
Tuesday, July 26, 2011

What does "obtain consent" mean with respect to HIT?

Some assume that in Nevada "consent" axiomatically connotes a requirement of express (written) affirmative "opt-in" to override a comprehensive default circumstance of one having passively opted out.

Interesting. Really?
Well, consider...

Nevada does not provide a single, consistent approach to the privacy and security of health information. [pg 2]...

...Nevada does not have a comprehensive statutory framework in place to address health information and HIT issues. Instead, the existing statutes concerning these issues are scattered throughout NRS, and have often been adopted and amended independently of each other. In addition, these statutes, for the most part, do not specifically address issues involving electronic health information... [pg 14]

An interesting 98-page read traversing the gamut of Nevada statutes pertaining to PHI. It was the precursor to the May 23rd, 2011 Nevada HIE Strategic and Operational Plan I discussed in my prior post. Nothing I can find materially changed in the interim with respect to ePHI "consent." Let me add this to the Ops Plan excerpts I cited in my prior post:
The objectives related to these overarching [HIE] goals are to:

...Employ Nevada Open Meeting Law to ensure transparency and openness about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information, including how that individually identifiable health information is collected, used, and disclosed and whether and how [emphasis mine] they can exercise choice over such collections, uses, and disclosures, in compliance with federal and state laws... [4.2 NV HIE Goals and Objectives, pp. 6-7]

The minimal regulatory/procedural mechanics of State HIE ePHI "consent" remain to be determined, IMHO. That, however, does not constrain the HealthInsight HIE from promulgating consent policies, with the knowledge that they may at some point(s) be in need of revision to conform to subsequent NAC and/or NRS requirements.


In a prior post I cited recent publishing and discussion regarding some of the heuristic liabilities that afflict "reasoning." A common one is that of "confirmation bias" -- i.e., most of us, even "experts," tend to stop shopping for evidence once we find enough that fits with what we already assume to be the case.

In my prior post I cited some details from the Nevada SB 43 pertaining to patient options with respect to ePHI disclosure consent for purposes of health information exchange.

To recap:
Sec. 7. 1. The Director shall by regulation prescribe standards:

(a) To ensure that electronic health records and the statewide health information exchange system are secure;

(b) To maintain the confidentiality of electronic health records and health-related information, including, without limitation, standards to maintain the confidentiality of electronic health records relating to a child who has received health care services without the consent of a parent or guardian and which ensure that a child’s right to access such health care services is not impaired;

(c) To ensure the privacy of individually identifiable health information, including, without limitation, standards to ensure the privacy of information relating to a child who has received health care services without the consent of a parent or guardian;

(d) For obtaining consent from a patient before transmitting the patient’s health records to the health information exchange system, including, without limitation, standards for obtaining such consent from a child who has received health care services without the consent of a parent or guardian...
Sec. 15. NRS 439.538 is hereby amended to read as follows:

439.538 1. If a covered entity transmits electronically individually identifiable health information in compliance with the provisions of [the]:

(a) The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191; and

(b) Sections 2 to 12, inclusive, of this act and the regulations adopted pursuant thereto, which govern the electronic transmission of such information, the covered entity is, for purposes of the electronic transmission, exempt from any state law that contains more stringent requirements or provisions concerning the privacy or confidentiality of individually identifiable health information.

2. A covered entity that makes individually identifiable health information available electronically pursuant to subsection 1 shall allow any person to opt out of having his or her individually identifiable health information disclosed electronically to other covered entities, except:

(a) As required by the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

(b) As otherwise required by a state law.

(c) That a person who is a recipient of Medicaid or insurance pursuant to the Children’s Health Insurance Program may not opt out of having his or her individually identifiable health information disclosed electronically...

Well, seems from all of those provisions that the precise legal/regulatory parameters of ePHI/HIE disclosure "consent" remain TBA in the wake of final passage of SB 43, no?

But, then, there's this contrary little wrinkle I'd missed:
Sec. 11. 1. Except as otherwise provided in subsection 2 of NRS 439.538, a patient must not be required to participate in a health information exchange. Before a patient’s health care records may be transmitted electronically or included in a health information exchange, the patient must be fully informed and consent, in the manner prescribed by the Director, to the transmittal or inclusion.

Section 11, which rather clearly implies a requirement for express affirmative (written?) "opt-in" consent that I'd failed to read (and might rightfully be construed as dictating what the Director "shall by regulation prescribe" regarding disclosure permission), seems to be at direct odds with 15(2)(c).*
* And, the fact that HIEs are not "covered entities" with respect to HIPAA is an irrelevant technicality. It will not be HIE employees in the providers' offices collecting consents. Moreover, HIEs are bound by the requisite Business Associates Agreements in any event.
I'm left with a twinge of having fallen into the trap of "confirmation bias" in all of this, perhaps in part a function of the "Anchoring Effect" of having read so much HIE consent literature from other sources pertaining to the feds and other states. The convenience of "keyword/phrase" search has its hazards here as well; you think you've found what you need without reading every word.


Lessons from the Leaders

"[The] National eHealth Collaborative (NeHC) recently conducted a study of 12 fully operational HIEs that demonstrate through their innovative strategies and business models that HIEs can benefit multiple stakeholder groups, and can, in the process, become growing, self-sustaining business enterprises."

