Achieving the Right Balance: Privacy and Security Policies to Support Electronic Health Information Exchange

Issue Brief, June 2012
California HealthCare Foundation

Introduction

Electronic health records (EHRs) and the electronic exchange of health information have the potential to improve individual and population health while increasing cost efficiency. In the past three years major initiatives have been launched at the federal and state levels to encourage and support the adoption and use of health information technology (IT).

Although patients and consumers overwhelmingly support health IT, they have concerns about the privacy and security of their personal health information.1 More than 80% of both doctors and the public believe that requiring protections and safeguards for patient privacy is important.2 At the same time, two-thirds of consumers believe that privacy concerns should not stop the progress of health IT initiatives.3

Policy initiatives, therefore, must balance the sometimes competing aims of sharing data and protecting privacy. Consumer advocates hold that building enhanced privacy and security into electronic health systems will bolster trust while supporting the increased use and appropriate sharing of health data.

This issue brief discusses the importance of building a statewide (and nationwide) system of electronic health information exchange (HIE) and the role that sound privacy and security policies should play in building and sustaining the public’s trust. It offers patient- and consumer-based policy solutions to privacy and security concerns that balance individual and societal issues. Finally, it identifies gaps in the legal framework that helps assure a trusted, secure digital health ecosystem, and suggests areas that merit further attention from federal and state policymakers.

The Importance of Efficient Health Information Flows

In today’s electronic world, where information can be located and shared at the click of a mouse, much of America’s health care remains mired in paper-based systems. Some 83% of doctors predominantly transmit their patients’ information to other medical professionals by paper or fax — not electronically — according to a recent nationwide survey by the Markle Foundation.4

This lack of efficiency comes at tremendous cost to health care providers, the nation’s economy, and Americans’ health. For example, the Institute of Medicine’s seminal 1999 study estimated that medical errors in hospitals cause 44,000 to 98,000 deaths every year.5 More than a decade later, the system continues to generate unacceptable statistics. In 2006, the Institute of Medicine estimated that each hospital patient suffered at least one medication error per day, and more than 1.5 million adverse and preventable drug errors occurred annually.6 A 2011 study found that adverse events occurred in 33% of hospital admissions, most commonly in medications, surgery, procedures, and hospital-associated infections.7

Evidence is mounting that electronic health records and information exchange are critical to reversing these trends. Studies have demonstrated that HIE and EHR technology can improve the quality, safety, and efficiency of care, as well as decisionmaking and care coordination among patients, doctors, and other caregivers.8 HIE can also improve the public’s health by better predicting and managing chronic diseases, epidemics, and health disparities; promoting patient safety and preventing medical errors; and reducing the cost of health care.9 In 2005, the RAND Corporation estimated that implementing health IT could save $81 billion or more per year in efficiency and safety savings alone, and improvements to prevention and management of chronic disease could double this amount.10

The federal government recently launched an ambitious program to build a nationwide system of EHRs and HIE for providers and patients. In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), Congress dedicated $22.6 billion to support the purchase and use of EHRs by providers and to establish an infrastructure for HIE.11 States (including California) are also dedicating funds to support this movement.

Patients and consumers overwhelmingly support these efforts. Survey data indicate that a large majority of the public wants electronic access to health information for themselves and for their care providers to improve individual and population health. Two-thirds of patients (70%) and doctors (65%) believe that patients should be able to view and download their personal health information online.12 About 74% of doctors prefer to share a patient’s information electronically with other providers when needed.13 Both the public and doctors strongly support the following priorities for health IT: requiring doctors and hospitals to share information to reduce medical errors (80% of public, 85% of doctors); cutting avoidable costs like duplicate tests (79% of public, 85% of doctors); better coordinating patient care (77% of public, 84% of doctors); measuring progress on health care quality and safety improvement (75% of public, 73% of doctors); and improving the nation’s health in areas such as heart disease, obesity, diabetes, and asthma (69% of public and doctors).14

The shift from paper to electronic health records presents new challenges to protecting the privacy and security of a patient’s health information; a breach that formerly affected a single paper record now can expose an entire database of patient records. However, HIE presents powerful new ways to improve the privacy and security of patients’ data, including encryption, authentication and authorization controls, and electronic audit trails.

