ONC Releases PHR Model Privacy Notice

Robert Belfort, Project HealthDesign Regulatory and Assurance Advisory Group, Manatt, Phelps & Phillips, LLP

As more individuals begin to use personal health records (PHRs) to manage their personal health information, it is important that they be aware of PHR companies’ privacy and security policies. This is something that we at Project HealthDesign know well. Because of a new PHR Model Privacy Notice (Model Notice) created by the Office of the National Coordinator for Health IT (ONC), we hope that others will soon appreciate the importance of knowing how PHR companies use their data.

ONC released the Model Notice on September 12, 2011. It is a standardized template that a web-based PHR company can use to inform consumers about its privacy and security policies. According to ONC, consumers should think of the Model Notice as similar to a nutrition facts label for food:  it succinctly provides important facts that consumers should know before using a PHR. The Model Notice is meant to provide information to consumers in a uniform format they can understand, compare and use to make an informed decision about which PHR they would like to use.

The Model Notice has two sections: (i) the “Release” section; and (ii) the “Secure” section. Both tell consumers what the PHR company may do with their data. The “Release” section tells consumers whether the PHR company releases their data and for what purposes (e.g., for marketing and advertising). It also describes any data release restrictions the PHR company may have in place and explains whether the PHR company will stop releasing a consumer’s data once they close or transfer their PHR. The “Secure” section includes three points to help consumers identify the PHR company’s data security practices. Specifically, it identifies that the PHR company implements security measures; whether the PHR company stores PHR data in the United States only; and whether the PHR company keeps activity logs that record who accesses a consumer’s PHR and when.

ONC was likely motivated to release the Model Notice, at least in part, because many PHRs are not covered by existing health information privacy laws and regulations (e.g., the Health Insurance Portability and Accountability Act’s Privacy and Security Rules). Thus, there are no clear rules for them to follow when handling consumers’ health information. This is a significant gap in the country’s privacy laws. Although voluntary use of a Model Privacy Notice will not solve the problem, it is a step in the right direction.

ONC released a helpful document titled, “Consumer Guide to Understanding and Using the PHR Model Privacy Notice on PHR Company Data Practices,” which does exactly what its title suggests. We recommend it for anyone who uses a PHR. Additionally, the PHR Model Privacy Notice is available for PHR companies to begin using.

Let us know what you think about the Model Notice. Does it include enough information to be helpful?  Would the participants in your projects be able to understand what it says?  Can you think of any ways that you can employ the concepts behind the Model Notice in your projects?

Tweet

Progress Made on Direct Patient Access to Lab Results

Robert Belfort, Project HealthDesign Regulatory and Assurance Advisory Group, Manatt, Phelps & Phillips, LLP

The federal government recently took an important step to advance its goal of enabling individuals to play a more active role in their health care. On September 12, 2011, the U.S. Department of Health and Human Services (HHS) released a proposed regulation that would amend the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to allow individuals to gain access to lab test results directly from laboratories. Although individuals could always get their lab test results from their doctor’s office, the potential for health information technology tools to facilitate broader exchange of information and the growing interest of individuals in being more active participants in their care appears to have driven HHS to propose the change.

Why Can’t Individuals Access Their Lab Test Results Directly From Labs Right Now?

Most clinical laboratories are regulated under the CLIA regulations, which provide that labs may only release test results to specified recipients, including “individuals authorized under state law to order or receive tests” and to “the individual responsible for using the test results and the laboratory that initially requested the test.” CLIA does not define “individuals responsible for using the test results.” So to whom labs can disclose test results usually depends on what state law says about who is authorized to order or receive tests. Only a few states place patients in that category. Further, HIPAA exempts the provision of clinical lab results by labs from provisions generally requiring health care providers to give patients access to their medical information.

How Would the Proposed Rule Fix the Problem?

The fix to this problem is surprisingly simple — at least as legal and regulatory changes go. HHS is proposing to add a new section to the CLIA regulations to specify that, upon an individual’s request, the laboratory may provide the individual with access to his or her completed lab test results that, using the laboratory’s authentication processes, can be identified as belonging to that individual. At the same time, HHS would remove the exceptions in the HIPAA Privacy Rule that exempt lab test results from the information that laboratories must provide to individuals upon request. If adopted, the proposed changes to the HIPAA Privacy Rule would preempt any contradictory state laws that prohibit a HIPAA-covered laboratory from directly providing access to an individual.

