<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-13797193</id><updated>2007-05-19T03:53:21.938-07:00</updated><title type='text'>eHealth Confidentiality Policies</title><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/'></link><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default?start-index=26&amp;max-results=25'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default'></link><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://volunteer-ehealth.org/frisse/feeds/confidentiality.xml'></link><author><name>Mark Frisse</name></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>46</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-13797193.post-4307606905343911871</id><published>2007-03-06T11:57:00.000-08:00</published><updated>2007-05-04T14:39:11.414-07:00</updated><title type='text'>CLIA Notes</title><content type='html'>&lt;span style="font-style: italic;"&gt;note: significant portions of this posting are taken from a&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;presentation by Donald E. Horton, Jr. Associate vice President, Public&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Policy and Advocacy, LabCorp. 
His slides presented on March 5, 2005,&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;will be on the RTI HIPSC site&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;The Clinical Laboratory Improvement Amendment (CLIA) of 1988&lt;/h2&gt;&lt;br /&gt;42 CFR § 493.129(f)&lt;br /&gt;&lt;br /&gt;Test results must be released only to authorized persons.&lt;br /&gt;&lt;br /&gt;42 CFR § 493.2&lt;br /&gt;&lt;br /&gt;Authorized person means an individual authorized under state law to order tests and receive test results or both&lt;br /&gt;&lt;br /&gt;"Individual responsible for using the test results" is undefined.&lt;br /&gt;&lt;h2&gt;Implications&lt;/h2&gt;Many people with a legitimate need to review test results for legitimate purposes are not "authorized persons." These groups include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;non-ordering physician specialists participating in care&lt;/li&gt;&lt;br /&gt;&lt;li&gt;RHIOs&lt;/li&gt;&lt;br /&gt;&lt;li&gt;QIOs&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Disease Management&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Other population-based programs&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Health plans&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;As a result, many people who need the results for patient care or other services are not "authorized" persons.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Among the proposed solutions&lt;/h2&gt;&lt;span style="font-weight: bold;"&gt;Alternative 1&lt;/span&gt;: Distinguish between mandatory and permissive test result disclosures and eliminate any reference to the undefined term "individual responsible for using the test results"....&lt;br /&gt;&lt;br /&gt;Revise 42 CFR § 493.129(f) to state:&lt;br /&gt;&lt;br /&gt;Test results must be released to the authorized person who ordered the test. 
In addition, notwithstanding any contrary State law defining who is an individual authorized to order tests or receive test results or both, test results may be released to:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The laboratory that initially requested the test, if applicable;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Any person designated to receive the test results by the authorized person who ordered the test&lt;/li&gt;&lt;br /&gt;&lt;li&gt;A "covered entity" as defined in 45 CFR § 106.103; and&lt;/li&gt;&lt;br /&gt;&lt;li&gt;A "business associate" of a covered entity as defined in 45 CFR § 106.103. This section shall not be construed to permit the disclosure of any specific type of test result to any of the persons or entities named herein where the disclosure of test results of that type is otherwise prohibited by state or federal law.&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Alternative 2:&lt;/span&gt; Clarify the meaning of both "authorized person" and the section of code in which it appears&lt;br /&gt;&lt;br /&gt;Add to 42 CFR § 493.2 the following definition of an authorized person:&lt;br /&gt;&lt;br /&gt;Authorized person means an individual authorized under State law to order tests or receive test results, or both. In addition, notwithstanding any contrary State law defining who is an individual authorized to order tests or receive test results or both, authorized person means:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Any person designated to receive the test results by the authorized person who ordered the test&lt;/li&gt;&lt;br /&gt;&lt;li&gt;A "covered entity" as defined in 45 CFR § 106.103; and&lt;/li&gt;&lt;br /&gt;&lt;li&gt;A "business associate" of a covered entity as defined in 45 CFR § 106.103. 
This section shall not be construed to permit the disclosure of any specific type of test result to any of the persons or entities named herein where the disclosure of test results of that type is otherwise prohibited by state or federal law.&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Alternative 3: &lt;/span&gt;Clarify the meaning of "individual responsible for using the test results" and the section of law in which it appears.&lt;br /&gt;&lt;br /&gt;Add to 42 CFR § 492.2 by creating a definition of the "individual responsible for using test results." This term is currently not defined.&lt;br /&gt;&lt;br /&gt;Individual responsible for using the test results means, notwithstanding any contrary State law defining who is an individual authorized to order tests or receive test results or both:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Any person designated to receive the test results by the authorized person who ordered the test&lt;/li&gt;&lt;br /&gt;&lt;li&gt;A "covered entity" as defined in 45 CFR § 106.103; and&lt;/li&gt;&lt;br /&gt;&lt;li&gt;A "business associate" of a covered entity as defined in 45 CFR § 106.103. 
This section shall not be construed to permit the disclosure of any specific type of test result to any of the persons or entities named herein where the disclosure of test results of that type is otherwise prohibited by state or federal law.&lt;/li&gt;&lt;/ul&gt;Such revisions would maintain the protection of information under HIPAA and would ensure that particularly sensitive types of test results currently confidential will remain so.</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2007/03/clia-notes.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/4307606905343911871'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/4307606905343911871'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-1977401461948675162</id><published>2007-02-24T11:37:00.000-08:00</published><updated>2007-02-24T12:33:54.770-08:00</updated><title type='text'>Health Privacy Project and AHIC</title><content type='html'>The February 22 issue of Healthcare IT News widely publicized the resignation of Paul Feldman (Health Privacy Project) from the AHIC privacy process.&lt;br /&gt;&lt;br /&gt;The concerns have two components:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Standards for "back end" interoperability are being developed by HITSP at a pace too fast for adequate deliberation&lt;/li&gt;&lt;li&gt;Standards for privacy protections lag behind the pace of other standards development efforts and hence may lead to technical adoption of standards in 2008 before adequate consideration has been given to privacy and confidentiality&lt;/li&gt;&lt;/ol&gt;In a letter to the Secretary by the Health Privacy Project, JanLori Goldman and Paul Feldman state that the present accomplishments and proposed plans "are a far cry from a comprehensive and timely approach that 
would give privacy policy equal and necessary footing with interoperability and systems development efforts."&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.healthcareitnews.com/story.cms?id=6553"&gt;Follow this link for a print copy of Diana Manos' February 22 article&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.markfrisse.com/docs/Feldman-privacy-standards.pdf"&gt;Follow this link for a printer-friendly copy of the article&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.markfrisse.com/docs/HPP-02-21-07.html"&gt;Follow this link for a copy of the HPP resignation letter&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.gao.gov/new.items/d07238.pdf"&gt;Follow this link for the January 2007 GAO Report on privacy standards progress (GAO-07-238)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ansi.org/standards_activities/standards_boards_panels/hisb/hitsp.aspx?menuid=3"&gt;Follow this link to the Health Information Technology Standards Panel (HITSP) site&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.markfrisse.com/docs/10-20-06-HITSP-Executive-summary.pdf"&gt;Follow this link to the October 20 2006 Standards endorsed by the Secretary in January 2007&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2007/02/health-privacy-project-and-ahic.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/1977401461948675162'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/1977401461948675162'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-95540199787695425</id><published>2007-02-12T11:11:00.000-08:00</published><updated>2007-02-18T12:44:40.991-08:00</updated><title type='text'>New GAO Reports on Early Privacy Efforts in HIT</title><content type='html'>On February 12, 
2007, the GAO issued two products based on its review of privacy and health care confidentiality. Both the testimony (&lt;a href="http://www.volunteer-ehealth.org/frisse/docs/GAO-07-400t.pdf"&gt;GAO-07-400T&lt;/a&gt;) and the report (&lt;a href="http://volunteer-ehealth.org/frisse/docs/GAO-07-238.pdf"&gt;GAO-07-238&lt;/a&gt;) are entitled "Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy."&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.gao.gov/new.items/d07400t.pdf"&gt;Follow this link to the GAO-07-400T&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.gao.gov/new.items/d07238.pdf"&gt;Follow this link to GAO-07-238&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2007/02/new-gao-reports-on-early-privacy.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/95540199787695425'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/95540199787695425'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-9183372001427520278</id><published>2007-02-10T11:23:00.000-08:00</published><updated>2007-02-02T16:09:15.965-08:00</updated><title type='text'>The Personal Data Privacy and Security Act of 2007</title><content type='html'>On February 6, 2007, Senators Leahy and Specter introduced the Personal Data Privacy and Security Act of 2007. 
