At Project HealthDesign, we’ve challenged our grantee teams to push the PHR envelope by designing and testing a broad spectrum of innovations in how consumers can use information technology to better manage their health and more easily navigate the health care system.
While we’re looking toward the next generation of PHRs and personal health applications, it is also key to keep abreast of the current legislative landscape which, depending on how things play out, could significantly influence the development and utilization of these technologies.
Congress may soon pass the first bill with a primary aim of wiring the nation’s health system. The deal isn’t done, and not all parties are entirely pleased with it, but on June 21st, the Wired for Health Care Quality Act of 2007 gained Senate Committee approval. If nothing throws it off course, a version of it could come up for a full Senate vote early this fall. Sponsors of the bill are Senators Edward Kennedy (D-MA), Michael Enzi (R-WY), Hillary Clinton (D-NY), and Orrin Hatch (R-UT).
The Wired for Health Care Quality Act of 2007 (S.1693) would provide more than $320 million in grants and loans to help health care providers purchase and use IT systems and to support the development of local and regional health information exchange networks. It would also establish new and codify existing government bodies that work on health information technology (HIT) and encourage the integration of HIT into clinical education.
The bill also addresses privacy. Privacy is of course, a key topic in HIT policy and PHR design discussions because national polls and surveys—and Project HealthDesign grantees’ user group testing—identify it as a primary concern in this context. People fear that digitization of their health information could lead to embarrassment and to discrimination by employers, insurance providers and others.
The privacy provisions of the Wired Act are relevant to PHR developers and Project HealthDesign on two levels. The most immediate is that they would expand the coverage of the privacy law, HIPAA—the Health Insurance Portability and Accountability Act—to include a number of entities involved in HIT that are not currently covered. While it does not specifically name PHRs and PHR companies, the bill’s definition of a new category of HIPAA “covered entity” is an “operator of a health information electronic database”…which could arguably apply to some PHRs.
Complying with HIPAA could require PHR companies to do some extra administrative work, but whether that work would provide the desired effect is open to debate. HIPAA was designed to protect patient privacy by limiting access to private health data to those involved in the daily business of clinical care, such as doctors and insurance providers, but as a July 3rd New York Times article “Keeping Patients' Details Private, Even From Kin,” recently pointed out, it is frequently misunderstood and misapplied, often to the detriment of patients. For example, because of misguided fears of violating HIPAA, many providers refuse to share critical information about a patient's condition even with their closest relatives. Given that HIPAA was not drafted with PHRs in mind, the likelihood of misapplication could be even higher.
Although the Wired bill as drafted would answer some privacy concerns (it addresses privacy in several specific contexts in addition to expanding HIPAA), according to some consumer advocacy organizations it does not go far enough in establishing—in an overarching way—who should have access to electronic personal health information and why, and what should happen in the event of a privacy leak.
A new addition to the picture is the introduction on July 18th of the Health Information Privacy and Security Act of 2007 (S.1814)—by the same primary sponsor as the Wired bill, Senator Edward Kennedy (D-MA), along with Senator Patrick Leahy (D-VT). This second bill would establish a more comprehensive set of privacy policies, but it’s not clear that both bills will become law. Passage of the Wired Act without the Privacy and Security Act, which is likely to be much more controversial politically, will be studied carefully to determine how it would amend HIPAA’s privacy provisions and to determine its effects on PHRs.
“HIPAA was never intended to be the final word on privacy,” said Ken Goodman, director of the University of Miami’s Bioethics Program and leader of the Project HealthDesign team looking at legal and ethical issues raised by PHRs. “These legislative initiatives make it clear that we are still trying to strike a balance between privacy rights and the benefits of electronic records. What we’ve learned repeatedly is that people will tend to vote with their feet—that is, if they value a technology and trust the safeguards in place to govern its use, some privacy anxiety will be reduced as the technology is adopted.”
“The same is true for PHRs,” Goodman said. “If patients value the convenience and improved care many believe PHRs will help provide, they will balance those benefits against privacy laws reckoned to be just a little too prickly.”
One of the goals of this blog is to keep readers informed about policies that could affect the development of PHRs. We’ve tried here to give you a glimpse at the lay of the land on Capitol Hill—and encourage you to post your opinions and reactions using the Comments link below. The full text of both bills can be found on the Library of Congress’ web site. A summary of the Health Information Privacy and Security Act of 2007 is on Senator Kennedy’s web site.