Health Record Banks Enable Secondary Data Use with Privacy Protection
William A. Yasnoff, MD, PhD, FACMI, CEO, Health Record Banking Alliance

Presentation transcript:

Slide 1: Health Record Banks Enable Secondary Data Use with Privacy Protection
William A. Yasnoff, MD, PhD, FACMI, CEO, Health Record Banking Alliance
NCVHS Secondary Data Uses Work Group, Hyattsville, MD, July 19, 2007
© 2007

Slide 2: Health Record Banking Alliance
- Virginia non-profit formed 6/06; first met 9/06
- Purpose: promote the concept of health record banks:
  - Consumer-controlled independent repositories of health records
- Broad participation, no formal membership
  - HIT vendors & organizations
  - Health record bank organizations
  - Consultants (HIT & health policy)
  - Privacy advocates
  - 100+ on list
- Monthly Meetings
- Draft principles developed & posted on web

Slide 3: Policies Needed to Achieve Effective Secondary Data Use
- Strong public support of secondary use
  - 81% support use of electronic health records for research [Markle Foundation 9/05]
- But public also wants control of their information [Harris Interactive/WSJ 9/06]
  - 64% of adults said they would like to have access to an electronic medical record (EMR) to capture medical information
  - 62% agree that "electronic medical record use makes it more difficult to ensure patient privacy."

Slide 4: Policies Needed for Secondary Data Use (cont.)
- Policies needed:
  - Individual right to medical privacy
  - Individual may own a complete copy of all their medical records
  - Individual controls ALL use of their medical information
  - Consent required for any use
    - May be provided in advance
    - May be granted for person, organization, specific study, etc.
    - Specific to single purpose only

Slide 5: Adequacy of Privacy Protection Under Current Law
- HIPAA regulations are inadequate
  - Treatment, payment, operations (TPO) exceptions seem reasonable
  - However TPO determination is done by organization that has data
  - No disclosure, reporting, or effective oversight
  - Not consistent with Fair Information Practices (HHS, 1973)
- No technical reason why individual consent cannot be obtained

Slide 6: Uses of Health Data with Insufficient Protection
- All uses have insufficient protection because HIPAA is inadequate
- No disclosure of specific uses
- Individuals cannot opt out of use of their information
- Individuals cannot find out what their information is used for
- Individuals cannot prevent their information from being used against them
- "De-identification" is virtually never absolute -- data can usually be re-identified
- Violates Hippocratic Oath

Slide 7: Other NHIN-related health information use issues
- Requirements for Community Health Information Infrastructure
- Health Record Banking Model
- Secondary Use Implications
- Policy Recommendations

Slide 8: Components of a Community Health Information Infrastructure
- Complete Electronic Patient Information
- Stakeholder cooperation
- Financial Sustainability
- Public Trust

Slide 9: Complete Electronic Patient Information
- Most information is already electronic: Labs, Medications, Images, Hospital Records
- Outpatient records are mostly paper
  - Only 10-15% of physicians have EHRs
  - Business case for outpatient EHRs weak
- For outpatient information to be electronic, need financial incentives to ensure that physicians acquire and use EHRs
- Requirement #1: Financial incentives to create good business case for outpatient EHRs

Slide 10: Complete Electronic Patient Information
- Need single access point for electronic information
- Option 1: Gather data when needed (scattered model)
  - Pro: 1) data stays in current location; 2) no duplication of storage
  - Con: 1) all systems must be available for query 24/7/365; 2) each system incurs added costs of queries (initial & ongoing); 3) slow response time; 4) searching not practical; 5) huge interoperability challenge (entire U.S.); 6) records only complete if every possible data source is operational

Slide 11: Complete Electronic Patient Information
- Need single access point for electronic information
- Option 2: Central repository
  - Pro: fast response time, no interoperability between communities, easy searching, reliability depends only on central system, security can be controlled in one location, completeness of record assured, low cost
  - Con: public trust challenging, duplicate storage (but storage is inexpensive)

Slide 12: Complete Electronic Patient Information
- Need single access point for electronic information
- Requirement #2: Central repository for storage

Slide 13: Stakeholder cooperation
- Voluntary: Impractical
- Financial incentives
  - Where find $$$$$?
- Mandates
  - New: Impractical
  - Existing
    - HIPAA requires information to be provided on patient request
- Requirement #3: Patients must request their own information

Slide 14: Financial Sustainability
- Funding options
  - Government
    - Federal: unlikely
    - State: unlikely
    - Startup funds at best
  - Healthcare Stakeholders
    - Paid for giving care
    - New investments or transaction costs difficult
  - Payers/Purchasers
    - Skeptical about benefits
    - Free rider/first mover effects
  - Consumers
    - 72% support electronic records
    - 52% willing to pay >=$5/month
- Requirement #4: Solution must appeal to consumers so they will pay

Slide 15: Public Trust
A. Public Trust = Patient Control of Information
- Requirement #5: Patients must control all access to their information

Slide 16: Public Trust
B. Trusted Institution
- Via regulation (like banks) impractical ??
- Self-regulated
- Community-owned non-profit
- Board with all key stakeholders
- Independent privacy oversight
- Open & transparent
- Requirement #6: Governing institution must be self-regulating community-owned non-profit

Slide 17: Public Trust
C. Trustworthy Technical Architecture
- Prevent large-scale information loss
- Searchable database offline
- Carefully screen all employees
- Prevent inappropriate access to individual records
- State-of-the-art computer security
- Strong authentication
- No searching capability
- Secure operating system
- Easier to secure central repository: efforts focus on one place
- Requirement #7: Technical architecture must prevent information loss and misuse

Slide 18: Health Record Banking Model
- All information for a patient stored in Health Record Bank (HRB) account
- Patient (or designee) controls all access to account information [copies of original records held elsewhere]
- Each HRB has three interfaces:
  - Withdrawal window - record access
  - Deposit window - receives new info
  - Search window - authorized requests
- When care received, new records sent to HRB for deposit in patient's account
- All data sources contribute at patient request (per HIPAA)

Slide 19: Health Record Banking
[Diagram labels: Clinical Encounter; Clinician EHR System; Encounter Data Entered in EHR; Encounter data sent to Health Record Bank; Clinician Inquiry; Patient Permission? (NO: DATA NOT SENT; YES: Patient data delivered to Clinician); Optional payment; Clinician's Bank; Secure patient health data files]

Slide 20: Secondary Use Implications
- Privacy is protected through consumer control
  - Each consumer customizes their own privacy policy
- Health record banks facilitate secondary use
  - Searches over populations easy
    - Not necessary to release data
    - Counts of matches with demographics normally sufficient
    - Eliminates issues of "de-identification" and reuse
  - Can combine searches over multiple banks
  - Banks can notify individuals without knowledge of searchers (e.g. for clinical trial recruitment, drug withdrawal from market)
  - Banks collect fees to share with consumers
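
Added example (not part of the presentation): a minimal sketch of the "search window" on the slide above, in which each account carries its own single-purpose consents and a search returns only counts by demographic cell, combined across two banks. All class, function and field names are hypothetical, the data is constructed, and the small-cell threshold MIN_CELL is an added assumption that the slides do not specify.

```python
# Hypothetical model of a health record bank search window; names are illustrative.
from collections import Counter
from dataclasses import dataclass, field

MIN_CELL = 3  # assumption (not from the slides): withhold demographic cells smaller than this

@dataclass
class Account:
    patient_id: str
    age_band: str
    sex: str
    diagnoses: frozenset
    # Single-purpose consent: each grant names one requester and one purpose.
    consents: set = field(default_factory=set)

class HealthRecordBank:
    def __init__(self, name):
        self.name = name
        self._accounts = {}   # records never leave the bank through search()
        self.audit_log = []   # every search is recorded for independent audit

    def deposit(self, account):
        self._accounts[account.patient_id] = account

    def grant(self, patient_id, requester, purpose):
        self._accounts[patient_id].consents.add((requester, purpose))

    def revoke(self, patient_id, requester, purpose):
        self._accounts[patient_id].consents.discard((requester, purpose))

    def search(self, requester, purpose, diagnosis):
        """Search window: return counts per (age_band, sex), never records or IDs."""
        cells = Counter()
        for acct in self._accounts.values():
            if (requester, purpose) not in acct.consents:
                continue      # default deny: no consent for this exact purpose
            if diagnosis in acct.diagnoses:
                cells[(acct.age_band, acct.sex)] += 1
        released = Counter({k: n for k, n in cells.items() if n >= MIN_CELL})
        self.audit_log.append((requester, purpose, diagnosis, sum(released.values())))
        return released

def combined_search(banks, requester, purpose, diagnosis):
    """Sum per-bank counts; each bank has already applied its own consent checks."""
    total = Counter()
    for bank in banks:
        total += bank.search(requester, purpose, diagnosis)
    return total

def build_demo_banks():
    """Constructed sample data: two banks, eight accounts, all with 'diabetes'."""
    a, b = HealthRecordBank("bank-a"), HealthRecordBank("bank-b")
    rows = [  # (bank, patient_id, age_band, sex, consents to univ-lab/study-1)
        (a, "p1", "40-49", "F", True), (a, "p2", "40-49", "F", True),
        (a, "p3", "40-49", "F", True), (a, "p4", "40-49", "F", False),
        (a, "p5", "60-69", "M", True), (b, "p6", "40-49", "F", True),
        (b, "p7", "40-49", "F", True), (b, "p8", "40-49", "F", True),
    ]
    for bank, pid, age, sex, consents in rows:
        bank.deposit(Account(pid, age, sex, frozenset({"diabetes"})))
        if consents:
            bank.grant(pid, "univ-lab", "study-1")
    return a, b
```

In the sample data, the single 60-69/M account is withheld as a cell of one, and a request under any purpose other than "study-1" matches nothing because consent does not carry over between purposes.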

Slide 21: Policy Recommendations (1 of 2)
1. Consumer has complete legal ownership and control of health record bank information
   - No exceptions needed as copies of information are elsewhere
   - Information protected from
     - Change in ownership
     - Failure of customer payment
     - Bankruptcy
   - Consent for single-purpose access only
   - No coerced consent
2. All holders of electronic medical information required to provide it within 24 hours of creation at no charge (on patient request)

Slide 22: Policy Recommendations (2 of 2)
3. Include health record banks as covered entities under HIPAA
   - Cover personal health information in all locations
4. Require independent privacy & confidentiality audits of health record banks
   - Certification of auditing entities
   - Public disclosure of audits
5. Require security procedures sufficient to enforce privacy & confidentiality policies

Slide 23: Questions?
William A. Yasnoff, MD, PhD, FACMI
703/
For more information: