The national Privacy Rule for health information is a sorry beast in many ways. Promises to patients are conveyed in complex notices, largely unintelligible even to designated privacy officers. The Health and Human Services Department’s reliance on voluntary compliance and its refusal to impose fines on violators leave consumers in the dark and believing the rules are not enforced at all.
Personal health records systems, unless tied to a provider or plan, are usually not covered under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which is the foundation of the Privacy Rule. The law does not allow individuals to sue for redress of breaches — another trust-breaker.
So what can be done to increase trust in e-health and improve acceptability? Here are a few suggestions.
- We need meaningful notices of privacy practices. They should be written at appropriate literacy levels and should be brief and to the point. Layering privacy notices, with a friendlier layer on top and the complete wording in a full notice underneath, would engender trust while increasing awareness of the value of the e-health services offered.
- Prevalent “click here to accept” practices should be forbidden. Providers should meet the needs of people with certain disabilities and those who don’t read English.
- All personal health records providers should abide, at a minimum, by applicable HIPAA privacy and security regulations, regardless of the entity’s status under HIPAA.
- Employers and health plans should be encouraged to develop personal health records services for those they insure, but we must insist that all patient-level and patient-created information is fully masked from the sponsor’s view.
- We must take a critical look at how personal health information is used and disclosed. Just because a covered entity is allowed to use personal health information in a particular manner may not be reason enough to do it.
- The federal government should not be allowed to pre-empt more stringent state privacy laws. The old saw that the states are the laboratories of democracy has never been truer. The Office of the National Coordinator for Health Information Technology will organize much of its work this year around state- and regional-level exchanges. The assertion that information technology vendors cannot afford to negotiate the differences among the laws of multiple jurisdictions is just plain wrong.
- The feds should use existing enforcement mechanisms to show they mean business. They should fine violators and get the word out. Good actors should be able to differentiate their services from those provided by those who can’t or won’t get it right.
- Customer service models should be based on respect. Don’t ask busy providers to add new e-health tasks without helping them eliminate some old ones. Ask patients and their caregivers what they need, and prioritize those things. For example, returning injured and disabled warfighters find a labyrinth of forms and processes they must navigate to move to veterans’ health services, in large part because the Defense and Veterans Affairs departments’ systems are not fully interoperable. Does this fuel trust and send a message of respect? We can do better.
With important new personal health records product launches this year, people will learn about the value of health IT and be open to considering these products. We have a chance to get people on board now, but only if we add stringent privacy protections and meaningful notice about the rules of engagement.
Author(s): Paul Feldman
Source: Government Health IT, 18.04.2007