Health Hazard

Warning: Patient privacy could complicate the blueprint for an electronic medical records system.

Implementing a nationwide system of electronic medical records as prescribed by President Obama's economic stimulus package is a herculean task that will require a complex new matrix of policies and standards. Two Health and Human Services Department advisory committees are hard at work on blueprints for both, but some worry privacy safeguards will be an afterthought.

Such a system would link doctors' offices, hospitals and other health care entities electronically so paper records eventually would become obsolete. The Obama administration and leaders on Capitol Hill endeavored to craft a bill that would bring down costs for everyone in the health care food chain-from providers to insurers to patients-while simultaneously curbing medical errors through more integrated information sharing. Obama's stated goal is for all U.S. residents to have e-health records within five years.

Much of the early work is being done by the HHS health IT policy and certification panels, which were created by the 2009 American Recovery and Reinvestment Act. The committees aim to send an array of recommendations to the agency's top brass-from guidelines for acceptable methodologies and technologies for protecting sensitive data to parameters for a network of regional health information exchanges and extension centers. Under the statute, HHS is required by Dec. 31 to adopt an initial set of health IT standards. About $17 billion in Medicare and Medicaid incentives will start flowing to doctors and hospitals in 2011 to encourage adoption of electronic records.

Members of the panels-chosen by the Government Accountability Office, HHS secretary and congressional leaders-represent health care providers, consumers, insurance carriers, technology and security vendors, researchers and agency officials.

Roger Baker, chief information officer at the Veterans Affairs Department, called attention to privacy risks at a summer meeting of the health IT policy committee to discuss what constitutes "meaningful use" of electronic medical records. Baker registered his concern that the debate glossed over the issue of patient privacy. The issue not only is critical to the group's mission, it's the "key to adoption," he told members.

"Sometimes you can recognize something is a key issue, but if you don't make it plainly and bluntly obvious, you'll lose the momentum to convince people," Baker said in an interview after the meeting. Agencies hold "an incredible amount of personally private information" and have gotten much better at protecting that data in recent years, he adds. Under the new, networked health care system the Obama administration envisions, their efforts will need to be redoubled, Baker said.

Privacy Perils

As pieces of the health IT puzzle come together, agencies will have to be keenly aware of situations that, at first blush, might not seem to put privacy at risk. "From a medical standpoint, we have to recognize that people's medical records are perhaps the most sensitive information anybody has left that they get to protect," Baker says. VA has been particularly vigilant against unintended disclosures since the 2006 theft of an agency computer that jeopardized the personal information of 26.5 million veterans.

"Since the laptop breach, we're taking a fastidious approach to seeing, disclosing, understanding and correcting any incident that could disclose information about an individual," Baker says. As part of that effort, he is on a mission to remove Social Security numbers everywhere possible and, when unavoidable, to only use the last four digits as an identifier.

"The amount of time we have to decide whether something is a breach of privacy or medically necessary is very small and the amount of information that can be gathered with a few keystrokes is very large," he says. "There's got to be a balance between individual control and medical necessity." In the context of a national health information exchange, Baker is looking to HHS for guidance on what responsibilities a provider like VA should have in deciding an entity's authority to obtain and protect data.

The Key Players

The man responsible for transmitting extensive guidelines to HHS Secretary Kathleen Sebelius is Boston physician David Blumenthal. He was named national coordinator for health IT in March and since that time has been working with the policy and standards committees to draft a framework for a nationwide infrastructure, including parameters for the exchange of patient medical information.

While he would not speculate about solutions to specific privacy issues that might arise during that process, Blumenthal told Government Executive he is acutely aware of the topic. "Our focus will be staying constantly alert to what those issues might be and reacting to them as fast as we can . . . whether it's through statistical techniques . . . or technologies to keep patient information secure," he says.

Blumenthal says he did not see any problems on the horizon that hadn't been flagged by privacy advocates and vetted in Congress during debate on the stimulus package. Much of the discussion concerned the inclusion of provisions that would ensure individuals could control use of their medical records and protect them from what consumer privacy watchdogs believe is a thriving industry of firms that share and sell medical data. "Congress has given us sufficient new authority and sufficient funding so we can substantially improve the security and privacy of existing systems and technology will give us more control and more power to protect privacy going forward," he says.

