This is an annotated timeline documenting the activities of the National Health Information Network. Related documents, when available, are linked. Additional source documents follow the timeline.
The National Health Information Network (NHIN) is an ambitious modernization plan proposed by the U.S. government. The idea is to move as an entire nation from paper medical files to electronic medical files that are shared. Specifically, the government goal is to digitize patients' health records and medical files and create a national network to place the information in. The network, called the NHIN, would be a sophisticated network that hospitals, insurers, doctors, and others could potentially access. Such a network brings patient privacy, security, and confidentiality issues into sharp relief.
Medical privacy | HIPAA | FTC -- According to a legal complaint, CVS pharmacies -- the largest pharmacy chain in the United States -- did not take appropriate steps to protect its customers' and employees' sensitive information when it improperly disposed of documents, labels, prescription bottles, and other items with clearly identifiable and highly sensitive personal information such as SSNs, prescription information, driver's license numbers, and other information still on those materials. CVS agreed to pay $2.25 million to settle its violations of HIPAA as part of a Resolution Agreement with the Department of Health and Human Services. CVS has also signed a consent agreement with the FTC; the public can comment on this agreement until March 20, 2009. The World Privacy Forum will be filing comments with the FTC on the consent agreement with CVS, which we will post here.
Genetic privacy -- The World Privacy Forum presented a talk at the World Congress in Washington D.C. today on the intersection between genetic privacy and marketing, and on genetic issues and medical identity theft. The presentation exposed the list marketing activities surrounding health care data, and examined how the current loopholes in the recently passed Genetic Information Nondiscrimination Act (GINA) would not necessarily ease issues with incidental collection and use of genetic information.
HITSP -- World Privacy Forum executive director Pam Dixon was elected to be the consumer representative on the HITSP board (Health Information Technology Standards Panel). HITSP is a national standards-setting body that is part of ANSI (The American National Standards Institute) and is working on specifications and standards for the National Health Information Network. The term will begin in January of 2009.
SAN DIEGO, Ca., Sept. 24 -- The World Privacy Forum’s latest report, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers, discusses the applicability of the new FTC regulations to the health care sector along with suggestions for providers. The report addresses newly issued regulations by the Federal Trade Commission that require financial institutions and creditors to develop and implement written identity theft prevention programs. Health care providers – whether they are for-profit, non-profit, or governmental entities – may have obligations under the new rules.
Human Subjects Research Protection (OHRP) -- The World Privacy Forum filed comments with the Office of Human Research Protection urging the office to do more to protect the privacy of people who are subjects of research. The comments urge the OHRP to focus more attention on providing privacy-specific training for boards overseeing research, which are often weak in knowledge about the breadth of privacy issues in research. The WPF also voiced its strong support for certificates of confidentiality for research involving human subjects, stating that "nearly all research that involves identifiable health data or other personal data about individuals should have a certificate of confidentiality unless a researcher can state a substantive reason why a certificate is not appropriate for the study."
SACGHS | Oversight of genetic testing -- The Secretary's Advisory Committee on Genetics, Health and Society (SACGHS) released its final report on Oversight of Genetic Testing (U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of Health and Human Services, April 2008, PDF, 276 pages). This is a substantial, thoughtful report that is likely to have a long-term impact on the field. The World Privacy Forum submitted formal written comments regarding this report when it was in draft form, and also appeared before the Committee in person in February of 2008 to discuss additional information relevant to the report. The final report reflects the World Privacy Forum comments and testimony. The report now includes a discussion about Direct to Consumer advertising and marketing as well as related privacy issues. The discussion in the final report also now acknowledges the implications of Direct to Consumer marketing of genetic tests regarding online privacy. The final report also reflects generally increased attention to privacy issues.
Health Care Innovations workshop -- The World Privacy Forum will be speaking at an upcoming FTC workshop on the topics of medical identity theft, personal health records, and direct-to-consumer genetic tests and marketing. The workshop is April 24, 2008. Workshop information is available at the FTC web site.
Behaviorally targeted advertising | FTC proposed rules -- The World Privacy Forum filed comments in response to the Federal Trade Commission's proposed self-regulatory guidelines for companies targeting online advertising to consumers based on consumer behaviors. The WPF requested a separate, formal rulemaking process for determining how sensitive medical information should be handled online regarding behaviorally targeted advertisements. The WPF also discussed genetic data and requests for genetic tests, and noted that genetic information should be included in any definition of sensitive medical information. The WPF reiterated that the definition of personally identifiable information should include IP address, and encouraged the FTC to work from a rights-based approach regarding online advertising. The WPF also urged the FTC to include all fair information practices in any self-regulatory regime, and to enforce the regime directly.
