Skip Links

Network World

Curt Monash

Medical privacy affects us all, and Congress keeps missing the point

By CurtMonash on Mon, 01/19/09 - 4:28am.

The New York Times reminds us that President-Elect Obama is committed to the automation of medical records. I think that's great, as there are many reasons why electronic health records a great idea. The specific focus of the NYT article is on legislative initiatives to assure privacy, of which there seem to be many. My feelings about that are more mixed -- I love the idea, but am not so wild about the implementation.

I emphatically believe it is crucial to set up a new legal structure for privacy and the government use of information. When making that case, I usually conflate the two big areas of medical records and security/anti-terrorism/law enforcement. But that's a bit sloppy. The truth is, medical privacy issues should be solved first, before we fully tackle the others. National-security privacy issues are almost certain to fall afoul of partisan politics, at least until an example is set by consensus in a less contentious area. And there are indeed several reasons it should be easier to achieve such a consensus in the medical area than it is in security or law enforcement. In the medical realm, unlike national security:

1. The interests of the information's subject are obviously paramount. There are three main reasons to manage medical information -- to treat patients, to facilitate the business side of health care, and to support general medical research. Treating patients is clearly the most important.

2. Information policies can safely be transparent. In national security matters, there's great secrecy even as to what information is or isn't being stored. The medical area is thankfully free of that complication.

3. It is obvious that everybody is equally deserving of protection, with only the most limited of exceptions. This simplifies the discussion. National security vs. privacy debates are often complicated by arguments to the effect that most people are deserving of freedom, but some need to be carefully watched. Whether or not you think that's true, you hopefully agree it doesn't apply in the medical case.

Unfortunately, much of the legislative effort in medical privacy misses the main point. With the happy exception of the Genetic Nondiscrimination Information Act, privacy initiatives are focused on controlling the accumulation and movement of data, rather than its use. I think that's quite insufficient. No matter how stringent the rules are about acquiring and sharing information, they'll never suffice. Reasons include:

  • Medical information needs to be shared in emergencies. And where legitimate emergencies are common, "social engineering" to defeat security procedures is, at least in principle, child's-play.
  • As a condition of getting medical care and getting it paid for, people are routinely coerced to sign waivers allowing information to be shared.
  • HIPAA procedures are already causing hardship to patients and families. For example, family members are routinely banished from patients' bedsides out of fear that they'll overhear some other patient's private information. (OK, maybe that's a pretext, as hospitals generally will take any excuse they can think of to get rid of visitors.) Yet they don't work. (Think of all the releases of celebrities' medical information.)
  • Over-legislating detailed rules about technology tends to backfire in general.

Here are some examples of laws-about-medical-information-use I would favor:

  • It should be illegal to discriminate in any way based on medical information, subject only to the same common-sense allowances for discrimination found in the Americans With Disabilities Act.
  • It should be illegal to use medical information for marketing purposes. Limited exceptions can be carved out for health-care providers.
  • Unauthorized use of medical information should carry substantial criminal penalties, at least in certain use-cases, such as releasing it for publication. Normally I hate anything that smacks of censorship, but it should be possible to draw bright lines that keep this rule from being overly broad.
  • Doctor/patient confidentiality should be strengthened. In particular, the use of medical data for law enforcement needs to be rolled back. For example, New York City's law -- made famous in the recent matter of Plaxico Burress -- that requires health care providers to rat out patients with bullet wounds is awful. And I say this as a former member of Handgun Control, who wishes it were realistic to repeal the Second Amendment.
  • Aggregation of personal medical information for research should be tightly regulated. Many such uses are worthy and should be permitted, but that can't be allowed to open a path around the rest of privacy protections.

This is not to say that there shouldn't also be rules about a general duty to keep information confidential. But they're a sideshow. The bottom line is this:

Medical information will be exchanged. The legal focus needs to be on ensuring that patients don't suffer as a result.

Side-stepping obstacles

0
By Anon (not verified) on Mon, 01/19/2009 - 12:28pm.

“Medical information will be exchanged. The legal focus needs to be on ensuring that patients don't suffer as a result.”

Good article and great timing, Curt Monash. You succinctly described the privacy obstacle blocking the adoption of meaningful interoperable eHRs, followed by some common sense solutions that just might work. We need solutions fast - before reckless ambition screws things up.

Within the last week, HHS unveiled its plans for an updated online (or paper) family health history that is a free download. (See “Surgeon General's Family History Initiative”)
http://hhs.gov/familyhistory/

I am a general dentist with a solo, paper practice - just like the majority of dentists. If privacy can be assured, such a universal health history would not only provide me as much information about my patients’ health as I would ever need to know, but it would save me money because I would no longer have to wait until patients are finished filling out their paperwork before being seated for treatment. Most importantly, I wouldn’t have to become a HIPAA-covered entity for my patients to benefit from this information.

There’s more. If this works out, dentists will no longer have to mail health history forms to patients prior to their appointments - an arguably expensive and unreliable method of avoiding the non-productive time spent waiting. There are occasions when the patients appear for their appointment just in time, with our health history form in their hands - sometimes in the envelope we sent a few days before. After introducing themselves to Janis, my office manager, they ask for a pen and clipboard.