According to Senator Leahy's press release, this bipartisan legislation:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Increases criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data;&lt;/li&gt;&lt;li&gt;Gives individuals access to, and the opportunity to correct, any personal information held by commercial data brokers;&lt;/li&gt;&lt;li&gt;Requires entities that maintain personal data to establish internal policies that protect the personal data of Americans;&lt;/li&gt;&lt;li&gt;Requires entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; and&lt;/li&gt;&lt;li&gt;Requires the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers and impose penalties on government contractors that fail to meet data privacy and security requirements.&lt;/li&gt;&lt;/ul&gt;Additional commentary and reactions will be posted on this entry&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://leahy.senate.gov/press/200702/020607.html"&gt;Follow this link to Senator Leahy's release&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://leahy.senate.gov/press/200702/Data%20Privacy%20and%20Security%20Act%20of%202007%20GRA07024_xml.pdf"&gt;Follow this link to the proposed legislation&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2007/02/personal-data-privacy-and-security-act.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/9183372001427520278'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/9183372001427520278'></link><author><name>Mark 
Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-1053710048505955388</id><published>2007-02-02T06:03:00.000-08:00</published><updated>2007-02-02T16:09:11.217-08:00</updated><title type='text'>U.S. Senate Committee on Homeland Security and Governmental Affairs - February 1</title><content type='html'>Carol Diamond from the Markle Foundation and others presented at a January 1 hearing reviewing the efforts of HHS to integrate privacy into the HIT national infrastructure and Office of Personnel Management efforts to expand the use of HIT through Federal Employees Health Benefits Program (FEHBP) and the impact such actions have on federal employees’ health information privacy.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://hsgac.senate.gov/index.cfm?Fuseaction=Hearings.Detail&amp;HearingID=417"&gt;Follow this link to the proceedings&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.gao.gov/docsearch/abstract.php?rptno=GAO-07-400T"&gt;Follow this link for the GAO report of February 1 on the same issues&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;The GAO report cites some minor differences in approach to Federal privacy protection. It suggests more "coordination" is perhaps needed. The report states:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"We recommend in our report that the Secretary of HHS define and implement an overall approach for protecting health information as  part of the strategic plan called for by the President. This approach  should (1) identify milestones for integrating the outcomes of its  privacy-related initiatives, (2) ensure that key privacy principles are fully addressed, and (3) address key challenges associated with the  nationwide exchange of health information. 
"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"In written comments, HHS disagreed with our recommendation and referred to the department’s “comprehensive and integrated  approach for ensuring the privacy and security of health information within nationwide health information exchange.” However, an  overall approach for integrating the department’s various privacy-  related initiatives has not been fully defined and implemented. We  acknowledge in our report that HHS has established a strategic  objective to protect consumer privacy along with two specific strategies for meeting this objective. Our report also acknowledges the key efforts that HHS has initiated to address this objective."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"While progress has been made initiating these efforts, much work  remains before they are completed and the outcomes of the various  efforts are integrated. Thus, we recommend that HHS define and  implement a comprehensive privacy approach that includes  milestones for integration, identifies the entity responsible for  integrating the outcomes of its privacy-related initiatives, addresses  key privacy principles, and ensures that challenges are addressed in  order to meet the department’s objective to protect the privacy of  health information exchanged within a nationwide health information network. 
"&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2007/02/us-senate-committee-on-homeland.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/1053710048505955388'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/1053710048505955388'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-3183520302381753588</id><published>2006-12-29T05:24:00.000-08:00</published><updated>2006-12-29T05:36:43.163-08:00</updated><title type='text'>EHR Anti-Fraud Measures</title><content type='html'>In the December 26, 2006 edition of Government HealthIT, Nancy Ferris describes an ONC contract to RTI to make recommendations on anti-fraud measures for EHRs.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.govhealthit.com/article97182-12-26-06-Web"&gt;Follow this link to the Government HealthIT article&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://ehrantifrauddev.rti.org/"&gt;Follow this link to the RTI anti-fraud site&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.govhealthit.com/article91141-10-18-05-Web"&gt;Follow this link to the October 18 Government HealthIT article on the AHIMA study&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.hhs.gov/healthit/hithca.html"&gt;Follow this link to the AHIMA reports from the ONC Web site&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;According to the RTI site, ONC in 2005 contracted with the Foundation of Research and Education (FORE) of the American Health Information Management Association (AHIMA) for two complementary projects. The first project examined the state of automated coding software and its development and use to enhance antifraud activities.  
The objective of the second project was to study how the use of health information technology (HIT) could enhance and expand fraud management. It was during this second project that FORE convened a multi-stakeholder group of experts, the National Executive Committee (NEC), to identify the best opportunities to strengthen the fraud management capability of a nationwide interoperable HIT infrastructure.&lt;br /&gt;&lt;br /&gt;The purpose of the RTI project is to develop model anti-fraud requirements for electronic health records (EHRs) based on the Guiding Principles set forth in the FY2005 project. Further, the model anti-fraud requirements will be submitted to the Certification Commission for Health Information Technology (CCHIT) as potential EHR anti-fraud certification criteria.&lt;br /&gt;&lt;br /&gt;The RTI team includes leading experts from AHIMA and SPSS and will provide the necessary combination of subject matter expertise, management experience, and professional relationship with the NHCAA, HITSP and CCHIT to accomplish this important work within the necessary timeframe, and with recognition of the cycles related to the CCHIT calendar.</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/12/ehr-anti-fraud-measures.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/3183520302381753588'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/3183520302381753588'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-2417123431540636964</id><published>2006-12-28T05:36:00.000-08:00</published><updated>2006-12-28T05:50:46.984-08:00</updated><title type='text'>Wall Street Journal Discusses EMR and Privacy</title><content type='html'>In the December 26, 2006 Wall Street Journal, Theo Francis provides some anecdotes to frame 
concern over confidentiality violations and technology.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://online.wsj.com/article/SB116709136139859229.html"&gt;Follow this link to the WSJ article (subscription required)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://online.wsj.com/public/resources/documents/retro_medprivacy06.html"&gt;Follow this link to an example medical privacy statement&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;The article describes some violations that have little directly to do with EMRs but do describe the policy issues and means by which secondary use of information is covered under broad interpretations of HIPAA and may have consequences. In some instances, it is the scanning of old medical information - often from disparate sources - into new electronic systems that makes it more available and hence subjects the individual to unintended consequences. One example was the scanning of psychotherapy notes into a more general system. This was not done with consent and was against the wishes of the patient and her psychiatrist but allowed an administrator to scan these psychotherapy notes into the general record. The individual had signed a consent for release of the general medical record and once the psychotherapy records were included in this electronic document, they were accessible and their use was not protected under HIPAA. The WSJ has a graphic that shows the number of monthly grievances reported to HHS (and available through HHS' Office of Civil Rights) to have increased from 450 in 2004 to 600-700 monthly in the last year.&lt;br /&gt;&lt;br /&gt;Several interesting quotes in the article remind one of the basic issues.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;HIPAA's principal goal was to ensure that people could change jobs without losing insurance coverage for pre-existing medical conditions. 
