A story published this week in the New York Times highlights some of the key privacy concerns many Europeans have with U.S. data collection practices, particularly those followed under the justification of preventing terrorism. The article focuses on the experiences of European Parliament member Sophie In ’t Veld, who became so frustrated at her inability to learn exactly what information U.S. government agencies were holding on her that she filed a lawsuit in federal court with the assistance of the Electronic Frontier Foundation. The lawsuit, naming both the Department of Homeland Security and the Department of Justice as defendants, was dismissed after DHS asserted that it had performed an adequate search as In ’t Veld requested (and as it is obligated to do under FOIA, the law under which she sued). That leaves the plaintiff in a situation where she believes (correctly or not) that there is more data about her on file within U.S. federal agencies than has been disclosed, and where the government does not necessarily disagree, but basically says it provided enough information to comply with the request.
This case serves as perhaps the highest profile example of the practical impact of the different philosophical approaches in the U.S. and in Europe regarding the privacy of personal information. Such differences have led to the failure to reach agreements on financial information sharing intended to help combat terrorism by identifying its sources of funding. The collection and maintenance of airline passenger data for comparison to a variety of terrorist watchlists has historically been another sticking point between the U.S. and European Community countries, although the question at issue now is not so much that the data is being collected, but that individuals who can presumably demonstrate that they are not terrorists have little or no visibility into the data being stored about them. U.S. authorities have consistently defended their anti-terrorism efforts since 9-11 and before, but in keeping with the conventional “ask first” privacy practices that are the rule in Europe, Europeans believe that the U.S. should have to do more to prove that its data collection and use for anti-terrorism purposes are actually necessary, rather than individuals having to prove that the practices cause them harm.
On its face, In ’t Veld’s desire to know what data the U.S. government has stored about her seems quite reasonable, not just because of her repeated experience of being selected for secondary security screening while traveling, but also because the ability of individuals to find out what information is stored about them and how it is used is one of the core privacy principles embedded in all of the major privacy frameworks. This principle of access was articulated as one of the five fair information practices included in a landmark 1973 report from the Department of Health, Education, and Welfare entitled “Records, Computers and the Rights of Citizens” and was later reflected in U.S. legislation including the Privacy Act of 1974 and in international privacy frameworks such as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. It should be noted that neither of these important privacy drivers is relevant to In ’t Veld and her requests to U.S. government agencies, as the OECD Guidelines are just that — guidelines, without the force of law — and the Privacy Act’s provisions for records on individuals apply only to U.S. citizens and permanent resident aliens (5 U.S.C. §552a(a)(2)).
In a follow-up to a HIPAA breach at Las Vegas’ University Medical Center reported last November, the FBI investigation into the matter has resulted in an indictment of the UMC employee allegedly responsible for selling data about medical center patients to personal injury lawyers. The criminal case is being brought by federal prosecutors under the authority of the protected health information provisions in HIPAA, and in accordance with the penalties for such violations, the accused could be put in jail for up to five years and fined as much as $250,000. The fact that the investigation has come to this may be slightly less surprising following the announcement this week of the first criminal prosecution under HIPAA to result in jail time, a milestone achieved by federal prosecutors in California. When the Las Vegas matter was first made public, there was speculation in the local media that UMC had little reason to be concerned about the breach, given the rarity of significant penalties resulting from HIPAA violations. The indictment would seem to suggest that HIPAA enforcement is in fact getting stronger since the passage of the HITECH Act. It remains to be seen whether the hospital will suffer direct consequences from this incident, presumably depending in part on whether anyone can show that UMC was aware or should have been aware of the actions of its employees. Other stories about the investigation have suggested that at least one local physician (not a UMC employee) knew that personal information on patients was being leaked. Both before and after the specific situation under investigation, UMC has had problems with privacy lapses and the loss or theft of protected health information.
Under the strengthened HIPAA enforcement provisions in the HITECH Act, both federal and state prosecutors would be able to bring civil or criminal action against the hospital, either on behalf of individual patients who suffered some harm due to the breaches, or because of the pattern of HIPAA violations that has emerged since the hospital came under closer scrutiny.
In the wake of privacy concerns expressed by four U.S. senators about Facebook’s decision to change the way it shares user data with third parties, the Federal Trade Commission (FTC) announced it plans to create a regulatory framework of Internet privacy guidelines that would constrain data sharing practices among many types of online businesses, including social networking sites. In a press release posted on his official website, Senator Charles Schumer of New York urged the FTC to provide guidance to social networking sites to prevent the sort of changes in the handling of personal information recently implemented by Facebook with the launch of several new services. Schumer seems particularly upset that Facebook now makes public some data that users may have previously kept private through the site’s privacy settings, and did so without users’ consent (there is an opt-out provision, but by default the data is now disclosed, regardless of whatever privacy settings had been in place previously). There are of course very few existing privacy regulations that come into play for social networking sites — aside from those like COPPA that govern personal data collection from children under 13 — particularly since the companies don’t typically have commercial transactional relationships with their users. Schumer wants the FTC to take a close look at the privacy practices employed by Facebook and similar sites under its statutory authority to enforce unfair and deceptive trade practice rules, but he and the other senators are also advocating the development of new privacy regulations that would apply specifically to social networking sites. He went so far as to say that if the FTC believes it lacks the authority to specify and enforce the privacy practices of social network operators, he would “support them in obtaining the tools and authority to do just that.”
