Uniform Privacy Code Vital for HIEs
Model for State Regs Would Ease Health Information Exchange
Gibson, who serves on a workgroup for a statewide HIE being developed in Oregon, says a federal "uniform privacy code," much like the uniform building code, would help build public trust in the regional as well as national exchange of electronic health records.
While enacting a federal mandate that all states adopt the same privacy measures is likely impractical, Gibson argues that providing states with a model privacy law that they could modify as needed would help emerging health information exchanges deal with such issues as sharing data across state lines. That's a particularly important issue for certain metropolitan areas, like Portland, Ore., that are located on state borders.
In an interview (transcript below), Gibson, who has served as an IT leader for two large healthcare organizations:
- Says patients want assurances that their caregivers have access to all the information they need during treatment, but they also want assurances that they'll be protected against inappropriate access to their EHRs.
- Argues that EHR users, as well as HIE developers, should provide audit logs that give patients easy access to a list of everyone who has viewed their records. "That would go a long way toward giving patients confidence that their records are being appropriately used," he says.
- Calls for investigating options for giving patients the ability to designate in advance who can see what parts of their records, while still enabling hospital staff to access records as needed in an emergency.
Federal regulators are now considering rules governing health information exchanges, including guidelines for how to obtain patient consent to exchange their records.
To be certified for the HITECH Act's EHR incentive program, EHR software must include audit log capability.
Gibson is a member of the Oregon State Health Information Technology Oversight Council Health Information Exchange Strategic Workgroup. In that role, he's participating in efforts to build an Oregon statewide health information exchange, which received federal funding and is now in phase one of development.
He also serves as president of the Oregon Health Network, which is using federal funds to build a high-bandwidth network backbone connecting all Oregon hospitals, rural health clinics, federally qualified health centers, and community colleges. The practicing physician, who also holds a Ph.D. in medical informatics, served for three years as senior vice president and chief information officer at Legacy Health. Previously, he served for 11 years as chief medical information officer at Providence Health System, also in Portland.
HOWARD ANDERSON: I understand you are involved in the efforts to create a statewide health information exchange in Oregon. Can you describe your role and the status of the HIE development effort?
RICHARD GIBSON: Oregon is participating in a pilot project authorized by the HHS Office of the National Coordinator for Health IT. The initial funds were disbursed this year, and we are putting together plans for a health information exchange. The bigger states may have more than one exchange. In Oregon there is just one group that is using the funds from the Office of the National Coordinator to build a plan.
I'm on one of the work groups putting the plan together at various phases. Round one of the plan was due to the Office of National Coordinator this past August and our plan was approved. Now we're into phase one of building the health information exchange, which goes through to September 2012. Then phase two is to 2013 and 2014 we put the whole thing together. So you get money for planning and then you get money for putting it together, and it is rolled out in phases.
Oregon has been working for a couple of years getting ready for health information exchange. Part of that is making sure that clinicians have electronic health records, but the main point that we are talking about today is health information exchange and Oregon is putting that plan together. ... There are five groups contributing to the building of the plan for health information exchange in Oregon.
Model Privacy Law
ANDERSON: You recently testified before a House subcommittee calling for the federal government to draft model rules and laws on healthcare privacy and patient consent that each state could then take through its own legislative process. So why do we need to move toward standardizing state laws? Does that help pave the way for HIEs like the one you are describing?
GIBSON: I think it will. I realize that trying to standardize state laws is controversial and states want to retain the right to determine what is safe and effective in their state. I understand that. The reason that I called for model legislation would be that it would help vendors know how to prepare their products for adoption all across the country without having to worry that they'll have to make 50 different versions of an electronic health record and its exchange in order to get it adopted in 50 states. So the idea is sort of like the uniform building code; each state can modify it. ... States can adapt it where they need to, but large chunks of the national model are adopted in each state. So that when you come out with building hardware or stress limits or that sort of thing, architects can work across the country using those standards. In the same way, people doing electronic health record exchange can do that across state lines without worrying that the product will or will not comply with the specifics in each state. ...
It might be useful to have just one national law, but I don't think that is likely to go through. The idea of model legislation is that we get experts together to proffer a model and offer that to the states that could accept it in whole or could adjust it as necessary to meet their own needs. But the bulk of it would be the same so the electronic record vendors and providers of health information exchanges could be dealing with the universal set of requirements from state government.
Here in Portland, we have a particular issue in that we have the southwestern Washington city in Vancouver across the Columbia River and there is a lot of exchange of patients and healthcare back and forth across state lines. So if you wanted to do a health information exchange just throughout the Portland metropolitan area, you would have to take into account two different state laws in order to make sure you are in compliance with both states. ... And the same thing would be true on the eastern side of Oregon where we interact with people that live in western Idaho. It's even greater in other metropolitan areas that might serve four or five states. So by having model laws, the electronic health record vendors can build their product and the health information exchange vendors can offer services that they know will be acceptable across the country.
Addressing Privacy Risks
ANDERSON: As a former hospital CIO and chief medical information officer, what would you say your biggest concerns are about potential privacy and security risks in HIEs? What steps should HIEs take to address those risks?
GIBSON: I think that our patients and our providers want records to be secure, meaning that they are available when needed and that people who are using the records are confident that the professional record has not been altered, and that they can use it to make care decisions for that patient. That means following the standard security that information technology in general uses so that the servers are secure, that the data is not corrupted, and you can count on it being there when you need it. The more challenging area is the privacy area, and that is worthy of some discussion. ...
