SERCH Project Recommendations for HIE and Disaster Preparedness

As Helen noted in her post on Thanksgiving, Superstorm Sandy re-emphasized the need for health care organizations to have plans in place for disaster preparedness, data backup and recovery. As New York and New Jersey rebuild, health care organizations are taking a closer look at what they can do to improve the availability of critical health care services for their patients, and in particular, the role of HIE in keeping patient information available.  

This past July, ONC released the results of a two-year effort by the Southeast Regional HIT-HIE Collaboration (SERCH) Project on Health Information Exchange in Disaster Preparedness and Response. The SERCH project began in November 2010 and included representatives from natural disaster-prone states such as Alabama, Arkansas, Florida, Georgia, Louisiana, and Texas. 

Supported by ONC, the SERCH Project was a state-led initiative aimed at identifying information-sharing challenges during natural disasters and developing strategic plans to incorporate HIE into disaster planning. The group developed an actionable plan to improve HIE capabilities in response to disasters, both during and in the aftermath, focusing particularly on interstate communication and information-sharing, and addressing legal and other barriers to the use and disclosure of patient information. 

Although limited primarily to the groundwork that needs to be covered prior to implementation of a fully-operational State HIE, the SERCH Project recommended five steps that any organization planning to share information through HIE should take to integrate HIE and disaster planning, especially where information-sharing could occur across state lines.

  1. Understanding the State’s disaster response policies and aligning with the State agency designated for Emergency Support Function #8 (Public Health and Medical Services) before a disaster occurs.
  2. Developing standard procedures approved by relevant public and private stakeholders to share electronic health information across State lines before a disaster occurs.
  3. Considering enactment of the Mutual Aid Memorandum of Understanding to establish a waiver of liability for the release of records when an emergency is declared and to default state privacy and security laws to existing Health Insurance Portability and Accountability Act (HIPAA) rules in a disaster. States should also consider using the Data Use and Reciprocal Support Agreement (DURSA) in order to address and/or expedite patient privacy, security, and health data-sharing concerns.
  4. Assessing the State’s availability of public and private health information sources and the ability to electronically share the data using HIE(s) and other health data-sharing entities.
  5. Considering a phased approach to establishing interstate electronic health information-sharing capabilities.

These recommendations can also be applied and implemented by individual HIE networks and organizations, not only at the state-level. 

A full copy of the whitepaper can be found on the Health IT website. You can also find a summary of the report by Lee Stevens, Policy Director for the State HIE Program, as well as his 2011 blog post on the Joplin Tornado and the role of EHRs, at the Health IT Buzz.

We "Like" Organ Donor Status on Facebook

This post has been prepared by Christina Strong, Esq.

The addition of “organ donor status” to Facebook is a tremendous boon for the communication of what is fast becoming a social norm: altruistic donation of one’s body, to take place after death. Unlike other decisions surrounding one’s body, the decision to donate organs is not a health care decision. It is instead a charitable gift, to be given post-mortem, the legal equivalent of a gift made through a will. While privacy advocates and others in the industry are rightfully concerned about inadequate protection for healthcare decisions provided on the web in general and Facebook in particular, there is no privacy law or issue impacted by listing one’s donor status on Facebook. First of all, it is extremely unlikely that designation of donor status on Facebook will be considered a document of gift under the Uniform Anatomical Gift Acts of most states. Thus, to state that one is an organ donor on one’s Facebook Timeline is tantamount to saying:

When I die, and if I die in a time frame and manner which allows for the recovery of something from my body, I would like to give something. 

It is an expression of general support for a concept, followed by a call to action “Register with your State Donate Life Registry”, and a link to do so.  The registration itself takes place on a secure website, which performs legally adequate verification of identity, and information, and in many cases, specific choices as to the scope of the gift.  Facebook does not display actual registration or donor information.  Facebook displays the expression of generous intent.