When employers and insurers complained about the added cost, the federal government pledged to make it easier for medical providers, insurers and others to swap medical information electronically, potentially saving as much as $30 billion over a decade.&lt;/p&gt;&lt;blockquote&gt;&lt;em&gt;To assuage concerns of privacy advocates, Congress authorized the Department of Health and Human Services to draft privacy regulations. The final rules allow health insurers and medical providers -- including doctors, pharmacies and hospitals -- to disclose medical information for "treatment, payment and health-care operations," among other situations, without specific patient permission. But they aren't supposed to send any more records than necessary for nontreatment purposes.&lt;/em&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;em&gt;Complaints of privacy violations have been piling up at the Department of Health  and Human Services. Between April 2003 and Nov. 30, the agency fielded 23,896  complaints related to medical-privacy rules, but it has not yet taken any  enforcement actions against hospitals, doctors, insurers or anyone else for rule  violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved.&lt;/em&gt;&lt;/blockquote&gt;&lt;blockquote&gt;&lt;em&gt;The federal rules allow patients to ask doctors, other medical providers and  insurers not to share records with certain people, groups or companies. 
But medical professionals and insurers can ignore such requests.&lt;/em&gt;&lt;/blockquote&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/12/wall-street-journal-discusses-emr-and.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/2417123431540636964'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/2417123431540636964'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-1314019045446165689</id><published>2006-12-13T04:13:00.000-08:00</published><updated>2006-12-13T04:26:00.353-08:00</updated><title type='text'>United Kingdom</title><content type='html'>The "perfect storm" is rising in the United Kingdom over their ambitious electronic medical records system. This writer speculates that the issues have as much to do with an emerging consumer culture colliding with a traditional, geographically-defined "GP" culture as with the technology, or its implementation. Still, some compendium of the many postings on the topic seems relevant.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.bmj.com/cgi/content/full/322/7281/283"&gt;Ken Mandl, Peter Szolovits, and Zak Kohane's 2001 BMJ privacy article&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.bmj.com/cgi/content/full/322/7284/442"&gt;Accompanying BMJ editorial&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;GPs are reluctant to add information into the database without patient consent. This approach is very similar to the "opt in" approach taken by practitioners in the Massachusetts community experiments. 
Articles include:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.contractoruk.com/news/002969.html"&gt;A trade piece describing reluctance&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.computerweekly.com/Articles/2006/11/21/220029/gps-want-opt-in-on-patient-records.htm"&gt;A similar piece describing waning support and desire for an "opt in" strategy&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/12/united-kingdom.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/1314019045446165689'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/1314019045446165689'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-116525750362467096</id><published>2006-12-04T08:24:00.000-08:00</published><updated>2006-12-04T15:36:57.033-08:00</updated><title type='text'>ERisk Working Group for Healthcare</title><content type='html'>&lt;p&gt;The ERisk Working Group for Healthcare is a consortium of professional liability carriers, medical societies and state board representatives. 
With resources available through the &lt;a href="http://www.medem.com/am/am.cfm"&gt;Medem &lt;/a&gt;site, it was established to help physicians and other providers capitalize on the opportunity associated with online communication and related services, while minimizing the risk.&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.medem.com/phy/phy_eriskguidelines.cfm"&gt;Follow this link to the eRisk Working Group Web site &lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.volunteer-ehealth.org/frisse/docs/2006-Medem-eRisk.pdf"&gt;Follow this link for a copy of the Working Group 2006 guidelines&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt; &lt;/p&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/12/erisk-working-group-for-healthcare.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116525750362467096'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116525750362467096'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-116515625190003586</id><published>2006-12-03T06:30:00.000-08:00</published><updated>2006-12-03T06:40:05.013-08:00</updated><title type='text'>NY Times and the Privacy Agenda</title><content type='html'>In what this writer suspects will be an opening round in a series of related articles, the NY Times writers Milt Freudenheim and Robert Pear in the December 3 issue contribute a piece entitled "Health hazard: Computers Spilling your History."&lt;br /&gt;&lt;br /&gt;The article touches on a vast array of issues, from access within organizations to specific records (e.g., Bill Clinton's surgery) to access by employers to personal health information. 
Mention is made of the broad support for more health care technology while at the same time raising the very legitimate concerns over what these technologies can do to threaten personal information.&lt;br /&gt;&lt;br /&gt;Reference is made to two surveys. The first is the &lt;a href="http://www.chcf.org/documents/ihealth/ConsumerPrivacy2005ExecSum.pdf"&gt;2005 California Health Care Foundation survey&lt;/a&gt;. The second is a recent survey by the Markle Foundation to be released soon and building on a &lt;a href="http://www.markle.org/resources/press_center/press_releases/2005/press_release_10112005.php"&gt;2005 survey &lt;/a&gt;conducted by the same organization.&lt;br /&gt;&lt;br /&gt;Other topics mentioned include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Lack of enforcement and limitations of HIPAA&lt;/li&gt;&lt;li&gt;Examples of state enforcement where federal enforcement has been less prominent&lt;/li&gt;&lt;li&gt;Concerns over recent efforts to pre-empt state consumer protection laws&lt;/li&gt;&lt;li&gt;The prominent role privacy may play in the congressional agenda (quoting Reps. Dingell of Michigan and Markey of Massachusetts)&lt;/li&gt;&lt;li&gt;Efforts by employers to promote the use of personal health records (Harriet M. Pearson, IBM's chief privacy officer, is mentioned as a representative of one of "25 companies meeting...to develop a set of principles and best practices ...that would help persuade people that their employers really did not look at private information stored online.")&lt;/li&gt;&lt;li&gt;IBM's work with JanLori Goldman and colleagues&lt;/li&gt;&lt;/ul&gt;Not mentioned in the current piece is the ambitious effort by AHRQ and others in HHS to examine &lt;a href="http://www.rti.org/page.cfm?objectid=09E8D494-C491-42FC-BA13EAD1217245C0"&gt;laws and privacy at the state level&lt;/a&gt;. Awarding contracts to 33 states and one territory, this large and complex project is likely to document the prevalence of specific issues across the country. 
