Many alarming violations of patient privacy in American healthcare of late worry officials who are advocating a 10-year plan to develop and implement a nationwide electronic health information infrastructure (NHII). The Substance Abuse and Mental Health Services Administration (SAMHSA) commissioned a study in February to examine other countries’ respective consent practices to protect the privacy of patient health information while developing NHIIs. The consent mechanisms and technology used in these countries could potentially be used to help protect sensitive health information in the United States.
The SAMHSA report, The Implementation of E-Consent Mechanisms in Three Countries: Canada, England, and the Netherlands, is co-authored by Joy Pritts, JD, a privacy lawyer and associate research professor at the Georgetown University Health Policy Institute, and Kathleen Conner, a senior consultant with FOX Systems. It focuses on Canada, England, and the Netherlands because each is further along in its development of NHII and consent policies, or practices that control whether individuals have the right to control how health information can be shared.
While some healthcare providers in the United States allow some restriction of patient data, there is no uniform process across the industry for protecting privacy. That can mean trouble. A security lapse for the Department of Veterans Affairs occurred when a portable computer hard drive that contained the personal information of 535,000 individuals went missing. In March, a violation of privacy was exposed in Providence, R.I., when a woman searched her name on Google, and discovered a website that contained information on 2,242 Westerly (R.I.) Hospital patients, including names, addresses, Social Security numbers and some medical conditions. In another unrelated incident, a missing compact disc containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was delivered by mistake to a residence in Philadelphia, Penn.
“These recent incidents demonstrate that people are not doing enough right now with the available technology to protect health information,” Pritts says, noting that the disc that was found was not encrypted, and that encryption is one easy-to-deploy means of protecting health information that should always be used. “But no matter what you do, there’s always going to be human error, and given that, no one system is 100 percent failsafe,” she says.
Canada, the Netherlands and the United Kingdom are ahead of the U.S. in setting privacy policies that allow more patient control and the right to restrict the flow of their health information, according to Pritts. Allowing Americans the option to have a choice as to how their information is shared is especially important as more and more healthcare facilities move to all-digital environments using EHRs. Healthcare providers are starting to collect health information, share it, and transmit it, but they are not subject to federal or state regulation, Pritts says.
“In some ways the technology is getting ahead of the policy,” she added.
Canada’s privacy framework
Canada regulates health information privacy at the provincial level, so the report examined how providers use masking technology in Alberta, British Columbia, and Ontario. All three have endorsed the Pan-Canadian Privacy framework, but the ways they’ve implemented privacy protective features differ.
Alberta's Physician Office System Program uses an electronic medical record system that can mask data, giving patients the choice to partially opt out of sharing data. By 2008, according to the report, these IT systems also must allow patients to restrict data to specific providers and circumstances, such as emergency visits.
British Columbia's PharmaNet project allows patients to mask their entire prescription record and let only selected providers see that record by sharing a password, keyword, or what they call a “shared secret.” Emergency departments can gain access to the records if it’s imperative that they do so, however.
The Ontario Emergency Department Access to Prescription Drug History Initiative gives patients the ability to completely opt out from data-sharing, as well as mask specific drugs that a patient may prefer to keep private.
Security in the U.K.
In England, the NHII organized by the National Health System currently allows individuals to restrict access to sensitive information in their Summary