Source: Lorraine Fernandes, global healthcare ambassador, IBM
Date: Jul 12, 2011
Many of the Department of Health and Human Services, Office of the National Coordinator, Privacy and Security Tiger Team discussions over the past year have invoked the FTC's Fair Information Practices. Why? Because the Health Insurance Portability and Accountability Act (HIPAA) does not address one of today's most critical healthcare issues - data sharing. In the absence of updated regulations, the FIPs offer a comprehensive framework for moving forward.
The best way to move forward is to remove the emotion from the privacy and consent debate and instead look at this in a practical, constructive fashion. Perhaps Paul Tang, vice chair of the HIT Policy committee and member of numerous workgroups, said it best during one of the Tiger Team meetings last summer: "What would a patient expect?"
The Markle Foundation submitted a letter to the Department of Commerce on February 18, 2011, concisely articulating the importance of FIPs in today's society. As suggested in the letter, titled "The Need for a Coordinated Department of Commerce Policy on Consumer Protection and Privacy," we must look at data in a broader fashion and recognize that when we talk about data, we are really talking about consumer data, not healthcare data. This broader consumer framework paves the way for us to move away from our current prescriptive system, which focuses too much on regulations, toward a set of principles that allows us to respond to innovation and changing technology. There is a place for regulations, but let's have that dialogue after we have a solid foundation.
Let's ponder for a moment the FIPs and how we can use them to help achieve the goals of improving individual and population health.
Openness and Transparency - Consumers should be able to readily access data-usage policies, understand the collection and use of their data, and be able to limit the use of their data if they choose to do so. This can be achieved by public notices, website postings, social media and other more traditional approaches. Full transparency is crucial to building consumer trust.
Purpose Specification and Minimization - Data use should be specified at the time of collection and use should be limited only to those stated purposes. And if there is a proposed change in the use, the consumer should be notified. The classic "bait and switch" should never occur with consumer data.
Collection Limitation - This might also be coined "minimum data necessary." Don't collect more data than what is needed for the purpose at hand. This is particularly true when dealing with sensitive data like social security number, certain clinical conditions and past histories in a treatment setting. Perhaps the standard question when developing new data collection practices should be: "Do I really need this data to achieve my goals?"
Use Limitation - Data should be used only for the stated purpose. No dissemination or re-use should be undertaken unless consistent with the use limitation. For example, personally identifiable information should not be used for research unless the patient has been notified.
Individual Participation and Control - Consumers should understand how their data will be used. I think Dr. Tang's "What would the patient expect?" question really articulates a clear practice matching this FIP. Consumers should be notified on a timely basis if there is a data breach. The Phase 1 Meaningful Use requirement for patient access to their data also nicely matches this principle. Patients should be able to conduct a "consumer audit" to find out where their data has been used, whether that data is identifiable, de-identified or limited.
Data Integrity and Quality - Data collected (consistent with the other FIPs) should be accurate, complete and up to date. It should also include attribution (the originating source of the data). If problems are identified with the data quality, then the consumer should have remedies consistent with the FIPs.
Security Safeguards and Controls - Reasonable safeguards should be employed to protect against data theft, breach and unauthorized access. Clearly this is a problematic area, given the incidences of laptop thefts that frequently expose unencrypted data.
Accountability and Oversight - Those in control of consumer information must be accountable for following the FIPs. If breaches occur, those responsible must be disciplined consistent with policies and remedies.
Remedies - Remedies should be documented, transparent and must address what happens if there is a breach or privacy violation.
Following these basic practices and associated principles, and tying all discussions about data collection and exchange to the FIPs, would go a long way to building consumer trust and confidence. If we used these practices as a framework, the discussions could be more rationale, pragmatic, understandable and results oriented. And, we can't pick and choose; we must use the FIPS as a whole.
When the FIPS are "front and center," consumers are front and center, and that is the only path that leads to trust in electronic health records and data exchange.
Lorraine Fernandes, RHIA, is the global Healthcare ambassador for IBM.