- Concerns over HIE security and how patient data may be shared or accessed could lead to patients withholding some of their personal information, according to Commonwealth Fund President David Blumenthal, MD, MPP.
Blumenthal explained in a recent op-ed on for The Milbank Quarterly that such fears over patient data sharing will likely continue to increase as more providers utilize HIE options.
“HIE consists of a largely unrealized capability to move individuals’ health information around the health system for clinical, administrative, and investigational purposes,” Blumenthal wrote. “This raises the prospect that sensitive data may be both routinely and intentionally shared in ways that patients find concerning. More troubling, data on the move may be inherently less secure than data stored behind institutional firewalls.”
Withholding information could have several potential negative outcomes, he added. For example, patient care could become less accurate and complete.
“From the patients’ standpoint, this may compromise the quality of care they receive,” Blumenthal explained. “From the clinicians’ standpoint, data withholding may increase the frustration and risks of clinical practice. Clinicians take pride in their profession and are demoralized when missing information compromises their skills.”
HIE has numerous benefits, stated Blumenthal. The nation’s healthcare expenses could be reduced because unnecessary diagnostic and therapeutic interventions may be avoided. Additionally, stronger research can be facilitated “by means of accessing and analyzing patient data repositories created through HIE.”
Blumenthal recommended that providers recognize the HIE security concerns, and ensure that all worries are properly addressed.
“Research is required to document the nature and extent of patients’ failure to share health information: to understand who withholds data, what they withhold, and how often they do so,” he wrote. “The epidemiology of the phenomenon may suggest important ways to minimize it.”
Working to minimize the potential risk in new technologies is an essential step to ensure that those technologies are properly utilized. Providers must create the most secure environment possible for data sharing, Blumenthal noted.
“The most common reason for highly publicized data breaches in health care is not malicious hacking, but health care providers’ bad data hygiene,” he observed. “Many health professionals and organizations do not observe the most basic security precautions, such as requiring and training their employees to observe basic security procedures.”
Patients must also be educated on data sharing benefits, the potential risks, and what may occur from data withholding. This way, patients can give meaningful consent or non-consent with their providers participating in data sharing.
It is also important to note that tools designed to increase patient control over their own data, such as patient portals, could be beneficial.
“If patient portals and other devices through which patients access their health information can offer them choices on what they are willing to share, and with whom, they may feel more confident in the integrity of the data systems that store their health information,” Blumenthal concluded.
Overall, patients have a right to their individual health data, and how that data is used. Both patients and providers must understand HIE security risks, as well as the potential benefits so information can be securely shared.
The Office of the National Coordinator (ONC) has been working to ensure that both patients and providers understand how patient information can be safely shared under HIPAA regulations.
Toward the end of 2016, ONC released a fact sheet highlighting several situations where health data sharing is permissible. Individuals may not take advantage of electronic health record data because of confusion surrounding HIPAA rules, ONC Chief Privacy Officer Lucia Savage and CDC Director of the Public Health Law Program, Office for State, Tribal, Local and Territorial Support Matthew Penn explained in a blog post.
“ONC has highlighted the many circumstances in which HIPAA supports electronic exchange of PHI for treatment and specific kinds of health care operations,” Savage and Penn wrote. “The new fact sheet provides examples about how HIPAA supports the electronic exchange of information, including contagious disease tracking, provider participation in cancer registries, and monitoring the health of children who have experienced lead poisoning.”
For example, ONC and OCR explained that data may need to be exchanged in the reporting of a disease at a hospital or healthcare provider. The agencies discussed the pretend Healthy Hospital to discuss how data sharing may benefit of public health.
“Healthy Hospital may use health IT certified by the ONC Health IT Certification program (certified health IT) to disclose PHI to the CDC in response to the request and may reasonably rely on CDC’s request as to the PHI needed,” the fact sheet stated. “Healthy Hospital must meet the requirements of the HIPAA Security Rule if providing electronic PHI to CDC.”