In a letter to incumbent National Coordinator for Health Information Technology Jacob Reider, Patient Privacy Rights (PPR) founder Deborah Peel explained some privacy issues she and PPR have found with patient matching related to health data exchange. In addition to a reminder that the country is learning best approaches to health data exchange, PPR offered its perspective on patient matching and maintained that health data aggregators should be treated similarly to HIPAA covered entities.
PPR asked that the Office of the National Coordinator (ONC) not focus exclusively on best practices for the current environment and instead promote and incentivize the rapid adoption of better patient matching technologies, as well as technology design based on FIPS.
Fuller patient participation, such as receiving electronic copies of PHI, means innovative technologies will develop to serve patient needs and interests, as well as comply with patients’ legal and ethical rights to health information privacy. However, the findings address today’s problems without anticipating where we will be tomorrow; they did not foresee that the Health Information Technology for Economic and Clinical Health (HITECH) Act and Meaningful Use (MU) requirements can be used to resolve many of today’s problems with patient identity and patient matching.
Additionally, PPR said that health data aggregators should provide Notice of Privacy Practices (NPPs) and real-time Accounting of Disclosures (AODs) through patient portals while maintaining accountability and transparency. Examples of health data aggregators include:
- Master Patient Indexes (MPIs)
- Record Locator Services (RLSs)
- Health Information Exchanges (HIEs)
- Health Information Organizations (HIOs)
- Prescription Drug Monitoring Programs (PDMPs)
- Health Insurance exchanges (HIXs such as Healthcare.gov)
- All Payer Claims Databases (APCDs)
- Pharmacies and prescription aggregators
- Clinical laboratories
- X-ray facilities
- Research health data aggregators
- State and national health registries and health databases (such as Ambulatory Care and Inpatient Care databases)
- Commercial data aggregators that collect and use PHI (such as Acxiom, credit bureaus, etc.).
Health data holders and aggregators should provide:
- Notice of Privacy Practices (NPPs)
- Patient-controlled IDs that are voluntary, not coerced
- Patient and physician portals
- Direct Secure email between patients and physicians
- Blue Button Plus (BB+), automated view, download, copy
- Accounting of Disclosure (AODs), automated, in real time
- Right to electronic copies of PHI
Especially as it relates to big data, patient identity matching will continue to be a pressing issue in 2014, and how the ONC responds to this advice will be worth watching.