Is Your HIE Taking Privacy Seriously Enough?

In late June, it was reported that the Rhode Island affiliate of the American Civil Liberties Union (ACLU) was bringing suit against the Rhode Island Department of Health, claiming that the rules adopted by DOH to establish a statewide HIE do not go far enough, nor are they explicit enough, to protect patient privacy.

In its suit, the ACLU asks the Rhode Island State Superior Court to declare the rules made public by the DOH “incomplete and not compliant with HIE requirements.” The ACLU’s suit asks that the state follow the normal regulatory process and that regulations setting up the HIE should be as detailed as possible. DOH had previously announced that the details of the HIE’s privacy and security guidelines would be addressed through the adoption of policies that would be made public through policy statements. However, under RI law, such policy statements need not be as detailed nor are subject to the same level of public notice and comment required for permanent regulations, which have the force of law.

The Rhode Island story should be taken as a cautionary tale for other statewide, as well as community-based HIEs. HIEs must be better positioned to respond to the concerns of patient privacy advocates and an increasingly aware, and growingly skeptical, public. But they apparently are not doing so. For some insight into the current “state of the art,” so to speak, I recommend you read the Patient Privacy section of the latest eHI HIE survey, published earlier this year. Here are a few “lowlights” from the results of the 2010 survey. eHI received 199 responses, though not all entities responded to all questions.

At a minimum, all initiatives are required to abide by HIPAA standards, although the majority of respondents indicated that they have policies that go beyond HIPAA. However:

• 36 respondents, 13 of which are state designated entities, said they have no policies in place or in development beyond HIPAA
• While 86, including both private and state-designated entities, allow patients to decide which providers can have access to their data, 56 reported that they do not allow patients to choose
• Only 36 initiatives have an opt-in policy where patients must give consent to have their data included
• 81 initiatives have an opt-out policy, where patients’ data is automatically included but they can choose to withdraw
• Of the 81 with an opt-out policy
  • 61 initiatives use a global opt-out/opt-in policy
  • 36 allow patients to prohibit access to data by healthcare provider organization
  • 34 allow patients to prohibit access to data at the individual provider level
  • 14 allow patients to prohibit access to Emergency-related encounters
  • Only 13 allow patients to block access to individual data elements
  • 27 were unsure of their policy (!!), and 56 chose not to answer

In my opinion, it is facts such as these that suggest other local ACLU chapters around the country will be looking closely at how events in Rhode Island evolve. What do you think?  If your organization participates in some form of data sharing, whether only within your health system or as part of a wider community, what kind of privacy policies are in place?  Do you think they are adequate?



Related Posts:

• Shifting Privacy Landscape Complicates HIE Efforts
• Privacy & Security Tiger Team Hunts Balance
• My Top Security Priorities for 2014
• Creating A Security Culture
• EHNAC Opens Comment Period on HIE Accreditation