Rationale for Providing Individuals with Direct Access to Lab Test Results

Lab test results are critical to an individual’s efforts to take control over his or her health care. Today, however, lab test results rarely make it to individuals. A 2009 study published in the Archives of Internal Medicine indicated that health care providers failed to notify patients (or document notification) of abnormal test results more than 7 percent of the time. The National Coordinator for Health IT recently put the figure closer to 20 percent.

*****

Consumer groups like the National Partnership for Women and Families are lining up in support of the proposal. Indeed, the proposal seems consistent with Project HealthDesign’s mission of increasing individuals’ engagement in their health care. But we want to hear from the current Project HealthDesign teams and other researchers:

Is HHS’s proposed regulation to enable individuals to directly access their lab test results from labs a positive development? Do you see any potential downfalls that could result from this new policy?

View the proposed regulation.
Read more posts about legal and policy issues.

When is a Mobile App a Mobile Medical App?

FDA Guidance Regulates Mobile Medical Apps, Exempts Mobile Health and Wellness Apps

Deven McGraw, Project HealthDesign Regulatory and Assurance Advisory Group, Center for Democracy & Technology

On July 21, the U.S. Food and Drug Administration (FDA) issued guidance on how the agency intends to regulate certain mobile medical applications. The guidance does not establish legally enforceable rules but instead reflects the FDA’s current thinking on a topic and serves as a set of recommendations.

Congress has already granted the FDA authority to regulate medical devices. The agency has previously said that it considers health IT a medical device, and the agency seems to be moving toward greater enforcement of device regulations in other components of health IT, such as electronic health records. In February, the FDA released a final regulation governing medical device data systems (MDDS). The July 2011 guidance on mobile medical apps is the most recent FDA activity in this area.

What Qualifies as a Mobile Medical App?

The FDA tries to make clear that the guidance applies only to a subset of mobile health-related apps the agency is calling mobile medical apps. A mobile medical app is one that:

• Is used as an accessory to an FDA-regulated medical device (e.g., an app that enables a health care professional to view medical images on an iPad and make a diagnosis);

• Transforms a mobile platform into a regulated medical device (e.g., an app that turns a smartphone into an electrocardiography machine to determine if a patient is having a heart attack).

The “intended use” of an app is what determines whether it qualifies as a mobile medical app. To determine intended use, the FDA will look at factors such as the packaging and the manufacturer’s ads and claims about the app.

What Qualifies as a Mobile Health or Wellness App?

The FDA tries to clarify that the guidance does not apply to "mobile apps that are solely used to log, record, track, evaluate, or make decisions or suggestions related to developing or maintaining general health and wellness." Examples of health and wellness apps are provided in the guidance, and include dietary tracking logs, appointment reminders, dietary suggestions based on a calorie counter, posture suggestions, exercise suggestions, etc. In contrast, a mobile medical app is one that is intended for "curing, treating, seeking treatment for, mitigating, or diagnosing a specific disease, disorder, patient state, or any specific, identifiable health condition."

The Gray Area Between Medical Apps and Health/Wellness Apps

The FDA tries to draw clear lines here and offers more examples of mobile medical apps in the guidance (see appendix A). However, the distinction between mobile medical apps and health/wellness apps is not as clear as the guidance presumes and seems to be based on the medical model of health. Today, medical conditions are significantly improved — and even prevented — by healthy behaviors, and providers might prescribe or at least recommend particular diet or exercise protocols as part of medical treatment. Many mobile health applications in development and in active use today fall in this gray area between medical and health/wellness. For example, the current Project HealthDesign teams are testing the impact of the use of consumer-facing health applications on health outcomes for individuals with chronic conditions.

Apps that Qualify as Medical Devices

In the guidance, the FDA acknowledges other classes of mobile apps that don’t qualify as mobile medical apps but might fit within the medical device definition; these other classes of mobile apps (e.g., apps that allow individuals to self-manage their diseases or conditions) would then be subject to FDA regulation. These apps are not covered by this FDA guidance; the agency does, however, intend to monitor the performance of these apps and “determine whether additional or different actions are necessary to protect public health” (see footnote 13 of the guidance).

