Consumer Advocates Assess HITECHSizing Up Stage 2 Privacy Provisions
Consumer advocates are praising provisions in the meaningful use rule for Stage 2 of the HITECH Act electronic health record incentive program that require giving patients online access to their records (see: HITECH Stage 2 Rules: An Analysis ).
See Also: Securing the Borderless Enterprise
But one advocate would have liked the rule for Stage 2, which starts in 2014, to include a requirement that healthcare organizations provide patients with alerts about protecting the privacy of their data when they download it.
Other Stage 2 criteria that consumer advocates are pleased about include:
- A meaningful use rule provision requiring healthcare providers to assess the use of encryption for stored information;
- A provision in the EHR software certification rule that requires the software to automatically encrypt patient information stored on end-user devices;
- Another provision in the certification rule that requires an "activity history log" accessible to patients online that tracks who has viewed, downloaded or transmitted health information via a portal.
Access to Information
The meaningful use rule, which spells out what hospitals and physicians must do to qualify for additional incentives in Stage 2 of the program, requires these providers to have 5 percent of patients view, download or transmit to third parties their health data within a 90-day reporting period (see: HITECH Stage 2 Rules Unveiled).
While consumer advocates acknowledge that 5 percent is a low threshold - down from 10 percent in the proposed version of the rule, they believe the small target could actually achieve big results. That's because the promotion by healthcare providers to get just 5 percent of their patients viewing, downloading and transmitting their health data electronically will likely eventually lead to many more patients using these capabilities in a portal.
"You have to overshoot your target to make your target," says Deven McGraw, director of the health privacy project at the Center for Democracy & Technology.
Consumer advocates contend that giving patients easier access to their information can help them to better manage their healthcare, which could lead to improved treatment outcomes.
Ensuring that EHR software enables patients to access records and provides them with an accounting of viewing activity via the patient portal "boosts confidence and transparency," says Christine Bechtel, vice president of National Partnership for Women and Families. By having access to their records, patients will gain trust about the accuracy of the information, she says. And tracking who has accessed records via a patient portal will provide reassurance about privacy.
Meanwhile, the two encryption provisions address the most common cause of major health data breaches - the loss or theft of unencrypted computing devices or storage media. "This is not a 100 percent solution, but it's a step in the right direction," McGraw says. "
Still, the rule doesn't address the encryption of health information that's stored outside of an EHR system, including on personally owned devices, she notes. "If it's not considered part of the EHR, it's not required to be encrypted," she says.
Regulators missed an opportunity to help ensure patient privacy when downloading records, Bechtel contends.
The Markle Foundation's Connecting for Health group had advocated privacy alerts that would appear on portals or elsewhere when patients sign in to view, download, or transmit data.
"The No. 1 thing that will be important moving forward is when patients download their records, they need to see a message to be reminded about being careful when sending, storing or viewing their records," Bechtel says.
But the Office of the National Coordinator for Health IT ultimately decided against including such alerts in the software certification rule.
McGraw, co-chair of Privacy and Security Tiger Team, which advises ONC, says the team determined that the alerts didn't fit as an EHR certification requirement. "It's more of a best practice, not a technical standard," she says. Providers and software vendors, however, have the flexibility of including a patient notice on their portals, she notes.
Bechtel hopes that the dozens of Regional Extension Centers, which have been established with HITECH Act funding to advise smaller organizations implementing EHRs, will recommend the addition of these patient privacy alerts.
Meanwhile, Deborah Peel, M.D., founder of Patient Privacy Rights, an advocacy group, is disappointed that the Stage 2 rules don't require that EHRs accommodate the segmentation of sensitive data, such as mental health or substance abuse records. Such segmentation would make it possible to carry out a patient's request that certain portions of their records not be shared with certain providers.
The Coalition for Patient Privacy , a group of about 50 organizations, advocated records segmentation for Stage 1 and Stage 2 of the HITECH Act EHR incentive program, Peel notes. "It's really quite disturbing that features that patients want the most are ignored," she says.
ONC is studying the feasibility of using data segmentation technology to enable patients to designate what specific portions of their records can be exchanged.