Building Patient Trust Is Vital To Health Information Exchanges

Posted on May 17, 2013 by Frank J. Rosello

In recent weeks, federal regulators and their advisers have been deliberating about how best to earn patient trust that their privacy will be protected as their data is shared among providers via evolving health information exchanges.

Keeping a focus on patient trust will be vital as HIEs grow. A handful of well-publicized breaches involving HIEs could lead to intense scrutiny that could derail the entire movement toward sharing potentially life-saving data. That’s because many patients might choose not allow their data to be shared via HIEs.

One of the key areas that still needs to get sorted is how to protect patients’ most sensitive information from being inappropriately accessed on these exchanges.

Consider this example. An elderly “snow bird” patient with a heart condition who spends summers in Vermont, but winters in Florida, might consent to have his health information shared across an HIE in hopes that his care will be better coordinated among his many doctors.

But would that same patient be as willing to have his data shared if, in the past, he had been treated at a substance abuse center or mental health facility, and that information might also be readily accessible? Perhaps yes, perhaps no. Depends on the person.

The point is that many patients, for whatever reason, might want to have some of their health information shared for emergency care, but not necessarily all their deep dark secrets uncovered during the course of routine treatment.

Trust Principles

The Office of the National Coordinator for Health IT last week issued its initial, somewhat slender, version of voluntary guidelines organizations that operate or use HIEs should consider when sharing patient data

See: HHS Outlines Voluntary HIE Guidelines. (.pdf)

The guidelines include “trust principles,” such as making sure that patients are:

• “Provided with meaningful choice as to whether their personally identifiable information can be electronically exchanged;” and
• “Able to request data exchange limits based on data type or source, such as substance abuse treatment.”

Those are good starting principles for gaining the trust of patients. The problem is that, right now, there are no standard technologies or solid best practices identified for HIEs to use in making sure principles are carried out.

A discussion at a HIT Policy Committee meeting this week clearly illustrated that there is still lots of work that needs to be done. The committee, which advises ONC, is trying to identify appropriate privacy “guardrails” for the exchange of health data, especially in cases when a provider sends a non-targeted query to discover all the other clinicians that hold records for a particular patient.

A record locator service for an HIE only tells a querying clinician that a patient record is available from other healthcare providers that participate in the exchange. However, a query response that confirms a patient has records located at a substance abuse treatment facility or a mental health institution is, in itself, a disclosure that could be too sensitive for some patients, some committee members said.

“The biggest issue we have still that’s not getting enough attention is how we deal with sensitive information,” John Houston, vice president and privacy and information security officer at the University of Pittsburgh Medical Center, told me in an interview.

“A lot of states’ laws are antiquated and don’t support the sharing of sensitive health information electronically, and the technologies to support that are still in their infancy,” says Houston, who is a member of the HIT Policy Committee’s Privacy and Security Tiger Team, but is speaking on his own behalf. “These are complex issues.”

Trusting Providers

Meanwhile, the trustworthiness of the providers sharing health data is also vital for building patients’ trust.

“I agree that gaining the trust of patients is the ultimate goal, but an HIE service provider is unlikely to have direct interactions with patients,” says Dixie Baker, senior partner at consulting firm Martin, Blanck and Associates, and also a member of the tiger team. “Rather, the HIE service provider will need to gain the trust of the exchanging entities who use its services – and who, in electronic health exchange, will act as trust agents for patients. That is, patients trust their providers to use services that the providers themselves deem trustworthy.”

The push is on for healthcare providers to exchange patient data – it’s among the requirements of Stage 2 of the HITECH Act electronic health record incentive program. So it’s urgent that regulators, healthcare providers – and especially HIE organizations – remain vigilant in sorting out important issues around protecting sensitive data and fostering patient trust.

It’s also important that ONC continue beefing up its voluntary guidelines for HIEs and perhaps eventually consider whether certain best practices for protecting patients’ most sensitive data should be mandatory.

Article written by Marianne Kolbasuk McGee

• Recent News

  • Texas Launches Certification Program To Bolster HIPAA Compliance
  • Internet Explorer Vulnerability: Steps To Take
  • Five Misconceptions About Cloud Computing
  • ONC Chief’s Perspectives On Patient Privacy and Security
  • ONC Chief DeSalvo Charts New Course

• Press Release Archives

• EI Connections Newsletter Archive

  
  

  Sign up for the
  EI Connections Newsletter

  * Email

  
  

• Categories

  • ACA
  • ACO Rule
  • ACOs
  • Cloud Computing
  • CMS
  • CMS eRx Rules
  • CMS Final Rule
  • CMS Proposed Rule
  • e-Health
  • EHR Adoption
  • EHR Data Sharing
  • EHR Implementation
  • EHR Incentives
  • EHR Information Security
  • EHR Meaningful Use
  • Electronic Health Records
  • Electronic Medical Records
  • EMR
  • Environmental Intelligence
  • Health Information Exchange
  • Health IT
  • Health IT Best Practices
  • Health IT Data Security
  • Health It Interoperability
  • Health IT Policy
  • Health IT Services
  • Healthcare
  • Healthcare Information Security
  • Healthcare Leasing
  • HHS
  • HHS Final Rule
  • HHS Initiatives
  • HIE
  • HIPAA 5010
  • HIPAA Complicance
  • HIPAA Omnibus Rule
  • HIPAA Privacy and Security Rule
  • ICD-10
  • Meaningful Use
  • medical practice best practices
  • mHealth
  • ONC
  • Patient Privacy
  • Personal Health Record
  • PHI Data Security
  • Press Releases
  • Radiology Systems
  • Telehealth
  • Telemedicine

• Tag Cloud

  CMS CMS EHR Incentives CMS Policy EHR EHR Adoption EHR Best Practices EHR Cloud Hosting EHR Consulting EHR Hosting EHR Implementation EHR Incentives EHR Study EHR Technology Enhancements EI Connections Newsletter Electronic Health Records Electronic Medical Records EMR Environmental Intelligence Healthcare Health Information Exchange Health IT Health IT Best Practices Health IT Information Security Health IT Policy Health IT Services Health IT Standards Health IT Tips HHS HIE HIE Standards HIPAA Compliance HIPAA Privacy and Security Rules HIT ICD-10 Meaningful Use medical practice best practices OCR ONC Patient Experience PHI PHI Data Breaches PHI Data Security PHI Security Stage 2 Meaningful Use Rule Stage 3 Meaningful Use