Maine Considers Opt-In Requirement for HIEs

New legislation has been proposed by privacy advocates in Maine that would govern how patient information is shared through the statewide HIE, HealthInfoNet.  LD 1337, which is entitled "The Act to Ensure Patient Privacy and Control with Regard to Health Information Exchanges", would require, among other things, that patients' "written informed authorization" be obtained before the HIE could collect, store, access or disclose any health care information of a patient.  

This marks a significant departure from HealthInfoNet's current procedures.  Currently, patients of HealthInfoNet-participating providers and hospitals are automatically enrolled in the HIE, but must be given the opportunity to actively opt out of participation. If a patient exercises his or her choice and opts out of HealthInfoNet, all of that patient's health information is deleted from the central data repository maintained by the HIE.  Stakeholders had decided early on in the HIE's development that an opt-out approach would be in the best interest of patients, providers and the HIE.  HealthInfoNet's executive director and CEO stated,

All agreed that an opt-in policy was impractical and would not lead to enough participation to be of value.

Notably, a majority of HIEs currently in operation utilize the opt-out approach.  A survey conducted by the eHealth Initiative in July 2010 found that only 18 percent of the HIEs surveyed had policies requiring patients to opt in to the HIE.  The minority of HIEs that use opt-in view privacy as paramount and, despite the higher burden, require patient consent before including a patient's information in the HIE. 

However, while HIE privacy and consent discussions always seem to circle back to the "opt in" versus "opt out" debate, the truth is that neither approach, on its own, will ensure patient privacy. The ONC's Privacy and Security Tiger Team stated in its August 19th Letter to the National Coordinator that patient consent currently accommodates both the opt-in and the opt-out approach when combined with "meaningful consent." 

In my view, the question of whether or not a patient should consent -- or 'opt in' -- to having a third-party HIO "aggregate and store" their information is far less important than the question of what happens to that information after it is stored there.  The HIO, after all, has contractual obligations pursuant to its HIPAA BAA with the covered entity data contributors, and as a result of HITECH, the HIO can be directly assessed for penalties if it runs afoul of HIPAA.  So then, one might ask,

what additional and real benefit is there to having patients 'opt in' to having their information stored by such a third-party HIO that is already required, pursuant to contractual (the HIPAA BAA) and legal (HITECH) obligations, to safeguard that information to prevent unauthorized access or use?

Thus, whether the HIO implements an opt-in or an opt-out approach may not be the most important question.  Rather, time discussing privacy may be better spent on questions such as:

  • Are there clear access policies, and are user roles appropriately defined?
  • What are the authentication processes?
  • Are users adequately trained (and I mean really) on what are "appropriate" reasons and inappropriate reasons to access information in the HIE?
  • Has the HIE clearly defined what are "permitted" and "prohibited" uses of PHI in the HIE? 
  • Who audits for inappropriate access? 
  • Is there accountability, and how are violators punished?
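The questions above are easier to reason about against a concrete model. The following is an added example, not HealthInfoNet code or any real HIE's policy: it sketches a small central repository in which every access request is decided by role, purpose and treatment relationship, every decision (denials included) is written to an audit trail, opting out removes the patient's record as described above, and a post-hoc review flags the two things an auditor should question first, break-the-glass reads and users who keep getting denied. The roles, purposes, user IDs and patient records are constructed assumptions for illustration.

```python
"""Illustrative HIE access-control and audit model (added example; not HealthInfoNet code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical role-to-purpose policy. A real HIE's policy is set by its
# participants; these roles and purposes are assumptions for illustration.
ROLE_POLICY: Dict[str, Set[str]] = {
    "physician": {"treatment"},
    "nurse": {"treatment"},
    "billing": {"payment"},
    "hie_admin": set(),  # operations staff: no clinical read access at all
}


@dataclass
class Patient:
    patient_id: str
    # Providers with an active treatment relationship (constructed sample data).
    care_team: Set[str] = field(default_factory=set)


@dataclass
class AuditEvent:
    user_id: str
    role: str
    patient_id: str
    purpose: str
    allowed: bool
    reason: str


class HIERepository:
    """Central data repository that records a decision for every request."""

    def __init__(self, patients: List[Patient]) -> None:
        self._patients: Dict[str, Patient] = {p.patient_id: p for p in patients}
        self.audit_log: List[AuditEvent] = []

    def opt_out(self, patient_id: str) -> bool:
        # Mirrors the opt-out model described in the post: the patient's data is
        # deleted from the central repository, so later lookups find nothing.
        return self._patients.pop(patient_id, None) is not None

    def access(self, user_id: str, role: str, patient_id: str, purpose: str,
               break_glass: bool = False) -> AuditEvent:
        allowed, reason = self._decide(user_id, role, patient_id, purpose, break_glass)
        event = AuditEvent(user_id, role, patient_id, purpose, allowed, reason)
        self.audit_log.append(event)  # every decision is logged, denials included
        return event

    def _decide(self, user_id: str, role: str, patient_id: str, purpose: str,
                break_glass: bool) -> Tuple[bool, str]:
        if patient_id not in self._patients:
            return False, "no record (never enrolled or opted out)"
        permitted = ROLE_POLICY.get(role)
        if permitted is None:
            return False, f"unknown role '{role}'"
        if purpose not in permitted:
            return False, f"purpose '{purpose}' not permitted for role '{role}'"
        if purpose == "treatment" and user_id not in self._patients[patient_id].care_team:
            if break_glass:
                return True, "break-the-glass: no treatment relationship, flagged for review"
            return False, "no treatment relationship"
        return True, "permitted"


def review_audit(log: List[AuditEvent], denial_threshold: int = 3) -> List[str]:
    """Post-hoc audit: surface what a human reviewer should question.

    One finding per break-the-glass access, plus one per user whose denied
    requests reach the threshold (a possible probing or snooping pattern).
    """
    findings: List[str] = []
    for e in log:
        if e.allowed and e.reason.startswith("break-the-glass"):
            findings.append(f"{e.user_id} used break-the-glass on {e.patient_id}")
    denials = Counter(e.user_id for e in log if not e.allowed)
    for user, n in sorted(denials.items()):
        if n >= denial_threshold:
            findings.append(f"{user} had {n} denied requests")
    return findings


if __name__ == "__main__":
    repo = HIERepository([Patient("P1", {"dr_smith"}), Patient("P2", {"dr_jones"})])
    repo.access("dr_smith", "physician", "P1", "treatment")            # permitted
    repo.access("dr_jones", "physician", "P1", "treatment")            # denied
    repo.access("dr_jones", "physician", "P1", "treatment", True)      # break-the-glass
    for _ in range(3):
        repo.access("clerk", "billing", "P1", "treatment")             # wrong purpose
    repo.opt_out("P2")
    repo.access("dr_jones", "physician", "P2", "treatment")            # record gone
    for event in repo.audit_log:
        print(event)
    print(review_audit(repo.audit_log))
```

The point of the model is the one the list makes: the access decision and the audit trail are where privacy is actually enforced, and both work the same whether the patient arrived through opt-in or opt-out. A break-the-glass path is deliberately allowed but never silent, and the review step turns the log into questions a person has to answer.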

CDT Analyzes Privacy Issues in Sorrell v. IMS Health, Inc.

In my previous post (Nov 2010) regarding the Sorrell case, I pointed out that the U.S. Supreme Court's decision (either way) will have a profound impact on data-mining and how certain patient information can be used. 

The Center for Democracy and Technology (CDT) has recently taken a closer look at the privacy issues presented in the Sorrell case, and has prepared an excellent memo that "unpacks" and carefully analyzes the legal issues and the potential impact the Court's decision could have on current health care policy, and patient privacy in general.  CDT has asked Legal HIE to help get the "word out" regarding the issues presented by Sorrell and covered in the CDT memo, and Legal HIE in turn asks our readers to visit CDT's website and review the critical points raised in CDT's Sorrell Memo.  

CDT's blog post on the case and link to the legal memo are also reprinted below: 

A Nuanced Understanding of Privacy

by Brock N. Meeks

March 24, 2011

A case pending before the U.S. Supreme Court has serious implications for how privacy protections are interpreted.  But understanding the various risks posed in this case requires some careful unpacking of the ways in which "privacy" is—and is not—at issue here.  CDT's Health Privacy Project team has taken a look at those risks and published an in-depth memo about its findings.

In this memo CDT focuses on two aspects of the case: First, an explanation of why it is important to recognize the valid distinctions between personally identifiable data and "de-identified" data.  The paper explains that privacy could actually be harmed if the Court were to accept the claims, made in some briefs in the case, that there is no difference between identified and de-identified data.  

The second aspect of the case the paper examines is the claim that doctors have a "privacy" right in their drug prescribing practices.  CDT disagrees and explains here that, while the patient-doctor relationship is based on confidentiality and the trust it generates, it is not useful – and would undermine other health care goals – to speak of doctors as having a "privacy" right in their drug prescribing practices.

The paper concludes by saying:  

So in many ways, Sorrell v. IMS Health is not about privacy in the way that defenders of the Vermont law claim.  Yet a broad ruling by the court on de-identified data could have a negative impact on patient privacy.  And a broad statement by the Court on doctor 'privacy' could derail other very timely initiatives. This is not the case, nor is the Supreme Court the institution, to make policy on either set of issues; the parties have offered other viable rationale for the Court to use to decide this case. There needs to be a policy conversation about the viability of the current de-identification standard, but this case needs to preserve the concept that there is a meaningful distinction between identified and de-identified data. It is up to other processes to ensure a continually robust de-identification standard and strict accountability for re-identification.

A full copy of the CDT Sorrell Memo can also be reviewed under "Continue Reading" below. 

Security Breach Response: Lessons Learned from the Epsilon Breach

Does the notice below look familiar?

Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers.  We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information.

If it does, congratulations on being one of the unlucky millions affected by the data breach that occurred at Epsilon last week.  The largest distributor of "permission-based" email marketing, Epsilon serves some 2,500+ clients, from JPMorgan Chase to Target and Walgreens, sending over 40 billion emails on their behalf each year. 

At some point on Wednesday, March 30, Epsilon's systems were hacked, resulting in millions of email addresses and names being stolen, presumably in order for hackers to send mass spam and convincing "phishing" emails to consumers.  The first I became aware of the breach was Monday, April 4, when I received the above notice from Chase, followed quickly by Target, 1-800-Flowers and a variety of other smaller companies over the next two days. 

As I received the latest emails this morning (World Financial Network National Bank, or WFNNB, and Citibank), I couldn't help but be impressed with how quickly Epsilon was able to detect the data breach, notify law enforcement, and notify its clients affected by the breach, reportedly about 50 companies.  The turnaround time within which many of the affected clients notified their consumers was equally impressive, especially given that these companies likely only received notice from Epsilon right before or over the weekend.

I immediately wondered: would such a response have been equally efficient and effective if the data breach had occurred within the HIT systems of a business associate of a hospital, or within the hospital itself?  Maybe yes and maybe no. 

HITECH places stringent security breach notification requirements and timeframes on covered entities and business associates who experience breaches of PHI (affected individuals must be notified without unreasonable delay and in no case later than 60 calendar days after the breach is discovered).  In addition, state laws such as New Jersey's Identity Theft Prevention Act also place breach notification requirements on these and other entities with regard to certain personal information.   

Covered entities, as we are all too aware, are certainly not immune from the risk of security breaches.  Many covered entities may not have detailed policies and procedures for detecting and responding to breaches of PHI.  For those that do, are these procedures effectively communicated to key management and employees so that they know how to appropriately react from the first sign of a breach through the sending of required notices?  In addition, how soon and by what mechanisms are business associates required to report breaches, or even suspected breaches, of PHI to the covered entity?

Although only email addresses and names were taken, the Epsilon breach stresses how important it is for covered entities to assess their security breach notification policies and procedures and to ensure that key personnel know the steps for detecting, assessing and mitigating breaches of PHI, and their respective roles and responsibilities, BEFORE these individuals are placed in such a situation.

A mere five calendar days (including the weekend) is quite impressive for a breach response involving so many different companies.  Although perhaps five days might be improbable or even impossible for a covered entity under the circumstances of a given breach, immediate and efficient action and communication are still crucial to an effective breach response.