Archive for Privacy

Confusing “Consent” Terminology Emerges

In its August 19th letter to the Office of the National Coordinator, the HIT Policy Committee creates the term “meaningful consent” related to the coming choices patients will be asked to make about the sharing and use of their clinical data. In the recommendations, the committee clearly states that the recommendations apply to exchange of identifiable health information in order to meet Stage 1 meaningful use requirements. So now is the perfect time to ensure that the difference between the two types of consent remains distinct in the mind of the patient population.


Some Thoughts on Privacy

Imagine that the following is true:

  1. There is no social stigma attached to any disease or health condition. You have what you have, and no one cares but you and your physician.
  2. You are not denied coverage, care, or a job because you have any particular disease or health condition.

How would that change things?

For one thing, there would be much less incentive to know things about each other in order to benefit from that knowledge. Our efforts to ensure privacy would focus on personal respect and professional behavior. Today, however, we make and enforce rules and regulations (HIPAA, breach notification, etc.) and we create technology (encryption, disclosure tracking and reporting, etc.) to reduce the risks. Despite huge expenditures to reduce that risk, we’re learning that it’s not so easy. In fact, the HITECH legislation passed last year in the US makes an interesting assumption: by including breach notification requirements, legislators assume that breaches of protected health information (PHI) will continue. And how can they not?

Just last week there were two stories of health information falling outside of the control of providers. Wellpoint’s website glitch revealed information on thousands of customers to anyone who knew how to modify the URL; meanwhile, FedEx apparently lost a package destined for Lincoln Medical and Mental Health Center in New York. The package contained CDs filled with PHI from one of its vendors. In the Wellpoint case, it is believed that a third-party vendor responsible for system upgrades and security did not make all of the necessary changes during an upgrade. In both of these instances, the breach occurred not because of a failure of technology, but due to a failure in the way it was integrated into the organizational information flow and related processes. The reality is that people make mistakes. As systems evolve and become ever more complex, the quality control process is more likely to include lots of crossed fingers.

Again, this is part of the larger question of just how we manage the process of coming to first trust, then rely upon our technology solutions. As of today, there are 107 posted notifications of breaches involving 500 or more individuals on the US Health and Human Services (HHS) website. That’s just between late September, 2009 and today. This is going to be a huge challenge. It will be interesting to see if we continue to settle for breach notification and free credit monitoring, or if we solve this another way.

While I don’t expect that the scenario imagined above could come about without massive cultural changes, it is a different way to look at the problem. And even if we could change numbers 1 and 2 above, there is a 3rd piece that would require change as well: as long as identity theft is accepted as a cost of doing business, it remains a profitable enterprise. And that means someone will be looking for our data.

-Rod Piechowski

Copyright © 2010, Rod Piechowski, Inc., Consulting