Framework for Achieving the Right Balance

Patients and consumers want the benefits of information exchange, but they also want to be assured of the privacy and security of their electronic health information. In 2010, a cross-section of California consumer, patient, and civil rights organizations came together to frame a set of principles for health information exchange consistent with these ends. The resulting document, titled “Consumer and Patient Principles for Electronic Health Information Exchange in California,” is key to ensuring the public’s trust in HIE. (See the Appendix.)

An overarching message of these nine HIE principles is that there is no inherent tension between protecting privacy and sharing personal health information for clinical treatment and other appropriate health-related purposes. It is not a choice between privacy or better health care; HIE initiatives should aim to achieve both.

These principles balance patients’ various and sometimes competing needs within the overall context of health and health care — for example, health care is coordinated among patients and diverse providers, and safety and quality data about providers and treatments are made accessible for the public good, all while the privacy and security of personal health information is assured.

The principles are based on fair information practices, which obligate data stewards to use personal data responsibly and with respect for its sensitivity. Fair information practices are the starting point for state, federal, and international policies for the collection, storage, use, and disclosure of personal information and the foundation for most US and international data protection laws.15 For example, recent guidance issued by the US Department of Health and Human Services (HHS) requires states receiving federal health IT funding to develop policies that address all of the fair information practices.16

Building and preserving trust in HIE requires entities to implement the entire complement of fair information practices. Overreliance on one or some of the principles significantly weakens their overall efficacy. For example, some advocates and policymakers emphasize patient consent in developing recommendations for protecting the privacy of health information. Indeed, providing patients with some choice regarding how entities may use and share their health data is a core fair information practice. But consent alone cannot substitute for a comprehensive approach to privacy protection; overreliance on patient consent can undermine privacy and security in practice. Unfortunately, most patients do not focus on the details of consent forms, and those who do often do not understand the terms.17 Many wrongly assume that the existence of a privacy policy means their personal information will not be shared, even when the policy states the opposite.18 Consent forms are typically drafted by entities seeking the individual’s consent to use information, so they are typically phrased in ways to secure that consent.19

Developing effective consent policy in California will require careful consideration of consumer and patient values, balanced with the need for information sharing. Policies must emphasize consent when information uses and disclosures do not meet consumers’ reasonable expectations, and must promote a “layered” approach to consent that consumers easily understand, with priority given to the most critical aspects of data sharing.20

Fair Information Practices*

1. Openness and transparency. All data stewards should make their policies and practices regarding health information open and transparent to patients and to the public generally. Data stewards should inform individuals about what personal health information exists about them, for what purpose or purposes it may be used, who can access and use it, and who retains it. Data stewards should also maintain and provide individuals with corresponding audit trails.

2. Collection limitation. Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means, and, where possible, with the knowledge and consent of the data subject.

3. Purpose specification and minimization. The purposes for which personal health data are collected should be specified at the time of collection, and only the information reasonably necessary for those purposes should be collected.

4. Data integrity and quality. All personal health data collected should be relevant to the purposes for which they are to be used and should be accurate, complete, and current. Accuracy in identifying both a patient and his or her records with little tolerance for error is an essential element of health information exchange. There must also be transparent mechanisms to help patients and organizations correct or “clean” their data in the event that errors or omissions are discovered.

5. Use and disclosure limitation. Personal health information should be used, exchanged, or disclosed only for the purposes specified, and only the information needed to accomplish the purpose should be used, exchanged, or disclosed. Data stewards should immediately notify patients of breaches of privacy, security, or these limitations regarding their personal health information, and comply with all laws regarding such breaches.