A recent article in Bloomberg Businessweek warns consumers to be hyper-aware about managing their own privacy for this information, and suggests that it can be used against them. While it is not entirely clear if the authors of the article are actually concerned about the privacy of a person's "donor status" or have simply confused this expression with the privacy concerns that arise when true medical information is shared, in any case it is important to understand that the Organ Donor "Status" referred to on Facebook is reflecting merely the willingness to give a post-mortem gift.  This general willingness, or indeed, even the fact of donor registration does not impact any other aspect of life or health care, any more than a decision to be cremated rather than buried might.  One is not treated differently in an insurance policy, an auto accident or at the hospital based on one’s decision, registered or not.  One is not declared dead on any different criteria, simply because one has indicated a preference about donation.  It is a decision about body disposition, and therefore, not considered health information of any kind, under any law, state or federal.  Donor status is a decision people like to share, like “I root for the Giants” or “I support Planned Parenthood”.  It loses any conceivable protection at the point where one voluntarily shares it with the public one chooses to share with. 

If the article intends to point out that once you put your donor status on Facebook others can see it and judge it according to their own lights, then the authors are absolutely correct.  That is the point.

Christina Strong is an attorney in private practice who concentrates in health law, including anatomical gift law, informed consent, healthcare decision-making and healthcare privacy.  She is a trustee of Donate Life America, and a registered organ and tissue donor in the State of New Jersey.  This means that when she dies, if she dies in a manner and a time frame compatible with donation, her organs can save as many as seven lives, and her tissues may be recovered and used to enhance the lives of hundreds.  This is true of her, and 10 million others who have registered their wish to be an organ donor.  With the help of Facebook we hope that 10 million more donors will sign up in 2012.

According to, the FB Donor Status button and link has spurred thousands of new registrations in just the last few days. To learn more about how you can register to become an organ donor through Facebook's links to state registries, visit DonateLife's FB page.

Supreme Court to Hear Arguments on Suit for Damages under the Privacy Act

The Supreme Court is scheduled to hear oral arguments tomorrow, November 30, in a suit for damages under the Privacy Act stemming from a wrongful disclosure of confidential information. Federal Aviation Administration v. Cooper involves a plaintiff whose HIV information was wrongfully disclosed by federal agencies. The suit seeks to establish that mental or emotional injuries qualify as "actual damages" for purposes of the civil remedies provision of the Privacy Act, 5 U.S.C. § 552a(g)(4)(A). The Privacy Act regulates the collection, maintenance, use and disclosure of individuals' information collected by federal agencies.

A private aircraft pilot since 1964, the plaintiff, Stanmore Cooper, was diagnosed with HIV in 1985. Although required to disclose the illness and any medications being taken on his "airman medical certificate," a continuing certification required by the FAA for any pilot to legally operate an aircraft, Cooper chose to let his certificate lapse because he would not be permitted to fly if he disclosed his illness. In 1994, he again submitted the application, choosing not to disclose his HIV status. For ten years, he continued to renew the application, intentionally omitting his HIV status.

However, Cooper's information was exchanged between the Social Security Administration (SSA) and the FAA as a result of a collaboration between agencies that sought to uncover illicit efforts by pilots to obtain FAA licenses although medically "unfit." This exchange occurred without his authorization. Cooper had provided information regarding his HIV status to the SSA in his application for long-term disability benefits. Cooper was eventually indicted on three counts of submitting false statements to the government and lost his pilot's license.

Cooper sued in 2007 alleging that the federal government had "willfully and intentionally" violated the Privacy Act and caused him “to suffer humiliation, embarrassment, mental anguish, fear of social ostracism, and other severe emotional distress.”  The Southern District of California, where the plaintiff's case was originally brought, admitted that the federal government had violated the Privacy Act, but found that regardless, Cooper had not demonstrated the "actual damages" required by the Act.  The Ninth Circuit on appeal reversed, finding mental or emotional distress was sufficient, "given the nature of the injuries that most frequently flow from privacy violations...."

The Supreme Court accepted the government's petition for certiorari in June of 2011. A key issue expected to be tackled by the Supreme Court, according to the prestigious ScotusBlog, is whether the Privacy Act was intended to broadly protect privacy rights against the government's more limited interpretation, an important step for understanding the nature of privacy injuries and privacy law generally.

