Jun 04 2010

This year personal data privacy has gained momentum in the consumer mindset like never before, due in part to some notable blunders. The empowered consumer, and now increasingly the empowered patient, is coming to understand what it means to be private: it's not just about encrypting and safeguarding data, but also about the relationships the guardians of our data make with others.
That's a new precedent. Every major consumer-facing digital implementation will from now on be thoroughly analyzed for such relationships, and the privacy provisions and policies of the new ARRA HITECH Act will face even more scrutiny.

Why Health Privacy is Different This Time
Back in 2003, the HIPAA Privacy Rule (PDF), enacted by Congress, was designed to govern the disclosure of a patient's protected health information. At a time when that disclosure was controlled exclusively by a provider asking the patient's consent to order labs, tests, etc., it made sense. Trust was given to the provider to manage third-party vendors, and if the provider used an Electronic Medical Record (EMR), it usually kept track of which healthcare vendors needed the data.
Healthcare institutions have managed as best they can to control privacy through policies and procedures on how to send electronic data, everything from SSL encryption down to faxing documents. It has taken about seven years for the healthcare ecosystem to fully grasp the concept of securing data between two endpoints.
The HITECH Act changes all of that, in profound ways and on a scale that has never been seen before. Providers and healthcare facilities are no longer asked only to secure the transmission of that data, but also to account for all of the relevant associations of the data being sent. The act introduces an additional tier into the system, referred to as a 'Business Associate': a third-party entity that acts as an intermediary for that health data.
Think of these intermediaries as a router, like the hub you may have at home, tucked in some corner, quietly managing your own wired and wireless network.
Every time you plug a device into your network, the router applies permissions, preconfigured by you, to pass all data through from that device or to stop its traffic altogether.
It's a simple mechanism that works because, in your home, that privacy policy is federated by one central authority: your router.

The Weakest Link
Let's jump to the real world of policy, health data and the permutations of privacy. At play is the recent HITECH Act's additional HIPAA ruling, which requires all health care providers, payers and their Business Associates to account for the disclosure of protected patient data included in an electronic health record, even if the information is disclosed for health care treatment or billing purposes (Cadet, CMIO, 5/19).
This scenario becomes orders of magnitude more difficult to manage, a difficulty expressed by the Medical Group Management Association (MGMA) in a letter sent to the Office of Civil Rights (OCR), which is currently deciding on the matter.
At the May 19th public meeting of the Health Information Technology Policy Work Group of the Office of the National Coordinator for Health Information Technology (ONC), the agency mandated to construct this effort, I asked Chair David Blumenthal to clearly define these intermediaries:

"In regard to the business associate agreement, you discussed that earlier and it would be helpful if there was a lot more clarity because it seems that it might be an issue going from state to state. One state might have weaker regulations on what it does with what a business entity is as far as these intermediaries and that will be the weakest link in the health information exchange (HIE). Maybe at a future meeting something like that can be discussed in more specific terms?"

Blumenthal responded, "I will try to address it in the future."

During the meeting, Blumenthal stated that he must adhere to the Constitution: the federal government has the right to mandate national laws, but the states are ultimately going to have to manage this process, and the HITECH work requirements are about working with the state HIE grantees.
So, by act of Congress, the privacy standards aren't going to be a standard by definition, that is, a unified definition set by one authority. They will be made by 50 different authorities. It's up to each individual state to enact its own HIE privacy policies; hence, each state will determine the enrollment of its own Business Associates.

A State of Affairs

Figure A demonstrates what could occur if these associated intermediaries have unfettered routing access to patient data. In 2003, there were far fewer electronic transactions of that data, and relationships were closer (darker blue). In a scenario for 2012, data that spreads outwards needs policy mechanisms so as not to breach privacy. For example, the information could be packaged for those willing to buy it.

It's reasonable to accept that Business Associates are only one level removed from the provider-patient relationship. Holding them accountable and tracking them, it would seem, could be technically possible. But it doesn't end there. There are also subcontractors to these third-party tiered relationships, whose only enforcement is their contractual obligations to each other. That's what makes this different. The privacy of your health data will be determined through business relationships, not through the efficacy determined by you and your provider (circa 2003). Contracts between private entities, whether or not a state decides to involve itself in oversight of these contracts, will be the determining factor in where your data goes.

What's a State to Do?
I've mentioned that forward-thinking states like Oregon are already starting to think about their privacy policies. Several states are looking at an opt-in consumerist model. State-level HIE implementation is a huge topic; privacy, being a subset, is currently focused on a consumer opt-in consent mechanism. It's a broad topic that I may look at in a future write-up.
For now, we need to take into account that a patient alone will not be able to decide which Business Associate contracts, and their corollaries, to consent to. There needs to be a state-level business decision mechanism for that. Otherwise consent could turn into a 30-page, double-sided, single-spaced agreement for each patient to review on an ongoing basis: a Facebook-policy-like scenario all over again, fifty times over. States will be spending the next few months creating their own mechanisms. I'd like to think some of these mechanisms could include:

  1. Listening to Blumenthal
    We've moved away from looking at privacy as a much more efficient federated model to one that gets decided by the state you happen to reside in. That's a result of the tense political climate that views anything federal as an intrusion on individual rights. National politics aside, states need to keep an open-minded approach: the efforts of the federal ONC are ones of guidance and resources, not intrusion. Blumenthal's task is to coordinate multiple federal agencies [1] into a consolidated process model to help states implement their own HIEs. His charter only allows state guidance, by developing standard operating procedures and mechanisms to help states determine how to sort and administer these policies. For example, part of this is a Regional Extension Center (REC) contract awarded to Booz Allen for $9.1 million to plan, implement and maintain training programs. The resources available to the federal government far outweigh any that a single state could provide.
  2. Let Providers Be Providers
    At the recent ONC Privacy Workgroup meeting it was asked, "How do you expect that Doctor to hold that Business Associate accountable when they are servicing multiple covered entities with greater bargaining power?" Providers should be in the business of tracking patients, not businesses. If Business Associates are allowed to route our data, which can get complicated, it's only fair that a state or even a federal institution keep track of these privacy associations. States should implement and maintain an accreditation database of every Business Associate that needs to handle patient data. Every transaction could also be linked to that Business Associate's stored contract. This mechanism could be similar to the one Medicare providers already use with regional CMS centers for reimbursement, where a provider ID is issued after a thorough credentialing process. This frees up providers to work only with state-accredited Business Associate entities, under whatever rules the state-level HIEs decide on.
  3. Privacy is not Skunk Works
    At the same meeting, Paul Tang, Vice Chair of the ONC Privacy Committee, gave his sentiments on what he observed as the "standards committee out ahead of the privacy committee." States can learn from this lesson by creating their own privacy workgroup that runs in parallel with the creation of overall standards. Privacy needs to be integrated into every decision, not run as a separate skunk works.

In the coming months, both federal and state institutions will be working on the impact of Business Associate agreements, specifically with regard to privacy. There need to be mechanisms that set a process relationship between the citizens of healthcare, state HIEs and the ONC. I'm reminded of the old proverb about a man and the friends he keeps. We need to apply that to governance as:

You can tell an institution from the privacy its citizens entrust upon it to keep.


Written on Friday, June 04 2010 by Faisal Qureshi


Footnotes

1. These agencies appear for now to be overlapping. A recent InformationWeek article also highlighted part of the privacy policy problem as "privacy and standards work had diffused through government agencies, their attendant advisory bodies and the workgroups created by those bodies."