The Centers for Medicare and Medicaid Services will administer the health IT program and will communicate with Blumenthal's team as well as the HHS Office for Civil Rights, which helps administer the 1996 Health Insurance Portability and Accountability Act. The law specifies administrative, technical and physical security procedures for managing patient information. Privacy advocates, including Deven McGraw director of the health privacy project at the Center for Democracy and Technology, hope openness and transparency will be hallmarks of that relationship.

In August, Health and Human Services transferred HIPAA oversight duties from the Centers for Medicare and Medicaid Services to the Office for Civil Rights. The move was intended to eliminate duplication and increase efficiencies in protecting health data. It stemmed from a mandate in the stimulus package to make improvements to HIPAA.

"It's arguably a good move to consolidate all enforcement of HIPAA in one place, since security and privacy are arguably two sides to the same coin. But it will only be useful if it means at least the same level of resources for enforcement overall and not a diminishment," McGraw says. It remains to be seen whether the CMS employees who worked on security enforcement will move to the civil rights office or will be detailed elsewhere within the agency.

Todd Park, who was named chief technology officer at HHS in August, will work with offices across the agency on health IT. A co-founder of electronic health systems firm Athena Health, Park most recently served as a senior fellow at the Center for American Progress, where he focused on health IT and broader health reform issues. "He'll bring some much needed technical expertise and new ideas about how to more rapidly advance the adoption of health IT," McGraw says.

Building Harmony

The implementation of health IT involves myriad agencies and programs. Another key player is the Food and Drug Administration, which is developing a system known as Sentinel that will communicate with various drug databases to detect higher-than-expected rates of adverse outcomes.

McGraw, who serves on the HHS health IT policy panel, says it will be important to harmonize the FDA project and public health surveillance efforts at the Centers for Disease Control and Prevention with the broader health privacy regime. Officials at the Centers for Medicare and Medicaid Services, the Food and Drug Administration and CDC declined interview requests. Officials at the Agency for Healthcare Research and Quality, which conducts health services research, already are thinking through some of the adjustments that will come as programs designed to facilitate health IT are rolled out. For starters, the topics that health care research analysts examine likely will change, according to Jon White, the agency's health IT director. "Hypothetically, if all doctors have electronic medical records, that brings up different types of questions," he says.

AHRQ initiatives include millions of dollars in grants and contracts in a number of states to support and stimulate investment in health IT, especially in rural and underserved areas. The agency works with hospitals and clinicians to provide research and information to government and the private sector organizations.

The scope of the research agency's work likely will shift from a focus on policymakers at the national, state, and local levels to individual doctors, hospitals and practices that would benefit from solid data from a trusted source, White says. Since February, the agency has been working closely with Blumenthal's staff and colleagues at CMS on creating a blueprint for how various offices will share, compare and protect potentially sensitive data. "It has affected the things we planned to do with those sister agencies and it has affected the kinds of questions we're asking," says White, who declined to provide specific examples.

"Privacy and security are the bedrocks of a well-functioning health care system," he says. Making sure not only that information is secure but that only the right people have access to it is a hurdle agencies, health care facilities and third-party providers alike will face, he adds. On the flip side, stakeholders must ensure critical data to keep patients healthy and safe reaches the right people in a timely, beneficial way. "Right now, there's lot of information trapped in paper charts and it doesn't get to where it needs to go," White says.

Andrew Noyes is a reporter for National Journal's CongressDaily.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by Brocade

    Best of 2016 Federal Forum eBook

    Earlier this summer, Federal and tech industry leaders convened to talk security, machine learning, network modernization, DevOps, and much more at the 2016 Federal Forum. This eBook includes a useful summary highlighting the best content shared at the 2016 Federal Forum to help agencies modernize their network infrastructure.

  • Sponsored by CDW-G

    GBC Flash Poll Series: Merger & Acquisitions

    Download this GBC Flash Poll to learn more about federal perspectives on the impact of industry consolidation.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by Aquilent

    A DevOps Roadmap for the Federal Government

    This GBC Report discusses how DevOps is steadily gaining traction among some of government's leading IT developers and agencies.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.

  • Sponsored by CDW-G

    Joint Enterprise Licensing Agreements

    Read this eBook to learn how defense agencies can achieve savings and efficiencies with an Enterprise Software Agreement.

  • Sponsored by Cloudera

    Government Forum Content Library

    Get all the essential resources needed for effective technology strategies in the federal landscape.


When you download a report, your information may be shared with the underwriters of that document.