If the Supreme Court sides with the government, this would not only limit damages to pecuniary ones, but potentially also deter whistleblowers as well as potentially have a negative impact on privacy law in general.  A decision will not be made until spring of next year. For a more in-depth explanation of the issues involved and an overview of tomorrow's Oral Arguments, visit ScotusBlog, or generally,      

Helen to Speak on Solving Privacy Dilemmas with Health Information Exchange at national Health Care Info Privacy Forum



CDT Analyzes Privacy Issues in Sorrell v. IMS Health, Inc.

In my previous post (Nov 2010) regarding the Sorrell case, I pointed out that the U.S. Supreme Court's decision (either way) will have a profound impact on data-mining and how certain patient information can be used. 

The Center for Democracy and Technology (CDT) has recently taken a closer look at the privacy issues presented in the Sorrell case, and has prepared an excellent memo that "unpacks" and carefully analyzes the legal issues and potential impact the Court's decision could have on current health care policy, and patient privacy in general. CDT has asked Legal HIE to help get the "word out" regarding the issues presented by Sorrell and covered in the CDT memo, and Legal HIE in turn asks our readers to visit CDT's website and review the critical points raised in CDT's Sorrell Memo.

CDT's blog post on the case and link to the legal memo are also reprinted below: 

A Nuanced Understanding of Privacy

by Brock N. Meeks

March 24, 2011

A case pending before the U.S. Supreme Court has serious implications for how privacy protections are interpreted.  But understanding the various risks posed in this case requires some careful unpacking of the ways in which "privacy" is—and is not—at issue here.  CDT's Health Privacy Project team has taken a look at those risks and published an in-depth memo about its findings.

In this memo CDT focuses on two aspects of the case: First, an explanation of why it is important to recognize the valid distinctions between personally identifiable data and "de-identified" data.  The paper explains that privacy could actually be harmed if the Court were to accept the claims, made in some briefs in the case, that there is no difference between identified and de-identified data.  

The second aspect of the case the paper examines is the claim that doctors have a "privacy" right in their drug prescribing practices.  CDT disagrees and explains here that, while the patient-doctor relationship is based on confidentiality and the trust it generates, it is not useful – and would undermine other health care goals – to speak of doctors as having a "privacy" right in their drug prescribing practices.

The paper concludes by saying:  

So in many ways, Sorrell v. IMS Health is not about privacy in the way that defenders of the Vermont law claim.  Yet a broad ruling by the court on de-identified data could have a negative impact on patient privacy.  And a broad statement by the Court on doctor 'privacy' could derail other very timely initiatives. This is not the case, nor is the Supreme Court the institution, to make policy on either set of issues; the parties have offered other viable rationale for the Court to use to decide this case. There needs to be a policy conversation about the viability of the current de-identification standard, but this case needs to preserve the concept that there is a meaningful distinction between identified and de-identified data. It is up to other processes to ensure a continually robust de-identification standard and strict accountability for re-identification.


Kansas Aligns State Privacy Laws with HIPAA as HIE Standard

Today, the State of Kansas’ Senate committee approved (by a vote of 39-0) Senate Bill 133 to align the state’s privacy laws with HIPAA. The Kansas Health Information Exchange, Inc. (the state’s RHIO) testified before the Senate committee to stress that legislation is necessary to harmonize the “patchwork of about 200 statutes and regulations that are primarily focused on particular types of information…”  Representatives of the Kansas HIE explained that creating uniform privacy and security standards in Kansas for electronic HIE is critical because it affects the ability of providers to exchange and share information and coordinate care, which is key to higher quality and more efficient care, and better population health.

Among other things, Senate Bill 133 sets out criteria that providers must meet in order to be protected from prosecution for violating a patient's privacy. Specifically, providers would have to:

  • adhere to the use and disclosure rules in HIPAA;
  • adhere to the requirements in HIPAA for safeguarding patient information; and
  • comply with a patient's right to access their own medical information.

The bill also creates a standardized authorization form for providers to give patients before accessing and exchanging their medical information, as well as provides for a "personal representative" for incapacitated adults and minors without legal guardians.

