Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Wednesday, September 22, 2010

Health data privacy remains a key factor in slower U.S. adoption of EHRs

A newly released paper by four academic researchers comparing electronic health record adoption in the United States and European Union concludes that concerns over privacy of health record data remain the key obstacle to broader EHR use in the United States. The paper, "Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared," co-authored by Wade Chumney of Georgia Tech, Janine Hiller and Matt McMullen of Virginia Tech, and David Baumer of North Carolina State, assesses the legal privacy protections in place for health information in both the US and EU, and attribute the much greater penetration of EHRs in many European countries (such as Holland, where nearly all residents have EHRs) to the stronger privacy regulations. Specifically, the researchers point to a notable lack of public support for health IT such as EHRs in the United States, and key differences in legal and policy approaches to data privacy in the US and EU, where the American stance is seen as more reactive compared to the EU's proactive approach. The recommendations in the report include suggestions that US health data privacy laws be strengthened (beyond the impact of HITECH on HIPAA) in areas such as giving a private right of action to individuals who suffer from violations of privacy laws, implying that affording redress rights to individuals would help overcome privacy-driven reluctance about using EHRs. It remains to be seen whether the Department of Health and Human Services' Office for Civil Rights, has the resources and resolution to follow through on its stated intentions to more vigorously and proactively enforce federal health data privacy and security regulations, and if so, what impact stronger enforcement might have on public perceptions about data privacy in healthcare.

While it's hard to argue against implementing better protections for health data and stronger enforcement of current privacy laws, greater efforts are also needed to educate consumers (and healthcare providers) about health IT and its capabilities. In a blog post published on Tuesday, MEDecision's Eric Demers warns that excessive fears about health information privacy threaten to needlessly slow EHR adoption, a situation that could be avoided with a combination of better enforcement of existing legal safeguards like those under HIPAA overseen by HHS' Office for Civil Rights, and with broader education of consumers about the strength and effectiveness of existing EHR security. When available security mechanisms are actually implemented and configured correctly, it is probably true that the risk of loss of confidentiality or integrity for electronic health record data is commensurate with online retail or banking, as Demers suggests. But if a consumer's data is stolen in those domains, there is typically very little loss incurred (with the obvious exception of cases where the stolen data enables identity theft), because laws and business practices in e-commerce and banking mean that the businesses shoulder all the financial burden, so the customer is rarely if ever hurt out of pocket. This is not the case for health data, or more importantly perhaps it is not perceived to be the case, as people seem to take think the loss or theft of their medical record data is much more dire than losing some personal financial information. Also, the personal data associated with retail and banking transactions is not nearly as sensitive (to most people) as their health data is — it's trivially easy to change an account number, get a new credit card, or restore stolen funds. What this may mean is that EHR vendors and health care users of health IT may need to convince people that health data privacy and security protections are more robust or provide better protection than controls in situations with which they are already familiar.

No comments:

Post a Comment