The options as I see them:

Option 1: If a dentist has a paperless practice, soon the uniformly-accepted document will be available for automatic download into the patient’s digital file, any time of the day, without anyone in the office lifting a finger. However, for the modern convenience, there are modern liabilities. The dentist must be a HIPAA-covered entity and assume significant risk of a breach that can adversely affect the welfare, and trust of the dentist’s patients.

Option 2: If a dentist has an office computer, but the patients’ treatment records are paper, the digital information can be printed for insertion into the patient’s folder, and then deleted. HIPAA is not involved unless the information is stored digitally - as in, “We are sorry to inform you, Mrs. Aschbacker, but (insert name) neglected to delete your digital health history from one of our computers, and regretfully, we were hacked.”

Option 3: If a dentist does not have a computer, then a simple fax link will work swell. HIPAA can be completely avoided. But most importantly, patients’ privacy is not risked in a modern way.

Conclusion:

I consider this to be either the first chance for healthcare providers to take control of the establishment of interoperability for the benefit of the principles in healthcare (providers and patients), or it is the last chance for it to happen if left to the stakeholders (everyone else).

Consider this: The HHS health history includes not only the patient’s health information, but also questions the health of his or her relatives. If one’s relative has cancer, emotional problems or even an addiction, how likely is it that the participant will be honest if he or she fears data breaches? Breaches must be stopped for e-miracles to appear in healthcare. That is a fact.

Dream with me a second. Imagine the research capabilities if citizens are allowed to opt-in to an Internet platform and readily confide even their most personal health secrets. It is simple to understand that the tightly held real or imagined symptoms are sometimes the most important. These are also the secrets that some will not discuss with anyone but the doctor.

It is my opinion that until we reliably de-identify eHRs, install a double-key security to access the records controlled by the owners of the information, and put the control of the development of miracles in the hands of the principles, eHRs will be dangerous, forever. Trust only happens once in a lifetime. We must not betray the interests of our patients for short-term, wasted bailout money.

A uniform government-supported hybrid solution to interoperable health records is a beautiful idea in so many ways - especially expense. It simply makes common sense to include fax connections in the CCHIT requirements. Consider what might happen in a hospital emergency room if the Internet goes down for some reason - it happens. My advice is, don’t destroy those fax machines just yet. They might come in handy - especially in a disaster. That is why aircraft are built with redundant controls. Please consider it.

Information is the product and digitalization the tool. Not the other way around. D. Kellus Pruitt DDS

Medical privacy affects us all....it is already solved...

0
By Tim Magee (not verified) on Tue, 01/20/2009 - 2:07pm.

Before this discussion gets out of control, we do not need to hold up the most important use of data processing for national health with "white noise".

The need for privacy of medical information that the government controls is understood. But let's not "re-invent the wheel". Keep this basic fact in mind, today the US government owns and manages all of our financial information (i.e. you may have heard of the IRS). This information is released to banks (by loan applications, etc) by request with approval of the person affected. The same processes and procedures can be in place for medical information.

Privacy of information managed by the government is understood and already in place. Let's move on to implementation.

Yes....but

0
By Daniel Kortsch, MD (not verified) on Tue, 01/20/2009 - 2:23pm.

Nice and succinct post. What I would like to add is the importance of prioritizing your "three main reasons to manage medical information". Your recognition that "treating patients is clearly the most important [issue]" is a start, but what is needed is an electronic health record that is, first and foremost a tool to improve patient care.

The problem is the disconnect between what president Obama wants from an electronic health record, and what currently exists in electronic health records. What our president wants is to improve medical care and minimize overhead costs, what he will get is only slightly reduced medical overhead costs, and minimally improved patient care. What we need is a radical departure from the traditional electronic forms that are great at creating data, but poor in data analysis. Without the electronic medical records being tied into electronic medical diagnosis and disease management, an electronic medical record is only a electronic piece of paper.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • You can use BBCode tags in the text.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <p> <strong> <i> <br /> <br> <ul> <ol> <li> <dl> <dt> <dd> <blockquote>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Welcome, visitor. Register Log in
About A World of Bytes

Curt Monash is a leading analyst of and strategic advisor to the software industry. Praised by Lawrence J. Ellison for his "unmatched insight into technology and marketplace trends," Curt was the software/services industry's #1 ranked stock analyst while at PaineWebber, Inc., where he served as a First Vice President until 1987. He subsequently co-founded Evernet, Inc., a $40 million networking systems integrator. Since 1990, he has owned and operated Monash Research, an analysis and advisory firm covering software-intensive sectors of the technology industry. In that period he also has been co-founder, president, or chairman of several other technology startups.

Curt has served as a strategic advisor to many well-known firms, including Oracle, Microsoft, SAP, AOL, CA, and Netezza. Curt earned a Ph.D. in mathematics (Game Theory) from Harvard University. He has held faculty positions in mathematics, economics and public policy at Harvard, Yale, and Suffolk universities.