Monday, October 29, 2007
We often hear about how blessed we are to live in a state with such world-class medical institutions -- and it's true, we are. What gets less attention, however, is that we in the Commonwealth have such terrific health plans -- non-profit, well-managed, focused on our state, and community-minded.
Health insurers get a lot of criticism -- and not all of it undeserved (my parents are physicians -- believe me, I've heard it all). Yet, in our overly complicated "non-system" that we call a health care system, health insurers are for many patients -- and especially the sickest ones -- the glue that holds the whole thing together. So, let's give some credit where credit's due and praise our local health plans who have shown themselves to be world-class in their own right.
Okay, I'm finished with today's blog and now it's time to get back to running the business.....Next year's premiums are going up by how much?!
Thursday, October 25, 2007
This has left open the question of what to do about secondary uses of de-identified data, however. HIPAA does not require patient permission if the data being used is fully de-identified, and many HIE projects are operating on the presumption that secondary uses are okay as long as they release only de-identifed data, which HIPAA allows them to do.
I've been in an increasingly large number of conversations with HIE projects around the country who are saying that even though HIPAA allows it, they're going to ask for blanket permission from patients before they release even de-identified data. And they're hoping that this "belt and suspenders" approach fully protects their activities.
Some new work sponsored by the Institute of Medicine suggests that this approach may be the minimum requirement for satisfying increasing patient demands for privacy protection (see Striking a balance between privacy and health). Of over 300 patients surveyed:
- 38% said that they'd want researchers "from each research study....to first describe the study to me and get my specific consent for such use";
- 19% would allow use of de-identified data without consent as long as the research was overseen by an IRB;
- 13% would not want their data used for research "under any circumstances";
- 8% said an upfront "general consent" would be enough for use of their data in future research projects;
- 1% said researchers could use their data without their consent
The implications are pretty startling. We have a serious disconnect between what the law allows and what patients want (and expect). Over 80% of people would NOT want their data to be used for research without their consent, even if it was de-identified and overseen by an IRB. And while it's hard to read from the survey's summary data, a large fraction may want some type of consent for each use.
There's a lot of hope that health trusts and personally controlled health records will solve all of this by giving patients ultimate control of their health information. We're a long long way off from being able to give patients that type of control, so we'll be facing these issues for a long time to come.
There's obviously no "right" or "wrong" here because it is what it is. On the other hand, we should always be cautious about surveying people about abstractions -- a little education and concrete experience may change people's perceptions dramatically. That said, the threshhold on privacy protection is clearly getting higher, and what may have seemed like conservative approaches to privacy protection yesterday may become barely adequate tomorrow.
Wednesday, October 24, 2007
Unauthorized disclosures of patient information happen all the time. Most of the time it's unintentional and no harm is done. With intentional disclosures, there is a temptation to tailor punishment to motive -- specifically, to separate cases where a person looks at a record "with malice" from cases where it's "without malice". That's clearly what's going on at Palisades, and implicitly, in Mr. Clooney's head. I assume that the punishment would be different if an employee was found to be stealing Clooney's identity, or looking for his address or phone number to stalk him.
As more health care institutions convert to electronic medical records, there is increasing concern about privacy protection, and most of that concern is understandable and well-placed. The enormous benefits that can come from greater use of EMRs will go unrealized if we adopt a cavalier attitude on technologies and policies related to patient privacy. Suspending workers without pay in this case strikes me as being unbelievably lenient. If I was a patient at Palisades Medical Center, I would switch immediately to an institution that has greater respect for the trust that I've placed in them as the custodian of my records.