Clearing the Air About eHealth Security
Privacy and data security are in the news a lot lately. As healthcare moves online, it’s understandable that folks increasingly wonder about their health data and what steps are being taken to protect it. Unfortunately, there is also a growing amount of misinformation and confusion out there.
One recent example does not even involve health data, though opponents of the Affordable Care Act hope the confusion continues. In its efforts to prepare for October 1st enrollment, the federal government is setting up a data hub that will query government databases in order to provide real-time eligibility information for insurance applicants using the Affordable Care Act’s online exchanges. Certain members of Congress caused an uproar recently by questioning the security of this data hub. Their efforts to derail the ACA are further fueled by misleading reports that describe the hub as a massive database of sensitive health and financial information without proper security safeguards.
However, as astute observers have noted, there will be no health data stored in the hub. More importantly, the data hub will not actually store any personal data at all, but instead will route it temporarily from existing secure government databases in order to determine eligibility for Medicaid and private health insurance subsidies. While some important questions have yet to be answered, CMS has reiterated that privacy and security safeguards will be paramount once the hub is operational. These details receive little to no press, while countless editorials and blogs have fretted about a massive government database and its potential security risks.
The confusion surrounding this relatively simple and important IT strategy for the ACA is emblematic of broader misunderstandings about health data security and privacy. The Health Insurance Portability and Accountability Act, or HIPAA, contains strong provisions to safeguard and protect sensitive health information. However, in the course of doing so, this law and its associated regulations have together managed to confuse and scare patients, advocates and providers alike, often preventing them from using eHealth tools to communicate.
Many patients fear and do not understand what HIPAA allows or could enable their doctors and insurance companies to do with their personal information. Many doctors do not know that HIPAA does allow for electronic communications with patients, such as common unencrypted email or SMS. Many advocates and personal caregivers wonder what health information they should be able to view in order to serve their constituents, wards and loved ones. Unsurprisingly, existing guides to HIPAA compliance are written primarily by attorneys and regulators; they are not consumer- or patient-friendly.
Given this frustrating state of affairs, I was encouraged by David Harlow’s MedStartr proposal “Hacking HIPAA.” Why, you may ask, does Mr. Harlow want to “hack HIPAA” in the first place? There are a number of reasons to try to do this, but his efforts are admirable because they focus on improving the patient’s primary interaction with HIPAA: an exam room form called the Notice of Privacy Practices (NPP). As Mr. Harlow explains in his blog post, the NPP is different at virtually every physician’s office and hospital across the country. Every time they see a new provider, patients are expected to read and understand the NPP’s legal-ese in the context of the broader HIPAA regulations and then comprehend how it applies to their care and the management of their health data.
Mr. Harlow’s important proposal and the MedStartr campaign would “hack” the patient form by creating a common NPP form for all physicians’ offices. This would be a huge step in the direction of clarity and transparency. It also would clarify to patients that they can use SMS and email to communicate with their doctors, provided they understand and give the proper permissions.
I would take Mr. Harlow’s proposal a step further. Not only do patients deserve a clearly written and standardized NPP form, but an even simpler patient privacy “Bill of Data Rights” should be posted in large font on the walls of every waiting room. This placard should clarify and reinforce the key rights and protections guaranteed to patients under HIPAA. While most patients want online access to their health records and would like to use SMS to communicate with their doctors, many are unaware of their rights under HIPAA. They have the right to request their health data in the electronic or paper format that works for them.
The current state of affairs is pervasive and affects patients and providers across geographic, socioeconomic, ethnic and immigration status groups. Unsurprisingly, though, concerns and misconceptions over privacy rights and security risks pose an even greater threat to underserved groups. Underserved patients exhibit higher levels of distrust in the health care system, and many are particularly reluctant to share their health data because of immigration and legal status issues in their families. Disparities in literacy, health literacy and English proficiency further complicate this issue.
The fear and confusion surrounding HIPAA and its lack of clear guidelines will serve as a huge barrier to achieving eHealth equity. I encourage readers to check out and consider supporting Mr. Harlow’s MedStartr campaign. Hopefully it represents the first step toward a meaningful Patient Bill of Data Rights and regulations that enable rather than hinder electronic communications in healthcare.
Evan Gallagher is a policy analyst at ZeroDivide who has led projects and delivered market insights to Fortune 500 clients in the life sciences, pharmaceuticals, medical devices and healthcare logistics industries. He holds an M.P.P. from University of California, Berkeley.