HIEs: Protecting Civil Liberties
ACLU Chapter Spells Out Privacy Recommendations
Although the dozen health information exchanges in New York require that patient consent be obtained before physicians access their records via HIEs, that step is an inadequate privacy protection, argues Corinne Carey, the author of the report.
"The major problem is that information from a patient's medical records is currently, in New York state, being uploaded into a system capable of sharing [records] among providers without patient knowledge and without patient consent," she contends in an interview with HealthcareInfoSecurity. "These systems, no matter how hard we try to make them foolproof, are vulnerable to hackers and to malfeasance," she adds. As a result, the New York chapter of the American Civil Liberties Union argues that HIEs in the state - and those in other states as well - should enable patients to "determine what the risks are for themselves before their private medical information is put into a system that enables it to be accessed."
Other Privacy Protections
In the interview, Carey explains some of the report's other recommendations:
- Patients should be able to grant consent for the exchange of specific portions of their records, and not just the entire record. "The technology that exists that enables this kind of rapid information sharing at the click of a mouse doesn't erase all of the traditional privacy controls that patients have under current law," she stresses.
- Patients should be notified when their healthcare provider becomes a data supplier to an HIE.
- HIEs should be required to automatically send a patient's correction to an electronic health record to any provider who has previously accessed the patient's record.
- Regulators should punish providers who misuse medical information, such as to deny pain medication to a patient who was successfully treated for substance abuse decades earlier. "We do a good job of punishing breaches ... but not so much for punishing misuse," she says.
- HIEs should be prohibited from selling patient information, even if it is de-identified.
- States should regulate personal health records vendors, which are not covered under federal HIPAA rules. Some PHR vendors work with HIEs to provide patients with access to certain records.
Carey is hopeful that regulators in New York and other states, as well as those at the federal level, will adopt many of the report's recommendations. She acknowledges that federal regulators are considering some privacy provisions as part of various regulations, including the pending Nationwide Health Information Network Governance Rule.
An attorney, Carey is assistant legislative director at the New York Civil Liberties Union, a chapter of the ACLU. She specializes in public health and criminal justice issues. Before joining the New York organization, she was a researcher at Human Rights Watch, where she focused on domestic human rights issues.