Official: Panel wants privacy protection for electronic medical records

A federal advisory panel wants encryption and access controls to protect patients' medical records, official says.

A federal advisory panel on patient privacy wants encryption, strong access controls and audits to protect patients' medical records under the program advanced by the economic stimulus law, according to the co-chair of the group.

“The data will be encrypted and not set for easy access,” Steven Findlay, co-chair of the Health Information Technology Standards Committee’s Privacy and Security Workgroup, told Federal Computer Week July 23. “There will be a focus on access controls and audits.”

Under the economic stimulus law, the Obama administration and Congress are offering at least $17 billion in payments to doctors’ offices and hospitals that adopt and "meaningfully" use certified electronic health records (EHRs). Congress set up the Health IT Standards Committee to recommend standards for certification and meaningful use.

On July 21, the Policy and Security Workgroup, headed by Findlay, who is senior health policy analyst at the Consumers Union, and Dixie Baker, senior vice president of Science Applications International Corp., presented a framework of 37 technical standards to be implemented in 2011, 2013 and 2015. The presentation was made to the standards committee.

The workgroup initially surveyed available industry privacy and security standards, and determined their level of maturity, Findlay said. They suggested the schedule for implementation to roughly match the levels of maturity in the existing standards, he said.

However, a privacy advocate is raising concerns about the proposed schedule. Dr. Deborah C. Peel, founder of the Coalition for Patient Privacy, said the proposals put off implementation of consent management tools until 2015, a delay that might limit the effectiveness of the tools. The consent management tools are software and legal policies that allow patients to control access to their medical data.

Peel said consent management is one of the most urgent priorities for consumers. “The one thing that means the most to consumers is going to be delayed for five or six years,” Peel said. “This is a stunning defeat for consumer protection.”

She suggested that health IT industry members and vendors of legacy health IT systems on the standards committee are not eager to adopt consent management tools and give up control of patient data, and consumers are being left behind. “What we have are foxes designing the hen coops,” she said.

Findlay said the workgroup determined that consent management standards are not mature and likely will not be ready for implementation until 2015. “The standards do not currently exist to do the complexity of consent management that we would like to see,” he said.

Furthermore, he said, the workgroup believes that strong access controls and encryption are more important to consumers in protecting their medical data. “Consent management is not the way to achieve patient privacy,” he said.

The standards committee, which will meet August 20, is expected to forward a recommendation later this year to the Health and Human Services Department. That department is expected to publish one or more rulemakings on the health IT standards for meaningful use and certification under the economic stimulus law by year’s end.