Wednesday, February 28, 2007

What is the federal approach to privacy and HIT?

While I was away on vacation last week, HealthcareITNews published the following: "Federal privacy panel leader resigns, raps standards". It describes how privacy expert and advocate, Paul Feldman, has resigned his position as co-chair of the Confidentiality, Privacy, and Security Workgroup of the American Health Information Community (AHIC).

For those of you who don't know, AHIC is an advisory group -- chaired by HHS Secretary Mike Leavitt -- that is supposed to make recommendations to the federal government on how to accelerate HIT adoption. Since 9 out of its 18 members are federal or state government employees, I'm not sure how much of a "community" it really is, but that aside, it's chaired by the Secretary himself so it's clearly important. (Then again, since the government is responsible for 2/3 of all health care spending in the US, maybe the government is under-represented on this panel. And maybe we should more seriously consider a single-payer model since we're almost there anyway. But I digress.....)

It's hard to know from the outside what's really behind public resignations of this type, but the very fact that it's happened is not good. Feldman's letter of resignation cites the following:

We have determined we are unable to continue given that the workgroup has not made substantial progress towards the development of comprehensive privacy and security policies that must be at the core of a nationwide health information network (NHIN)...We support the development of an NHIN with strong and enforceable privacy and security rules in place and believe that the failure to achieve a privacy framework acts as a significant barrier to a robust and secure environment for e-health.

It would be one thing if this was an isolated incident. Unfortunately, it comes on the heels of a GAO report whose title says it all: "Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy". And last summer, the National Committee on Vital Health Statistics issued a report with similar findings.

While I wouldn't say this is much ado about nothing, I do think it's much ado about the wrong thing. Both Feldman and the GAO focus on the need for standards for a national network, citing President Bush's goal of having this in place by 2014.

As interesting as that discussion might be, I don't think an interoperable national network is going to happen by 2024, let alone 2014. Indeed, we don't even know what we should argue about because we don't know what such a network would look like, let alone when it would be created. For example, if the only justification for a national network is to aggregate deidentified data for population health measurement, there are a whole host of issues that we don't have to argue about. Worrying about too many of these details now is like fretting over relocation policies for coastal communities displaced by rising seas from global warming -- let's worry about it if the time comes.

Where we should focus attention is on where the action is: state and local networks. Many such networks will be up and running in the next few years (including three MAeHC networks before the end of this year). Yet there is tremendous variation in state privacy policies at present. For many states, HIPAA is the binding constraint. For others, like Massachusetts, state privacy standards are much higher.

Anyone putting systems in place right now is basically making up a whole bunch of stuff as they go (with varying degrees of diligence). They're doing this because they have to. Federal and state laws aren't nearly clear or detailed or coherent enough, lessons learned in one state don't always translate to other states, and the urgency to get systems in place won't wait for the law to catch up.

Yet the question remains: shouldn't a citizen of Louisiana or Ohio expect to have the same basic privacy protections as a citizen of New York or Massachusetts? That question won't be answered by setting policies for a national network that may never be built -- rather, it requires discussion of how to regulate state and local networks that are already being built, and in particular of whether HIPAA and other federal privacy statutes and regulations provide an adequate floor of privacy protections for such networks.

The federally-sponsored Health Information Security and Privacy Collaborative (HISPC) is currently doing an inventory of state-level privacy policies, which is a necessary step in the right direction. (The MA-HISPC project is doing this work for Massachusetts.) The first results from this work are going to be presented in Washington on March 5-6. Whether this work is progressing nearly fast enough to address what's already happening on the ground remains to be seen.......
