WASHINGTON — The push for universal electronic health records, a long-simmering issue in the healthcare debate, is gaining fresh momentum with the new administration and Congress, but privacy concerns continue to confound policymakers.
President Obama has set a goal of digitizing every American’s health record by 2014, and he included $19 billion to that end in the economic stimulus package. In April, Sen. John Rockefeller, D-W.Va., introduced a bill that would create a new federal panel and grant program to spur universal e-health records built on open source software. Major technology firms such as Microsoft, Google and IBM have jumped on the bandwagon, and IT figures to play a major role in the coming debate over healthcare reform.
But the question remains, how do health IT providers ensure that patients remain in control of their most sensitive personal data in a digital healthcare regime?
At the Computers, Freedom and Privacy conference today, a panel of experts took up that question, acknowledging that it doesn’t really have an answer at this point.
“This is one of those issues that has been going round and round and round for years,” said Joel Slackman, managing director at the BlueCross BlueShield Association.
But in the case of the stimulus money, that debate is going to be cut short. The Department of Health and Human Services has formed committees to gather public comment on the privacy protections for e-health records, with rules due by the end of the year.
“The time in which things have to be done is incredibly compressed,” Slackman said.
The IT provisions in the stimulus bill amended the Health Insurance Portability and Accountability Act, broadening its scope to cover tech firms offering personal health portals. But the specific requirements for IT companies remains unclear, according to Frank Torres, Microsoft’s director of consumer affairs.
“I don’t know if we’ve gotten there yet,” Torres said. “The business community would appreciate some more certainty.”
The advent of the Web-based personal healthcare portal was greeted with significant privacy concerns. Companies like Microsoft and Google, who generate significant revenue from targeting advertisements based on information they know about Web users, have made privacy assurances a central part of their product roll-outs.
“At Microsoft we decided very early on with our HealthVault product that consumers should control what goes in, who sees it going out,” Torres said. “We thought trust was so fundamental to adoption of this.”
Torres said that patients can control the information that is entered into their files, as well as which doctor gets to see it. That means that a patient seeing a dermatologist, for instance, could set the access controls to conceal the fact that he is taking lithium.
The appropriate granularity of these controls is one of the thorniest issues facing policy-makers as they set privacy rules for e-health records. On the one hand, patients would be reluctant to sign on to a system that offered minimal controls over which doctors get to see which pieces of information. However, giving patients the capability to add and alter information in their records can add a fresh uncertainty to the integrity of records, particularly when systems like Microsoft’s HealthVault funnel into the records used in doctor’s offices and hospitals.
“Consent is the 800-pound gorilla for medical privacy,” said Ashley Katz, executive director of the advocacy group Patient Privacy Rights.
The prospect of bringing IT firms into the business of managing medical records can also introduce a significant challenge in ensuring compliance with a bewildering complex of state laws. Many states have stricter standards for ensuring health privacy than what HIPAA requires. Often these obscure statutes are at odds with one another, meaning that a tech firm managing records across several states conceivably could be prohibited from a certain practice that is required in another.
“You don’t even know that a law’s conflicting until it smacks you in the face, sometimes,” Slackman said.