Keep the Information Flowing
Small contributions go a long way. Your donation to Consumer Action, a 501 (c)(3) nonprofit, nonpartisan organization, can help us cover the cost of research, writing, and translation of our materials. To keep our services free for those who need them. Select an amount to give.
Published: October 2010
Give patients the tools they need to control their personal health information
Coalition: Coalition for Patient Privacy
In a letter that underscores the importance of patients controlling their medical information via privacy-enabling technology, Consumer Action and the Coalition for Patient Privacy answered the Department of Health and Human Services's call for comments on modifications to the HIPAA Privacy, Security and Enforcement Rules in the new HITECH (Health Information Technology for Economic and Clinical Health) Act.
Below is an excerpt from the letter:
The bipartisan Coalition for Patient Privacy is pleased to submit comments regarding the proposed rule-making on 45 CFR Parts 160 and 164. We applaud the efforts of the Department of Health and Human Services (HHS). Ensuring Americans’ health records are private is critical for health care and the success of health information technology (HIT).
We agree with many of the proposed rules. We also note that the new rights and requirements of the HITECH Act necessitate robust electronic consent and segmentation tools. For example, electronic consents that enable segmentation empower consumers to:
- consent to the sale of PHI
- disclose the “minimum necessary” information from EHRs for a particular purpose
- segment PHI if the treatment cost was paid out-of-pocket so that information is not disclosed to a health plan
- segment sensitive PHI as required by state law
- give consent to disclose addiction treatment records as required in 42 CFR Part 2
- enable veterans to consent to disclose PHI as required by USC 7332, Title 38, Veteran’s Benefits, Subchapter III—Protection of Patient Rights
We strongly recommend that HHS require the use of the consent and segmentation technologies showcased June 29th at the Consumer Choices Technology Hearing sponsored by HHS/ONC for all HIT systems, HIE, and the NHIN. The innovative, low-cost, effective privacy-enhancing technologies available that can empower patients to have “maximal control over PHI” should be viewed as what is possible now, not ten years from now. We urge you to go farther and faster to make President Obama’s commitment to building a truly patient-centric healthcare system a reality today.
The key way to build trustworthy systems that ensure consumer control over health information is to require robust electronic consent and segmentation systems in all certified EHRs, all HIEs, and all NHIN models.
It is essential for public trust to require purpose specification and authorization for all new uses or disclosures of PHI. Moreover, these protections must be required now. Public distrust is already so high that the success of the massive stimulus investments we are making in HIT and HIE are at great risk.
Ending secondary uses, onward data transfers, and disclosures of PHI can be achieved very quickly if HHS requires the use of privacy-enhancing technologies, such as Private Access , Critical Management for Behavioral Health Sciences , or the Department of Veterans Affairs consent systems for data use and/or exchange. Innovative technologies can enable robust electronic consent and segmentation functionalities. Consumers can be contacted automatically via computers or cell phones for any exceptions to their standing consent ‘rules’ or directives, or when new consents or authorizations are sought when CEs (Covered Entities), BAs, and health data users want to use PHI for new purposes. An example of a cell phone contact system the VA uses to contact patients to obtain consent to access PHI is Anakam’s Two Factor Authentication Platform. Anakam delivers authentication through the use of devices - such as cell phones, home phones, web-connected computers, office phones, voice biometrics, or OATH-compliant tokens.
Patient privacy can be assured with trustworthy systems using consent and segmentation systems. With meaningful enforcement of security and privacy we will be able to reap the benefits of HIT while preventing most harms. We stand with you to help this Administration carry out its new policy to put patients in control of who can access PHI.
We urge HHS to recognize that now is the time to require technology companies and their development teams to support our privacy rights and build consent and segmentation functionalities into the next generation of HIT systems.
Not long ago providers, CEs, BAs, and industry cited technology challenges and cost as excuses for not encrypting PHI; but HHS was not distracted by those voices. HHS’ requirements for breach notification and encryption fundamentally changed the market and raised the bar for critical consumer protections in electronic systems. What industry claimed was not practical or possible just 24 months ago, has quickly become standard practice.
Unless HHS makes similar clear and unambiguous recommendations to implement robust functionalities that support privacy, consent, and segmentation in HIT and HIE, HHS will set the nation on a privacy-destructive course that will take us well into the next decade to resolve and repair. During the next decade, if these privacy-enhancing requirements are not added to the meaningful use criteria, millions of health records will be endlessly disclosed, collected, misused, and sold, compromising people’s lives and reputations for generations. If HHS does not impose meaningful and comprehensive consent and segmentation requirements, industry will never improve existing primitive HIT and HIE systems and technologies.
Now is the time for HHS to build upon the strong privacy protections in existing federal law (not just in the HIPAA and the HITECH Act) to ensure that the stimulus billions are not wasted and the public’s trust in government, health technology, research, and the physician-patient relationship is not destroyed. Once trust is lost, it is very difficult to restore. Our best chance to build effective, efficient, high quality, useful HIT systems and data exchanges is to build in consumer control over PHI at the front end, as soon as possible.
Lead Organization
Other Organizations
American Association of People with Disabilities | American Civil Liberties Union | Cyber Privacy Project | The Doctor Patient Medical Association | The Fund for Genetic Equity | Gun Owners of America | JustHealth | The Multiracial Activist | Patient Privacy Rights | Private Citizen, Inc. | U.S. Bill of Rights Foundation | Representative Nancy Barto (R-AZ), Chairman, Health & Human Services Committee | Christine L. Borgman, Professor & Presidential Chair of Information Studies, UCLA | Prof. Chip Pitts, Stanford Law School & Oxford University; President, Bill of Rights Defense Committee
More Information
Notice of Proposed Rulemaking to Implement HITECH Act Modifications
Download PDF
No Download Available
Quick Menu
Support Consumer Action
Join Our Email List
Consumer Help Desk
- Help Desk
- Submit Your Complaints
- Presente su queja
- Frequently Asked Questions
- Links to Consumer Resources
- Consumer Service Guide (CSG)
- Alerts
- Consumer Booknotes