Health Hazard

Warning: Patient privacy could complicate the blueprint for an electronic medical records system.

Implementing a nationwide system of electronic medical records as prescribed by President Obama's economic stimulus package is a herculean task that will require a complex new matrix of policies and standards. Two Health and Human Services Department advisory committees are hard at work on blueprints for both, but some worry privacy safeguards will be an afterthought.

Such a system would link doctors' offices, hospitals and other health care entities electronically so paper records eventually would become obsolete. The Obama administration and leaders on Capitol Hill endeavored to craft a bill that would bring down costs for everyone in the health care food chain-from providers to insurers to patients-while simultaneously curbing medical errors through more integrated information sharing. Obama's stated goal is for all U.S. residents to have e-health records within five years.

Much of the early work is being done by the HHS health IT policy and certification panels, which were created by the 2009 American Recovery and Reinvestment Act. The committees aim to send an array of recommendations to the agency's top brass-from guidelines for acceptable methodologies and technologies for protecting sensitive data to parameters for a network of regional health information exchanges and extension centers. Under the statute, HHS is required by Dec. 31 to adopt an initial set of health IT standards. About $17 billion in Medicare and Medicaid incentives will start flowing to doctors and hospitals in 2011 to encourage adoption of electronic records.

Members of the panels-chosen by the Government Accountability Office, HHS secretary and congressional leaders-represent health care providers, consumers, insurance carriers, technology and security vendors, researchers and agency officials.

Roger Baker, chief information officer at the Veterans Affairs Department, called attention to privacy risks at a summer meeting of the health IT policy committee to discuss what constitutes "meaningful use" of electronic medical records. Baker registered his concern that the debate glossed over the issue of patient privacy. The issue not only is critical to the group's mission, it's the "key to adoption," he told members.

"Sometimes you can recognize something is a key issue, but if you don't make it plainly and bluntly obvious, you'll lose the momentum to convince people," Baker said in an interview after the meeting. Agencies hold "an incredible amount of personally private information" and have gotten much better at protecting that data in recent years, he adds. Under the new, networked health care system the Obama administration envisions, their efforts will need to be redoubled, Baker said.

Privacy Perils

As pieces of the health IT puzzle come together, agencies will have to be keenly aware of situations that, at first blush, might not seem to put privacy at risk. "From a medical standpoint, we have to recognize that people's medical records are perhaps the most sensitive information anybody has left that they get to protect," Baker says. VA has been particularly vigilant against unintended disclosures since the 2006 theft of an agency computer that jeopardized the personal information of 26.5 million veterans.

"Since the laptop breach, we're taking a fastidious approach to seeing, disclosing, understanding and correcting any incident that could disclose information about an individual," Baker says. As part of that effort, he is on a mission to remove Social Security numbers everywhere possible and, when unavoidable, to only use the last four digits as an identifier.

"The amount of time we have to decide whether something is a breach of privacy or medically necessary is very small and the amount of information that can be gathered with a few keystrokes is very large," he says. "There's got to be a balance between individual control and medical necessity." In the context of a national health information exchange, Baker is looking to HHS for guidance on what responsibilities a provider like VA should have in deciding an entity's authority to obtain and protect data.

The Key Players

The man responsible for transmitting extensive guidelines to HHS Secretary Kathleen Sebelius is Boston physician David Blumenthal. He was named national coordinator for health IT in March and since that time has been working with the policy and standards committees to draft a framework for a nationwide infrastructure, including parameters for the exchange of patient medical information.

While he would not speculate about solutions to specific privacy issues that might arise during that process, Blumenthal told Government Executive he is acutely aware of the topic. "Our focus will be staying constantly alert to what those issues might be and reacting to them as fast as we can . . . whether it's through statistical techniques . . . or technologies to keep patient information secure," he says.

Blumenthal says he did not see any problems on the horizon that hadn't been flagged by privacy advocates and vetted in Congress during debate on the stimulus package. Much of the discussion concerned the inclusion of provisions that would ensure individuals could control use of their medical records and protect them from what consumer privacy watchdogs believe is a thriving industry of firms that share and sell medical data. "Congress has given us sufficient new authority and sufficient funding so we can substantially improve the security and privacy of existing systems and technology will give us more control and more power to protect privacy going forward," he says.

The Centers for Medicare and Medicaid Services will administer the health IT program and will communicate with Blumenthal's team as well as the HHS Office for Civil Rights, which helps administer the 1996 Health Insurance Portability and Accountability Act. The law specifies administrative, technical and physical security procedures for managing patient information. Privacy advocates, including Deven McGraw director of the health privacy project at the Center for Democracy and Technology, hope openness and transparency will be hallmarks of that relationship.

In August, Health and Human Services transferred HIPAA oversight duties from the Centers for Medicare and Medicaid Services to the Office for Civil Rights. The move was intended to eliminate duplication and increase efficiencies in protecting health data. It stemmed from a mandate in the stimulus package to make improvements to HIPAA.

"It's arguably a good move to consolidate all enforcement of HIPAA in one place, since security and privacy are arguably two sides to the same coin. But it will only be useful if it means at least the same level of resources for enforcement overall and not a diminishment," McGraw says. It remains to be seen whether the CMS employees who worked on security enforcement will move to the civil rights office or will be detailed elsewhere within the agency.

Todd Park, who was named chief technology officer at HHS in August, will work with offices across the agency on health IT. A co-founder of electronic health systems firm Athena Health, Park most recently served as a senior fellow at the Center for American Progress, where he focused on health IT and broader health reform issues. "He'll bring some much needed technical expertise and new ideas about how to more rapidly advance the adoption of health IT," McGraw says.

Building Harmony

The implementation of health IT involves myriad agencies and programs. Another key player is the Food and Drug Administration, which is developing a system known as Sentinel that will communicate with various drug databases to detect higher-than-expected rates of adverse outcomes.

McGraw, who serves on the HHS health IT policy panel, says it will be important to harmonize the FDA project and public health surveillance efforts at the Centers for Disease Control and Prevention with the broader health privacy regime. Officials at the Centers for Medicare and Medicaid Services, the Food and Drug Administration and CDC declined interview requests. Officials at the Agency for Healthcare Research and Quality, which conducts health services research, already are thinking through some of the adjustments that will come as programs designed to facilitate health IT are rolled out. For starters, the topics that health care research analysts examine likely will change, according to Jon White, the agency's health IT director. "Hypothetically, if all doctors have electronic medical records, that brings up different types of questions," he says.

AHRQ initiatives include millions of dollars in grants and contracts in a number of states to support and stimulate investment in health IT, especially in rural and underserved areas. The agency works with hospitals and clinicians to provide research and information to government and the private sector organizations.

The scope of the research agency's work likely will shift from a focus on policymakers at the national, state, and local levels to individual doctors, hospitals and practices that would benefit from solid data from a trusted source, White says. Since February, the agency has been working closely with Blumenthal's staff and colleagues at CMS on creating a blueprint for how various offices will share, compare and protect potentially sensitive data. "It has affected the things we planned to do with those sister agencies and it has affected the kinds of questions we're asking," says White, who declined to provide specific examples.

"Privacy and security are the bedrocks of a well-functioning health care system," he says. Making sure not only that information is secure but that only the right people have access to it is a hurdle agencies, health care facilities and third-party providers alike will face, he adds. On the flip side, stakeholders must ensure critical data to keep patients healthy and safe reaches the right people in a timely, beneficial way. "Right now, there's lot of information trapped in paper charts and it doesn't get to where it needs to go," White says.

Andrew Noyes is a reporter for National Journal's CongressDaily.