| 
The Balance Between Privacy and Technology
By Rebecca
L. Williams, RN, JD and
Paul T. Smith
Partners and co-chairs of the HIT/HIPAA
practice
[June 2005]
Privacy concerns are among
the greatest threats to the development of electronic health
information networks. Federal and state privacy requirements
are complex and sometimes inconsistent and may not match consumer
privacy expectations. Threats to privacy (and security, which
is inextricably tied to privacy) are heightened when health
information is maintained or transmitted electronically. The
press of a button could send information to an unintended recipient,
and a breach in security could broadcast data to the world.
Placing responsibility for managing privacy and security in
a third party, such as through a health information exchange
collaboration, introduces another level of concern. This article
will identify some privacy considerations arising through the
use and disclosure of health information in a collaboration
for public-interest related purposes. In other articles, we
will address other privacy concerns, including the effect of
the privacy and security regulations issued under the Health
Insurance Portability and Accountability Act of 1996 (HIPAA)
on the exchange of health information.
Research
The Office of the National Coordinator for Health
Information Technology (ONCHIT) has issued a Framework for Strategic
Action in which it identified several public interest goals
that could be accomplished through the electronic exchange of
health information. The facilitation of research, and the dissemination
of research results, is one such goal. Despite the potential
benefits of using electronic health information to accelerate
the pace of clinical research toward needed cures, a number
of concerns exist, including significant restrictions on uses
and disclosures of health information for research purposes
imposed by HIPAA privacy regulations, state law, the Common
Rule, and the Food and Drug Administration regulations. In light
of the myriad protections implemented by the federal and many
state legislatures, it seems unlikely that restrictions will
be significantly reduced for research functions within a health
information collaboration.
Under HIPAA privacy regulations, a covered entity
may use or disclose health information for research without
individual authorization if, among other exceptions, the authorization
is “waived” by an institutional review board or
a privacy board. Even with a waiver, however, disclosure is
not mandatory and is left to the discretion of the covered entity.
If the covered entity desires to disclose the information, it
is responsible for obtaining assurances that the waiver is proper
and that the disclosure is within the scope of the waiver. If
this authority is to be delegated to a participant of a collaboration
(or the collaboration itself), then the collaboration will need
to have policies and procedures addressing such matters as determining
what research-related uses and disclosures will be permitted,
confirming that an institutional review board or privacy board
has properly approved the research, and verifying that a waiver
for authorization (or other exception for the use and disclosure
of information for research purposes) exists. It also will need
procedures for reporting to participating covered entities information
concerning the disclosure of their data for research, so that
they can monitor and control these disclosures and provide the
required accounting to consumers. The privacy regulations also
recognize other exceptions to the authorization requirement
for uses and disclosures of protected health information for
research purposes, including certain reviews preparatory to
research, research on decedents’ information, limited
data sets, and de-identification, as long as certain requirements
are met. Again, a health information exchange collaboration
wishing to participate in such research activities would need
to allocate responsibilities and establish appropriate policies
and procedures to ensure compliance with applicable requirements.
Public Health
As another recognized goal, ONCHIT is looking
to collaborations to provide information for public health surveillance.
State laws require reporting of certain illnesses and injuries,
but many of the kinds of incidents that interest public health
authorities may not be subject to mandatory reporting. In these
situations, health information exchange participants have a
certain amount of discretion with regard to the disclosure of
health information to public health authorities. Certainly,
disclosures mandated by state or federal law will not pose particular
privacy concerns. Moreover, disclosures of de-identified, aggregated
information to public health authorities is unlikely to run
afoul of legal requirements or public scrutiny. On the other
end of the continuum, to allow public health authorities unfettered
access to individual records is unlikely to fully comply with
federal and state laws. Additionally, this type of government
surveillance will present significant concerns to many consumers.
Again, collaboration participants will have to develop policies
around a consensus on the proper balance between the well-recognized
utility of data sharing networks for promoting public health
and the privacy expectations of consumers.
Quality Monitoring
The third public interest-related goal of the
Strategic Framework is quality monitoring, which envisages that
aggregate data would be used to monitor health care quality
in real time and at the point of care. Consumers would have
access to information about the cost, quality, and service ratings
of the care they were receiving or seeking. The goal of disseminating
this kind of information is to enhance consumer choice and involvement
in health care and treatment decisions. Obviously, however,
it has important implications for health care providers and
may affect their decisions whether or not to participate in
information sharing networks.
Access for Law Enforcement and Judicial Purposes
State and federal law allows access to health
information pursuant to subpoenas, search warrants, court orders,
discovery, and other processes, as long as certain requirements
are met.There are no special protections for information contained
in a health information collaboration, and a consolidated consumer
health database would contain a great deal of information that
would be useful for law enforcement agencies or litigants in
judicial or administrative actions. Collaboration participants
should define the process by which health information is used
and disclosed for law enforcement and judicial purposes. For
example, if one collaboration participant is served with a demand
for compulsory disclosure, such as a grand jury subpoena, how
much disclosure or access, if any, should that participant give
to law enforcement to health information maintained on behalf
of the collaboration? It seems reasonable that a health information
exchange would want to implement, at a minimum, a notice process
so that its participants can appropriately analyze and address
the potential disclosure. A collaboration also presents the
risk that certain authorities may attempt to avoid legal jurisdictional
issues by targeting a participant in one state in an effort
to obtain information from participants located in other states.
Moreover, collaboration participants will need to assess liability
and, to the extent practicable, allocate such liability if a
participant properly (or more leniently than other participants
may prefer) provides information pursuant to such compulsory
disclosure.
Striking a Balance
A health information collaboration is unlikely
to be successful in the absence of consumer confidence that
the privacy, security, and confidentiality of health information
will be safeguarded. It is evident from the failure of unique
patient identifiers under HIPAA that the American public desires
some level of privacy from intrusion by its federal and state
governments. Despite the many potential benefits offered by
a health information collaboration there is the potential for
abuse.
Even when applicable law permits a use or disclosure
for specific purposes without patient authorization or other
permissions, significant questions arise about the potential
for unauthorized “downstream” use, disclosure, or
re-disclosure of such information for non permitted purposes
or even for lawful purposes that have the effect of circumventing
the protections established by law.
Many privacy groups feared that a national
data base was a goal of HIPAA and, now, such groups may more
justifiably be concerned about such a data base as the result
of the national health information initiative. Seemingly in
response to such concerns, a localized or community approach
has been identified by ONCHIT as a more palatable approach.
Without appropriate privacy protections in place, however, consumer
confidence will be eroded for these community collaborations
as well.
For more information, please contact:
This Advisory is a publication
of the Health Information Technology Group of Davis Wright Tremaine
LLP. Our purpose in publishing this Advisory is to inform our
clients and friends of recent developments in health law. It
is not intended, nor should it be used, as a substitute for
specific legal advice as legal counsel may only be given in
response to inquiries regarding particular situations.
Copyright © 2005, Davis Wright
Tremaine LLP.
|
