Health Information Technology Advisory
Bulletin
The Balance Between Privacy and Technology
By Rebecca L. Williams, RN, JD and Paul T. Smith
Partners and co-chairs of the HIT/HIPAA practice
[June 2005]
Privacy concerns are among
the greatest threats to the development of electronic health information
networks. Federal and state privacy requirements are complex and
sometimes inconsistent and may not match consumer privacy expectations.
Threats to privacy (and security, which is inextricably tied to
privacy) are heightened when health information is maintained or
transmitted electronically. The press of a button could send information
to an unintended recipient, and a breach in security could broadcast
data to the world. Placing responsibility for managing privacy and
security in a third party, such as through a health information
exchange collaboration, introduces another level of concern. This
article will identify some privacy considerations arising through
the use and disclosure of health information in a collaboration
for public-interest-related purposes. In other articles, we will
address other privacy concerns, including the effect of the privacy
and security regulations issued under the Health Insurance Portability
and Accountability Act of 1996 (HIPAA) on the exchange of health
information.
Research
The Office of the National Coordinator for Health
Information Technology (ONCHIT) has issued a Framework for Strategic
Action in which it identified several public interest goals that
could be accomplished through the electronic exchange of health
information. The facilitation of research, and the dissemination
of research results, is one such goal. Despite the potential benefits
of using electronic health information to accelerate the pace of
clinical research toward needed cures, a number of concerns exist,
including significant restrictions on uses and disclosures of health
information for research purposes imposed by HIPAA privacy regulations,
state law, the Common Rule, and the Food and Drug Administration
regulations. In light of the myriad protections implemented by the
federal and many state legislatures, it seems unlikely that restrictions
will be significantly reduced for research functions within a health
information collaboration.
Under HIPAA privacy regulations, a covered entity
may use or disclose health information for research without individual
authorization if, among other exceptions, the authorization is “waived”
by an institutional review board or a privacy board. Even with a
waiver, however, disclosure is not mandatory and is left to the
discretion of the covered entity. If the covered entity desires
to disclose the information, it is responsible for obtaining assurances
that the waiver is proper and that the disclosure is within the
scope of the waiver. If this authority is to be delegated to a participant
of a collaboration (or the collaboration itself), then the collaboration
will need to have policies and procedures addressing such matters
as determining what research-related uses and disclosures will be
permitted, confirming that an institutional review board or privacy
board has properly approved the research, and verifying that a waiver
for authorization (or other exception for the use and disclosure
of information for research purposes) exists. It also will need
procedures for reporting to participating covered entities information
concerning the disclosure of their data for research, so that they
can monitor and control these disclosures and provide the required
accounting to consumers. The privacy regulations also recognize
other exceptions to the authorization requirement for uses and disclosures
of protected health information for research purposes, including
certain reviews preparatory to research, research on decedents’
information, limited data sets, and de-identification, as long as
certain requirements are met. Again, a health information exchange
collaboration wishing to participate in such research activities
would need to allocate responsibilities and establish appropriate
policies and procedures to ensure compliance with applicable requirements.
Public Health
As another recognized goal, ONCHIT is looking to collaborations
to provide information for public health surveillance. State laws
require reporting of certain illnesses and injuries, but many of
the kinds of incidents that interest public health authorities may
not be subject to mandatory reporting. In these situations, health
information exchange participants have a certain amount of discretion
with regard to the disclosure of health information to public health
authorities. Certainly, disclosures mandated by state or federal
law will not pose particular privacy concerns. Moreover, disclosures
of de-identified, aggregated information to public health authorities
are unlikely to run afoul of legal requirements or public scrutiny.
On the other end of the continuum, allowing public health authorities
unfettered access to individual records is unlikely to fully comply
with federal and state laws. Additionally, this type of government
surveillance will present significant concerns to many consumers.
Again, collaboration participants will have to develop policies
around a consensus on the proper balance between the well-recognized
utility of data sharing networks for promoting public health and
the privacy expectations of consumers.
Quality Monitoring
The third public interest-related goal of the Strategic
Framework is quality monitoring, which envisages that aggregate
data would be used to monitor health care quality in real time and
at the point of care. Consumers would have access to information
about the cost, quality, and service ratings of the care they were
receiving or seeking. The goal of disseminating this kind of information
is to enhance consumer choice and involvement in health care and
treatment decisions. Obviously, however, it has important implications
for health care providers and may affect their decisions whether
or not to participate in information sharing networks.
Access for Law Enforcement and Judicial Purposes
State and federal law allow access to health information
pursuant to subpoenas, search warrants, court orders, discovery,
and other processes, as long as certain requirements are met. There
are no special protections for information contained in a health
information collaboration, and a consolidated consumer health database
would contain a great deal of information that would be useful for
law enforcement agencies or litigants in judicial or administrative
actions. Collaboration participants should define the process by
which health information is used and disclosed for law enforcement
and judicial purposes. For example, if one collaboration participant
is served with a demand for compulsory disclosure, such as a grand
jury subpoena, how much disclosure of, or access to, health information
maintained on behalf of the collaboration, if any, should that participant
give to law enforcement? It seems reasonable that a health
information exchange would want to implement, at a minimum, a notice
process so that its participants can appropriately analyze and address
the potential disclosure. A collaboration also presents the risk
that certain authorities may attempt to avoid legal jurisdictional
issues by targeting a participant in one state in an effort to obtain
information from participants located in other states. Moreover,
collaboration participants will need to assess liability and, to
the extent practicable, allocate such liability if a participant
properly (or more leniently than other participants may prefer)
provides information pursuant to such compulsory disclosure.
Striking a Balance
A health information collaboration is unlikely to
be successful in the absence of consumer confidence that the privacy,
security, and confidentiality of health information will be safeguarded.
It is evident from the failure of unique patient identifiers under
HIPAA that the American public desires some level of privacy from
intrusion by its federal and state governments. Despite the many
potential benefits offered by a health information collaboration,
there is the potential for abuse.
Even when applicable law permits a use or disclosure
for specific purposes without patient authorization or other permissions,
significant questions arise about the potential for unauthorized
“downstream” use, disclosure, or re-disclosure of such
information for non-permitted purposes or even for lawful purposes
that have the effect of circumventing the protections established
by law.
Many privacy groups feared that a national database
was a goal of HIPAA and, now, such groups may more justifiably
be concerned about such a database as the result of the national
health information initiative. Seemingly in response to such concerns,
a localized or community approach has been identified by ONCHIT
as a more palatable approach. Without appropriate privacy protections
in place, however, consumer confidence will be eroded for these
community collaborations as well.
This Advisory is a publication of the
Health Information Technology Group of Davis Wright Tremaine LLP.
Our purpose in publishing this Advisory is to inform our clients
and friends of recent developments in health law. It is not intended,
nor should it be used, as a substitute for specific legal advice
as legal counsel may only be given in response to inquiries regarding
particular situations.
Copyright © 2005, Davis Wright Tremaine
LLP.