Should Privacy/Security be the scapegoat for the slow adoption of IT in health care?
Posted by Thomas Jeffry
Intel CEO Paul Otellini was quoted recently in the Financial Times attacking the healthcare industry as "the slowest moving industry in the world" because it was the least penetrated by IT.
Mr. Otellini’s comments follow several post-mortem reports posted last week by Health Affairs discussing the reasons for the demise of the Santa Barbara County Care Data Exchange (SBCCDE) last December. SBCCDE was considered a pioneer for community-based electronic health information exchange (HIE) also know as regional health information organization (RHIO). In principle, HIEs are intended to create a simple and secure way to electronically share patient data between health care providers, caregivers, and consumers.
When SBCCDE closed down, initial speculation suggested that among the reasons was the inability of the various parties to reach consensus on how to resolve legal issues related to patient privacy and the security of health information exchanged.
In their report Lessons Learned From The Santa Barbara Project, Jonah Frohlich et al. suggest that privacy and liability issues be addressed early on with participation of all stakeholders, including consumers. The report suggests starting with existing local policies and a good understanding of federal and state regulations. Noting that 92 percent of consumers are willing to share personal health information with other health professionals involved in their care who are not their primary care provider, the report is optimistic that privacy concerns can be accommodated within a HIE.
Is the inability to effectively deal with privacy and security issues up front the reason health care is “slow moving” to develop HIEs?
HIPAA doesn’t provide a specific standard applicable to HIEs and concerns over potential liability over a breach of privacy serve to further increase the anxiety of physicians, hospitals and other health care providers who need to participate in the exchange to make it effective. Legislation and regulatory guidance specific to the HIE framework would be helpful. However, privacy and security concerns should not be seen as insurmountable obstacles to adoption of IT in health care or the development of HIEs. As the Santa Barbara Project report suggests, early dialogue with a good understanding of the fundamental principles behind privacy and security good practices will go a long way toward reaching consensus.
Until the time when my medical records become *my* property, rather than that of the provider, I do not want my records (few though there are) to become the medical equivalent of easily portable PDFs. Record portability is a strawman solution to a problem that doesn't exist. It sure will make greater government visibility into our most personal of subjects, though. No thanks.