As of January 27, 2011, ONC has approved over $547 million dollars to states in order to further HIE efforts.  Yet, as states gear up to tackle implementing the Operational Plans that they have submitted to ONC, they continue to be faced with many of the same privacy and security questions and issues that have slowed and even stalled HIE progress in the past. 

Before the ONC was established, the Health Information Security and Privacy Collaborative (HISPC) tackled privacy and security law issues for several years. HISPC’s Final Report regarding Harmonizing State Privacy Laws, which is posted on ONC’s website, specifically recognizes that inconsistency in state and federal laws in terms of definitions, organizational structure, and content is often cited as a barrier to participation in and implementation of HIE. In addition, the report notes that stakeholder groups have long indicated that a greater harmonization of state laws would be beneficial and that reform of state laws, combined with revisions in federal laws, must be considered.

During Phase 1 of HISPC's work, extensive discussions and activities with stakeholders determined that lack of clarity and divergent interpretation of legal standards have created barriers to participation in and implementation of HIE. The Report goes on to say that, while some impediments to the exchange of health information are essential to protect privacy interests,

[u]nnecessary and unintended barriers resulting from confusion or inconsistency can prevent the timely and appropriate exchange of information essential for medical treatment and population health activities. Whether the movement to transform health care through HIE involves private grassroots efforts, state-specific initiatives, a single federal approach, or any combination thereof, the availability and use of common tools and resources is essential for establishing workable information exchange standards and practices within and among states.

Yet, while these obstacles are now widely recognized and exhaustively written about, the inconsistencies in various state laws as they relate to desired federal HIE objectives continue to create confusion and drain resources. Thus, to date, HIPAA continues to be the main federal legal source that states can look to in order to define what privacy and security standards should apply to electronic HIE – which is what Kansas has done.

Doctors and Patients Mostly Agree on IT

Government Health IT reported yesterday that, according to a national survey released January 31st by the Markle Foundation, patients and physicians share many similar views regarding increasing beneficial use of health information technology to improve delivery of care, as well as the necessary privacy protections that should go along with the shift to utilize electronic medical records. The Markle Foundation states on its website that the Markle Survey of Health in a Networked Life is

[t]he first of its kind to compare the core values of physicians and the general public, referred to here also as patients based on their opinions as consumers of health care, on deployment of information technology in health care.

Key findings in the Markle Survey include:

  • 74% of the doctors surveyed would prefer computer-based means of sharing patient information with each other.
  • 47% of the doctors would prefer computer-based means of sharing records with their patients. (Only 5% do so today.)
  • 74% of doctors said patients should be able to share their information electronically with their doctors and other practitioners.
  • 10% of the public reported currently having an electronic PHR (up from 3% who reported having one in Markle’s 2008 survey).
  • 70% of the public and 65% of the doctors agreed that patients should be able to download their personal health information online.
  • 70% of the public said patients should get a written or online summary after each doctor visit, but only 36% of the doctors agreed. (Only 4% of doctors say that they currently provide all their patients a summary after every visit).

Other findings from the survey include:

  • 70% to 80% of both patients and doctors support privacy-protective practices, such as letting people see who has accessed their records, notifying people affected by information breaches, and giving people mechanisms to exercise choice and correct information.
  • 65% of the public and 75% of doctors agreed that it’s important to have a policy against the government collecting personally identifiable health information for health IT or health care quality-improvement programs.
  • If there are safeguards to protect identity, however, at least 68% of the public and 75% of the doctors expressed willingness to allow composite information to be used to detect outbreaks, bioterror attacks, and fraud, and to conduct research and quality and service improvement programs.
  • 75% of the public and 73% of the doctors said it will be important to measure progress on improving health care quality and safety to ensure the public health IT investments will be well spent. Both groups (each at 69%) agreed on the importance of specific requirements to improve the nation's health in areas like heart disease, obesity, diabetes, and asthma.
  • Many are unaware of the health IT incentives: 85% of the public and 36% of doctors describe themselves as not very or not at all familiar with the health IT incentives program, which makes subsidies available for doctors and hospitals to increase use of information technology.

For a detailed copy of the report, visit Markle Foundation's Latest Surveys.

Are Cloud-based HIEs Subject to Twitter-Google-Facebook-like Subpoenas?