Although these issues are known and well-described by many, the importance of this work may be in the collateral discussions taking place in so many state and regional levels. Focusing on these concerns, it seems, builds a coalition more educated in appropriate use and policies for information technology.&lt;br /&gt;&lt;br /&gt;One expects follow-on articles after the Markle release. These articles may place more focus on what can be done today at the local efforts where policy and legal agreements are concerned. The Memphis, MidSouth eHealth Alliance work implementing the Markle Connecting for Health Framework data sharing agreements is but one example.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.volunteer-ehealth.org/news/info/2006/09/midsouth-ehealth-alliance-data-sharing.php"&gt;Follow this link for the Memphis data sharing agreements&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.volunteer-ehealth.org/frisse/frisse-policy-confidentiality/"&gt;Follow this link to Mark Frisse's Confidentiality Blog&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;center&gt;&lt;br /&gt;&lt;img height="500" alt="From the New York Times" src="http://www.volunteer-ehealth.org/frisse/12-03-06-chcf-survey.jpg"   width="300"  border="0" &gt;&lt;br /&gt;&lt;/center&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/12/ny-times-and-privacy-agenda.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116515625190003586'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116515625190003586'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-116214572454232780</id><published>2006-10-29T09:55:00.000-08:00</published><updated>2006-10-29T10:15:25.130-08:00</updated><title type='text'>MSNBC.com's "Privacy Lost" 
Series</title><content type='html'>MSNBC.com has a five-part series entitled "Privacy Lost" that addresses many of the concerns arising from a growing awareness of the introduction of increasingly sophisticated surveillance and information technologies.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.msnbc.msn.com/id/15157222/"&gt;Follow this link to the "Privacy Lost" series home page&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The series is a high-level review of current issues and includes some Ponemon Institute survey data arguing that although Americans value their privacy and are distrustful of both government and, to a lesser extent, corporations, few take active efforts to increase their personal privacy protection. Of note as well is an article on a comparison between the EU and the US where privacy protection is concerned.&lt;br /&gt;&lt;br /&gt;There is also a brief "pop-up" of various means of authenticating identity accessible through an article on the Real ID initiative.  &lt;a href="http://www.msnbc.msn.com/id/15327118/"&gt;Follow this link to access the pop-up.&lt;/a&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/10/msnbccoms-privacy-lost-series.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116214572454232780'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116214572454232780'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-116102897835232250</id><published>2006-10-16T12:05:00.000-07:00</published><updated>2006-10-16T13:02:58.410-07:00</updated><title type='text'>Is Identity Theft a "Scare"?</title><content type='html'>An October 14, 2006 article in the Washington Post by Fred H. Cate entitled "The Identity Theft Scare" argues that the concerns over identity theft may be over-emphasized. 
Cate, director of the Indiana University Center for Applied Cybersecurity Research, states that, as was the case in the heavily publicized VA data theft story (the laptop was recovered with no access to data), "few if any such breaches lead to identity theft or other consumer injuries." &lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/10/13/AR2006101301459.html"&gt;Follow this link to the Washington Post article&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://cacr.iu.edu/"&gt;Follow this link to the Indiana University Center for Applied Cybersecurity Research&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;He states that a "2005 study by ID Analytics, which operates a nationwide fraud-detection network, found that even when the missing information included credit card numbers or other account-level data, the risk of identity theft was no greater than for accounts from which no information was lost or stolen. Two years after a theft, only one out of every 1,020 account holders whose information had been stolen -- less than one-tenth of 1 percent -- had been targets of any attempted fraud."&lt;br /&gt;&lt;br /&gt;His explanations include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;A broad definition of security "breach" that includes equipment theft. Most security breaches are accidental losses and not deliberate.&lt;/li&gt;&lt;li&gt;Most identity theft is the result of taking data directly from victims - often by people they know  or through a lost wallet or credit card.&lt;/li&gt;&lt;li&gt;In April the Justice Department said that 3.6 million Americans were affected in the second half of 2004 and more than half of these are credit card fraud. Further analysis suggests that there were 538,700 cases of true identity theft where such identities were used to open bank accounts in the victim's name. 
(Why this number - "far fewer" than the most commonly cited media figure of 10 million - should assure one is beyond this blogger.)&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;The author's primary point is that identity theft distracts individuals from the "greater threats" like more sophisticated frauds and the involvement of organized crime.</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/10/is-identity-theft-scare.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116102897835232250'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116102897835232250'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-116035125783494155</id><published>2006-10-08T16:42:00.000-07:00</published><updated>2006-10-08T16:49:00.916-07:00</updated><title type='text'>Second Nationwide Health Information Network Forum: Health Information Network Security and Services</title><content type='html'>On October 16 &amp;amp; 17, ONC will host a second nationwide health information technology forum. The topic will be on security and policy......&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.os.dhhs.gov/healthit/NHIN_Forum/"&gt;Follow this link to the announcement and draft agenda&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;Quoting from the release&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;em&gt;The Second Nationwide Health Information Network forum will focus on the services and security needed to advance health information networking. The forum will include presentations and discussion of the balancing of technology solutions, policy implications and impact. 
The forum will include plenary presentations, panel presentations with discussion and some focused breakout sessions on particular issues.&lt;br /&gt;&lt;br /&gt;The Second Nationwide Health Information Network forum will be open to the public and include participants in key processes supported by the Office for the National Coordinator for Health Information Technology (including the four consortia developing prototype Nationwide Health Information Network architectures, the National Institute for Standards and Technology, the AHIC Confidentiality, Privacy and Security Work Group, Health Information Security and Privacy Collaboration (HISPC), The Health Information Technology Standards Panel (HITSP), the Certification Commission for Health Information Technology and key representatives from other public, private, and non-profit health information technology stakeholders.&lt;/em&gt;&lt;/blockquote&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/10/second-nationwide-health-information.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116035125783494155'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116035125783494155'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-116032663084919864</id><published>2006-10-08T09:51:00.000-07:00</published><updated>2006-10-08T09:57:10.893-07:00</updated><title type='text'>GAO Report on Medicare Security</title><content type='html'>An October 8 New York Times article published by Robert Pear cites a "new report" from the GAO that claims:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Information security controls are missing from the complex and enormous communications infrastructure used by CMS.&lt;/li&gt;&lt;li&gt;Such weaknesses lead to a risk of 
modification, disclosure, or deletion of personally identifiable information&lt;/li&gt;&lt;li&gt;The system lacks strict password controls&lt;/li&gt;&lt;li&gt;The system does not encrypt data&lt;/li&gt;&lt;li&gt;The system does not "keep complete records of who uses the network, so it cannot be determined who views or modifies files"&lt;/li&gt;&lt;li&gt;These weaknesses lead to a serious potential to disrupt services. &lt;/li&gt;&lt;/ul&gt;&lt;p&gt; &lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.gao.gov/new.items/d06750.pdf"&gt;Follow this link to the August, 2006 GAO Report&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/10/gao-report-on-medicare-security.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116032663084919864'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/116032663084919864'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-115879429171808585</id><published>2006-09-20T16:10:00.000-07:00</published><updated>2006-10-02T15:57:39.796-07:00</updated><title type='text'>Workshop Case Studies And Day One Findings(September 2006)</title><content type='html'>&lt;p&gt;The following link leads to a summary of findings from the first day of a two-day workshop involving over 100 people representing over 15 states and national organizations. The second link leads to the workshop site. 