The Department of Health and Human Services announced its plans to propose a new set of rules strengthening the privacy and security of protected personal health information. The rules will implement various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which served to augment protections originally established under HIPAA. The forthcoming rules will make explicit several of the changes in the privacy portion of the HITECH Act (Subtitle D, §§ 13400-13410). The public notice announcing the intent to issue rules gives no details on what specific aspects of the law the rules will address, but based on a short note posted by HHS, the current focus seems to be on business associate liability for complying with HIPAA Privacy and Security Rule requirements; limits on the sale of protected health information; improved rights of access by individuals to their health data; and new restrictions on personal data disclosure. Rules have already been released related to some of the other privacy provisions in this same section of the law, covering health data breach notification and stronger enforcement of HIPAA Privacy Rule violations, including a private right of action for individuals. The legal actions initiated by the Connecticut Attorney General against HealthNet after its data breach were made possible by the enforcement rules. Looking at the text of the law in these areas, the new rules appear likely to cover the following:
Another interesting briefing coming out of the ONC Health IT Policy Committee meeting this week was a presentation from Privacy and Security Workgroup chair Deven McGraw, which highlighted the workgroup’s current focus on privacy protections in health information exchanges, with particular emphasis on the question of how to handle consumer/patient preferences, consent, and control over the use and disclosure of personal health data. While the workgroup is not ready to take a formal position on this issue, McGraw explained that they hope to present specific recommendations at the next Policy Committee meeting, currently scheduled for May 19. The workgroup’s focus on privacy and security from a patient-centric perspective appears to complement the five essential elements the NHIN Workgroup has proposed to constitute a trust framework, one that includes sufficient security and privacy provisions, oversight and enforcement, and technical capabilities to serve as an enabler of health information exchange (HIE). The NHIN Workgroup is focusing on trust as a prerequisite for HIE participants to realize the value of exchanging data, while the Privacy and Security Workgroup is looking at building trust among individuals, including providers and patients as well as the public in general.
While everyone is in violent agreement that a better foundation of trust is needed before the grand vision for health information exchange can be achieved, it shouldn’t be lost on anyone that it is exceedingly difficult to arrive at a common framework of trust when different stakeholders have different goals and priorities for adopting electronic health records and exchanging the data those records contain. Many of the anticipated benefits from interoperable electronic health records rely on widespread adoption of health information technology and universal participation among individuals, stemming from President Obama’s January 2009 call for every American to have an electronic health record by 2014. For patients, the key challenge seems to be ensuring sufficient privacy and security protection to give individuals confidence in the EHR systems and in the use of their data, so that they want to have their health records in electronic form at all. Putting patients in control of their data and capturing and using patient consent and usage preferences seems to be the favored way to engender trust among individuals, but in doing so the value of health information exchange in improving quality of care may be negatively impacted. If consent is enabled at a level of granularity that allows individuals to keep certain portions of their health records hidden, the result for anyone requesting access to those records through health information exchanges may be incomplete data. Depending on the nature of the data omitted from an ostensibly comprehensive view of a patient, the risk of clinical mistakes due to incomplete records goes up, threatening the improvements in quality of care and reduction in medical errors that electronic health records are intended to produce.
The importance of complete information in clinical care settings is well established. It’s not by accident that data disclosure for the purpose of treatment is explicitly exempt from the consent requirements that apply to some other uses of health data under the HIPAA Privacy Rule. The Health IT Policy Committee has among its members practicing physicians whose views illustrate the two sides of the granular consent debate: Dr. Charles Kennedy of Wellpoint shared an example of a situation where access by one type of practitioner to health record data related to a different type of care (specifically, an internist seeing medications prescribed for a patient by a psychiatrist) upset the patient in question and fell short of yielding the sort of privacy protections patients seem to want. In contrast, Dr. Michael Klag of Johns Hopkins objected to the idea of giving patients such granular control over their health records, even if patients are made aware of the potential dangers of withholding medical information. The approach of requiring data disclosure for treatment (that is, of exchanging data without seeking consent) might satisfy clinicians, but as we noted in this space last week, surveys suggest that absent some degree of control over health data disclosure, many patients may opt to withhold information from their doctors rather than have the information become part of their records. It is hard to imagine how better health care outcomes can result if individuals are able to selectively withhold data from medical providers.
Finding the right balancing point between patient privacy and consent on the one hand and the utility of data shared through health information exchange on the other is more a business and policy problem than it is a technical challenge, although the technical means of enabling granular consent in EHR or supporting health IT systems are far from trivial. It seems that managing consent on the basis of the purpose for which health data is requested might be a more suitable starting point for finding a workable solution to this issue. Such an approach has the advantage of following the requirements of all the major federal privacy laws and of being consistent with the Nationwide Privacy and Security Framework, which includes the core privacy principles upon which the Privacy Act and other legislation are based and which privacy advocates argue should be directly reflected in health IT initiatives like the NHIN and in health IT adoption programs like meaningful use.