In a recent New York Times article, Google, Twitter and other internet companies raise concerns regarding the wave of requests they receive for customer data from law enforcement agencies. Last year, Google counted more than 4,200 such requests in the first half of 2010. Other internet and telecommunications companies, like Twitter and Facebook, are also feeling inundated with such requests for information. The NYT article reports that Verizon told Congress in 2007 that it received some 90,000 such requests each year, and Facebook told Newsweek in 2009 that subpoenas and other orders were arriving at the company at a rate of 10 to 20 a day.

These companies and others are saying that the main law governing communication privacy, the Electronic Communications Privacy Act of 1986 (ECPA), is outdated, and affords more protection to letters in a file cabinet than to personal information maintained on a server. The current ECPA does not explicitly afford protections for the vast majority of private content stored on the Internet, allowing law enforcement agencies to obtain a person’s online data with a simple subpoena from a prosecutor. This weak level of protection has created tension between privacy advocates and law enforcement agencies that consider internet data to be a valuable source of crucial information. In fact, Google, along with other Internet companies such as Verizon, Facebook, and Twitter, have increasingly been targeted by law enforcement for personal data information.

Unlike Twitter, whose policy is to notify users before releasing personal information, most Internet companies are not required to provide users with any notice, and law enforcement officials can even demand that requests be sealed from targets of investigation. Since there are no straightforward standards in the ECPA governing Internet information, courts in different jurisdictions have interpreted them differently and created a piecemeal collection of rules. Under the ECPA, emails can be accessed by the government without a warrant under certain storage conditions or after a certain amount of time has passed.

According to the Center for Democracy and Technology’s (CDT) Digital Due Process coalition, the current rules are inadequate and do not meet the Fourth Amendment’s due process clause. In December 2010, two federal appeals court decisions supported CDT’s stance, ruling that the ECPA standards for government surveillance have not kept up with technological progress and do not meet Constitutional standards. Over the past year, the CDT, along with privacy advocates, legal scholars, and major telecommunications service providers, have developed a set of standards under which they believe the ECPA should be updated. The ACLU has also created proposals designed to simplify, clarify, and strengthen the ECPA:

  1. Robustly Protect All Personal Electronic Information. Current loopholes in our privacy laws need to be closed to protect electronic information without regard to its age, whether it is "content" or "transactional" in nature, or whether an online service provider has access to it to deliver services.
  2. Safeguard Location Information. The law should require government officials to obtain a warrant based on probable cause before allowing access to location information transmitted through cell phones, which 82% of Americans own.
  3. Institute Appropriate Oversight and Reporting Requirements. To ensure adequate oversight by Congress and adequate transparency to the public, existing reporting requirements for wiretap orders must be extended to all types of law enforcement surveillance requests.
  4. Require a Suppression Remedy. If a law enforcement official obtains non-electronic information illegally, that information usually can’t be used in a court of law. The same rule, however, doesn’t apply to illegally-obtained electronic information. Such a rule only encourages government overreaching and must be changed to require a judge to bar the use of such unlawfully obtained information in court proceedings.
  5. Craft Reasonable Exceptions. Currently ECPA sometimes allows access to the content of communications without a true emergency, without informed consent and without prompt notice to the subject. ECPA must be amended on each of these fronts if electronic records are to receive the protections Americans need.

For now, it is up to Congress to decide whether or not to adopt these proposed updates and negotiate the critical balance between the protection of personal expectations of privacy and the government’s need to protect the public. However, for RHIOs, HIOs, and software vendors offering PHR and HIE solutions via the internet, the impact of the ECPA should be evaluated as well, particularly with respect to whether data maintained in internet-based HIE repositories may be subject to disclosure pursuant to this federal law.

Prepared with assistance from Melody Hsiou, MPH Columbia University, J.D. expected from Seton Hall University 2013.