Mobile medical apps will be expected to meet the device regulatory requirements associated with the risk classification for the app. In brief, the FDA will place more stringent requirements on devices that the agency believes pose a potential high risk for patients; the lowest level of device regulation, reserved for devices that pose minimum risk for morbidity or mortality, involves more general controls. For apps that are clearly not mobile medical apps — or that fall into the gray area between medical apps and health/wellness apps — the FDA recommends that manufacturers voluntarily follow the FDA’s Quality Systems regulations in the design and development of their apps.

Assessing the Guidance

In general, the FDA appears to be striking the right balance with this guidance, focusing on apps that are clearly used in medical treatment and taking a “sit-back-and-wait” approach for health/wellness apps that have implications for treatment. My chief concern about this guidance, however, is the lack of clarity about what is a mobile medical app — which could be subject to regulation as a device — and what is just a health/wellness app. This lack of clarity could be a significant obstacle to innovation in the mobile app space — an area where innovation should be actively encouraged. Some of the most exciting developments in health employ mobile apps to actively engage patients in activities that promote health or that enable them to manage health conditions in more effective and less costly ways.

At a minimum, the FDA should provide more examples of the types of apps that are not considered mobile medical apps, and the agency should select some examples that fall into the gray area — apps that focus on wellness but are intended to improve or mitigate a patient’s medical condition. The agency could also provide an efficient and transparent process for updating this list of examples to try to keep reasonably apace with technological developments. Perhaps a common sense litmus test could distinguish which health apps should be more closely regulated by the FDA: If the consequences of an app malfunction would be significant, it falls into the bucket of what FDA is trying to (and arguably should) more stringently regulate.

Submitting Feedback to the FDA

The FDA has also requested feedback on the regulations; submit your comments to FDA by October 19, 2011.

Good News for Patients Hidden in Health IT Policy Committee’s Meaningful Use Stage 2 Recommendations

Deven McGraw, Project HealthDesign Regulatory and Assurance Advisory Group, Center for Democracy & Technology

Recently, the federal Health Information Technology Policy Committee sent its official recommendations on Meaningful Use Stage 2 to the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS). In a bit of good news for patients and their advocates, these recommendations significantly increase requirements on providers and hospitals for sharing data electronically with patients.

For example, in Meaningful Use Stage 1:

• Providers and hospitals must provide patients electronic copies of their health information upon request and within three business days.*
• Hospitals must provide electronic copies of discharge instructions to patients upon request.*
• Providers must provide clinical summaries of each office visit to patients upon request, but these do not have to be in electronic format.*
• Providers have the option of providing at least 10% of their patients electronic access to their health information within four days of the information becoming available to the provider.  

For Stage 2, the Policy Committee’s recommendations place greater emphasis on providers and hospitals providing patients direct electronic access to their information. If the recommendations are accepted, patients will not have to request an electronic copy of their health information; they will instead have the capability to electronically view — and securely download on demand — relevant portions of their health information. This could significantly increase the demand for personal health records (PHRs) and applications that help individuals securely store, share and make use of their personal health information.

Specifically, in Meaningful Use Stage 2:

• Providers will be required to provide their patients access to view and download longitudinal health information within 24 hours of an encounter, or within four days of the provider having received the information from a lab or other external clinical site.**  
• Hospitals will be required to provide patients access to view and download information about a hospital admission within 36 hours of the encounter.**

Providers will still be required to provide patients clinical summaries of office visits, and hospitals will still be required to provide patients electronic copies of discharge instructions, but both will be able to use the view and download functionality described above to meet those objectives in Stage 2.

The Policy Committee also recommended that providers offer secure messaging to patients in Stage 2; at least 25 patients must be using this service in order for the provider to qualify for the Stage 2 payment. This is one of several instances in which the threshold is deliberately low in order to give providers time for implementation and to get patients accustomed to using the service.

The Policy Committee also adopted recommendations to deal with the privacy and security issues raised by the view and download functionality in Stage 2. For example, patients must be able to download information securely, and the information must include information on data provenance so that any subsequent users, including other providers, can know the data’s origin and the date it was created. Providers and hospitals also must establish processes to properly identify and authenticate patients who use view and download functionalities.

Additionally, in a move that’s sure to interest patients, the Policy Committee once again signaled its intent to include in Stage 3, which is scheduled to begin in 2015, requirements that deal with accepting electronic data from patients.

The Policy Committee’s Meaningful Use Stage 2 recommendations are not the final word on Stage 2. The final Meaningful Use criteria are set by CMS, and CMS’ proposed rule for Stage 2 likely will not be released until the end of the year. However, CMS relied significantly on the Policy Committee’s recommendations for Stage 1, so these recommendations are a strong signal of what’s to come in the very near future.

Do you see these recommendations as good news for patients and patient advocates? Tell us what you think by leaving a comment.

Read more posts about legal and policy issues.

---

* Providers and/or hospitals must successfully execute these processes in response to at least 50% of patient requests in order to qualify for the Meaningful Use Stage 1 payment.

** Providers must provide this functionality to at least 10% of their patients in order to qualify for Meaningful Use Stage 2 payment.

Who’s Seen My Health Care Information?

Proposed Changes to HIPAA Privacy Rule Would Help Patients Learn the Answer

Robert Belfort, Project HealthDesign Regulatory and Assurance Advisory Group, Manatt, Phelps & Phillips, LLP

On May 27, the United States Department of Health and Human Services (HHS) issued a proposed regulation (the Proposed Rule) that would amend the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule to provide patients with more information about who has accessed their protected health information (PHI). The Proposed Rule is the latest in a series of regulatory changes HHS is making in response to the Health Information Technology for Economic and Clinical Health (HITECH) Act .

Some of you may already be familiar with HIPAA’s “accounting of disclosures” provision. The provision requires health plans and health care providers, upon request, to give patients a list of the disclosures of their PHI. This “accounting” must describe, among other things, when the PHI was shared, for what purpose and who received it.

Under existing rules, accountings do not have to include the most common disclosures that covered entities make:  those for treatment, payment and health care operations.  Many covered entities have claimed that even this limited accounting obligation is burdensome. But privacy advocates have argued that the routine disclosures should be accounted for as well, especially if they are made using electronic record systems that have the capacity to automatically track disclosures.

The Proposed Rule weighs in on the side of the privacy advocates by requiring covered entities to give patients an “access report” that lists who has accessed their PHI in an electronic designated record set (that is medical records, billing records or other information that is used by covered entities to make payment or treatment decisions and that is maintained electronically) for any purpose, including treatment, payment and health care operations.

• If a patient requested an access report, a covered entity would have to include the following information:
• The date and time of access;
• The name of the natural person (if available) or the name of the entity accessing the electronic designated record set information;
• A description of what information was accessed (if available); and
• A description of the action by the user, if available (e.g., create, modify, access or delete).

There is significant debate about how difficult it will be for covered entities to provide this new access report. HHS has stated that covered entities are already supposed to be electronically tracking much of the information required in the new access report under the HIPAA Security Rule in order to generate required audit trails. But the extent to which covered entities actually do this is unclear.

In a nod to concerns expressed by covered entities, the Proposed Rules would also streamline the Privacy Rule’s current accounting of disclosures provision. For example, the Proposed Rule excludes research disclosures from the accounting requirement in response to complaints that it is difficult for providers to track the large number of records accessed in many research projects.

From the Project HealthDesign perspective, it is important to know that today, very few patients take advantage of their right to know who has seen their health information. Indeed, covered entities often point to the small number of accounting requests to support their arguments that the accounting requirement is unduly burdensome. But as patient-generated information like observations of daily living (ODLs) become more integrated into clinical health records, patients may take greater notice of their right to know who sees their health information and for what purposes.

For a more detailed summary of the Proposed Rule, please read the summary I wrote with my colleague Susan Ingargiola.

Read more posts about legal and policy issues.

Upcoming Cross-Cutting Legal and Policy Issues Paper to Include Best Practices from Current Project HealthDesign Teams

Deven McGraw, Health Privacy Project Director, Center for Democracy & Technology

Project HealthDesign’s regulatory assurance team, which includes advisers from Manatt, Phelps and Phillips and the Center for Democracy & Technology, is drafting a cross-cutting policy issues paper that addresses potential legal obstacles to the collection and use of observations of daily living (ODLs) to improve health care (read my last post on the topic for background information). We plan to use the experiences of the current Project HealthDesign teams to both identify these obstacles and also suggest practical ways to address them. We hope this paper can help pave the way for a more certain policy environment that encourages bi-directional communication between health care providers and patients using innovative technologies like smartphones and personal health records (PHRs).

In most instances, the obstacles that create headaches for the current Project HealthDesign teams are not specific legal prohibitions. For example, the law does not say that providers cannot communicate with patients using mobile health tools. But there are a lot of uncertainties about the potential application of current privacy and security rules to how patients and providers use these innovative e-health tools — and this lack of certainty will hinder more widespread adoption.

The Project HealthDesign teams have identified three categories of cross-cutting issues to address in the paper. They are:

• Assuring the security of information transmitted between patients and providers using portable devices and other computer systems;
• Provider liability concerns about collecting ODLs from patients; and
• Lack of privacy and security protections for consumer health tools, which often are not covered by federal or state health data protection laws.

We have already begun to get specific examples from the teams of policy and technology solutions that they have deployed to address the first two sets of issues. In a recent webinar, the teams provided examples of how they have assessed the risks and benefits of communicating with patients using mobile health tools. They also shared the best practices they’ve implemented to secure the data in a way that doesn’t overburden the provider or the individual and establishes an environment of accountability. We are currently developing best practice recommendations based on their experiences, and will be seeking additional feedback before the recommendations are finalized.

The focus on health data security issues is timely, as the HHS Office of the Inspector General recently released reports critical of both the Office of Civil Rights (OCR), which enforces HIPAA, and the Office of the National Coordinator (ONC), which manages the provider electronic health record certification program, for insufficiently addressing and holding providers accountable for deploying comprehensive security protections. The reports could prompt both OCR and ONC to establish more specific health data security requirements for providers.

At a recent Project HealthDesign workshop, we discussed the issue of provider concerns about liability for collection and use of ODLs. Some clear themes emerged:

• Ultimately, we need to build trust in both the technology and the processes (including clinical workflow) for collecting, accessing, using and disclosing patient ODLs.
• It is critical to set and consistently manage expectations – on the provider side and the patient side— for what ODLs will be collected, how they will be collected, how often they will be reviewed, who will review them, what the plan and timeframe are for responding to ODLs, etc. The Chronology Project is deploying an “ODL Prescription” as a tool for managing expectations; this is the type of best practice that we want to highlight in the paper.

As with the data security issue, we are working to develop best practice recommendations for managing risk of liability based on the teams’ experiences and will seek additional feedback before they are finalized.

The third category of issues is lack of protections for consumer health tools, which often are not covered by federal and state health privacy and security rules. As I noted in a previous post, the Federal Trade Commission (FTC) and the Department of Commerce released draft reports on consumer privacy concerns in late 2010 that will be finalized in 2011 and could lead to stronger Administration initiatives on this issue. In addition, bills have been introduced in both chambers of Congress establishing baseline privacy rules that apply to personal data, including health data. We expect to include the approaches to privacy and security promoted in these bills and Administration initiatives in our discussions with grantees about best practices in this category. Stay tuned for further developments!

Patient Engagement: A Key Ingredient in Accountable Care Organizations

Bob Belfort, Manatt, Phelps & Phillips, LLP

On March 31, the Centers for Medicare and Medicaid Services released a proposed rule governing the approval and operation of Accountable Care Organizations (ACOs) under the new Medicare Shared Savings Program.

The program creates financial incentives for providers to work together to treat patients across multiple care settings, including physician offices, hospitals, and in the home. Under the proposed rule, an ACO would consist of a group of providers that have agreed to collaborate to coordinate care for patients enrolled in Medicare Parts A and B. ACOs are intended to be patient-centered organizations that deliver integrated, efficient and cost-effective care. ACOs that successfully provide lower-cost care and that achieve quality targets will be eligible to retain a portion of the savings shared with the Medicare program.

ACOs would have to define processes to promote evidence-based medicine, patient engagement, and care coordination. They would also have to report on quality and cost measures.

In some cases, the proposed rule is prescriptive about the health IT tools providers should use to achieve these objectives. One example is the requirement that at least 50 percent of an ACO’s primary care physicians must be meaningful users of electronic health records at the beginning of the second year of the ACO’s existence.