6. Individual participation and control. Each entity that controls, accesses, or uses personal health data should inform an individual upon request whether it has personal health information relating to the individual. Each individual has the right to obtain from the entity a copy of the individual’s personal health data within a reasonable time (at no or minimal charge), and in a form and language that the person can readily understand; if there are legal reasons why a copy cannot be provided, the individual has a right to know why the request was denied and to appeal the denial. Each individual has the right to challenge the collection, content, retention, use, or disclosure of personal health information relating to them, including the right to have the particular information corrected, completed, amended, omitted, or expunged.

7. Local control. Personal health information should remain in the control of the patient and the physicians and institutions that are directly involved with his or her health care. Local control also builds upon existing infrastructures (augmented as necessary to adhere to these principles, to ensure interconnection and interoperability, and to incorporate innovations), so that we may realize the benefits of health information exchange more quickly.

*Based on Markle Foundation/Connecting for Health’s Common Framework of Policy Principles and Technology Principles (2006). See Appendix.

Existing Law and Gaps to Address

The personal health information of California residents is protected under federal and state health privacy laws. Both federal law (regulations under the Health Insurance Portability and Accountability Act, or HIPAA) and California state law (mainly the Confidentiality of Medical Information Act, or CMIA) are based on fair information practices and provide a foundation for comprehensive privacy and security protections.21, 22 The laws set baseline rules for how health care entities may collect, use, and share health information whether in paper or electronic form. In general, these laws permit health care providers to share information for treatment, payment, and certain administrative activities without first requiring specific authorization from patients, but they do require specific authorization for “unexpected uses,” such as research and sale of identifiable health information. These laws also require entities to implement reasonable security safeguards for electronic health data.

However, there are gaps in the existing protections; they do not address all of the fair information practices outlined by the HIE principles. Many issues require further attention from policymakers:

◾ All business entities that access, use, and disclose personal health information should be held accountable for complying with comprehensive legal obligations to protect health data. Today, federal coverage under HIPAA is limited to traditional health care system entities (e.g., providers and insurers) and their contractors (business associates). California lawmakers recently extended the CMIA’s scope, but it is unclear whether these expansions suffice to provide comprehensive protections for consumers and patients regardless of which entity is accessing their information.23

◾ Accountability for compliance with federal and state health privacy and security protections should be strengthened. Lack of effective enforcement of existing law undermines the public’s trust in holders and users of personal health information. At the same time, enforcement policy at both federal and state levels must be robust without making health care entities so overly cautious that they fail to share information in ways that facilitate the provision of good health care, both at an individual and population level.

◾ Laws that protect electronic health data, such as the HIPAA Security Rule, should be reassessed to ensure that they are sufficient to meet new security challenges and to incorporate technological innovation. For example, reports of data breaches filed with the HHS Office for Civil Rights, which enforces the breach notification requirements under HIPAA, strongly suggest that entities covered by these rules are not consistently using encryption to protect stored health information. Encryption is one of the core protections that electronic health records and information exchange make available.

◾ Rules on the use of personal health information for marketing purposes should be strengthened. Survey data demonstrate that this remains a persistent concern of consumers.24 Congress enacted provisions in the HITECH Act to strengthen federal rules on the use of personal health information for marketing purposes, but two years later, regulations to implement those provisions have not been finalized and could instead weaken them.

◾ Policymakers should provide more clarity on how entities are expected to comply with existing and new health privacy laws. Entities that are uncertain about whether they can use and share information lawfully may err on the side of caution and decide not to share. In circumstances where sharing should be encouraged, such uncertainty could be an obstacle to progress in leveraging data to improve individual and population health.

◾ Policymakers should ensure that standards for de-identifying health data remain robust and should establish penalties for inappropriate or unauthorized re-identification.

◾ Where possible, data-sharing models that favor decentralization and local control should be prioritized in lieu of duplicate databases created each time health information is needed for a particular purpose. Duplication and centralization of data amplify the risk of security and privacy violations. Local control also builds upon existing infrastructures (augmented as necessary to adhere to privacy and security standards, to ensure interconnection and interoperability, and to incorporate innovations), so that the benefits of HIE are realized more quickly.

Conclusion

Building trust in California’s system of electronic HIE among providers and patients will require sound privacy and security policies based on the full complement of fair information practices. Such policies should build on current law, and most importantly, be designed and implemented to protect consumers and support the information flows that are critical to improving individual and population health.

