In its September 18, 2009, meeting, the HIT Policy Committee focused its attention on privacy and security, declaring these to be “foundational requirements for appropriate management and exchange of individuals’ health data.” The committee sought testimony and comments in four broad categories: (1) individual choice/control and data segmentation; (2) use, disclosure, secondary use, and data stewardship; (3) aggregate data use, de-identification/re-identification, and models for data storage; and (4) transparency, accountability, and audit.
The overview that was presented reviewed how ARRA “changes the game,” extending privacy and security requirements beyond what HIPAA previously covered. Custodians of protected health information (PHI), such as EHR vendors, and anyone else involved in collecting or transmitting PHI, must operate under a Business Associate (BA) agreement. Breach notification requirements now extend beyond EHRs to include PHR vendors, which HIPAA previously did not cover. One principle highlighted was that an individual has the right to restrict disclosure of PHI, and to limit any use or request of PHI to the “minimum necessary” information for the intended purpose. This applies mainly to health plans and other third-party payors, restricting PHI disclosure to only what is needed to pay a bill.
Testimony around the question of privacy showed consensus around individual control of one’s own PHI, rather than rules that would govern all health care consumers in one-size-fits-all fashion. At the same time, the Coalition for Patient Privacy recognizes that (1) most HIT systems today do not have patient privacy and patient control over access to PHI “wired in up-front”; (2) the industry will therefore need time to transition its technology; and (3) working together with industry and government to assure meaningful and comprehensive privacy protection in EHR systems is the best way to achieve progress and reap the benefits envisioned.
How does the issue of privacy apply to Practice Fusion’s cloud-based EHR, especially as we build our chart-sharing capabilities? Unlike legacy systems that were designed and built before national health IT policy emerged, Practice Fusion addresses the question of privacy and permission as part of its “up-front wiring.” The model is patterned on the traditional paper-based office workflow, in which a physician who refers a patient to a consultant sends the relevant clinical information (usually by fax). In the Practice Fusion model, the patient’s permission is documented first, and the referring physician’s clinical chart is then exposed to the consultant, so that both physicians work from the same chart. This is a dramatic step forward from past technology: achieving “one patient, one chart” will have a very significant impact on coordination of care between practitioners. Individual patient permission is central to this technology, and the creation of a “permissions rules engine” represents the next step in the evolution of EHRs. It may well turn out that shared, web-based technologies like Practice Fusion’s cloud-based EHR will achieve exactly the kind of protected, privacy-assured health data exchange platform that the HIT policy process envisions.
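To make the permission model described above concrete, here is an added illustration that is not Practice Fusion’s code and does not reflect its data model: a small deny-by-default permissions rules engine in Python. A consultant is granted access to a shared chart only when a referral from the physician of record and active, documented patient consent both exist; patient-imposed restrictions override any consent; a third-party payor is confined to a fixed “minimum necessary” billing set; and every decision, granted or denied, is written to an audit log. The roles, field categories, and sample records (pt-1, dr-primary, dr-cardio, dr-derm, acme-health-plan) are constructed assumptions for the example.

```python
"""Toy consent-aware permission rules engine for a shared clinical chart.

Deny by default, audit every decision, confine a third-party payor to a fixed
"minimum necessary" field set, and honor the patient's documented consent and
restrictions. Roles, field names and sample records are constructed for this
illustration and are not Practice Fusion's data model (assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed chart field categories (assumption, not a real schema).
CLINICAL_FIELDS = frozenset({"demographics", "problem_list", "medications", "visit_notes"})
BILLING_FIELDS = frozenset({"demographics", "billing_codes"})  # what bill payment needs
ALL_FIELDS = CLINICAL_FIELDS | BILLING_FIELDS

@dataclass
class Referral:
    patient: str
    referring_physician: str
    consultant: str

@dataclass
class Consent:
    """Patient's documented permission for one grantee; `permitted` segments the data."""
    patient: str
    grantee: str
    permitted: FrozenSet[str]
    active: bool = True  # the patient may revoke at any time

@dataclass
class Restriction:
    """Patient-requested restriction: fields never disclosed to this grantee."""
    patient: str
    grantee: str
    withheld: FrozenSet[str]

@dataclass
class ChartStore:
    owners: Dict[str, str]  # patient -> physician of record
    referrals: List[Referral] = field(default_factory=list)
    consents: List[Consent] = field(default_factory=list)
    restrictions: List[Restriction] = field(default_factory=list)
    audit_log: List[dict] = field(default_factory=list)

@dataclass(frozen=True)
class Decision:
    fields: FrozenSet[str]  # empty means denied
    reason: str

def _has_referral(store, patient, consultant):
    """True only if the physician of record referred this patient to this consultant."""
    owner = store.owners.get(patient)
    return any(r.patient == patient and r.consultant == consultant
               and r.referring_physician == owner for r in store.referrals)

def _consented(store, patient, grantee):
    """Union of fields the patient has actively permitted for this grantee."""
    return frozenset().union(*(c.permitted for c in store.consents
                               if c.patient == patient and c.grantee == grantee and c.active))

def _withheld(store, patient, grantee):
    """Union of fields the patient has restricted from this grantee."""
    return frozenset().union(*(r.withheld for r in store.restrictions
                               if r.patient == patient and r.grantee == grantee))

def decide(store, requester, role, patient, requested):
    """Return the subset of `requested` the requester may read, and log the decision."""
    requested = frozenset(requested) & ALL_FIELDS  # unknown fields are never released
    if role == "physician" and store.owners.get(patient) == requester:
        d = Decision(requested, "physician of record")
    elif role == "consultant" and not _has_referral(store, patient, requester):
        d = Decision(frozenset(), "no referral from physician of record")
    elif role == "consultant":
        granted = (requested & _consented(store, patient, requester)) - _withheld(store, patient, requester)
        d = Decision(granted, "referral and active patient consent" if granted
                     else "referral present but no active patient consent")
    elif role == "payor":  # minimum necessary: billing data only, less any patient restriction
        granted = (requested & BILLING_FIELDS) - _withheld(store, patient, requester)
        d = Decision(granted, "payor limited to minimum necessary")
    else:
        d = Decision(frozenset(), "no relationship to this chart")
    store.audit_log.append({"requester": requester, "role": role, "patient": patient,
                            "requested": sorted(requested), "granted": sorted(d.fields),
                            "reason": d.reason})
    return d

def demo_store():
    """Constructed scenario: segmented consent, a later restriction, a revoked consent."""
    s = ChartStore(owners={"pt-1": "dr-primary"})
    s.referrals += [Referral("pt-1", "dr-primary", "dr-cardio"),
                    Referral("pt-1", "dr-primary", "dr-derm")]
    s.consents += [Consent("pt-1", "dr-cardio", CLINICAL_FIELDS - {"visit_notes"}),
                   Consent("pt-1", "dr-derm", CLINICAL_FIELDS, active=False)]
    s.restrictions.append(Restriction("pt-1", "dr-cardio", frozenset({"medications"})))
    return s
```

On `demo_store()`, `decide(store, "dr-cardio", "consultant", "pt-1", ALL_FIELDS)` returns only demographics and problem_list: visit_notes was never consented to, and medications was restricted after the consent was given. dr-derm, whose consent the patient revoked, gets nothing despite a valid referral; the payor acme-health-plan gets only the two billing fields without any consent record at all; anyone with no referral or ownership is denied. Restrictions win over consents, and every call appends to `store.audit_log`, which is the hook for the committee’s transparency, accountability, and audit category.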
Robert Rowley, MD – Chief Medical Officer, Practice Fusion, Inc.