In other cases, the proposed rule does not establish specific criteria. In the area of patient engagement, for example, the proposed rule allows ACOs the flexibility to choose tools that are most appropriate for their practitioners and patients. Activities that promote patient engagement may include, but are not limited to, use of decision-support tools and shared decision-making methods that help patients assess the merits of various treatment options in the context of their specific values. Patient engagement may also include methods for fostering basic knowledge about maintaining good health, avoiding preventable medical conditions and managing existing conditions.

It is worth noting that the proposed rule encourages ACOs to use remote monitoring and telehealth to coordinate care; however, the rule does not specify exactly when or how such tools should be employed.

We think that knowing a patient’s observations of daily living (ODLs) could help ACOs meet quality improvement goals under the Medicare Shared Savings Program. We also believe that the program, with its focus on patient engagement and care coordination, could go a long way toward convincing health care providers to incorporate patient-defined, patient-generated health information into the clinical care setting.

Do you agree? What are your predictions about what health care providers will do to satisfy the proposed rule’s patient engagement and care coordination requirements?  What about your big picture reactions to the ACO concept? Will ACOs help improve health care quality and efficiency or are they just another passing fad?

To learn more about the proposed rule, read the summary prepared by Manatt, Phelps and Phillips, LLC.

More Patient Engagement in Meaningful Use

Bob Belfort, Manatt, Phelps & Phillips, LLP

As National Program Director Patricia Flatley Brennan and Deven McGraw of the Center for Democracy & Technology have discussed in recent blog posts, Stage 2 of Meaningful Use may set higher standards for health care providers’ engagement with patients. For example, in Stage 1, providers need only provide patients with an electronic copy of their health information upon request 50 percent of the time. But under Stage 2, providers may be required to use online secure patient messaging to communicate with patients via e-mail.

This move toward more patient engagement in Meaningful Use leads to an important question, which PricewaterhouseCoopers (PWC) explored in a recent research paper titled “Putting Patients into Meaningful Use”: How can health care providers use health IT tools, such as personal health records (PHRs), to effectively expand the care team to include patients?

A recent study suggests that less than half of all physicians are willing to use patients’ PHRs as part of their clinical work. Mistrust of patient-generated data, time constraints, lack of financial incentives and liability concerns are several issues that could contribute to this sentiment. To truly exploit the transformative potential of health IT tools, health care providers will have to become comfortable with engaging patients as more active partners in managing their own care. This is why Project HealthDesign is so important to ensuring that the government’s larger health IT adoption efforts succeed.

We are looking forward to talking about the issue of provider liability for reliance on patient-generated data and other related issues at an upcoming meeting with our five current project teams. In the meantime, we encourage you to let us know what you think about the steps PWC outlined for using PHRs to effectively expand the care team to include patients and consumers:

• Make providers (doctors, nurse practitioners) the face of the PHR.
• Define expectations for active participation by patients.
• Keep family members in the loop.
• Work side-by-side with patients as they use their PHRs.

They seem like good baseline recommendations to us. How would you build on them to be more specific?

Related resource:

• Read the full PWC report.

Stakeholders Weigh in on PCAST Report

Deven McGraw, Health Privacy Project Director, Center for Democracy & Technology

Project HealthDesign Director Patti Brennan recently blogged about the report issued by the President’s Council of Advisors on Science and Technology (PCAST), which set forth recommendations to facilitate more effective use of technology for health information exchange. In the post, she praised the more expansive vision of exchange promoted by PCAST and noted the absence of a robust discussion on the need to include patient-generated data as part of this broad vision.

Efforts to analyze the PCAST report and determine how its vision of greater health data liquidity can be achieved have begun in earnest. The Health IT Policy Committee (HITPC) has established a PCAST Report Workgroup, which held a day-long public hearing on Feb. 15.

Stakeholder groups testifying included consumers and patients, providers, technology experts, and health information exchanges. Nearly all agreed with the goal of facilitating more widespread electronic exchange of health data for treatment and secondary data uses like public health and research. But stakeholders also raised a number of concerns about some of the recommendations in the report, including:

• fears that exchange of information at an “atomic data element” level would rob the information of the context necessary for providers and researchers to understand it;
• concerns that providing patients with very granular choices about how their data is shared could be difficult for patients and providers to manage;
• uncertainty about whether the PCAST recommendation for a “universal exchange language” would disrupt (or build on) existing data standardization efforts; and
• questions about whether the designated approach to protecting privacy – tagging data elements with meta data about privacy preferences and other applicable data sharing constraints – would be workable and effective.

