Civil liberties group criticizes health information exchanges over privacy

A report by the New York Civil Liberties Union examining health information exchanges in the state questioned the legalities of the patient privacy policies in place and criticized the exchanges for not doing enough to protect patients.

The findings are applicable to health information exchanges across the country, the report’s author says, because there are no established best practices for the sharing of data through HIE organizations. New York is often viewed as a leader in such exchanges, as it had some of the first ones in the nation.

Corrine Carey, assistant legislative director of the NYCLU and author of the report, said because information can be uploaded to an HIE without patient consent, the NYCLU and other patient privacy groups have argued that these policies are not consistent with state law, which requires physicians to get consent from a patient before transferring records to a third party. Patients do, however, have to give consent before those files can be accessed by another physician, which makes the policies consistent with the law, according to the New York State Dept. of Health.

The report also criticized the state’s “all-or-nothing” approach to consent, which doesn’t allow for patients to choose what data can be shared or kept private. Carey said a concern about the rule was brought to her attention by the many physicians she spoke with while drafting the report. They were concerned that if all of a patient’s information is made available to every treating physician, each doctor could be held accountable for taking every bit of information into consideration when treating a patient.

“So, for example, if there’s something that they missed on page 1,234, will they be held liable for missing that detail?” Carey asked. “So it’s a case of ‘Be careful what you wish for,’ because on the one hand, it sounds like a good idea to have all of the conceivable information that you need about a patient. But when you actually think about the reality of getting someone’s entire medical record, I’m not so sure how happy physicians are going to be once they see what that capability is going to produce.”

Peter Constantakes, spokesman for the New York State Dept. of Health, said the department “believes that our current policies comply fully with federal and state laws, and that patient information is well protected under the current set of policies, but we are always looking for ways to improve the system.”

Carey said there is nothing stopping physicians from implementing their own best practices when it comes to data exchange. They should explain clearly to patients what it means to be a part of a HIE and what they are consenting to when they grant access to their records.

“Our recommendations for New York are absolutely applicable to every state’s exchanges and, in fact, to the Nationwide Health Information Network,” Carey said.

Constantakes said there is an “ongoing process to review all policies related to the exchange,” and that the NYCLU’s comments and others will be taken into consideration.

The nonprofit New York eHealth Collaborative, which advocates health information exchange, announced on March 29 that it is partnering with the New York State Dept. of Public Health to form a committee to update and create policy measures to protect personal health information.

Until recently, Carey said, “People haven’t been thinking about protecting privacy in the health exchanges, or if they have thought about it, it was very, sort of, initial thoughts and so there wasn’t a developed privacy analysis from a consumer perspective.”

Although there was a dialogue starting at the federal level, New York began implementing its health information exchanges while that dialogue was going on and before policies were agreed upon.

At its Annual Meeting in June 2011, the American Medical Association House of Delegates adopted policy calling on the AMA to study the issue of data usage and privacy and draft model legislation.