HIEs Need to Get Serious on Privacy
The Rhode Island affiliate of the American Civil Liberties Union has sued the state department of health, alleging it did not do enough to make sure patient privacy is protected when information is exchanged via the state's emerging HIE.
The ACLU is asking the state's Superior Court to declare the policies governing the HIE "null and void" and require the state to issue more complete privacy and security regulations.
Other emerging HIEs should pay attention to the points the ACLU made in Rhode Island when calling for more detailed privacy regulations.
ACLU argues that under the Rhode Island Health Information Exchange Act, the state must enact detailed regulations after getting public comments. In its suit, ACLU says the state adopted sketchy policies, rather than formal regulations, on privacy and security and did not hold hearings as required.
In a statement, the ACLU said it is "crucial that regulations setting up the system be as detailed as possible, explaining, for example, the rights patients have to opt out of the system, to correct information contained in it, and to ensure appropriate confidentiality of the data."
Other emerging HIEs should pay attention to the points the ACLU made in Rhode Island when calling for detailed privacy regulations, regardless of applicable laws in their states. And keep in mind, the HITECH Act sets tougher penalties for violations of the HIPAA privacy and security rules and spells out certain patient rights.
To succeed, any HIE in any state needs to build public trust that the information it exchanges will remain private. And if states or HIEs fail to spell out detailed privacy rules and regulations, it will be difficult to develop that trust.
In a recent interview, Irene Koch, executive director of the Brooklyn Health Information Exchange, stressed that HIEs must focus on privacy and security as they develop new functions and features. Koch is working with leaders of other HIEs in New York to iron out the difficult issues involved in sharing data among the various exchanges.
Meanwhile, a privacy and security "tiger team" advising federal regulators on HIE-related issues is scrambling to come up with detailed guidance this summer that states and others can use as they launch networks.
Let's hope all necessary privacy and security rules and regulations are in place at both the state and federal level before HIEs begin facilitating the exchange of mass quantities of patient data. Otherwise, they could face serious risks of data breaches.
And if consumers have no faith that their data will remain secure when a physician sends it to a hospital via an HIE, they'll likely opt out of information exchanges. That could derail the whole movement toward HIEs.
And that would be a shame, because, as mentioned in an earlier blog, HIEs hold great promise for giving clinicians improved access to potentially life-saving information, such as records for patients who show up in an ER after an accident.