Patient Safety Organizations | Proposed rulemaking -- The World Privacy Forum filed extensive comments today regarding privacy protections for patients whose health care information will be shared with patient safety safety organizations under newly proposed Department of Health and Human Services regulations. After a landmark Institute of Medicine report on the prevalence of medical errors and their harmful impact on patients (To Err is Human), the U.S. Congress eventually passed the Patient Safety Act (2005). The Patient Safety Act allows extensive health care data of patients to go to patient safety organizations. The idea is to provide a form of quality control. The Agency for Heathcare Research and Quality (AHRQ), part of HHS, has published its proposed regulations implementing the Act. The World Privacy Forum has made 14 recommendations for substantive changes in the proposed rules to protect patient privacy. The World Privacy Forum asked the Agency to expressly mandate that all patient data be de-identified or anonymized to the greatest extent possible, that the proposed rule should expressly require data use agreements for any data sharing, that the patient information be labeled as subject to the Patient Safety Act, and strongly urged that patient safety organizations be required to maintain an accounting of disclosures at least equal to HIPAA, among other recommendations.
Medical ID theft -- Based on interviews with numerous victims and others involved in the crime of medical identity theft, and based on our own work with victims, the World Privacy Forum has added some new information to its 2006 consumer tips for medical identity theft. We have also slightly updated some of the older tips based on new information. The Forum has also updated its medical identity theft landing page to reflect our new and ongoing work in this area.
PHRs have been promoted in recent years as being an empowering panacea of benefits for consumers, but there has been little meaningful discussion of the complex and serious privacy issues PHRs can raise. For example, very few consumers know that not all PHRs are protected by HIPAA, the federal privacy rule that applies to medical files held at, for example, hospitals.
In PHRs, important information about privacy procedures and policies is contained in the fine print, and the fine print really matters. That’s because some PHRs are covered under HIPAA privacy protections, but many PHRs are not covered under HIPAA privacy protections. Few consumers understand that their health care files are not always protected under HIPAA when their files are in a PHR.
New publication | PHRs and privacy -- The World Privacy Forum has published a new legal and policy analysis examining Personal Health Records -- or PHRs -- and the privacy issues associated with them. This analysis, Personal Health Records: Why Many PHRs Threaten Privacy, was prepared by Robert Gellman for the World Privacy Forum. The analysis finds that significant, serious threats to privacy exist in some PHRs.
Consumer advisory | PHRs and privacy -- The World Privacy Forum has issued a consumer advisory about the privacy of PHRs to help consumers understand and approach the complex privacy issues PHRs can raise. Consumers need to know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting.
This report is a legal analysis of PHRs and what privacy issues are at stake in PHRs, especially PHRs that exist outside of HIPAA, the federal privacy rule.
Personal health records – or PHRs – are a relatively new phenomenon in health care today. As discussed here, a PHR is a health record about a consumer that includes data gathered from different sources (e.g., health care providers, insurers, the consumer, and third parties such as gyms and others) and is made accessible, often online, to the consumer and to those authorized by the consumer. Businesses large and small are moving to take advantage of the potentially lucrative new business model PHRs provide, especially as leveraged through the Internet. Some of the newest PHR players include large and well-known technology companies, but some health care providers, insurers, and employers also promote PHRs. There are dozens of different PHR vendors.
The HIPAA privacy rule provides a degree of privacy protection for covered health records. The rule has problems and gaps, but it does establish minimum national privacy standards for disclosure, access, correction, and other elements of fair information practices. State laws that provide additional privacy protections remain in effect and can provide additional legal protections for privacy.
Many people are aware that health information may be privileged, but few – including some physicians – fully understand what that means. The physician-patient privilege (and the sometimes separate psychotherapist-patient privilege) offers some protections for confidential communications between physician and patient.
Health records, like just about any other record containing personal information held by a third party, can be subpoenaed under a variety of circumstances. For example, a consumer’s records could be sought in a tort suit (e.g., auto accident or medical malpractice), in a divorce or other family lawsuit, or sought if the records are relevant to someone else’s lawsuit. The rules governing subpoenas for health records are complex, and HIPAA includes some significant procedural protections.
Perhaps the biggest single concern about commercial PHRs is the possibility that a consumer’s health information will leak into the marketing system. The terms under which a PHR operates could allow the sale or rental of consumer information in the same way that magazines, catalog companies, magazines, charities, or other merchants and activities share information with limited or no consumer knowledge or consent. Consumers generally have some sense about how readily companies and agencies pass personal information around, but they do not expect the same kind of sharing when it comes to personal health information.
Some PHRs present themselves as a depository of health information under the control of the consumer. The suggestion is that the records have inherent privacy protections because the consumer has some choices or control over the record, including who may see, add to, or change the record. By contrast, covered entities under HIPAA can disclose health records to many institutions for many purposes without consumer consent. That is one of the controversial aspects of HIPAA. HIPAA allows many disclosures without the consent of – and indeed over the objections of – the consumer.
Some privacy protections exist because independent health care providers maintain separate records about consumers. A dentist has one set of records; a family doctor has another set. It will often be the case that the two sets of records are not linked or shared routinely. However, those who obtain health care from a single health maintenance organization may already have centralized records. Linkage of health records offers some advantages, but not all linkages are necessarily welcome to consumers.
Security is an important part of privacy. Are PHR records more secure? The answer depends on who maintains the PHR and whether the security of the PHR is sufficient. Information held by health care vendors and insurers is subject to the HIPAA health record security rule. For what it is worth, the HIPAA security rule has attracted less criticism than the HIPAA privacy rule. Whether any given health record keeper is actually doing a good job of complying is hard to say.