Trade Law Daily is a service of Warren Communications News.

Privacy, Security Solutions Called Crucial to Health IT Expansion

Privacy and security concerns about health information technology will only heat up in the next year or so, panelists said Tuesday at the Healthcare Information and Management Systems Society’s annual policy forum. Continuing tension between access and protection must be considered as policies are drafted, said Jodi Daniel, director of the HHS office of policy and research in the office of the national coordinator. “Both of them are very important goals that we need to think about in tandem,” she said.


Daniel urged patience by audience members frustrated by slow progress. The next administration’s work in this area will be able to take off thanks to the groundwork being laid, she said. “It’s not wise to try to push adoption before you have standards,” she said. But Wendell Primus, an aide to House Speaker Nancy Pelosi, said budgets reflect priorities, and health IT has not been a Bush budget priority.

The U.S. approach to protecting information typically focuses on the data, not the consumer, Daniel said. Most U.S. privacy laws address a particular type of information or type of entity subject to the law. A consumer-oriented approach would give an individual power to determine who has access to his or her information. New capabilities offered by health IT raise new questions, she said, such as whether the Health Insurance Portability and Accountability Act (HIPAA) should cover health information exchange organizations. Daniel said her office considers questions about new capabilities from the existing privacy foundation, rather than try to develop new policies.

Congress probably will revisit health IT legislation next year, once it has addressed economic recovery bills and a belated appropriations cycle, Primus said. It’s unclear whether health IT will be considered singly or in a larger healthcare package, he said, but he told the group they'd be better off if health IT got its own bill. He said the House Commerce Committee staff continues to work on health IT, and he believes there will be a “good, Democratic” bill next year. The Speaker strongly believes health IT is a basis on which health care reforms can be built, he said. Debates on proper use of information persist, however. “To what extent is your health record a public good?” he asked. As an example, he said, if he took a prescription drug that caused him to have a heart attack, others would want to know that information to put it to use for other patients.

That example helps explain the need for more anonymization of data, said Deven McGraw, director of the Center for Democracy and Technology’s Health Privacy Project. Doctors need to know that a male with certain health indicators had a heart attack after taking the drug, she said. “That information doesn’t need to be identifiable to Wendell to be useful,” she said. The core issue, she said, is ensuring data protection regardless of where the data are stored or where they go. New entities are springing up that HIPAA doesn’t cover, and in some cases HIPAA might not be a good fit, she said. Internet companies offering online personal health records, for example, have different business models than healthcare delivery organizations. “Microsoft is a wonderful company. But they weren’t built to deliver you health care,” she said.

Jumping off a keynote speaker’s point about the ubiquity of connected financial systems, McGraw agreed that people love to bank and shop online and willingly give credit card information to do so. But they do so because a technological infrastructure is in place and laws limit individual liability in case of a breach, she said. -- Leslie Cantu

HIMSS Notebook…

Both major-party presidential candidates support health IT, though not necessarily agreeing on how to spur adoption. Deb Mizeur, health policy adviser to Obama for America, and Jay Khosla, health policy adviser to McCain 2008, spoke at Tuesday’s HIMSS public policy forum. The subject was health IT, but the two focused on general health care policy, only briefly addressing health IT. Mizeur cited health IT as critical to reducing waste, among Obama’s five “overdue” steps to transform health care. Obama has pledged $10 billion per year over five years to push adoption of electronic systems. Resources must be available to speed adoption, Mizeur said. Khosla said Obama’s $50 billion would be a mere magnet for lobbyists. Instead, he said, interoperability needs attention, with a public-private partnership to set standards rather than government imposing them. Payment reform can spur adoption, he said, citing Medicare payment reforms. Khosla expressed general support for AHIC and other existing efforts, but said some should be streamlined so technologies are certified more quickly. Mizeur said Obama hasn’t taken a position on work already done by AHIC, but generally agreed on the need for an evaluation of what is working. -- LC

----

Most health-care organizations do formal risk analyses on patient data stored electronically, according to a Booz Allen Hamilton survey for the Healthcare Information and Management Systems Society. The survey of 155 IT professionals working at health-care organizations found that 78 percent of surveyed organizations do risk assessments, with 48 percent of those doing them annually. Most respondents weren’t concerned about medical identity theft at their organizations. But 67 percent are considering evaluating the threat as part of overall privacy policy. Most share electronic patient data with others, most often state or federal government or public health entities. Organizations have various ways to control internal access to information. Eighty-one percent limit access based on user identity, 70 percent limit access based on user role, 33 percent limit access by location and 32 percent limit access based on group. Only 14 percent limit access with a rule-based approach. Twenty-five percent allow patients access to their own electronic data, and the type of information most often made available is financial or insurance. Information security generally was reported as a fraction of IT budgets. Twenty-one percent of respondents said their security budget was less than 1 percent of total IT spending, and 36 percent said it was 1 to 3 percent.