About the Authors

Mark Savage, senior attorney, Consumers Union. Consumers Union is a nonprofit organization that publishes Consumer Reports, works for a fair and safe marketplace for all consumers, and empowers consumers to protect themselves. Learn more at www.consumersunion.org.

Kate Black, staff counsel, and Deven McGraw, director of the Health Privacy Project, Center for Democracy & Technology. The Center for Democracy & Technology is a nonprofit public policy organization; its Health Privacy Project develops and promotes policies that enable the trusted use of information technology to improve health. Learn more at www.cdt.org.

About the Foundation

The California HealthCare Foundation works as a catalyst to fulfill the promise of better health care for all Californians. We support ideas and innovations that improve quality, increase efficiency, and lower the costs of care. For more information, visit us online at www.chcf.org.

Appendix: Consumer and Patient Principles for Electronic Health Information Exchange in California (June 21, 2010)

Electronic health information exchange and technology can improve health outcomes, empower patients to participate actively in their care, generate research data to improve population health, and improve the effectiveness of our health system. California’s patients and consumers need the benefits to individual and population health that electronic health information exchange and technology can achieve. We need the better health care outcomes for individual patients; the better decisionmaking and care coordination among doctors and patients; the greater engagement of patients and families in their care. We need the better public health outcomes; the improved quality, safety, and efficiency of health care; the reduction of unnecessary care and costs. We need the deeper, more comprehensive understanding of individual and population health that electronic health information exchange can provide.

California’s patients and consumers also want the better privacy and security of health information that health information technology can provide. Comprehensive privacy and security protections and fair information practices, in turn, engender the public trust necessary to adopt health information technology widely and achieve the benefits of electronic health information exchange across California.

The nine principles below are core expectations and minimum criteria that should govern the design and implementation of health information exchange and technology in California. California’s patients and consumers will use these principles to benchmark and evaluate efforts to implement electronic health information exchange and technology in California. We will also use these principles to evaluate whether policymakers and providers ensure the requisite public transparency and trust necessary to succeed. We urge California’s policymakers, providers and other stakeholders to adopt and use these nine principles as well.

These principles are interdependent, and the benefits, effectiveness, protections, and balance of any one may depend in significant part upon one or more other principles.

Principles

1. Important benefits for individual health. Electronic health information exchange and technology should be designed and used to improve individual health care and its quality, safety, and efficiency. Patients should have ready and complete electronic access to their health data as well as relevant tools and educational resources, in their primary or preferred languages, to make meaningful use of that information. The technology should facilitate active engagement of patients in their health care, and engagement of family members and others as the patient chooses or law provides. It should enable full coordination of the patient’s care among diverse providers and systems. It should enhance the privacy and security of the patient’s health information, and reduce costs.

2. Important benefits for population health. Electronic health information exchange and technology should also be designed and used to improve health for the public and communities at large, such as promoting healthy environments and preventing unhealthy environments; reducing and preventing chronic diseases, epidemics, and health disparities; promoting patient safety and preventing medical errors; measuring and reporting the quality and performance of providers and facilities, and the comparative effectiveness of treatments; and reducing the cost of health care.

3. Inclusivity and equality. All Californians should have full and equal use of electronic health information exchange and technology and their benefits, including California’s underserved low-income communities, communities of color, people speaking primary languages other than English, people with disabilities, seniors and youth, immigrant residents, and rural and inner-city communities.

4. Universal design, accessibility, and interoperability. Electronic health information exchange and technology should be designed and built to meet the diverse needs of all Californians from the outset, without barriers or diminished function or quality for some. Universal design anticipates and accommodates, for example, the differing needs of older people and younger people; of people from diverse cultures and communities and the need for cultural competency; of people who use diverse languages at home and the need for linguistic competency and translation; of people with diverse abilities and disabilities; of people across the range of income levels; of people across the range of literacy in reading, health care, and electronic technology. Different systems and different patients and providers should interconnect easily.

