Regarding the Privacy Implications of the Proposed National Health Information Network (NHIN)
Comments Submitted by PrivacyActivism and the Privacy Rights Clearinghouse to the U.S. Dept. of Health and Human Services
January 18, 2005
To: Office of the National Coordinator for Health Information Technology
Department of Health and Human Services
Hubert H. Humphrey Building, Room 517D
200 Independence Ave., SW
Washington, DC 20201
Filed electronically: NHINRFI@hhs.gov
RE: Comments on National Health Information Network – Request for Information
From: PrivacyActivism and Privacy Rights Clearinghouse
PrivacyActivism and Privacy Rights Clearinghouse (descriptions of our nonprofit consumer advocacy organizations are provided at the end of these comments) welcome the opportunity to comment on the proposed establishment of a National Health Information Network (NHIN) and the development of electronic health records (EHRs) that will comprise that system. Our comments are in response to the Request for Information (RFI) published by the Department of Health and Human Services (the Department or HHS) in the Federal Register on November 15, 2004. The NHIN is expected to become operative over the next 10 years, implementing the executive order to create such a system that was signed by President Bush on April 27, 2004.
The proposed National Health Information Network embodies a presidential mandate to bring information technology to healthcare by making complete patient records available to providers, regardless of location. In theory, this is a good idea; for example, it could take the guesswork out of an emergency room scenario with an unconscious or incoherent patient (assuming the person’s identity can be established and that he has a record in the system).
In practice, a uniform healthcare information network raises many questions, not least of which is whether it is technologically feasible. We feel most emphatically that all stakeholders must have a role in debating the entire system and its implications for healthcare and privacy of medical records. In particular, it would be a mistake to allow decisions about the NHIN and EHRs to be driven primarily by the vendors who stand to profit from providing the software and hardware components.
In responding to the questions asked in the RFI, we will discuss matters of privacy and security, and also whether standardization of healthcare information may ultimately be detrimental to patient treatment.
II. The Primary Impetus for Considering a NHIN
Question 1 of the RFI asks for “[a] working definition of a NHIN, particularly as it pertains to the information contained in or used by electronic health records. Please include key barriers to this interoperability that exist or are envisioned, and key enablers that exist or are envisioned.”
A. Privacy and security must be of utmost concern in developing a NHIN.
In order to be effective, a national network of health records would have to include all available data on individuals in the system: examinations by any healthcare provider—including mental health providers, surgeries and other procedures, inoculations, laboratory tests, and prescription records. This is a staggering amount of data, and all of it would be considered extremely private by most people. In our view, the key barrier to interoperability of the national network contemplated is whether the privacy and security of so much intimate information can be maintained.
Given the grave and disturbing consequences that abuse of medical information poses, the necessity of building privacy and security into any system of patient records must be acknowledged at the outset. As Larry Lessig 1 observes, architecture is policy, and the policy of the NHIN should be, first and foremost, to protect the privacy of medical information in the system.
In order to achieve high standards of privacy and security:
- EHRs should be designed to build in granularity of data, so that various providers accessing a record will see only the information they need to know.
- Granularity of data should be reinforced by levels of access to the system; a billing clerk would need only a procedure code, whereas a surgeon might need a complete medical history. Ideally, the system would not be used for administrative purposes at all, so a billing clerk would not have access to it anyway.
- Continuous real-time auditing of access should be built in, and patients should receive a full accounting of the disclosures made from their records.
- It may be best to maintain records in a decentralized manner, allowing full amalgamation of data across the system only for someone with the proper authorization.
- Patient and/or EHR identification numbers present a complex issue that should be thoroughly discussed prior to any implementation.
- There should be liability for exposure of patient records, regardless of how it occurs.
Security of EHRs is essential, and in our experience monitoring the issue of data security, it is difficult if not impossible to achieve. Data security can be breached internally by employees who abuse the system,2 by external hackers,3 and by inadvertence or just plain ignorance on the part of record keepers.4 While encryption is still a cumbersome process, we feel it is the only way to protect patient information from the security failures and breaches that will inevitably occur. Encryption of records in storage and in transit protects against outsiders and against lost or stolen equipment; it does not by itself stop an insider who holds valid credentials, which is why the access controls and auditing listed above are needed as well.
In addition, the problems that outsourcing of medical record transcription pose to data security cannot be ignored. Healthcare providers, particularly large institutions, have embarked on a policy of outsourcing records for transcription, in order to cut their costs. The now notorious case of a Pakistani transcriber was first revealed by David Lazarus in the San Francisco Chronicle.5 The transcriber attempted to extort money she claimed was owed to her from the University of California at San Francisco Medical Center by threatening to publish patient records on the Internet. Clearly, outsourcing transcription can be highly problematic for security, and given the competing interests involved, there is no clear answer for how the work can be done well and also economically. Cost-effectiveness, however, should not take unchallenged precedence over a patient’s right to privacy that is implicit in maintaining maximum security over medical records.
B. Accuracy of medical record data.
If EHRs contain inaccurate information, the NHIN will defeat its own goal of providing more efficient and effective healthcare. Drastic inaccuracies could be introduced by the simple error of transposing or mistyping a single digit in a patient’s identification number, causing an individual to be attached to the wrong records, or perhaps to no records, if none exist for the erroneous ID number.
Inaccuracies are also likely to occur in transcription, given the well-known illegibility of doctors’ handwriting. We believe that this will lead to the development of standardized forms with system-wide applicability that will strive to eliminate as much hand-written information as possible from patient records. While this may minimize transcription errors, it could also eliminate much of the nuance that is essential in medical diagnosis. For example, what would be the outcome if standard forms included checklists of symptoms presented in an examination? Would it be possible to describe the condition diagnosed adequately? Perhaps if the condition is a fractured femur, standardized descriptions would suffice. If, however, it is a miscellany of symptoms, both physical and apparently psychological, could a standardized form tell the whole story, and what would a different healthcare provider reading the record make of it?
C. How should patient/EHR records be identified?
There is no easy answer to the question of identification of records. Because of already well-known problems with identity theft, we strongly urge against the use of Social Security numbers to identify patient records.6 Furthermore, it is likely that Social Security numbers could not be used on EHRs in California because existing state law limits their public display.7
While we do not have a solution to this matter, we believe that it is a fundamental issue that requires discussion and input from all stakeholders.
III. What Type of Framework Is Needed?
Question 4 of the RFI asks, “What type of framework could be needed to develop, set policies and standards for, operate, and adopt a NHIN?” We believe that the RFI itself is a good start in answering this question. As the Federal Register notice states, “There are many perspectives that can be brought to bear on this important topic. Health information technology organizations, healthcare providers, industry associations and other stakeholders all have important insights that will inform future deliberation.” Indeed, it is vital that the interests of all stakeholders, especially patients whose records will comprise the system—which is ALL of us—be represented in the process of developing and implementing a NHIN.
We also believe that it is crucial to establish effective oversight as part of the framework. This would include the continuous auditing of access mentioned above. An oversight body should be created that is comprised of all stakeholders, including representatives of government, the health care industry, vendors and technologists, and consumer, privacy and patient advocates. The oversight body would monitor the effectiveness of the system in accomplishing its goal of benefiting healthcare. It would also review compliance issues and stay current with problems that arise. The system should also have its own continuing education program, to train everyone who accesses it in its use and in the importance of compliance with privacy and security policies. All policies concerning the system should be compiled in a handbook (which could be online) that the oversight group regularly reviews and updates.
The oversight body should also include a component to investigate patient complaints, starting at an administrative level with something like the HHS Office for Civil Rights (OCR), which handles HIPAA complaints. Unlike HIPAA, however, we believe the NHIN should give patients a private right of action for any damages that result from mishandling of their medical records.
IV. What Concerns Does HIPAA Compliance Raise?
Question 7 of the RFI asks what “privacy and security considerations, including compliance with relevant rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are implicated by the NHIN, and how could they be addressed?”
We believe in the first place that EHRs should have a higher standard with regard to Fair Information Practices8 than HIPAA does. Although HIPAA recognizes that there is a right of patients to medical privacy, it operates by coerced consent to several different types of mandatory access, some of them, such as “healthcare operations,” capable of very broad interpretation. Given the extremely sensitive nature of medical records, we believe it is essential to tip the balance in favor of patient privacy and to build Fair Information Practices into the system.
We have the following specific concerns about HIPAA and EHRs:
A. Access to the system.
The NHIN RFI calls EHRs a means to facilitate healthcare “delivery.” In coordinating EHRs with HIPAA, the meaning of “delivery” needs to be clearly—and we believe narrowly—defined. HIPAA permits broad access to medical records without meaningful patient consent (i.e., patients are asked to sign a form that says they have received the HIPAA privacy notice). It allows access for “treatment, payment, and healthcare operations.” “Healthcare operations,” in particular, is a very vague term that might include compliance audits by a licensing agency or architectural studies for planning new facility construction. Patients are asked to sign a consent form for these uses, but their consent is assumed whether they sign the form or not. Patients also have no opportunity to object to disclosures to public health authorities, employers, the Food and Drug Administration (FDA), or certain business associates.
We believe emphatically that HIPAA’s provision regarding access to patient records is overbroad. The EHR framework should be specific about who has access, which we feel would best be limited to health care practitioners directly involved in patient care and to patients themselves. It is better to err on the side of restricting access initially and adding others who demonstrate a need to use the system later. That said, we also feel that the usefulness of the system will be enhanced if data can be anonymized for purposes of research and statistical analysis.
A subset of access is levels of access to information in a NHIN. As we noted in our discussion of privacy and security in Section II.A above, information should be granular, and access by healthcare providers should be based on the need to know some or all parts of a patient’s medical history—or, for that matter, to know nothing but the treatment codes, for billing purposes, for example, if the NHIN is to be used for billing. The Department should also consider how many years of retention of medical records is warranted for delivery of health care in certain instances.
B. Patients’ rights: access and consent.
HIPAA gives patients nationwide a very important right -- the right of access to their own medical records. It is imperative that the NHIN provide easy and flexible access by patients to their EHRs. Patients should also be able to correct their records and to have an accounting of disclosures made of their records.
HIPAA proclaims patient privacy rights in theory, while seeming to ignore them in practice. This is particularly true when it comes to consent. We believe that patients should have the right to consent to the use of their records—and even the right to consent to whether or not their records will be a part of the NHIN. Apart from disclosures mandated by law enforcement, including the Patriot Act,9 patients should be allowed to say whether or not they want their records available to all entities or individuals designated as authorized by the NHIN. Patients should be able to say, for example, that they do not want their mental health or gynecological records available to their dentist or ophthalmologist.
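The layered model described in Section II.A (granular data, role-based need-to-know, continuous auditing) and the patient consent restriction just described (withholding mental health or gynecological records from a dentist or ophthalmologist) can be expressed in a single access decision. The following is an added example, not part of the original comments: role names, section names, the purpose rules, and the sample record are all assumptions made for illustration.

```python
# Added example (not part of the original comments): field-level access to an
# EHR combining (1) granular sections, (2) role-based need-to-know, (3) the
# patient's own consent restrictions and (4) an audit entry for every attempt.
# Role names, section names, purpose rules and the sample record are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which sections each role needs to know (assumed policy).
ROLE_SECTIONS = {
    "surgeon": {"demographics", "allergies", "medications", "labs", "mental_health", "gynecology"},
    "dentist": {"demographics", "allergies", "medications", "mental_health"},
    "ophthalmologist": {"demographics", "allergies", "medications"},
    "billing_clerk": {"procedure_codes"},
}
# Which purposes each role may assert; clinical roles get treatment only.
ROLE_PURPOSES = {
    "surgeon": {"treatment"},
    "dentist": {"treatment"},
    "ophthalmologist": {"treatment"},
    "billing_clerk": {"payment"},
}


@dataclass
class Requester:
    user_id: str
    role: str
    treating: bool  # documented treatment relationship with this patient


@dataclass
class PatientRecord:
    patient_id: str
    sections: dict                                  # section name -> content
    opted_in: bool = True                           # patient agreed to be in the network
    withheld: dict = field(default_factory=dict)    # section -> roles the patient excluded


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def add(self, **entry) -> None:
        entry["time"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(entry)


def access_record(record: PatientRecord, who: Requester, purpose: str, audit: AuditLog) -> dict:
    """Return only the sections this requester may see; log every attempt, granted or not."""
    reasons = []
    if not record.opted_in:
        reasons.append("patient not enrolled")
    if purpose not in ROLE_PURPOSES.get(who.role, set()):
        reasons.append("purpose not permitted for role")
    if purpose == "treatment" and not who.treating:
        reasons.append("no treatment relationship")
    if reasons:
        audit.add(patient=record.patient_id, user=who.user_id, role=who.role,
                  purpose=purpose, decision="denied", reasons=reasons)
        return {}

    visible, withheld = {}, []
    for name in sorted(ROLE_SECTIONS.get(who.role, set()) & set(record.sections)):
        if who.role in record.withheld.get(name, set()):
            withheld.append(name)          # patient consent overrides role policy
        else:
            visible[name] = record.sections[name]
    audit.add(patient=record.patient_id, user=who.user_id, role=who.role, purpose=purpose,
              decision="granted", sections=sorted(visible), withheld=withheld)
    return visible


def sample_record() -> PatientRecord:
    """A constructed record: the patient withholds two sections from dentists and ophthalmologists."""
    return PatientRecord(
        patient_id="P-0001",
        sections={
            "demographics": {"name": "J. Doe", "dob": "1970-01-01"},
            "allergies": ["penicillin"],
            "medications": ["sertraline 50 mg"],
            "labs": {"hba1c": 5.4},
            "procedure_codes": ["99213"],
            "mental_health": "counselling notes",
            "gynecology": "annual exam notes",
        },
        withheld={
            "mental_health": {"dentist", "ophthalmologist"},
            "gynecology": {"dentist", "ophthalmologist"},
        },
    )


if __name__ == "__main__":
    audit, rec = AuditLog(), sample_record()
    print(sorted(access_record(rec, Requester("u1", "dentist", True), "treatment", audit)))
    print(access_record(rec, Requester("u2", "billing_clerk", False), "treatment", audit))
    for entry in audit.entries:
        print(entry)
```

Two design points matter here: denials are logged with their reasons, so the audit trail supports the accounting of disclosures the comments ask for; and the patient's restriction is applied after the role policy, so a section the role would otherwise see is recorded as "withheld" rather than silently absent.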
C. Function creep.
A fundamental principle of the Fair Information Practices is that information collected for one purpose should not be used for other purposes. The intention of NHIN is to make individual medical histories available for the purpose of better and more effective patient treatment. EHRs created to benefit the individuals whose medical data they contain must not be used for other purposes, or at least not so far as any personally identifiable information in them is concerned.
HIPAA itself includes and condones a number of secondary uses. For example, patient information may be used for fundraising for a care facility without patient consent as a legitimate “operation” of the facility. This type of secondary use carries enormous potential for abuse of patient information. In the worst-case scenario, information from the EHR could be sold to direct marketers.
NHIN should distinguish itself clearly from HIPAA in this regard. We feel strongly that HIPAA’s routine exceptions for payment and healthcare operations—though certainly not for treatment—are too broad to ensure sufficient patient privacy. Ideally, the NHIN’s EHRs should be for treatment only, not for billing or other uses unrelated to treatment (except in anonymized form, as we have mentioned previously). It is crucial therefore that the Department accordingly define and restrict the appropriate uses of EHRs.
D. Who owns the data?
The problem of ownership of data, and therefore of rights in it, was complicated by a pre-Internet Supreme Court decision called U.S. v. Miller, 425 U.S. 435 (1976). The Miller court held that there is no right of privacy under the Fourth Amendment in information voluntarily turned over to a third party—in this case a bootlegger’s bank records. Because of the implications of this decision, Congress has been obliged to pass piecemeal legislation to correct it, for example, financial privacy laws such as the Right to Financial Privacy Act of 1978 to protect bank records.
It is important to establish at the outset who owns the information contained in EHRs. Patients may have voluntarily turned over their bodies or bodily fluids for examination, but they have done so in the expectation that the information yielded would be used for the intended purpose—their own treatment—and that their privacy would be maintained. HIPAA treats the practitioner or the health plan, not the patient, as the keeper of the medical record (it does not address ownership as such, which is left to state law), which strips the patient of any apparent interest in his own most intimate data. At the very least, the subject of a medical record should have an ownership interest, even if it is shared with others.
There is an additional question that NHIN raises of doctor-patient confidentiality. One of the principal justifications for all confidentiality rules is that if certain types of information were not legally protected against disclosure, people would be reticent about revealing them. While some people are willing to discuss openly the most intimate details of their medical history, not everyone is. Those who value privacy or have reservations about the consequences of the disclosure of information not directly related to their treatment by a specific practitioner may not be willing to offer information that is not protected by a high degree of confidentiality. This self-protective reticence could ultimately affect their care.10
V. Establishing a NHIN That All Healthcare Providers Will Be Able to Use From Any Location
Question 11 of the RFI deals with how to create a NHIN that is available nationally, regardless of the provider’s size and the patient’s location. In order to ensure the maximum possible coverage for NHIN, HHS must first make some fundamental decisions about how the system will operate. We believe an initial, small pilot program based on voluntary participation by healthcare providers with consent of patients is an appropriate starting point. Even this should only be undertaken after a strict set of privacy and security standards have been developed.
Questions of this nature, we believe, are premature. HHS must first establish an oversight board to address all the issues a NHIN poses, comprised, as we recommended above, of representatives of all stakeholders, including consumers and patients. Only after strict guidelines are in place can the Department proceed with even a pilot project. The implementation of EHRs is set to take place over the next 10 years. To ensure the program is not only operational but accepted by the public and users, the Department must embark on a slow, systematic approach. In addition to encouraging buy-in from primary stakeholders, testing and gradual implementation will enable an oversight board to experiment with software and hardware that vendors will undoubtedly promote heavily, in order to determine what actually works best. This should be helpful in preventing adoption of less than ideal IT systems.
VI. The Role of the Federal Government in NHIN
Question 18 of the RFI is an important one: “What roles and relationships should the federal government take in relation to how interoperability standards and policies are developed, and what roles and relationships [should] it refrain from taking.”
The extent of government access and oversight of EHRs must be clearly defined at the outset. We believe that the government’s principal role in the system should be to protect the public and that its access should be limited. The Privacy Act of 1974 already permits disclosure of records held by federal agencies for law enforcement purposes. In addition, the government should have access to anonymized data for purposes of research and compiling statistics. Since § 215 of the Patriot Act already creates a huge exception for government access to all types of public and private records, we see no reason for deferring to government requests for additional access, such as, for example, a so-called “back door” into the system that agencies like the FBI always lobby to include in telecommunications legislation and rule-making.
The privacy and security of this system are essential to building public trust. With that goal in mind, the public should receive a clear definition of the federal government’s right to access and maintain records in the EHR. The Department of Health and Human Services should also assess the relationship of EHR information to federal privacy and security laws such as the federal Privacy Act and Freedom of Information Act.
In addition, the government has an affirmative enforcement role to play in the operation of the NHIN. It should receive and respond to public complaints about the system. In order to fulfill its role of protecting the public, whatever bureau is created for enforcement purposes should have adequate funding and staff to be effective, rather than being understaffed and underfunded.
We believe that all stakeholders must be brought into the NHIN planning process, including consumer and patient advocates who can represent the individuals who will be the subjects of EHRs. It is important that the system be designed from the ground up with privacy and security in mind, and that such issues as who has access to records and at what level be decided in advance. If, after the system has been operating for a while, it is determined that additional healthcare practitioners should also have access, the list of approved users can be enlarged.
It is also essential that information be collected and used only to benefit the healthcare of individuals. The subject of an EHR should be able to give or withhold consent for certain uses. Anonymized data may be used for research and analysis, but not for other more remote purposes now permissible under HIPAA through the healthcare operations exception to the privacy rule.
In general, we believe that privacy and strong security should not be outweighed by the interests of healthcare practitioners and others in broad access to EHRs. Trust is vital to the effective operation of NHIN, not least of all because people who do not trust the system may withhold important information from it. The way to develop trust is to reassure the public and to demonstrate in practice that their medical information is used only for the purposes for which it was collected and is not compromised by internal and external security breaches.
4026 18th St.
San Francisco, CA 94107
PrivacyActivism is a nonprofit consumer education and advocacy group, established in San Francisco in 2002. We are particularly concerned with issues related to databases and data mining, including privacy, security, accuracy of information, and use of data for purposes other than those for which it was collected.
Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. The PRC also represents consumers’ interests in legislative and regulatory proceedings on the state and federal levels.
2. “Red Cross Worker Charged in ID-Theft Plot,” Jennifer Kay, Washington Times, 12/3/04; Red Cross employee and two others accused of stealing the identities of 40 blood donors and using the information to obtain about $268,000 in cash and merchandise. “Cops Bust Massive ID Theft Ring,” Michelle Delio, Wired, 11/25/02; help-desk worker at a company providing hardware and software to credit reporting bureaus charged with selling client access codes to two other men, who used the codes to obtain more than 15,000 customer credit records.
3. “Hacker penetrates T-Mobile systems,” Kevin Poulsen, SecurityFocus, 1/11/05, http://www.securityfocus.com/news/10271; computer hacker accessed T-Mobile servers for at least a year, monitoring U.S. Secret Service e-mail, obtaining customers' passwords and Social Security numbers, and downloading candid photos taken by Sidekick users, including Hollywood celebrities. “Vital Files Exposed In GMU Hacking,” Jonathan Krim, Washington Post, 1/1/05, http://www.washingtonpost.com/wp-dyn/articles/A64150-2005Jan10.html; computer hacker apparently broke into a George Mason University database, compromising 32,000 student and employee Social Security numbers. “Taking Aim At Acxiom,” Rick Whiting and Thomas Claburn, Information Week, 10/25/04, http://www.informationweek.com/showArticle.jhtml?articleID=51000113; Scott Levine of Boca Raton, Fla., owner of a spam company called Snipermail, was indicted for hacking into Acxiom and allegedly stealing 8.2 gigabytes of data between April 2002 and August 2003.
4. “Government agency exposes day-care data: Daily whereabouts of hundreds of children posted on public Web site,” Bob Sullivan, MSNBC, 2/8/04, http://msnbc.msn.com/id/4186130/; government subcontractor posts names, birthdates and daily whereabouts of hundreds of upstate New York children to the Internet, where the information remained publicly available for weeks until MSNBC.com notified authorities. “UCD[avis] patient data disclosed in survey glitch,” Lisa Rappaport, Sacramento Bee, 12/10/04, http://www.sacbee.com/content/news/medical/story/11716497p-12604893c.html; private medical information of 200 patients at UC Davis Medical Center exposed when online patient survey responses were inadvertently linked to each other. “Data Security Breached at Wells Fargo,” E. Scott Reckard, Los Angeles Times, 11/3/04, http://articles.latimes.com/2004/nov/03/business/fi-wells3; computers with Wells Fargo client information stolen for the third time in 2004.
7. California Civil Code, Sec. 1798.85-1798. Under this 2002 law, which applies to business, government and other entities, SSNs may not be printed on ID cards or badges or on documents to be mailed unless required by law; may not be printed visibly on any kind of mailer; may not be embedded in a bar code, chip or magnetic stripe; and may not be sent over the internet or required in order to log into a web site. See the California Office of Privacy Protection web site: http://www.privacy.ca.gov/sheets/cis4english.htm.
8. For more information about the Fair Information Practices, read “A Review of the Fair Information Principles” by the Privacy Rights Clearinghouse (1997) at http://www.privacyrights.org/ar/fairinfo.htm.
9. We believe that § 215 of the Patriot Act, which gives the government access to many forms of individual records without a warrant and which prohibits informing the subject of the request, also applies to medical records.
10. In fact, there is evidence that a significant number of individuals already limit the information they give to their healthcare providers. A 1999 report by the Georgetown University Health Privacy Project stated: “To protect their privacy—and avoid embarrassment, stigma, and discrimination—some pay out-of-pocket for medical care for which they have insurance coverage. Others ‘doctor-hop’ to avoid entrusting their medical record to a single provider or health plan. Still others withhold information, lie, or avoid health care altogether.” Promoting Health, Protecting Privacy: A Primer (1999), p. 12, available at http://www.chcf.org/documents/ihealth/conprimer.pdf.