Monday, April 16, 2012

Privacy and Security Considerations for Emerging Health Information Exchanges: Notes from Utah and New York

Earlier this month the Utah Department of Health issued a press release describing a cyber attack on its server, in which hackers removed information for approximately 780,000 individuals. According to the Department of Health, the information contained personal records of individuals within the state, including Medicaid and Children’s Health Insurance Plan recipients.

Permutations of this scenario (whether hacking into a computer server, losing a USB key, or having a laptop stolen) are all familiar news headlines announcing a security breach of individuals' health and personal information. Human error and human opportunism make it likely that we will continue to see such information breaches in the future, despite steps to mitigate potential security threats.

As states begin to develop legislation and promulgate rules to govern their electronic health information exchanges (HIE), they should carefully balance residual security and privacy risks with the potential promises of a functional HIE when determining policies relating to how a system enters an individual’s electronic health record (EHR) and what portion of the EHR the state enters into the HIE.

Last month, the New York Civil Liberties Union (NYCLU) issued a report, Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange, which articulated numerous privacy, security, and functional concerns with the state’s emerging HIE. Currently, New York employs a blanket consent procedure for record access and enrolls patients of participating providers into the state's regional health information organizations (RHIOs). 

Among numerous concerns, NYCLU’s Report highlights two distinct issues with this approach:

(1) New York does not provide a mechanism for patients to limit sharing stigmatizing sensitive information such as substance abuse records or mental health treatment if they consent to participate in the exchange; and

(2) Although physicians must obtain consent to view patient information in the exchange, participating providers enter patient medical information into the exchange without patient consent and patients cannot opt-out of the record locator system.

The Office of the National Coordinator for Health Information Technology’s HIT Policy Committee has asserted that a form of granular control over health data can protect the confidentiality of narrow categories of sensitive health information while fostering patient autonomy, promoting trust in medical providers, and building confidence in the growing use of HIT. Although too much data segmentation or too many exclusion options could confuse patients and undermine the purpose of the HIE as a comprehensive record system, some groups, such as the NYCLU, argue that existing state law requires the capacity for granular control over statutorily identified categories of sensitive medical information. This assertion serves as a reminder that each state contains varied protected categories of sensitive medical information as well as different standards defining additional measures relating to sharing and accessing this information. Earlier this month, the New York Department of Health and the New York eHealth Collaborative established the State Health Information Network of New York Policy Committee to examine these and numerous other concerns over the state’s current policies and procedures governing the exchange.

Patients may also be wary of the security of their identifying records available in the HIE registry system, as a breach could reveal both personal information and the entirety of the patient’s medical records that providers have entered into the HIE. A breach of the HIE would not only invade the patient’s abstract notion of privacy over sensitive information, but could also expose the patient to quantifiable concrete harms such as identity theft, fraud, and the costs associated with investigation and mitigation.

Some victims involved in major medical security breaches have asserted that once information such as social security numbers, patient demographic information, and medical records are accessible in a breach, victims face an imminent and continuing risk arising from the security breach itself regardless of whether an outside party has used the information. Currently, some courts have ruled that even where a third party steals media containing patient information, if the victims cannot prove that a third party actually accessed or used the information, then claims for future financial harm arising from a security breach are insufficient to constitute an actionable injury. To address these legitimate concerns, jurisprudence should evolve with the recognition that potential third party use of this information may be difficult to identify and costly to monitor. Further, months may pass following the initial breach before victims notice fraudulent activity, such as in the substantial TRICARE data breach.

State legislatures should remain cognizant of both patients' desire for privacy and their corresponding wish to limit access to sensitive medical information, as well as security concerns from both accidental and intentional breaches of patient information during the initiation or expansion of the state's HIE.
-Katherine Drabiak-Syed
