April 17 issue)1 observe that “companies providing PCHRs [personally controlled health records] are not covered entities under the Health Insurance Portability and Accountability Act (HIPAA),” but incorrectly suggest that extending HIPAA to them would improve privacy. Publicly available PCHR systems are already prohibited from releasing information to private parties without the consent of the account holder under the federal Electronic Communications Privacy Act.2 However, HIPAA's privacy rule provision for disclosure without consent for “treatment, payment, or healthcare operations” (TPO) actually eliminates privacy. Although it at first appears to be quite reasonable, the decision about whether a specific disclosure is for TPO is made solely by the entity that holds the information, with no notice to the patient, no possibility for review or appeal, and no required audit trail. Clearly, the information holder is conflicted in making this decision and would tend to classify all desired disclosures as TPO. Further, the lack of audit-trail requirements for TPO disclosures means that there is no way to detect or assess abuse or violations. Therefore, extending HIPAA coverage would allow the use of PCHR information without consent, nullifying consumer control and privacy.
2 ReferencesWilliam A. Yasnoff, M.D., Ph.D.
NHII Advisors, Arlington, VA 22201
william.yasnoff@nhiiadvisors. com Deborah C. Peel, M.D.
Patient Privacy Rights Foundation, Austin, TX 78767James C. Pyles, J.D.
Powers, Pyles, Sutter, and Verville, P.C., Washington, DC 200051
Mandl KD ,Kohane IS . Tectonic shifts in the health information economy. N Engl J Med 2008;358:1732-1737
Full Text | Web of Science | Medline2
18 U.S.C. pt. I, ch. 121, §§ 2701-2712 (1986). (Accessed June 20, 2008, at http://www.access.gpo.gov/uscode/title18/parti_chapter121_.html.)
To the Editor:
Mandl and Kohane have tilted toward a more optimistic scenario for PCHRs than is currently warranted. Although they mention several potential problems, they have failed to mention one of the most serious issues: the potential undermining of the value, accuracy, and completeness of provider records. In this brave new world, every provider will still have the obligation to keep a clinical, legal, and business record of all patient encounters, and indeed, physicians will still rely primarily on these records when seeing their patients. Although the providers could also be granted access to the patient's PCHR, they will probably not bother to do so in many cases. Even if they do, clinical data may have been altered by the patient (e.g., HealthVault allows this). Although the patient's PCHR could provide automatic updates to the provider's electronic health record, this will require significant changes in priorities and motivation regarding data interchange. Couple this with decision support in the PCHR (e.g., drug-interaction alerts leading to patients' discontinuing medications), and physicians may be operating with less accurate information.
Donald W. Simborg, M.D.
407 Old Downieville Hwy., Nevada City, CA 95959
dsimborg@sbcglobal.net Author/Editor Response
Comprehensive electronic health information has extraordinary value for health care quality, research, discovery, and cure. A policy too protective of privacy that chokes information flow for these core health care functions would have a chilling effect on patient safety and medical progress. Use of data with institutional safeguards or institutional-review-board (IRB) approval but without individual consent — for example, under an IRB protocol with a HIPAA waiver — is appropriate to support research and quality outside the PCHR context. Nonetheless, we would discourage PCHR platform vendors from aggregation, secondary use, or disclosure of data — personally identifiable or not — from PCHRs without consent. A guarantee of strong individual control is critical for building the trust of consumers who may be enticed to use a PCHR. Therefore, sharing of PCHR contents should be the choice of an individual patient or the patient's proxy, and in the case of minors, family members may participate in that choice. Yasnoff and colleagues raise the legitimate concern that even if current HIPAA regulations were extended to PCHR vendors such as Google and Microsoft, consumers would not be guaranteed the very control over health-information disclosures that is the C in PCHR. Yet Yasnoff and colleagues misread us; we point out that extension of HIPAA to PCHRs is under consideration but we do not suggest that HIPAA strikes the right balance. Rather we predict that protections would probably arise through a combination of mechanisms, including federal regulation.
Simborg is appropriately forward-looking in his comments. Should there be a tipping point in consumer adoption of PCHRs, providers could, with the permission of the patient, rely on the PCHR at health care encounters as a source of complete information integrated across sites of care. However, they will not trust PCHRs if the health care provider data in them may have been altered. Hence, personal control over manipulation of data must be balanced against the need for a useful record. In the Indivo deployment at Children's Hospital Boston, we allow annotation of data and granular control over sharing of individual documents in the record. However, no data uploaded from a clinical source may be edited, and the original source is always evident.
Kenneth D. Mandl, M.D., M.P.H.
Isaac S. Kohane, M.D., Ph.D.
Children's Hospital Informatics Program, Boston, MA 02115- Citing Articles (1)
Citing Articles
1
Corey M. Angst. (2009) Protect My Privacy or Support the Common-Good? Ethical Questions About Electronic Health Information Exchanges. Journal of Business Ethics 90:S2, 169-178
CrossRef
