Navigating Privacy and SecurityIssues for HIE: A Consumer Perspective

Deven McGrawChief Operating OfficerNational Partnership for

Women & Families

www.nationalpartnership.org

• A nonprofit, nonpartisan consumer advocacy organization in Washington, DC

Our Priorities:• Improve health care quality – Americans for

Quality Health Care project• Promote fairness in the workplace• Advance policies that help women and men

meet the dual demands of work and family.

Our interest in Health IT and HIE

• Health IT and electronic health information exchange hold great promise for realizing dramatic improvements in quality by helping to Reduce medical errors Ensure care is more evidence-based Get patients more involved in their own

care Facilitate measurement and public

reporting of provider performance.

Our involvement• Co-chair of AHIC Confidentiality,

Privacy and Security Workgroup• Member, AHIC Personalized Healthcare

Workgroup• Member, HITSP• NEW: Grant from the Markle

Foundation to engage consumer advocacy organizations in state HIT/HIE efforts & provide them with technical assistance

Barriers to Rapid Implementation

• Consumer/patient concerns about privacy and security. Many believe movement to electronic

records will result in greater risk to patient privacy.

Survey data shows that the public has significant privacy concerns

Promise of e-health won’t be realized unless we ensure adequate privacy and security standards are built in from the start.

Establishing E-Health Networks Presents Enormous Challenges

• Overcoming public distrust• Finding a sustainable business model

and/or securing sufficient financial resources

• Interoperability • Legal/policy uncertainties – HIPAA,

state law variations

National Consumer Principles• Individuals should have a means of

direct, secure access to e-health information.

• Individuals should know how their e-health information may be used and who has access to it.

• Individuals should have control over whether and how their information is shared.

National Consumer Principles (cont.)

• Systems for e-health data exchange must protect the integrity, security, privacy and confidentiality of an individual’s information.

• Governance and administration of e-health networks should be transparent and publicly accountable.

So, what about HIPAA?• Confusion about scope is widespread

Too many use HIPAA as excuse for not sharing health information

At the same time, many believe it is insufficient to protect privacy

In a policy vacuum, fears about insufficient privacy protection take center stage – little room for public debate about risks of not moving forward.

Facing the HIPAA Challenge

• Some options: Start over Do nothing – current law will suffice Clarify - & modify if necessary

(federal response) States still have the option to adopt

more stringent standards vs. single standard

AHIC CPS Workgroup

• Spring 2007: recommended to AHIC that HIPAA “covered entities” include all engaged in HIE (rejection of business associate model)

• Next steps: Should all HIPAA requirements apply to

all HIE entities equally? Do we need more than HIPAA in some

circumstances?

Involve Consumer Advocates in Health IT Discussions

• Consumer advocates should be part of the difficult discussions – particularly with respect to setting policies for privacy and security.

• Consumer advocates can mobilize their constituencies and provide the “push” needed to get systems implemented.

• Not including consumers in the discussion could jeopardize success of the project.