Following these are links to case studies used in the workshop.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.volunteer-ehealth.org/frisse/docs/day_one.pdf"&gt;Link to Day One Summary&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/"&gt;Link to Workshop&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;These case studies were used in a September 2006 privacy and confidentiality workshop sponsored by the Vanderbilt Center for Better Health and the eHealth Initiative. All materials are copyrighted but may be used in educational, non-profit settings. We would be interested in your feedback. Please send any remarks to &lt;a href="mailto:mark.frisse@vanderbilt.edu"&gt;mark.frisse@vanderbilt.edu&lt;/a&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_01.pdf"&gt;Ancillary use of data&lt;/a&gt;. What needs to be done to expand use of data in an exchange&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_02.pdf"&gt;Auditing and reporting&lt;/a&gt;. General issues on audits and reports &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_03.pdf"&gt;Banks and pharmacies for disease management&lt;/a&gt;. “Over-the-top” look at how credit cards, banks, and consumer protection laws really make things confusing &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_04.pdf"&gt;Clinical Trials and the Information Altruist&lt;/a&gt;. How “anonymous” is anonymous? &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_05.pdf"&gt;Crossing state lines&lt;/a&gt;. Reconciling policy and expectations across state jurisdictions. 
&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_06.pdf"&gt;Emergency department&lt;/a&gt;. Addresses mandatory reporting, break the glass, and related&lt;br /&gt;issues. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_07.pdf"&gt;Governance&lt;/a&gt;. General questions concerning expansion of policies over time to accommodate changes &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_08.pdf"&gt;Hacking and obtaining personal health information&lt;/a&gt;. Explores implications of communication of loss of personal health information &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_09.pdf"&gt;Identity theft&lt;/a&gt;. Similar to the hack but emphasizing consumer law more. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_10.pdf"&gt;Immigrant using an alias&lt;/a&gt;. What is an alias? How do new MPI technologies change their value? What policies should be set? &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_11.pdf"&gt;Informing the patient&lt;/a&gt;. What are the privacy and confidentiality provisions where patients are concerned? &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_12.pdf"&gt;Informing the practitioner&lt;/a&gt;. What are the privacy and confidentiality provisions where physicians are concerned (can be generalized to all clinicians, including pharmacy, nursing, etc.) &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_13.pdf"&gt;Lab errors&lt;/a&gt;. 
A lab is incorrectly reported, published through an exchange, and then corrected but not registered or logged consistently. Has to do with non-repudiation, technical updating of lab tests, CLIA, etc. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_14.pdf"&gt;Liability&lt;/a&gt;. Who is liable where data-sharing agreements are concerned?&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_15.pdf"&gt;Merging records imperfectly&lt;/a&gt;. What are the implications of fuzzy matches? &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_16.pdf"&gt;Nurse using doctor’s identity to refill a medication&lt;/a&gt;. How are e-Rx provisions different from general data exchange provisions. Addresses identity management, enforcement of violations. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_17.pdf"&gt;Opting-out.&lt;/a&gt; A general purpose case to turn your brain into a pretzel. &lt;/li&gt;&lt;li&gt;&lt;a href="http://www.mc.vanderbilt.edu/vcbh/ds/0606_privacy/journal/images/07/csaestudies/07_CS_18.pdf"&gt;Test performed but results unavailable&lt;/a&gt;. 
Explore the obvious information inherent when you know a test is performed but you don’t know the results.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/09/workshop-case-studies-and-day-one.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115879429171808585'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115879429171808585'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-115962160975033333</id><published>2006-09-30T06:00:00.000-07:00</published><updated>2006-09-30T07:15:17.986-07:00</updated><title type='text'>NCVHS to Secretary Leavitt - HIPAA Lessons</title><content type='html'>On June 22, 2006, NCVHS sent a letter to Secretary Leavitt quoted extensively on this posting.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.ncvhs.hhs.gov/060622lt2.htm"&gt;Follow this link for the letter&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The National Committee on Vital and Health Statistics (NCVHS) has responsibilities for assessing the impact of the adoption and use of transactions and code sets adopted under the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Because it has been ten years since this landmark legislation was passed, NCVHS felt it was appropriate to solicit testimony to assess the status and lessons learned from HIPAA. Since 2002, we have held 17 hearings with more than 200 testifiers from various stakeholder groups on a wide range of HIPAA-related issues, including HIPAA compliance, claims attachments, and ICD-10 adoption. All of this input has significantly increased our understanding of HIPAA and its effects on the delivery and payment of health care. 
It has further reminded the Committee that HIPAA changes the business processes as well as the systems used by the healthcare industry.&lt;/p&gt;&lt;strong&gt;Observation 1: Implementations.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;HIPAA implementation has taken longer than anticipated in the HIPAA legislation. &lt;/li&gt;&lt;li&gt;actual publication of the rules has taken much longer than expected&lt;/li&gt;&lt;li&gt;while payers were required to implement all standards, adoption by providers was not required&lt;/li&gt;&lt;li&gt;reluctance by the vendors to build the range of necessary software for the non-revenue-related HIPAA transactions (such as the eligibility transactions 270/271 and claim status notification 276/277). &lt;/li&gt;&lt;li&gt;reluctance by some payers to robustly implement the HIPAA non-revenue transactions. For example, payers in many cases included only minimum information in the eligibility transactions, which resulted in providers not being able to gain full benefit. &lt;/li&gt;&lt;li&gt;There are still health care organizations that are not yet compliant with HIPAA standards&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Recommendation 1:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;HHS should undertake a comprehensive evaluation of HIPAA implementation in order to identify barriers to timely, efficient and effective implementation, as well as areas for future improvements. &lt;/li&gt;&lt;li&gt;Once these impediments and areas of improvement are identified, the NCVHS pledges to work closely with the Department and the industry to identify ways to best address them. &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Observation 2:&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;The process for changing versions or updating versions of HIPAA standards is slow and cumbersome. &lt;/li&gt;&lt;li&gt;The HIPAA final rule requires covered entities to use a particular version of a standard, without modification. 
&lt;/li&gt;&lt;li&gt;It does not permit voluntary adoption of new versions; in contrast, this is permitted under the electronic prescribing final rule. &lt;/li&gt;&lt;li&gt;The administrative requirements under the Administrative Procedures Act (APA) necessitate notice and comment rulemaking. This has taken several years from issuance of a Notice of Proposed Rulemaking (NPRM) to implementation. &lt;/li&gt;&lt;li&gt;The HIPAA process requires that changes to standards be vetted through various standards development organizations (SDOs). &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Recommendations pertaining to observation 2:&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;The Department should immediately explore ways to facilitate quicker updates and implementations of HIPAA transaction standards in a manner that can reduce or eliminate areas of redundancy in this process, including the possibility of not requiring HHS notice and comment rulemaking for a version update of an already existing HIPAA transaction standard. &lt;/li&gt;&lt;li&gt;This recommendation does not apply to the HIPAA privacy and security regulations. &lt;/li&gt;&lt;li&gt;The exploration should include:&lt;/li&gt;&lt;/ul&gt;&lt;blockquote&gt;- An in-depth review of the applicable statutory and regulatory requirements; a comprehensive exploration of permissible options; and a determination as to whether legislative changes to HIPAA should be initiated.&lt;br /&gt;- Consideration of regulatory changes to permit the voluntary adoption of backward compatible updates to named HIPAA standards.&lt;br /&gt;- Consideration of how to include public comment on business process issues as well as functional and technical standards issues in the review process. &lt;/blockquote&gt;&lt;ul&gt;&lt;li&gt;The Department should expedite issuance of the NPRM on current HIPAA modifications. 
