Building Trust in HIEs: Key Steps
Thought Leaders Pinpoint Vital Privacy, Security Strategies
Some thought leaders say building public trust in health information exchanges as well as EHRs depends on many factors, including:
- Tough federal enforcement of privacy and security regulations;
- Adequate security precautions for HIEs;
- Consistent state laws on patient privacy;
- Well thought-out approaches to obtaining patient consent for information exchange;
- Accountability to patients about who has accessed their records.
"The public really needs to know that laws and regulations do exist and are taken seriously and are going to be enforced," says Alan Dowling, CEO of the American Health Information Management Association. "The privacy of information is sacrosanct, and government must support that."
Also essential, he says, is ensuring all regional and statewide HIEs implement adequate security measures. Plus, hospitals, clinics and other healthcare organizations must implement thorough privacy and security policies, train staff on compliance and enforce sanctions against staff members who violate the policies.
Without those steps, "We may, in fact, find we're in a situation where trust is not there and we have very significant adoption problems" for both HIEs and EHRs, Dowling says.
Uniform State Privacy Laws
But without uniform state privacy laws, the effort to build and eventually link statewide HIEs could fail, warns Richard Gibson, M.D., a former hospital CIO who's involved in the formation of a statewide HIE in Oregon.
Gibson recently testified before Congress, calling for the federal government to draft model patient privacy legislation that states can fine-tune to meet their needs. Because it's impractical to force every state to adopt identical laws, Gibson calls for model legislation "that states could accept or adjust as necessary to meet their own needs."
This is particularly important for HIEs, he notes, because healthcare organizations in many communities, including Portland, Ore., treat patients from bordering states. Exchanging patient records across state lines, he notes, could prove difficult if the states have widely varying privacy laws.
Uniform state laws would make it easier for EHR vendors and HIE organizers to build in the necessary technical capabilities to meet all state as well as federal requirements, Gibson argues. And they would help pave the way for the national exchange of data among various HIEs, he adds.
Control of EHR Access
Another critical step to winning consumer support for HIEs, Gibson argues, is enabling patients to control who gets to see their records, including specifying what parts of the record can be accessed.
He points out that in emergencies, clinicians need to have instant access to patient records, no matter where they reside. But he contends that allowing patients to otherwise designate who can see their records by accessing them via an HIE "will go a long way toward giving patients comfort and confidence that their record is being used properly."
Mark Savage, senior attorney for Consumers Union, points out that his organization is advising organizers of a statewide HIE in California to adopt the "fair information practices" as well as the "meaningful consent" model recommended by the Privacy and Security Tiger Team advising federal regulators about proposed guidelines. That model calls for, among other things:
- Giving patients enough time to make a decision about consent.
- Providing a clear explanation of the consent choices and all their consequences.
- Refraining from making the granting of consent for data exchange a condition of receiving necessary medical services.
- Enabling patients to revoke consent at any time.
A state advisory board that's recommending guidelines for the Cali-Connect HIE will meet Dec. 9 to consider the issue of obtaining patient consent. It voted earlier to require patients to opt in for exchange of their information via the HIE. But Savage says that an opt-out strategy, which automatically authorizes the exchange of a patient's information unless they opt out, might be appropriate if the HIE also follows all of the tiger team's recommendations.
In Oregon, HIE organizers are tackling privacy and security policy decisions in anticipation of completing all guidelines in 2012, Gibson says.
EHR Audit Logs
Another important way to build public trust in HIEs is to ensure that consumers can obtain a list of everyone who has viewed their EHR, Gibson contends.
All organizations using EHRs, as well as all HIE organizers, should offer easily accessible audit logs, he says. "That will go a long way toward giving patients the comfort and confidence that their records are being used appropriately. And it's not difficult to do technically."
To be certified as qualifying for the HITECH Act's EHR incentive program, EHR software must include this audit capability. Federal regulators also are drafting a rule on how to account for disclosure of EHRs to those outside of the organization that created the record. And they're in the early stages of crafting rules for HIEs.