HHS head calls for voluntary e-health privacy guidelines

Secretary Leavitt says government mandates for guarding the private medical information in personal electronic records could stymie the adoption of e-health record systems nationwide.

The head of the Health and Human Services Department called for the health care industry to develop voluntary guidelines to ensure the privacy of patient-controlled personal health records rather than allow the federal government to mandate rules.

HHS Secretary Mike Leavitt, speaking Monday at the Nationwide Health Information Network Forum in Washington, said if the government mandated how vendors must protect the privacy of personal electronic health records, then he would not see widespread adoption of e-health records "in my lifetime."

He said the government should develop basic privacy guidelines, but should not establish privacy rules.

Government is moving rapidly to adopt e-health records under the belief that moving from paper records to digital ones will improve health care quality and reduce costs. HHS and the Defense Department's Military Health System recently launched personal health record trials in hopes the projects would jump-start their use nationally. MHS began testing a patient-controlled personal health record program this month. The project provides patients at the Madigan Army Medical Center in Tacoma, Wash., the chance to use online health records programs provided by Google and Microsoft.

Last month, the Centers for Medicare and Medicaid Services tapped Google Health, HealthTrio, NoMoreClipBoard.com and PassPortMD to participate in a personal health record trial in Arizona and Utah, which is scheduled to start in early 2009.

Leavitt said members of the public should be allowed to choose the level of privacy they want associated with their health records, and they should understand the balance of risks and rewards of sharing either too much or too little health information with a network of health providers. Consumers already have a wide choice of personal health record vendors, he said, and the marketplace develops systems that guarantee the security of sensitive health information.

Leavitt developed a set of guidelines to ensure the privacy of personal health records, including sharing health information from personal health records. Patients should be able to identify the clinicians who can have access to their information. A system also should include an easy to read summary of the physicians who received a patient's information and how it was shared, he said.

HHS has started to develop a voluntary tool kit for personal health record vendors that would demonstrate the vendors' commitment to transparency and security. Leavitt said the tool kit would be available before President-elect Barack Obama is inaugurated on Jan. 20.

George Scriban, senior global strategist for the Microsoft health group, said the company has built privacy, strong user controls and transparency into its Health Vault's personal health record based on serious consumer concerns about the collection, sharing and storage of health information.

Health Vault users have explicit control over who can share their information and how it is shared, "and we are very clear that the central tenet of Health Vault is consumer control," Scriban said.

As a healthy, 40 year old, Scriban wants to tightly control the release of his health information. But, he said, if he developed life-threatening pancreatic cancer, for example, he would want his patient information shared with a range of clinicians, including those who use experimental therapies. Health Vault has built-in controls that allow widespread sharing of medical information, he said.

The industry needs minimum and mandatory privacy guidelines for personal health records so the "vendor community views privacy and security seriously as the price of admission" into the market, said Jeff Donnell, chief marketing officer for NoMoreClipBoard.com.

NoMoreClipBoard.com, like Microsoft, allows subscribers to control who has access to their health information, which in some cases might be limited to five health care providers. But, subscribers also have the option to allow information to be shared through the National Health Information Network, so an emergency room doctor in any city can access their health data in case of an accident.

Dr. Deborah Peel, who founded Patient Privacy Rights, an advocacy group working to ensure medical information remains confidential, said transparency is meaningless unless effective audit trails are present that show who accessed a patient's health information, when it was accessed and where. For example, Peel said transcription of medical records has been outsourced to Pakistan and in 2003 a transcriber in Pakistan threatened to post online the medial records from the University of California's San Francisco Medical Center unless she received money.

Scriban said Health Vault includes an audit function that provides highly detailed information, including, when blood pressure was taken and how that data was uploaded from a particular device to the personal health record.

Leavitt said he views personal health records as a way to provide information for research purposes like determining the percentage of diabetics in the population, after all personally identifying data is removed. Microsoft and NoMoreClipBoard don't make medical information available because of consumers' concerns about the privacy risks of medical data, Scriban and Donnell said.

Health information, stripped of its personally identifiable information, still poses a privacy threat that HHS has not addressed, despite warnings that smart researchers can identify patients despite redacted information. Critics point to a 1997 case involving Latanya Sweeney, a Carnegie Mellon University computer science professor, who demonstrated how the medical record of William Weld, governor of Massachusetts at the time, could be identified among a database of medical records using his date of birth, gender and ZIP code. Sweeney said 87 percent of the U.S. population is uniquely identified by date of birth, gender and five-digit ZIP code.

Leavitt believes the incoming Obama administration will back health information technology, including finding a place for it in the planned economic stimulus package. But developing a nationwide electronic record system by 2014 as envisioned by President George Bush will require "hard, boring work" on standards and regional health information exchanges not discussed "by the two-minute speech on health IT that everyone now seems to have," Leavitt said.