&lt;/li&gt;&lt;li&gt;The Department should determine what would be necessary to facilitate synchronization of the timing of implementation of changes to HIPAA code sets (including medical and non-medical data code sets) to minimize the scope and quantity of changes experienced by the providers, payers, clearing houses and vendors. Alignment of the timing of changes and updates to the code sets would allow the industry to coordinate, test and implement on a more orderly schedule and reduce rejected claims.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Observation 3:&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;The testifiers who were using only the HIPAA health claims transactions indicated that they were not yet able to show a positive ROI. It is important that we improve the ROI for HIPAA transactions and code sets so that they will serve as a driver for further adoption of health information technology and standards in the healthcare field. &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Recommendations pertaining to Observation 3:&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;HHS should take additional steps to increase the adoption and use by providers and payers of all those HIPAA transaction standards beyond the health claims transactions, such as eligibility (270 / 271), claim status (276 / 277), payment and remittance (835), and referrals (278). These transactions when incorporated into daily processes can reduce staff and increase efficiency. &lt;/li&gt;&lt;li&gt;HHS should actively work with payers to facilitate inclusion of enough information in their responses (eligibility standard 271 and claim status standard 277) to allow providers to use the information to actually improve their processes. 
&lt;/li&gt;&lt;li&gt;Continuing participation by CMS is needed in the work by the Council on Affordable Quality Healthcare (CAQH), a voluntary group representing payers, providers, vendors and associations, on standardization of the data in an eligibility transaction. &lt;/li&gt;&lt;li&gt;HHS should actively work with vendors to encourage their inclusion of the aforementioned non-claim transactions in practice management software used in provider offices. &lt;/li&gt;&lt;li&gt;HHS should continue to support ongoing work by the industry and standards development organization to reduce unnecessary variability of business rules, as currently documented in companion guides. Several actions are necessary. The first is to support processes to identify common business practices that are included in the different payers’ companion guides. Second, harmonization of the business practices that are not common must be promoted, to the extent possible. In addition, some independent initiatives are underway to further evaluate those differences in business rules. Continued support of these efforts by HHS would advance the original intent of standardization. &lt;/li&gt;&lt;li&gt;HHS should facilitate and encourage the adoption of one of the currently non-mandated acknowledgement transactions (e.g., 997 or 999) to standardize the acknowledgement process between providers, payers, clearinghouses and vendors. &lt;/li&gt;&lt;li&gt;HHS should continue the use of pilot testing new HIPAA standards, such as the pilot conducted with the proposed claims attachment standard, to obtain a real look at the actual benefits, issues, business impacts and system changes surrounding the proposed standard. 
Even small-scale pilots can yield valuable information that could help speed implementation.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/09/ncvhs-to-secretary-leavitt-hipaa.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115962160975033333'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115962160975033333'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-115840729285172780</id><published>2006-09-16T04:46:00.000-07:00</published><updated>2006-09-16T04:48:12.860-07:00</updated><title type='text'>Language: How Can I Consent If I Don't Understand You?</title><content type='html'>The literature on informed consent is vast. Concerns and interest over cultural competency are growing.&lt;br /&gt;&lt;br /&gt;Recently the State of New York began enforcing a requirement that translators be present. 
A news summary of this requirement can be found at:  &lt;a href="http://news.yahoo.com/s/ap/20060914/ap_on_he_me/hospital_translators_1"&gt;http://news.yahoo.com/s/ap/20060914/ap_on_he_me/hospital_translators_1&lt;/a&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/09/language-how-can-i-consent-if-i-dont.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115840729285172780'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115840729285172780'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-115815031370098758</id><published>2006-09-13T05:24:00.000-07:00</published><updated>2006-09-13T05:25:13.710-07:00</updated><title type='text'>The Transportation Worker Identification Credential Program: A Federal Approach to Identity Management</title><content type='html'>&lt;a href="http://www.tsa.gov/what_we_do/layers/twic/index.shtm"&gt;Transportation Worker Identification Credential.&lt;/a&gt;  TSA has tested a system-wide common credential that can be used across all transportation modes. TWIC can be used for all personnel requiring unescorted physical and/or computer access to secure areas of the national transportation system. It was developed in response to threats and vulnerabilities identified in the transportation system and in accordance with the legislative provisions of the Aviation and Transportation Security Act (ATSA) and the Maritime Transportation Security Act (MTSA). The TWIC will positively tie the person to their credential and to their threat assessment.  The credential can then be used with the local facility access control system to allow unescorted access to those in possession of a valid TWIC card.&lt;br /&gt;The program is currently preparing for production. 
The Prototype test was successful and ended on 30 June 2005.  The first two phases involved developing the plan for the program and evaluating the data storage technology.  The third phase has tested the business processes that include enrolling workers, conducting the security assessment, issuing cards and daily usage of the credential.  &lt;br /&gt;TSA and the United States Coast Guard (USCG) have joined to develop a proposed rule to implement the TWIC for the maritime mode. As a result of this effort, USCG is providing significant input to TSA regarding the impacts and processes involved in a future TWIC program.  TSA and USCG have issued a joint New Proposed Rule Making (NPRM) that outlines various requirements and applicability for the TWIC. The regulation will seek to achieve the security benefits that Congress expected when the MTSA was enacted without imposing unnecessary burdens on the regulated community. The Credential was introduced at 26 different sites including ports in the East/West and Florida.   Each site used a biometric technology to provide authorized transportation workers access to controlled areas.&lt;br /&gt;The TWIC Program will enhance security at U.S. transportation facilities while boosting the efficiency of commercial activity.  Up to 850,000 maritime port transportation workers are expected to participate in the initial rollout of the program over eighteen months starting by the end of 2006.  
This initial effort will include enrollment centers in 125 different ports located in 38 states.</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/09/transportation-worker-identification.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115815031370098758'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115815031370098758'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-115548423732318957</id><published>2006-08-13T06:02:00.000-07:00</published><updated>2006-08-13T08:50:37.336-07:00</updated><title type='text'>Emergency Department Issues</title><content type='html'>Emergency Departments are increasingly the source of activity to evaluate the power of health information exchange. The rationale - dominant for over a decade - is self-apparent:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Emergency department patients are often extremely ill&lt;/li&gt;&lt;li&gt;Complete and timely information may be life-saving (or prevent harm)&lt;/li&gt;&lt;li&gt;Patients in distress (or even unconscious) cannot give a clear medical history&lt;/li&gt;&lt;li&gt;The psychology of the provider is to order more tests because information is not usually available and a broader range of diagnostic tests will accelerate and improve decision-making&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;As a result of these phenomena, a  number of challenges arise:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Emergency departments also perform tests where similar tests have recently been performed at other sites but are not available. 