What I've heard across the country and in Oregon is patients want their providers to have all the information that is important when they are taking care of them. All patients want to make sure that their providers have everything they need to know in front of them when they are trying to take care of them. I don't think there is much question about that. I think there is question about how we get there.
Patients don't want their data used in ways that could adversely affect them and that could be making it harder for them to be able to get health insurance, make it get harder for them to get a job, or even lose a job, heaven forbid. They want to make sure that only people who are taking care of them look at the records. They don't want people surfing through the data. They don't want other family members looking at their data without permission. They don't want their next-door neighbors who might work in the health system looking at their data. ... So our challenge with privacy is how we strike the balance between the appropriate use of healthcare information to take care of a person and making sure that the people that don't need to know that information don't have access to it.
I don't know all the parts that will go into managing the challenge between providing access to information when clinicians need it and maintaining the privacy that patients expect. I don't know exactly all the technical pieces that will go into that. There are groups all across the country, including in Oregon, trying to figure that out.
Two Privacy Steps
What I would propose for going forward is at least a two-step conceptual platform. Number one, what I would ask every health record vendor and health information exchange in the country is to make sure that there is an audit log that can be exposed to the patient at any time so that he or she can see who has seen their record in the last period of time. That will go a long way toward giving patients comfort and confidence that their record is being used appropriately. I don't think that is very difficult to do technically, certainly with the technologies we have now. We might ... need a policy expecting health records vendors and health information exchanges to keep those audit records so that a patient could go in at any particular time and say "Yeah that orthopedist looked at my record, the cardiologist did, and yes I appeared in this emergency department out of state," and be confident that was all appropriate. It's similar to the same way that all of us are encouraged to go on to our credit reports each year ... and you can also see who asked for information about you, and if you have any concerns then you can pursue that. I think that is a reasonable model for health information.
Part two that would be challenging ... is that patients have specific control of who gets to see their record, and not only which providers use the record, but what parts of the record they get to see. I think this is going to be way more challenging ... I was a former emergency doctor, and you can't tell who is going to see your patient next, certainly if you are in the hospital. If you are in the hospital, you are not certain which consultant will next see a patient. Clinicians need to have access to a patient's record on an urgent basis, and sometimes it's not clear in advance who that is going to be. So I would be reluctant to have really strong tools that didn't allow the people taking care of you to get access to your record right now. Again, we need to balance that with making sure that only people who are appropriately taking care of you have access to your record.
We want to make sure that when providers have access to the record that they have access to the whole record, and that significant parts have not been redacted. It would be very dangerous to have access to only part of the record and not the whole record, especially in the case of prescribing. You need to know all the other medications that a person is on and all their allergies. I would argue you even need to know all their lab work and all their diagnostic imaging studies so that you don't repeat them, because all of those hold some degree of risk to the patient.
If you are only reporting some of the data to the clinician, it's hard to say, "Doctor, you're responsible for all of my care even though I'm only showing you part of my information." But that doesn't mean that every provider of medical care needs to have access to the full text report of an office visit for psychotherapy or every transcript of every interaction for substance abuse or that sort of thing. I think there are reasonable limits to put on that. But we need to make sure that providers have in front of them all the medications, all the allergies, all the pertinent lab reports, and all the diagnostic reports, and major transcribed text documents so that they know what is going on before they treat you for some current medical problem.
ANDERSON: Has the Oregon health information exchange determined how it's going to gain patients' consent to exchange their records?
GIBSON: We're still working on that. That is part of phase one, and those plans are due by December 2012. ... This will be very challenging, but I think it is what our patients expect, and they like to see a model that balances access to the record with appropriate constraints on who sees their record.
Linking Health Information Exchanges
ANDERSON: Finally, the HITECH Act envisions a day when HIEs will be linked nationally to provide access to patient information wherever it is needed. Do you believe we can achieve that goal? And what is the key to gaining public trust?
GIBSON: Yes I do believe we can achieve that goal, and the key to gaining that public trust is some of the things we've talked about before. Number one is having a model policy that is adopted by most of the states. That means that the information that is out there about how patients give consent to people looking at their records will be relatively uniform state to state. That breeds familiarity and makes patients more comfortable that they understand the system. ... And then what we'll be doing in Oregon will be entirely consistent with national standards that are being built right now as we speak. So that if there is model legislation that is adopted and if the health records vendors build their products to comply, then you're going to see consistency across the states. ...
We do have to manage this challenge of balancing access to the complete record against limiting inappropriate access to the record ... using full disclosure, transparent systems and technology that works the same across all 50 states. ... For example, if I come to Oregon Health and Science University here in Portland and I'm seen in the emergency department ... I might authorize them to go get my records from the other organizations where I've been treated. If it turns out that I was also in Washington, D.C., this summer and I was seen at an emergency department there, they could go get it from there as well. So by having model laws across the multiple states and the District of Columbia, vendors could provide the software that asks for my permission to exchange records with others, records that I gave the permission, and then it is able to exchange that permission. ... That will promote confidence that health records are being used appropriately, especially if that audit is in there right away. I think that will lessen much of the anxiety. I'm not saying that we shouldn't have other laws in place, but simply putting that technology in place that creates the ability to see who has looked at my record ... would promote a lot of confidence that my record is being used appropriately.