In an effort to strengthen the control that patients have over health information privacy, the advocacy group Patient Privacy Rights has co-developed a "trust framework" that IT vendors and their clients can use to help measure whether systems comply with privacy principles.
The framework is a set of more than 75 "auditable criteria" based on 15 key privacy principles, says Deborah Peel, M.D.,, the group's founder and chair. It aims to provide an objective measurement of how well electronic health records and other applications, health IT platforms and research projects adhere to those privacy principles.
"The PPR Trust Framework is ... designed to help organizations ensure that technology and IT systems align with the privacy requirements of critical importance to patients and reflect their legal and ethical rights to health information privacy," Peel says.
The framework was developed by a group within Patient Privacy Rights - the bipartisan Coalition for Patient Privacy - along with Microsoft and the consulting firm PricewaterhouseCoopers, Peel says. It was developed, tested and validated on Microsoft's HealthVault personal health record platform.
Sharon Finney, corporate data security officer of the 37-hospital Adventist Health System, says the goals of the voluntary framework are admirable. But widespread use of the framework could prove tough to achieve without a mandate, given that IT vendors must also implement emerging federal guidelines that deal with privacy and security, she contends.
Among the 15 privacy principles supported by the framework are that patients can:
- Decide how and if their sensitive information is shared;
- Change any information they input themselves;
- Decide who can access their information;
- Easily find out who accessed or used their information.
While these patient controls and capabilities could be built into a commercial health IT systems, they could also be implemented by healthcare providers in that deploy IT, Peel notes.
For instance, "when health systems and health plans deploy patient/member portals, they should at a minimum use the PPR Trust Framework to ensure those portals are designed and deployed with privacy objectives in mind," Peel says. In addition, she says healthcare organizations "ideally should require all health IT systems, applications, and platforms to meet the PPR Trust Framework criteria. Privacy is not protected unless every link in the chain adheres to the privacy criteria."
For now, organizations and health IT vendors "are free to use the auditable criteria and measure their products to see how well they meet the public's expectations," she says. "We hope to be able to offer a formal licensing process in the next few months that is very reasonable cost-wise. It would require that the entity address all the criteria and that the entire set of results would be available on a website for the public to see for themselves."
Commenting on the value of the framework, Finney of Adventist Health System says: "My initial impression is this is definitely where we would all like to be as consumers of healthcare services."
Finney, however, portrays the framework as "somewhat idealistic." She adds: "It will take a great deal of time and effort to establish the degree of adoption and collaboration required to meet the specific audit criteria."
That's, in part, because health IT vendors already are evaluating how to implement emerging federal guidelines for interoperability and secure health information exchange, she says.
"Frankly if they are not mandated to comply and provide the necessary functionality to tie all of this together, it is unlikely they will invest in the costly re-engineering efforts to achieve this degree of consumer control," she says.
Finney suggests the new framework could be used in conjunction with other tools. Those include HITRUST's Common Security Framework for health data security and ISO 27000 set of information security standards. That would help "to ensure that these privacy audit items are implemented to the degree possible given the available functionality and the security maturity of the specific organization," she says.
Peel says her group's trust framework should, indeed, be used in conjunction with other benchmarks, such as the HITRUST framework or the DirectTrust's security and trust framework (see: HITECH: Meeting HIE Requirements).
"HITRUST and DirectTrust are intended primarily for organizations with respect to their operations or operations of their business partners, while the PPR Trust Framework is intended primarily for interactions between organizations and their patients and customers," she says.
Commenting on the concept of the new trust framework, Chuck Christian, CIO at St. Francis Hospital in Columbus, Ga., notes: "Having guiding principles around how sensitive information is shared is very important. But is this the appropriate framework to accomplish that goal? I'm unsure without a lot of additional review and discussion."
Meanwhile, Microsoft, which helped develop the framework, says the privacy principles involved are important to its HealthVault web-based personal health record platform.
"Ensuring the privacy of patient data is a key concern for any healthcare IT vendor," says Sean Nolan, distinguished engineer, Microsoft HealthVault. "Microsoft as a company advocates for a more standardized federal approach to the privacy of data, and this is especially true for the HealthVault team. We believe that it takes a deep corporate commitment to the privacy of patient data in order to support initiatives such as the PPR Trust Framework."