Drug Database Firms Have Much to be Thankful for this Past Thanksgiving as Second Circuit says "Good-Bye" to Vermont's Drug Marketing Restrictions

On November 23, 2010, the Court of Appeals for the Second Circuit issued its ruling that Vermont’s drug-marketing restrictions were unconstitutional. The law banned the use, sale or transmission of prescriber-identifiable data for prescription drug marketing or promotional purposes without first obtaining the prescriber’s consent. Several data mining companies had brought the suit alleging that the statute impermissibly infringed upon their freedom of speech.  

As the Court of Appeals noted, data mining companies typically collect aggregate data to determine prescribing patterns and sell the information to pharmaceutical companies which, allegedly without this information, would be prevented from more effective marketing efforts, directing important information to prescribers, tracking disease prevention, and conducting clinical trial programs and post-marketing surveillance programs.  Researchers and insurance companies also use the data generated by data-mining companies, as do state law enforcement and other state agencies, and federal agencies such as the FDA, CDC and DEA.

Noting that the First Amendment protects “even dry information, devoid of advocacy, political relevance, or artistic expression,” the Court of Appeals found the Vermont statute was clearly aimed towards influencing “the supply of information,” central to First Amendment concerns, and that it restricted the data mining companies’ commercial speech.  The Court held that the statute failed to satisfy the intermediate scrutiny test because it did not assert a substantial state interest that was “directly advanced” by the statute nor was it “narrowly tailored” to achieve that interest. 

In doing so, the Court of Appeals rejected the substantial state interests alleged by Vermont - that the restrictions protected the public health and the privacy of prescribers and prescribing information (medical privacy) and the state’s interest in containing health care costs in the private and public sectors.  The Court noted that data-mining and the use of the data generated from such activities was still permitted in other contexts and found the state’s concerns for medical privacy too “speculative” under the circumstances to qualify as a substantial state interest.  Although the Court did agree that Vermont had a substantial interest in lowering health care costs and protecting public health, it found that the statute did not advance these interests in a ”direct and material way.”  The Court also found that the statute was not narrowly tailored and that Vermont had more direct and less restrictive methods available that it failed to utilize that would better serve its asserted interests.

The Vermont decision could have paramount implications for HIEs.  Secondary uses of de-identified information are often touted as a potential solution to the elusive long-term financial sustainability issue faced by all HIEs. The fact that the Second Circuit struck down as "unconstitutional" a state law enacting restrictions on data mining will most certainly give database firms and HIE stakeholders confidence that similar uses of information in other contexts could be similarly protected under the First Amendment.

The text of the court’s full decision may be found at   

The Spirit of Holiday Giving, er, Penalties...

The California Department of Public Health (CDPH) will be collecting a whopping $667,000 in administrative fines and penalties from six hospitals charged with privacy violations. The CDPH imposed penalties ranging from $5,000 to $250,000 on the hospitals under new privacy and confidentiality regulations enacted in 2008 aimed at cracking down on widespread patient privacy violations. Under the new legislation, penalties may be assessed for violations of up to $25,000 per patient whose information was accessed, used or disclosed improperly, and up to $17,500 for subsequent violations.

By far the most astounding of the violations was at Kern Medical Center, which was hit with a $250,000 penalty after the theft of laboratory reports from storage lockers used for distribution of the reports. A staff member had placed daily laboratory reports in storage lockers that were no longer on the premises of the hospital but outside and accessible to the general public. He was aware that the locks were not functioning and that the locker door was broken, a condition that the storage locker had been in for several months. Although the Privacy Officer alleged that keeping the reports in the outside lockers was not a hospital-permitted practice, it appeared to have been occurring for some time. Another hospital was assessed a $225,000 penalty for failing to prevent unauthorized access and use of patient information by a hospital employee who had memorized the information while purging older hospital records in order to help other individuals open fake Verizon accounts.

The imposition of these fines and penalties should impress even out-of-state hospitals with the importance of securing both paper and electronic health information. From safeguarding computer printouts such as laboratory reports to preventing unauthorized access to or uses of electronic health information, hospitals must be vigilant and proactive in safeguarding patient information. Not only must hospitals monitor access to and uses of patient information, but they must also continue to educate and re-educate staff on confidentiality and security policies, conduct periodic audits and physical security sweeps, and strictly enforce all policies by imposing sanctions where appropriate.

The full CDPH press release may be found at