Privacy is gaining ground as one of our most challenging technology policy issues. This was certainly made crystal clear at the recent Health Privacy Summit hosted by Georgetown University's O'Neill Institute for National and Global Health Law in Washington DC.
The conference was organized by Dr. Deborah Peel, Founder and Chair of PatientPrivacyRights (a consumer health privacy advocacy organization). It focused on patient centric privacy, and looked at some important issues: how much regulation is needed for electronic health records and systems? How much is too much? Does technology harm patients? How much risk do patients face in the era of "big data?"
The risk issues were highlighted at the start of the conference in an unusual panel, which included a talk by a woman who has a psychiatric disorder and who was appalled to discover that 200 pages of highly confidential clinical notes about her were electronically distributed to all member companies in a consortium of medical providers without her explicit permission or knowledge. She learned about this after she was confronted with information from these notes while seeking treatment for an unrelated physical illness by a doctor. The story she told of her humiliation was heartfelt and very compelling.
Was this breach of privacy (from her perspective) a failure of policy or a failure of technology - or both? Or as she said her psychiatric care provider told her, was this routine disclosure "good practice?" As she relayed the story, there were no security and privacy policies and controls in place to require compartmentalizing those parts of the psychiatric clinical notes that were more sensitive from the therapies that other medical professionals would routinely need to know. There was no additional authentication of identity or access controls for this more sensitive data. We have technologies to do these things, but policies didn't need to require implementation of the necessary controls. Adopting foundational technologies (networked medical records) without building in appropriate policies and necessary, granular identity, authentication and access controls is not a path to patient trust.
I was a member of the next panel, which was asked to address the question, "First Do No Harm. Does Technology Harm Patients" - a provocative topic. My fellow panelists were experts in various aspects of heath privacy - speakers from EPIC (Electronic Privacy Information Center), National Institutes of Health, Federal Trade Commission, Georgetown Law School, and the University of Texas.
Strong themes on my panel were "transparency" and enabling patients and health practitioners to have trust in networked electronic health systems. My focus was on the importance of standardized policies AND standards-based technical functionality that will enforce privacy rules and preferences predictably and securely. I talked about the new OASIS Privacy Management Reference Model and Methodology draft specification which opened for30-day public review on June 2 (the link on the OASIS web site is http://www.oasis-open.org/news/announcements/30-day-public-review-for-pmrm-v1-0). The PMRM specification is groundbreaking work. If you have interest in how technology can actually "make privacy operational," please take time to download the document and provide feedback to the technical committee.
It is interesting that in his conference keynote, Dr. Farzad Mostashari, National Coordinator for Health IT, noted the challenges of linking policy and technology and culture - with "patients at the center." He said that trust in systems and technologies is not a zero sum game, but the key issue is "privacy by design" - not layered on after the fact. He said that systems need to support privacy and provide a trusted bond between healthcare providers and patients.
My take away from the conference is certainly that there a lot of challenges. But I also learned that those of us developing standards - such as the PMRM - or building solutions such as the identity and access management technologies provided by CA Technologies - are in the trenches with both the healthcare and advocacy communities to help make that trusted bond between providers and patients a reality.