The Security Scrutinizer with Howard Anderson

Should You Fear HIEs?

Should You Fear HIEs?

And they have a point. Clearly, as more patient information traverses networks so that more clinicians and others can access it, the security risks increase. But so do the benefits.

In theory, HIEs make perfect sense. By making my records available to an emergency room team on the other side of the city, or the country, when I'm in a traffic accident, the networks improve my chances of getting appropriate care.

HIEs make perfect sense, in theory. In practice, getting the security and privacy details right is very tough indeed. 

Many consumer advocates acknowledge the benefits of HIEs. But they call for quick action to ensure that our ability to keep information private and secure keeps up with the growth of data sharing. One recent report found there already are 89 functioning HIEs.

Advocates want patients to be able to spell out exactly who they authorize to access their data before any information traverses an HIE. For example, I'd like any emergency medical team in the nation to be able to access my records. But you might want to limit access to those who work at the local hospital or clinic.

"We have to think very clearly about allowing people to opt in and opt out" when it comes to sharing their records over HIEs, argues Steve Findlay, senior health policy analyst for Consumers Union.

The HIT Standards Committee's privacy and security workgroup, which advises the Department of Health and Human Services on regulatory issues, is holding a series of sessions this spring to weigh the issues involved in managing patient consent for data access. Findlay, a member of both the workgroup and the full committee, says HHS will consider a recommendation later this year.

A recent research report outlined many options that HIEs now use to gain patient consent, but stopped short of endorsing any of them.

It seems to me that before more HIEs get in full swing, federal regulators need to set the ground rules for patient consent. Otherwise, public trust may go out the window.

Meanwhile, Pam Dixon, executive director of the World Privacy Forum, says another essential element in building public trust in HIEs, as well as EHRs, involves providing patients with an audit trail listing everyone who has actually accessed their records. "This is a new era, and we need new rules," she stresses.

But accounting for who has viewed a patient's EHR "is the single most difficult security requirement to figure out" in the HITECH Act, says Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society.

Gallagher notes that HITECH mandates that the HHS Office for Civil Rights come up with the records access disclosure requirements by June 30. But it sure looks like that deadline will be impossible to meet.

Creating requirements that balance the interest of individuals who want an accounting of access, the usefulness of the information, and the cost burden, as required under HITECH, is going to be tough, Gallagher says.

Yes, it's a tough task. But it's worth the effort.

If patients know they can specify, in advance, who can see their data, and then can get an accounting of who has actually seen it, it will go a long way toward softening fears about the security risks of HIEs.

Some skeptics of healthcare data sharing have raised the notion that as HIEs get linked up from coast to coast, thanks, in part, to using the National Health Information Network set of standards and the federal National Information Exchange Model, it could lead to government control over all healthcare information. This, in turn, could lead to sharing of data with law enforcement agencies, the CIA and the like, the skeptics say.

David Blumenthal, HHS' national coordinator for health information technology, recently tried to shoot down that theory. "The Office of the National Coordinator would not participate in a standards development process that led to that," he said, according to media reports.

Findlay, however, calls for "clear rules, guidelines and laws" that make it crystal clear that HIEs won't lead to the creation of databases that law enforcement can access. "People will tell their doctors things that they won't tell other people," he notes. And that information should stay out of the hands of those not involved in making treatment decisions.

HIEs make perfect sense, in theory. In practice, getting the security and privacy details right is very tough indeed.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.