5. Privacy and security. Health information exchange and technology must promote trust and protect the privacy, security, confidentiality, and integrity of health data. Strong privacy and security policies should be established to accomplish these ends, which are then supported by the technology necessary to implement and enforce them. To this end, health information exchange and technology should be further governed by the data stewardship rules and fair information practices specified in Appendix A, and sufficient security safeguards should protect all health data against such risks as loss or unauthorized access, destruction, use, modification, or disclosure. Both policy and technology should incorporate innovations that can enhance individual privacy and security and address new risks.

6. Preventing misuse of health data. Electronic health information exchange and technology should protect against misuses of health data, including the use of health data to deny or restrict health care or insurance coverage; restrict or deny credit or other financial benefits; engage in unsolicited marketing to patients and consumers; restrict or deny employment or housing; and deny or restrict a patient’s rights under the law, including a patient’s rights in matters of law enforcement, national security, and immigration enforcement.

7. Partnership and HIT literacy. Electronic health information exchange and technology should connect patients, providers, public health officials, and consumers as partners in personal and public health care. Such partnership requires that patients and consumers be informed in their primary languages about how to use health information exchange and technology well, and about patients’ rights, remedies, and responsibilities.

8. Accountability. Entities that collect, access, or use health data, and the governmental agencies that oversee them, must be held accountable for realizing the benefits of health information exchange for California’s patients and communities.

9. Enforcement. Entities that collect, access, or use health data, and the governmental agencies that oversee them, must be held accountable for enforcing the protections of health information exchange for California’s patients and communities. Sufficient resources and adequate legal and financial remedies must exist to address breaches or violations. The benefits and protections of health information exchange are public goods, and enforcement proceedings should be transparent and public.

Appendix A: Specific Principles for Privacy and Security of Health Information*

Under principle 5 above, Privacy and Security, health information exchange and technology should be further governed by the following data stewardship rules and fair information practices.

5a. Openness and transparency. All data stewards should make their policies and practices regarding health information open and transparent to patients and to the public generally. Data stewards should inform individuals about what personal health information exists about them, for what purpose or purposes it may be used, who can access and use it, and who retains it. Data stewards should also maintain and provide individuals with corresponding audit trails.

5b. Collection limitation. Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means, and, where possible, with the knowledge and consent of the data subject.

5c. Purpose specification and minimization. The purposes for which personal health data are collected should be specified at the time of collection, and only the information reasonably necessary for those purposes should be collected.

5d. Data integrity and quality. All personal health data collected should be relevant to the purposes for which they are to be used and should be accurate, complete, and current. Accuracy in identifying both a patient and his or her records with little tolerance for error is an essential element of health information exchange. There must also be transparent mechanisms to help patients and organizations to correct or “clean” their data in the event that errors or omissions are discovered.

5e. Use and disclosure limitation. Personal health information should be used, exchanged, or disclosed only for the purposes specified, and only the information needed to accomplish the purpose should be used, exchanged, or disclosed. Data stewards should immediately notify patients of breaches of privacy, security, or these limitations regarding their personal health information, and comply with all laws regarding such breaches.

5f. Individual participation and control. Each entity that controls, accesses or uses personal health data should inform an individual upon request whether it has personal health information relating to the individual. Each individual has the right to obtain from the entity a copy of the individual’s personal health data within a reasonable time (at no or minimal charge), and in a form and language that the person can readily understand; if there are legal reasons why a copy cannot be provided, the individual has a right to know why the request was denied and to appeal the denial. Each individual has the right to challenge the collection, content, retention, use or disclosure of personal health information relating to them, including the right to have the particular information corrected, completed, amended, omitted, or expunged.

5g. Local control. Personal health information should remain in the control of the patient and the physicians and institutions that are directly involved with his or her health care. Local control also builds upon existing infrastructures (augmented as necessary to adhere to these principles, to ensure interconnection and interoperability, and to incorporate innovations), so that we may realize the benefits of health information exchange more quickly.

*Appendix A is based upon Markle Foundation/Connecting for Health’s Common Framework of Policy Principles and Technology Principles (2006).

