The Key to Health IT’s Success: A Comprehensive Privacy and Security Framework

Health information technology ("health IT") has been widely recognized as an essential tool in achieving a number of health care reform goals, including improving health care quality, reducing costs, increasing efficiency, and boosting consumer participation in their own health care. But without strong privacy and security protections in place, the risk of electronic health data falling into the wrong hands and being used for inappropriate purposes is amplified.

Survey data shows that the public is cognizant of both the benefits and risks of health IT. A large majority of consumers would like electronic access to their health data (for themselves and their providers), but are still concerned about the privacy of their data. How can we allay consumer fears, while building trust in health IT? The short answer is we need a comprehensive privacy and security framework that sets clear parameters for access, use and disclosures of personal health data for all entities engaged in health IT. Such a framework will build consumer trust in health IT, and help us to fully realize its benefits.

Fortunately, the timing for such efforts could not be better given the "perfect storm" of developments in health care reform in general, and health IT in particular. Health care reform bills currently circulating in Congress underscore the importance of health IT in making health care reform a reality. And, with the passage of the American Recovery and Reinvestment Act of 2009 (ARRA) back in February, which committed billions to the expansion of health IT, doctors and hospitals are likely to adopt health IT (through financial incentives) at a faster pace over the next several years. ARRA also includes the most significant improvements in health privacy that we've seen in a decade, including substantive changes to the federal health Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA), which limits how "covered entities" (including health plans, health care providers, and health care clearinghouses) can use and disclose personal health data.

What ARRA does not articulate, however, is a clear, comprehensive framework that can guide policymakers, key regulatory agencies tasked with fleshing out the health privacy provisions in ARRA, and developers of health IT systems in establishing proper privacy and security protections for personal health data.

Luckily, a framework for health IT already exists in the form of the generally accepted "fair information practices" (FIPS) that have been used to shape policies governing use of personal data in a number of contexts, including the HIPAA Privacy Rule. While there is no single formulation of the FIPS, the Common Framework developed by the Markle Foundation's Connecting for Health initiative would implement core privacy principles, adopt trusted network design characteristics, and create oversight and accountability mechanisms.

One important element of the Markle framework allows for consumer engagement in health care through informed decision-making. But while consumers must be informed about uses and disclosures of their health data, and there are uses and disclosures that should require consumer authorization, consent alone cannot be a substitute for a comprehensive approach to privacy and security that protects consumers and builds trust. Relying solely on consent places an unfair burden on consumers, and often leads to "all-or-nothing" blanket consents that provide them with little meaningful ability to control how they want to share their personal health data, and with whom. An over-reliance on consent can also create a sense of immunity among those who keep personal health data and impede their motivation to develop strong privacy and security protections for this data. A comprehensive approach can avert some of these unintended consequences, and provide meaningful choice and protections for consumers.

Health IT adoption is already underway and will likely ramp up as more providers qualify for financial incentives under ARRA. As such, the time to establish effective privacy and security protections for personal health data is now. Trying to institute protections retroactively, and restoring public trust that has been significantly undermined is a lot harder than building it from the get-go. A comprehensive privacy and security framework can help facilitate this process for both traditional and non-traditional entities that keep personal health data.