Deven McGraw, Health Privacy Project Director, Center for Democracy & Technology
Project HealthDesign’s regulatory assurance team, which includes advisers from Manatt, Phelps and Phillips and the Center for Democracy & Technology, is drafting a cross-cutting policy issues paper that addresses potential legal obstacles to the collection and use of observations of daily living (ODLs) to improve health care (read my last post on the topic for background information). We plan to use the experiences of the current Project HealthDesign teams both to identify these obstacles and to suggest practical ways to address them. We hope this paper can help pave the way for a more certain policy environment that encourages bi-directional communication between health care providers and patients using innovative technologies like smartphones and personal health records (PHRs).
In most instances, the obstacles that create headaches for the current Project HealthDesign teams are not specific legal prohibitions. For example, the law does not say that providers cannot communicate with patients using mobile health tools. But there are a lot of uncertainties about the potential application of current privacy and security rules to how patients and providers use these innovative e-health tools — and this lack of certainty will hinder more widespread adoption.
The Project HealthDesign teams have identified three categories of cross-cutting issues to address in the paper. They are:
- Assuring the security of information transmitted between patients and providers using portable devices and other computer systems;
- Provider liability concerns about collecting ODLs from patients; and
- Lack of privacy and security protections for consumer health tools, which often are not covered by federal or state health data protection laws.
We have already begun to get specific examples from the teams of policy and technology solutions that they have deployed to address the first two sets of issues. In a recent webinar, the teams provided examples of how they have assessed the risks and benefits of communicating with patients using mobile health tools. They also shared the best practices they’ve implemented to secure the data in a way that doesn’t overburden the provider or the individual and establishes an environment of accountability. We are currently developing best practice recommendations based on their experiences, and will be seeking additional feedback before the recommendations are finalized.
The focus on health data security issues is timely, as the HHS Office of the Inspector General recently released reports critical of both the Office of Civil Rights (OCR), which enforces HIPAA, and the Office of the National Coordinator (ONC), which manages the provider electronic health record certification program, for insufficiently addressing, and holding providers accountable for, the deployment of comprehensive security protections. The reports could prompt both OCR and ONC to establish more specific health data security requirements for providers.
At a recent Project HealthDesign workshop, we discussed the issue of provider concerns about liability for collection and use of ODLs. Some clear themes emerged:
- Ultimately, we need to build trust in both the technology and the processes (including clinical workflow) for collecting, accessing, using and disclosing patient ODLs.
- It is critical to set and consistently manage expectations, on both the provider side and the patient side, for what ODLs will be collected, how they will be collected, how often they will be reviewed, who will review them, what the plan and timeframe are for responding to ODLs, etc. The Chronology Project is deploying an “ODL Prescription” as a tool for managing expectations; this is the type of best practice that we want to highlight in the paper.
As with the data security issue, we are working to develop best practice recommendations for managing risk of liability based on the teams’ experiences and will seek additional feedback before they are finalized.
The third category of issues is lack of protections for consumer health tools, which often are not covered by federal and state health privacy and security rules. As I noted in a previous post, the Federal Trade Commission (FTC) and the Department of Commerce released draft reports on consumer privacy concerns in late 2010 that will be finalized in 2011 and could lead to stronger Administration initiatives on this issue. In addition, bills have been introduced in both chambers of Congress establishing baseline privacy rules that apply to personal data, including health data. We expect to include the approaches to privacy and security promoted in these bills and Administration initiatives in our discussions with grantees about best practices in this category. Stay tuned for further developments!