Health Data Flows: Where PETs Can Help PORTIA Workshop on Sensitive Data July 8, 2004 Anna Slomovic, PhD Electronic Privacy Information Center

EHRs Promise Great Things Improve quality of care Improve quality of care Reduce duplication Reduce duplication Reduce medical errors Reduce medical errors Provide the right care at the right time and place Provide the right care at the right time and place Increase access to care Increase access to care Reduce administrative burden Reduce administrative burden Improve research and public health Improve research and public health Implication: broader and more frequent access to PHI

EHRs Create New Privacy Concerns for Patients Reduced ability to shield sensitive information Reduced ability to shield sensitive information Inability to “leave the past behind” Inability to “leave the past behind” Inability to refuse participation in certain activities, e.g., research? Inability to refuse participation in certain activities, e.g., research? Linking between health information and other information, e.g., welfare Linking between health information and other information, e.g., welfare To maximize patient privacy, the best EHR is highly fragmented with fragments under patient control

EHRs Create New Privacy Concerns for Physicians Reduced autonomy in the practice of medicine Reduced autonomy in the practice of medicine Tracking of utilization and compliance with care guidelines Tracking of utilization and compliance with care guidelines “Pay for performance” “Pay for performance” Reduced ability to provide autonomy to patients Reduced ability to provide autonomy to patients To maximize physician privacy, the best EHR allows physicians role-based access

Outline Privacy concerns raised by EHRs Privacy concerns raised by EHRs The current data flows The current data flows How PETs can help How PETs can help

Existing Regulations Permit Data Flows Without Patient Consent Treatment Treatment Payment Payment Health care operations Health care operations Public health Public health “Required by law” “Required by law” Health system oversight Health system oversight Reporting victims of abuse and neglect Reporting victims of abuse and neglect Law enforcement, judicial and administrative proceedings, specialized government functions Law enforcement, judicial and administrative proceedings, specialized government functions Research (with some restrictions) Research (with some restrictions) Permitted disclosures without patient consent number in the dozens

Patients May Not Know What the Terms of “Notice” Mean Health Care Operations Health Care Operations Legal, accounting, auditing services Legal, accounting, auditing services General administration General administration Also Health Care Operations Also Health Care Operations Outcomes evaluation and guidelines development Outcomes evaluation and guidelines development Accreditation of professionals Accreditation of professionals Training of health care and non-health care workers Training of health care and non-health care workers Fundraising for the health care entity Fundraising for the health care entity Data analysis for plan sponsors or customers Data analysis for plan sponsors or customers Detection of “fraud, waste and abuse” Detection of “fraud, waste and abuse”

Who Performs “Health Care Operations”? Consultants Consultants Lawyers Lawyers Accountants Accountants Medical transcription companies Medical transcription companies Software development and maintenance contractors Software development and maintenance contractors Medical equipment manufacturers and service companies Medical equipment manufacturers and service companies Pharmacy benefits managers Pharmacy benefits managers Document scanning or data input companies Document scanning or data input companies Offsite records storage companies Document destruction companies Credentialing organizations Accreditation agencies Licensing agencies Medical schools Training companies Banks External fundraising agents Collection agencies Secondary users not regulated by HHS

“ Consumers who examine the audit trails of access to their data may be surprised by how many different people and entities access their data. These are not security violations, but routine clinical and business uses of identified clinical data. … [C]onsumers will have to be educated about the realities of how their personal health information is used.” D. J. Brailer et al., Moving Toward Electronic Health Information Exchange: Interim Report on the Santa Barbara County Data Exchange, prepared for the California HealthCare Foundation, July 2003 “[T]he very benefit of regional information exchange arises from physician adoption, and if physicians are reticent to participate in something that might be used against them (or simply fear that it could be used against them), then this benefit of physician practice evaluation may have to be foregone for the foreseeable future.”

Outline Privacy concerns raised by EHRs Privacy concerns raised by EHRs The current data flows The current data flows How PETs can help How PETs can help

We Need to Return to Basic Questions Should all health care providers have access to all PHI? Should all health care providers have access to all PHI? Should secondary users have access to PHI without patient or physician consent? Should secondary users have access to PHI without patient or physician consent? How can EHR systems be built to provide greater control to patients and physicians? How can EHR systems be built to provide greater control to patients and physicians?

PETs As Part of the Answer Fully identified records provided only for whose who need identity to do the job Fully identified records provided only for whose who need identity to do the job Pseudonymity (protecting patients from curiosity, e.g., in labs or pharmacies) Pseudonymity (protecting patients from curiosity, e.g., in labs or pharmacies) Group signatures (protecting physician identity in patient interactions; protecting patient identity in some interactions) Group signatures (protecting physician identity in patient interactions; protecting patient identity in some interactions) Complete records only when needed Complete records only when needed Secret sharing (record fragmented until necessary, e.g., in emergency, with patient consent) Secret sharing (record fragmented until necessary, e.g., in emergency, with patient consent) Selective disclosure (disclosing medications without disclosing diagnosis or physician name) Selective disclosure (disclosing medications without disclosing diagnosis or physician name)

PETs As Part of the Answer, Cont’d Secondary users work with de-identified information Secondary users work with de-identified information Private information retrieval (looking for types of cases without disclosing links between identity and case) Private information retrieval (looking for types of cases without disclosing links between identity and case) Research Research Disease and bioterrorism surveillance Disease and bioterrorism surveillance Clinical guidelines development and improvement Clinical guidelines development and improvement Privacy-preserving datamining (looking for patterns without sharing information) Privacy-preserving datamining (looking for patterns without sharing information) Research Research Quality of care analysis Quality of care analysis Fraud detection Fraud detection

System Can Be Built With More Control for Data Subjects Menu of pre-set choices in EHR Menu of pre-set choices in EHR Who and when can access records without further consent Who and when can access records without further consent Contact information to obtain consent outside pre-set parameters Contact information to obtain consent outside pre-set parameters “Expiration” of one-time past episodes of care “Expiration” of one-time past episodes of care

“ Most interviewees were willing to allow the use of their information for research purposes, although the majority preferred that consent was sought first. The seeking of consent was considered an important element of respect for the individual. Most interviewees made little distinction between identifiable and anonymised data.” Willison, Donald J; Keshavjee, et. al, “Patients' consent preferences for research uses of information in electronic medical records: Interview and survey data,” British Medical Journal (International Edition), February 15, 2003.