Hence, from an external perspective, such testing is "redundant" in retrospect and drives up costs&lt;/li&gt;&lt;li&gt;Emergency departments also perform tests to address what are often chronic health problems and deliver diagnostic and therapeutic services better delivered in an ambulatory care setting. Because of the cost structures and traffic in an emergency room, treating such patients in the ED setting creates "bottlenecks" in patient flow and testing that may lead to delays in treatment of more acutely ill individuals&lt;/li&gt;&lt;li&gt;Emergency departments are also the focus of individuals with critical chronic pain issues as well as those with drug-seeking behaviors.  &lt;/li&gt;&lt;li&gt;They are also a focal point for individuals with psychiatric disorders or other behavioral health problems.&lt;/li&gt;&lt;li&gt;Because of the controversy surrounding these illnesses and the tension between providing the best care and protecting the wishes of the individuals, emergency departments are a test bed for medical confidentiality policies.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Links relevant to these issues will be posted here.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://dawninfo.samhsa.gov/"&gt;New Dawn web site - Substance Abuse and Health Services Administration (HHS)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://dawninfo.samhsa.gov/old_dawn/privacy/restrictions.asp"&gt;Dawn privacy and confidentiality link&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://aspe.hhs.gov/datacncl/privacy/titleV.pdf"&gt;Public law 107-247 (December 17, 2002)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;rgn=div5;view=text;node=42%3A1.0.1.1.2;idno=42;sid=a61e3b4b0b97c07d4dcac33d3767f6e7;cc=ecfr"&gt;Title 42 Public Health&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cms.hhs.gov/EMTALA/"&gt;CMS Emergency Medical Treatment and Labor Act (EMTALA) home page&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a 
href="http://www.urgentmatters.org/EDBA%20Summit%20Document%20Final%204-6-06.pdf"&gt;GWU Conference Consensus statement on standardizing reporting (UrgentMatters.org)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://aspe.hhs.gov/admnsimp/index.shtml"&gt;HHS Assistant Secretary for Planning and Evaluation (ASPE) Web site&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/08/emergency-department-issues.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115548423732318957'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/115548423732318957'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-114693311313162267</id><published>2006-05-06T08:49:00.000-07:00</published><updated>2006-05-06T09:35:28.236-07:00</updated><title type='text'>Concerns over the Real ID Act of 2005</title><content type='html'>An April 26 report has raised administrative and financial concerns over the implementation of the RealID legislation by 2008. This report is of importance to health confidentiality policies because it outlines the difficulties in establishing identity and, more peripherally, should suggest possible synergies between the establishment of identity with subsequent processes to authenticate identities for health care and to determine authorization to access information.&lt;br /&gt;&lt;br /&gt;The report was sponsored by the National Governors Association, the National Conference of State Legislatures, and the American Association of Motor Vehicle Administrators and is directed to the Department of Homeland Security. 
The concern is summarized in a recent NY Times article where Governor Huckabee of Arkansas used the term "absurd" and where state legislative efforts to allow an "opt out" of this mandate are under discussion.&lt;em&gt; &lt;/em&gt;The Times article also reminds the reader of the visceral sentiment among some where a national ID is concerned.&lt;br /&gt;&lt;br /&gt;Like other concerns over privacy and confidentiality, this issue has created a common purpose among organizations as diverse as the Cato Institute and the ACLU.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.nga.org/Files/pdf/0604REALIDRECOMMEND.PDF"&gt;Follow this link for the report (pdf)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.nytimes.com/2006/05/06/us/06id.html?ex=1304568000&amp;en=92b3e08fe108bbad&amp;amp;ei=5088&amp;partner=rssnyt&amp;amp;emc=rss"&gt;Follow this link for a May 6 NYTimes article (subscription may be required)&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.cato.org/testimony/ct-jh041106.html"&gt;Jim Harper (Cato Institute) testimony to NY Legislature&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.realnightmare.org/"&gt;ACLU's "RealNightmare.org" Web site&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;Quoting from the report summary:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;em&gt;Even with the most advantageous construction of the regulations, according to the survey responses, the Act could increase equivalent visits to State Motor Vehicle agencies by over 75% annually. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Implementing REAL ID requirements will require additional staff, facilities, training and equipment, including the development, expansion and deployment of the five verification systems required by the Act. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Because driver licensing is a state function, each jurisdiction will face the challenges of implementation from a different demographic, operational, legislative, technological and fiscal status. 
Regulations must therefore provide maximum flexibility to ensure compliance can be achieved. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;There is simply not sufficient time to implement the requirements as defined by the statute. The absence of timely regulations, systems and resources will ultimately overwhelm all good intentions and desire for swift implementation, and must be acknowledged and addressed.&lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Implementation costs will be significant and potentially problematic. States are in the process of conducting a fiscal impact survey to accurately and credibly define the level of resources needed to meet federal standards.&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Among the concerns raised in the report are concerns over collection and use limitation (consistent with similar themes articulated in the Connecting For Health principles), definition of principal residence, and inclusion of a broad range of identity information on a common card. They also raise concern over the cost of verification of eligibility documents and details like "what is a full legal name" familiar to anyone with hyphenated or changed names due to marriage.&lt;br /&gt;&lt;br /&gt;When reading the report, one cannot help but be amazed by the number of federal databases that are out there, including databases with names like the Systematic Alien Verification for Entitlements (SAVE) and Electronic Verification of Vital Events (EVVE) as well as the numerous data silos known to each state through its various services (especially the Medicaid tangle).&lt;br /&gt;&lt;br /&gt;Still, this reader cannot help but believe that identity management is essential to protect certain rights (like privacy) and that "opting out" for some legitimate purposes should have consequences (e.g., if I "opt out" of state-regulated speed limits, I impose certain risks on myself and others and should bear the consequences).  
It also seems clear that these broader issues of identity management cannot and should not be addressed systematically without a strong emphasis on both the care of the individual and the public health. A middle ground can - and must - be found and will no doubt be the result of complex relationships between technologies, policies, and social systems.</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/05/concerns-over-real-id-act-of-2005.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114693311313162267'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114693311313162267'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-114668453753821710</id><published>2006-05-03T12:20:00.000-07:00</published><updated>2006-05-03T12:28:57.560-07:00</updated><title type='text'>Even the Pentagon!</title><content type='html'>The May 1 GovExec.com details an intrusion&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.govexec.com/dailyfed/0506/050106p1.htm"&gt;Follow this link to the article&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;Department of Defense on Friday announced that hackers have accessed the Pentagon's health insurance information systems that had the personal data of more than 14,000 people through TRICARE management activity public servers. The databases included names, Social Security numbers, the last four digits of credit card numbers, personal phone numbers, e-mail addresses and home addresses. No medical record databases were accessed.&lt;br /&gt;&lt;br /&gt;Those affected were sent letters notifying them of the intrusion and their risk of identity theft. 
It is clear that security and confidentiality are fundamental components of a national health information structure (and even organizational systems) that increasingly must be developed, aligned, and made coherent.&lt;br /&gt;&lt;br /&gt;Mark</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/05/even-pentagon.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114668453753821710'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114668453753821710'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-114648308595752071</id><published>2006-05-01T04:25:00.000-07:00</published><updated>2006-05-01T04:34:01.773-07:00</updated><title type='text'>AHIMA Survey Shows Privacy Compliance Challenges and Growing Public Concern</title><content type='html'>A recent survey published by AHIMA suggests that organizations are having more difficulties complying with the HIPAA Privacy Rule.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.govhealthit.com/article94120-04-19-06-Web&amp;amp;ghitnewsletter=yes"&gt;Follow this Link for the Government Health IT article&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf"&gt;Follow this link to the AHIMA survey information&lt;/a&gt; (pdf)&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Quoting from the April 19 Government HealthIT Article:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;When asked what areas of the HIPAA privacy rule should the federal&lt;br /&gt;government change, more than a quarter of respondents said they should not have to account for all disclosures of protected health information. 
The rule gives patients the right to know who has seen their records beyond the necessary people involved in their treatment, payment or health care operations. More than half of the respondents cited some difficulties in complying with this provision.&lt;br /&gt;&lt;br /&gt;Making records available to relatives or partners of patients was the next most often-listed trouble spot in the rules, followed by giving patients their own records after treatment has ended and releasing information to law enforcement officers.&lt;br /&gt;&lt;br /&gt;The survey results also suggested that patients could be becoming more concerned about the privacy of their medical records, as more patients are asking questions and refusing to sign release of information forms.&lt;br /&gt;&lt;br /&gt;Many observers have cited public concerns about privacy of their medical records as a potential barrier to development of a national health information network. AHIMA’s report on the survey concurred, stating, &lt;strong&gt;'Without consumer confidence, the national health information network will never succeed.&lt;/strong&gt;' &lt;/em&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/05/ahima-survey-shows-privacy-compliance.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114648308595752071'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114648308595752071'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-114183015053035671</id><published>2006-03-08T06:44:00.000-08:00</published><updated>2006-03-08T19:49:42.710-08:00</updated><title type='text'>National Consumer League</title><content type='html'>The &lt;a href="http://www.nclnet.org/"&gt;NCL &lt;/a&gt;has a number of publications concerning confidentiality and privacy. 
Soon to release a set of principles for consumer access for health information exchange along the lines of some of the Markle Connecting for Health work, NCL has other useful resources.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://nclnet.org/advocacy/health/hit_consumer_principles.pdf"&gt;health care communications provided by retail pharmacies&lt;/a&gt;.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Returning to the principles - soon to be released, the only weakness (and it is generic to all such declarations) is that they set an expectation so high that it may become an impediment to more robust markets based on health information exchange (e.g., direct access by consumers to their electronic health information is a formidable technical and policy challenge). These principles would be strengthened if there were additional information on the current state of health information use. At present, consumer protection, use limitations, and many other aspects covered in these principles are not addressed systematically. I would claim that despite survey data to the contrary, the thinking on access to digital HIE is often based on the belief that the current world is somehow perfect. Rather than start from the mud and mire of our current technology policies and address an evolutionary path, many HIE privacy principles cause the same skeptics to jump immediately to a Utopia and to be critical of any positive steps inconsistent with this ultimate ideal.&lt;br /&gt;&lt;br /&gt;These are not weaknesses of the principles but instead realities of community psychology when dealing with health information exchange. Or so I would hypothesize. 
More data are needed to understand if this premise is correct.</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/03/national-consumer-league.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114183015053035671'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114183015053035671'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-114166480303379362</id><published>2006-03-06T09:04:00.000-08:00</published><updated>2006-03-06T09:06:43.046-08:00</updated><title type='text'>Ponemon Institute Survey on Trust in Banking</title><content type='html'>The Ponemon Institute has multiple surveys on privacy.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.ponemon.org/index.html"&gt;Follow this link to the Ponemon Institute&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;Their most recent survey on banking trust shows a decline due in part (they believe) to the disclosed security breaches. Several interesting notes. More consumers are receiving notification; this might be a good thing if it is the result of better awareness and communications. 
Also, consumers are as trustful of on-line banking as retail banking in person.....&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.ponemon.org/press/2006PTSiRetailBankingFinalrelease.pdf"&gt;Follow this link to the summary of their February 2006 survey&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/03/ponemon-institute-survey-on-trust-in.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114166480303379362'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114166480303379362'></link><author><name>Mark Frisse</name></author></entry><entry><id>tag:blogger.com,1999:blog-13797193.post-114165081068286645</id><published>2006-03-06T05:09:00.000-08:00</published><updated>2006-03-06T05:13:30.696-08:00</updated><title type='text'>Robert Wood Johnson Foundation Studies Legal Barriers to Health Information</title><content type='html'>&lt;a href="http://www.healthinfolaw.org/"&gt;Follow this link to the GW Health Information Law site&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;from a &lt;/em&gt;&lt;a href="http://healthinfolaw.org/index.php?module=News&amp;id=cntnt01&amp;amp;cntnt01action=detail&amp;cntnt01articleid=2&amp;amp;cntnt01returnid=62"&gt;&lt;em&gt;press release &lt;/em&gt;&lt;/a&gt;&lt;em&gt;issued March 2, 2006 by George Washington University&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Washington, DC—The George Washington University School of Public Health and Health Services (SPHHS) announced establishment of a project to assess the legal issues that affect the broader use and transparency of health information critical to quality improvement and reducing racial and ethnic disparities in healthcare. 
Supported with a grant from the &lt;a href="http://www.rwjf.org/"&gt;Robert Wood Johnson Foundation (RWJF)&lt;/a&gt;, the project, Legal Barriers to Health Information, is part of the Foundation’s initiative to improve healthcare quality and reduce racial and ethnic disparities in healthcare.  Educational materials and tools as well as products will be available at the project’s website, &lt;a href="http://www.healthinfolaw.org/"&gt;http://www.healthinfolaw.org/&lt;/a&gt;.&lt;br /&gt;&lt;p&gt;Legal Barriers to Health Information is the next expanded phase of an earlier RWJF grant to The George Washington University to assess the legal environment for health information.  As information technology improves the availability and quality of health information, the legal imperative to use health information to improve healthcare quality and reduce healthcare disparities increases as well. For this reason, healthcare leaders urgently need to understand the legal barriers that inhibit the responsible use of health information.&lt;/p&gt;&lt;p&gt;Under the direction of Sara Rosenbaum, JD, Harold and Jane Hirsh Professor of Health Policy and chair of the Department of Health Policy, the project has three purposes:&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;To educate consumers, health professionals and policy makers about legal barriers that may impede the use of safe and secure health information to improve quality and reduce racial and ethnic healthcare disparities;&lt;/li&gt;&lt;li&gt;To identify balanced approaches for resolving barriers; and&lt;/li&gt;&lt;li&gt;To provide tools to aid the dissemination of legal innovations and to provide technical assistance on legal questions related to health information.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The project is being conducted under the guidance of a Standing Committee, whose members are drawn from the fields of healthcare, health insurance, patients’ rights and civil rights.  
The report from the first phase, Charting the Legal Environment of Health Information, can be found at &lt;a href="http://www.rwjf.org/"&gt;http://www.rwjf.org/&lt;/a&gt;. Michael Painter, JD, MD, who leads the healthcare disparities program at the Foundation, said, “Many people are spending hours of every day trying to figure out how to make health information more usable by providers, plans and consumers in order to drive sustainable improvements in the quality of care—improvements that will also reduce disparities.  Change is certainly in the air, and these changes will naturally hit legal barriers.  We are very hopeful that this project will help us identify and understand these barriers.”&lt;/p&gt;&lt;p&gt;Professor Rosenbaum said, “Current trends in healthcare information represent opportunities to improve the quality of healthcare and reduce disparities.  We think this project is critical in helping stakeholders take advantage of these opportunities by understanding current legal policies that shape the use and dissemination of healthcare information.”&lt;/p&gt;&lt;p&gt; &lt;/p&gt;</content><link rel='alternate' type='text/html' href='http://volunteer-ehealth.org/frisse/frisse-policy-confidentiality/2006/03/robert-wood-johnson-foundation-studies.html'></link><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114165081068286645'></link><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/13797193/posts/default/114165081068286645'></link><author><name>Mark Frisse</name></author></entry></feed>