Reproduction permitted for personal use only. For reprints and reprint permission, contact firstname.lastname@example.org.
If healthcare organizations truly want to protect patient privacy and earn public trust regarding electronic health records (EHRs), they need to let go of the notion that institutions control individual data and look for technology that lets patients take charge of information flow, a well-known healthcare privacy advocate told a Madison audience Tuesday.
Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation
, noted that many commercial EHRs started as systems to improve the operational side of healthcare and increase reimbursement, not to improve clinical care. Meantime, a culture of data-selling has emerged over the years. "We're stuck with these frankly primitive and privacy-disruptive systems that need to be fixed," Peel said at WTN Media's 11th annual Digital Health Conference.
To Peel, last week's revelations that the National Security Agency has been tracking phone calls and e-mails of virtually every American for at least six years shined a light on an issue that long has been prevalent in the healthcare industry. "In healthcare we actually have a total surveillance economy, too," said Peel, an Austin, Texas, psychiatrist.
Lost in the hubbub over the NSA surveillance, Peel said, was a June 5 story in Bloomberg Businessweek
about states from coast to coast selling "deidentified" health data from healthcare providers that actually can easily be matched to individual patients. It is a "fallacy" to think data can be protected with deidentification techniques, according to Peel.
"We don't actually know where our health data goes. We have no chain of custody, much less control over our health information," she said. Having personal information get out could lead to "health discrimination" in employment or insurance coverage for patients with mental health disorders, sexually transmitted diseases or cancer, Peel added, and the threat of a breach often leads to care avoidance.
"Millions of people refuse to get treatment because they know records aren't private," Peel said. She cited a 2005 Forrester Research survey
commissioned by the California HealthCare Foundation survey showing that one in eight patients hides or withholds health information to safeguard their own privacy.
The time to implement tighter privacy protections is now, according to Peel, just months before Stage 2 of the federal EHR incentive program known as Meaningful Use gets underway. Stage 2 requires a degree of health information exchange between organizations and mandates that providers engage a small percentage of patients in their own care through online portals or personal health records. The third stage, which will not start before 2016, likely will increase the imperative to share information.
"We've got to close the barn door before we start chasing after horses," Peel said in her folksy Texas drawl. "That's a Whac-A-Mole deal."
She expressed optimism that the Direct Project
, an open-source protocol for health information exchange that already is getting wide acceptance, might put patients at the center of data movement and help ensure greater privacy. Patient Privacy Rights' new CTO, physician-entrepreneur Dr. Adrian Gropper, helped create a secure e-mail system for Direct. E-mail addresses can serve as the unique patient identifiers necessary for health information exchange, and individuals can have different addresses for different providers so they can segment out sensitive data, Peel said.
"The patient gets to know where the data goes."
One attendee, Gene Thomas, vice president and CIO at Gulfport Memorial Hospital in Gulfport, Miss., expressed concern that patients might download health data through a secure portal or via a Direct e-mail address, but then open themselves up to a breach by forwarding messages by standard, unencrypted e-mail. Peel acknowledged that it will take a lot of effort to educate the public about security, but expressed disappointment that regular e-mail is not encrypted.
"We need to make this stuff easy for regular humans," Peel said. "To run my refrigerator, I don't need to learn how to install Freon."