Organizations Endorsing the Consumer and Patient Principles for Electronic Health Information Exchange in California (as of September 7, 2011)

Many organizations are working to ensure that electronic health information exchange in California fully incorporates consumers’ and patients’ needs and perspectives. These Consumer and Patient Principles are currently endorsed by the following organizations:

AARP
American Civil Liberties Union of Southern California
Asian & Pacific Islander American Health Forum
Association of Asian Pacific Community Health Organizations
California Pan-Ethnic Health Network
California Rural Indian Health Board
Center for Democracy & Technology
Congress of California Seniors
Consumer Action
Consumers Union of United States
Family Bridges, Inc.
Health Access
Latino Coalition for a Healthy California
National Council of La Raza
National Partnership for Women & Families
Pacific Business Group on Health
Planned Parenthood Affiliates of California
Prevention Institute
Privacy Activism
Southern Christian Leadership Conference of Greater Los Angeles
Summit Health Institute for Research and Education, Inc.
The Children’s Partnership
ZeroDivide

Endnotes

1. Markle Survey on Health in a Networked Life 2010 (January 2011): 6, www.markle.org; California HealthCare Foundation, Consumers and Health Information Technology: A National Survey (April 2010): 20, www.chcf.org.
2. Markle Survey, 2011, p. 6.
3. Markle Survey, 2011, p. 26.
4. Markle Survey, 2011, p. 6.
5. Institute of Medicine, To Err Is Human: Building a Safer Health System (Washington, DC: National Academies Press, 2000): 26, www.nap.edu.
6. Institute of Medicine, Preventing Medication Errors (Washington, DC: National Academies Press, 2007): 4, www.nap.edu.
7. David C. Classen et al., “‘Global Trigger Tool’ Shows That Adverse Events in Hospitals May Be Ten Times Greater Than Previously Measured,” Health Affairs 30, no. 4 (April 2011), www.healthaffairs.org.
8. See, e.g., Congressional Budget Office, Evidence on the Costs and Benefits of Health Information Technology (May 2008): 1, 3–17, www.cbo.gov.
9. Randall D. Cebul et al., “Electronic Health Records and Quality of Diabetes Care,” New Engl. J. Med. 365 (September 1, 2011): 825, www.nejm.org.
10. RAND Corporation, Health Information Technology: Can HIT Lower Costs and Improve Quality? (2005), www.rand.org.
11. Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5 (February 17, 2009), codified at 42 U.S.C. §§ 300jj et seq.; §§ 17901 et seq. U.S. Department of Health and Human Services, Recovery Act Funding: Health Information Technology, rev. January 2011, www.hhs.gov.
12. Markle Survey, 2011, p. 3.
13. Markle Survey, 2011, p. 4.
14. Markle Survey, 2011, p. 5.
15. The notion of “fair information practices” comes from a 1973 report, “Records, Computers and the Rights of Citizens,” commissioned by the US Secretary of Health, Education, and Welfare’s Advisory Committee on Automated Personal Data Systems.
16. Program Information Notice, “Privacy and Security Framework Requirements and Guidance for the State Health Information Exchange Cooperative Agreement Program,” March 22, 2012, www.healthit.hhs.gov.
17. Nathaniel Good et al., “Stopping Spyware at the Gate: A User Study of Privacy, Notice and Spyware” (July 8, 2005), www.cmu.edu.
18. Joseph Turow, Deirdre K. Mulligan, and Chris J. Hoofnagle, “Research Report: Consumers Fundamentally Misunderstand the Online Advertising Marketplace” (October 2007), www.berkeley.edu.
19. Janlori Goldman, Zoe Hudson, and Richard M. Smith, “Privacy: Report on Privacy Policies and Practices of Health Web Sites” (January 2000), www.chcf.org.
20. Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers” (March 2012), www.ftc.gov.
21. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996); 45 C.F.R. §§ 164.500–534.
22. California Civil Code §§ 56–56.37.
23. California Civil Code § 56.06(a).
24. Markle Survey, 2011, p. 7.