New legislation has been proposed by privacy advocates in Maine that would govern how patient information is shared through the statewide HIE, HealthInfoNet. LD 1337, which is entitled "The Act to Ensure Patient Privacy and Control with Regard to Health Information Exchanges", would require, among other things, that patients' "written informed authorization" be obtained before the HIE could collect, store, access or disclose any health care information of a patient.
This marks a significant departure from HealthInfoNet's current procedures. Currently, patients of HealthInfoNet-participating providers and hospitals are automatically enrolled in the HIE, but must be given the opportunity to actively opt out of participation. If a patient exercises that choice and opts out of HealthInfoNet, all of his or her health information is deleted from the central data repository maintained by the HIE. Stakeholders decided early in the HIE's development that an opt-out approach would be in the best interest of patients, providers and the HIE. HealthInfoNet's executive director and CEO stated,
All agreed that an opt-in policy was impractical and would not lead to enough participation to be of value.
Notably, a majority of HIEs currently in operation use the opt-out approach. A survey conducted by the eHealth Initiative in July 2010 found that only 18 percent of the HIEs surveyed had policies requiring patients to opt in to the HIE. The minority of HIEs that use opt-in view privacy as paramount and, despite the higher burden, require patient consent before including a patient's information in the HIE.
However, while HIE privacy and consent discussions tend to collapse into the "opt in" versus "opt out" debate, the truth is that neither approach, on its own, will ensure patient privacy. The ONC's Privacy and Security Tiger Team, in its August 19th letter to the National Coordinator, took the position that either an opt-in or an opt-out model can be acceptable, provided it is implemented with "meaningful consent."
In my view, the question of whether a patient should consent to -- or 'opt in' to -- having a third-party HIO "aggregate and store" his or her information is far less important than the question of what happens to that information after it is stored there. The HIO, after all, has contractual obligations pursuant to its HIPAA BAA with the covered entities that contribute data, and, as a result of HITECH, the HIO can be directly assessed penalties if it runs afoul of HIPAA. So then, one might ask,
what additional and real benefit is there to having patients 'opt in' to having their information stored by a third-party HIO that is already required, pursuant to contractual (the HIPAA BAA) and legal (HITECH) obligations, to safeguard that information against unauthorized access or use?
Thus, whether the HIO implements an opt-in or an opt-out approach may not be the most important question. Rather, time discussing privacy may be better spent on questions such as:
- Are there clear access policies, and are user roles appropriately defined?
- What are the authentication processes?
- Are users adequately trained (and I mean really) on what are "appropriate" reasons and inappropriate reasons to access information in the HIE?
- Has the HIE clearly defined what are "permitted" and "prohibited" uses of PHI in the HIE?
- Who audits for inappropriate access?
- Is there accountability, and how are violators punished?
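To make the questions above concrete, here is an added example (not code from HealthInfoNet or from this post) of the enforcement and audit mechanics they point at: a gateway in front of the HIE's central repository that honors opt-out, checks the user's role against a permitted purpose of use, requires a documented treatment relationship for routine treatment lookups, allows "break-glass" emergency access only with a flag, writes every decision (allowed or denied) to an audit log, and an audit routine that surfaces the two things a reviewer would want to see first: users who are repeatedly denied (probing for records they have no relationship with) and every break-glass access. The roles, purposes, user and patient identifiers and the permitted-purpose matrix are hypothetical; a real HIE's matrix would come from its own participation agreement and HIPAA analysis.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PHYSICIAN = "physician"
    NURSE = "nurse"
    BILLING = "billing"
    SYSADMIN = "sysadmin"


# Purposes of use each role may assert (hypothetical policy; an HIE's own
# matrix would come from its participation agreement and HIPAA analysis).
PERMITTED_PURPOSES = {
    Role.PHYSICIAN: {"treatment", "emergency"},
    Role.NURSE: {"treatment", "emergency"},
    Role.BILLING: {"payment"},
    Role.SYSADMIN: set(),  # runs the platform, never reads clinical data
}


@dataclass(frozen=True)
class AccessEvent:
    """One line of the audit log: every request, allowed or not."""
    seq: int
    user: str
    role: Role
    patient: str
    purpose: str
    allowed: bool
    reason: str


class HIEGateway:
    """Policy enforcement point in front of the central repository."""

    def __init__(self, treatment_relationships, opted_out):
        # (user, patient) pairs asserted by a participating provider.
        self.relationships = set(treatment_relationships)
        # Patients who opted out: the HIE holds nothing for them.
        self.opted_out = set(opted_out)
        self.audit_log = []

    def request(self, user, role, patient, purpose):
        allowed, reason = self._decide(user, role, patient, purpose)
        self.audit_log.append(AccessEvent(len(self.audit_log) + 1, user, role,
                                          patient, purpose, allowed, reason))
        return allowed

    def _decide(self, user, role, patient, purpose):
        if patient in self.opted_out:
            return False, "patient opted out; no record held"
        if purpose not in PERMITTED_PURPOSES[role]:
            return False, f"purpose {purpose!r} not permitted for role {role.value}"
        if purpose == "emergency":
            # Break-glass: allowed without a relationship, but always reviewed.
            return True, "break-glass access, flagged for review"
        if purpose == "treatment" and (user, patient) not in self.relationships:
            return False, "no documented treatment relationship"
        return True, "ok"


def audit_findings(log, denial_threshold=3):
    """What the auditor looks for first: probing users and break-glass use."""
    findings = defaultdict(list)
    denials = Counter(e.user for e in log if not e.allowed)
    for user, n in sorted(denials.items()):
        if n >= denial_threshold:
            findings["repeated_denials"].append((user, n))
    for e in log:
        if e.allowed and e.purpose == "emergency":
            findings["break_glass"].append((e.user, e.patient))
    return dict(findings)


def run_sample():
    """Constructed scenario (not real data): one legitimate lookup, one
    clinician probing records, one billing user outside role, one break-glass."""
    gw = HIEGateway(treatment_relationships={("dr_ames", "pt_001")},
                    opted_out={"pt_999"})
    gw.request("dr_ames", Role.PHYSICIAN, "pt_001", "treatment")   # ok
    gw.request("dr_ames", Role.PHYSICIAN, "pt_999", "treatment")   # opted out
    gw.request("dr_ames", Role.PHYSICIAN, "pt_002", "treatment")   # no relationship
    gw.request("dr_ames", Role.PHYSICIAN, "pt_003", "treatment")   # no relationship
    gw.request("dr_ames", Role.PHYSICIAN, "pt_004", "treatment")   # no relationship
    gw.request("bill_01", Role.BILLING, "pt_001", "treatment")     # wrong purpose
    gw.request("rn_lee", Role.NURSE, "pt_002", "emergency")        # break-glass
    return gw.audit_log, audit_findings(gw.audit_log)


if __name__ == "__main__":
    log, findings = run_sample()
    for e in log:
        print(f"{e.seq} {e.user:8} {e.purpose:10} {e.patient} "
              f"{'ALLOW' if e.allowed else 'DENY '} {e.reason}")
    print(findings)
```

Two design points worth noting. Denied requests are logged just like allowed ones, because a user who keeps asking for records outside his or her treatment relationships is exactly who the auditor needs to see, and a log of successes alone hides that. And the opt-out check runs first: once the patient's data has been deleted from the repository, no role, purpose or emergency flag should be able to produce it, so the gateway never reaches the later checks for those patients.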