The key task for the PCAST Workgroup, the federal advisory committees, and ultimately HHS will be to find a path forward to promote the PCAST vision in a way that builds on work that has been done in the past and effectively responds to implementation concerns raised by stakeholders. Here are a few possibilities:

• Ramp up the requirements for health information exchange in Stages 2 and 3 of meaningful use, including active exchange of data with patients.
• Adopt and implement standards that will allow patients and providers to exchange computable data with one another no matter which EHR, PHR or software application is being used.
• Develop the infrastructure for a query-response model of health data exchange that is based on the needs of the patient.
• Pilot privacy-enhancing technologies (including but not limited to the meta data tagging approach recommended by PCAST) and research both their efficacy and impact on care.

This first year of the meaningful use program provides us with an opportunity to test the efficacy of current strategies for effective use of health IT to improve health and health care. The PCAST Report provides yet another opportunity to consider whether these efforts are headed in the right direction and how we can accelerate progress toward the goals we share.

This week, those interested in HIT have another opportunity to influence future public policy in this arena: HITPC is soliciting public comments on proposed Meaningful Use Stage 2 objectives through Friday, Feb. 25.

Could 2011 Be a Big Year for Consumer Privacy?

Deven McGraw, Health Privacy Project Director, Center for Democracy & Technology

A number of developments at the end of 2010 suggest that 2011 could be an important year in the advancement of consumer personal information protections, which would include health information protections.

• The Department of Health and Human Services (HHS) Office of the National Coordinator (ONC) hosted a day-long roundtable, “Personal Health Records – Understanding the Evolving Landscape,” on December 3, 2010. The roundtable explored the current state and evolving nature of personal health records (PHRs), the value of PHRs to consumers, and privacy and security protections for PHRs.
  
  Three Project HealthDesign principal investigators submitted to the ONC comments demonstrating that a lack of comprehensive protections on PHR data, uncertain application of the law and failure of current law to keep up with technological innovation all hinder progress toward innovative care approaches that leverage innovations in information technology. This testimony will inform a congressionally mandated report on privacy and security protections for entities not covered by HIPAA (which includes many PHRs); this HHS PHR report is expected to be issued in 2011.

• Two days before the PHR Roundtable, the Federal Trade Commission (FTC) issued a comprehensive report on consumer privacy, “Protecting Consumer Privacy in an Era of Rapid Change.” The report was based in part on a series of public roundtables the FTC hosted in 2009 and 2010. In the report, the FTC notes the growing collection of consumer personal data (particularly on the Internet), consumers’ limited understanding of data collection practices and inability to make meaningful choices about them, the importance of privacy to consumers, the significant benefits that result from the increased flow of consumer data, and the blurring distinction online between personally identifiable information and information purported to be “anonymous” or de-identified.
  
  In response, they proposed a new framework for addressing the use of consumer data, both online and offline. This framework has three main components:
  1. Businesses should embrace a full complement of fair information practices and build consumer privacy protections into their everyday business practices (also known as “privacy by design”).
  2. Consumers should have more simplified, streamlined choices about how their data is accessed, used and disclosed.
  3. Businesses should increase the transparency of their data practices.

          The FTC is accepting comments on this report until February 18, 2011.

• Two weeks after the FTC released its consumer privacy report, the U.S. Department of Commerce (DoC) released its own report, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” This report calls for the U.S. to improve its privacy protection framework and better align itself with global data protection initiatives. DoC also calls for a framework based on a full set of fair information practice principles. Those principles would then be used to create industry-specific codes of conduct that would be developed through negotiations with multiple stakeholders.
  
  The report recommends that any new commercial data privacy framework not conflict with existing laws that provide important protections, such as laws governing the health industry and the financial sector. The report also called for “nationally consistent” security breach notification laws.
  
  DoC is accepting comments on this report until January 28, 2011. Submit comments via e-mail.

At a minimum, these reports indicate a renewed federal focus on privacy protections for consumer data. The reports also suggest that privacy initiatives could garner congressional attention, and that the private sector could also become more engaged in developing strong, voluntary codes of conduct. All of this activity is occurring just as the HITECH meaningful use incentive program begins in earnest, ensuring that a focus on the use and protection of personal health data will remain front and center in 2011.