From "Critical Success Factors" in the Executive summary:
...Consent and security policies and mechanisms must meet the requirements of various types of stakeholders and, in some cases, variations in regulations among multiple states. The HIE’s information infrastructure and operations must also ensure that patient information is accurate and reliable. Managing the framework of trust can be daunting for an HIE, as data originating from a variety of disparate locations must be verified in a way that is simple and efficient, with no margin for error. One executive interviewed calls health information exchange a “zero-defect” business...

Also from the Executive summary, numero uno in the "Barriers" piece:

Policies and procedures designed to meet complex privacy requirements tend to impede an HIE’s efforts to achieve the critical mass of patient records needed to accelerate adoption. Managing patient consent in particular is a major challenge that gains complexity as the footprint of these HIEs expands. With one exception, the HIE teams raising consent as an issue believe that requiring patients to opt-in to the HIE is a barrier to progress. In contrast, operating in an environment where opt-out consent is accepted by the community was identified as an important factor of success.

Interesting. The report goes on to discuss the "consent management" issues (where applicable) confronted by and policies of:
  • Availity
  • Big Bend RHIO
  • HealthBridge
  • HealthInfonet
  • Inland Northwest Health Services
  • MedVirginia
  • Quality Health Network
  • Rochester RHIO
  • Sandlot
  • SMRTnet
  • Taconic Health Information Network and Community
  • U.S. Department of Veterans Affairs
I'm still reviewing all of this at the moment. One example (Availity):
Patient consent. Managing patient consent is a significant challenge that will persist and become more complex as Availity’s geographic footprint and number of users expands. Tracking consents and revocations at the source of the data in a multi-state environment where laws, policies, and preferences often vary, requires significant investments in expertise, collaboration with stakeholders, and education of distributors and consumers.

One more (Rochester RHIO):
Complex patient consent requirements. The complexity of policies to protect patients’ privacy and consent procedures in New York presented significant challenges that the Rochester RHIO needed to overcome to achieve its healthcare provider adoption and consumer participation goals. To streamline the consent process while making the most information available in the shortest period, the Rochester RHIO has implemented the New York Department of Health-approved patient consent model, known as “consent to view.” All patient data available electronically from the RHIO’s data distribution partners is accessible by the HIE regardless of patients’ consent. However, a specified patient’s data cannot be viewed by a user without an informed consent from the patient on file authorizing that user to access that patient’s information. With this model, as soon as a patient grants consent, all historical information on that patient available from data suppliers via the HIE can be accessed by his or her providers. To streamline the process, patients can complete informed consents online. Leadership at the Rochester RHIO considers it vitally important to invest the resources necessary to assist physicians’ offices to operationalizing the patient consent procedures. These strategies have helped the Rochester RHIO obtain consent for more than one-third of the market’s patient population to date.

Big Bend RHIO:
Patient education. Big Bend has found that it is necessary to help patients understand and accept the policy options related to patient opt-in versus opt-out models.

HealthInfoNet:
Consensus on patient consent management. Achieving consensus among the community’s stakeholders for an opt-out patient consent model is considered to be an important factor in growth of clinician adoption. HealthInfoNet will remove all clinical data belonging to a patient who decides to opt-out of the HIE. As of early 2011, approximately 6,000 patients – less than 0.6 percent of patients in the database – have opted-out of the HIE. Patients are able to opt-out of the HIE via an online form available at HealthInfoNet’s website.

And, finally, the Veterans Administration:
Patient consent requirements. Sharing of veterans’ health information with private sector entities requires patients to explicitly provide consent (i.e., opt-in). Every VA region requires a different approach and outreach to veterans to invite their participation in VLER, which is a worthy but significant effort and investment.



Recall back in April I'd made some observations about "Comparative Effectiveness Research" (CER, cited earlier here as well)? The potential Big Picture long-term data-mining payoff of HIE? Well, recently from the Pacific Research Institute:

...under conservative assumptions, R&D investment in new and improved pharmaceuticals and devices and equipment would be reduced by about $10 billion per year over the period 2014 through 2025, or about 10-12 percent. This reduction in the advance of medical technology would impose an expected loss of about 5 million life-years annually, with a conservative economic value of $500 billion, an amount substantially greater than the entire U.S. market for pharmaceuticals and devices and equipment. This finding suggests that an expanded CER process may be very unwise in a policy context and that a renewed emphasis upon a “bottom-up” process of experimentation by many millions of practitioners and patients would be a more fruitful approach for the acquisition of information about the comparative effectiveness of alternative clinical approaches...

...This finding suggests that an expanded CER process at the federal level—a top-down process—may be very unwise in a policy context, and that a renewed emphasis upon a “bottom up” approach of experimentation by many millions of practitioners and patients would be a more fruitful vehicle for the acquisition of information about the comparative effectiveness of alternative clinical approaches.

So many Straw Men, so Little Time. So, clinical practice advances wrought by data mining from in-the-trenches clinical results (however imperfect) will make us significantly worse off? "CER kills"? Basically, they're accusing the government of an inexorable cost-driven biased agenda essentially characteristic of the old "Soviet Science."

I ran this stuff by the esteemed Joe Flower and J.D. Kleinke. Have yet to hear back from J.D. but here's how Joe responded.

I haven't read the study. I don't need to, since it is so obviously true, if we just make certain assumptions, such as:

  • Every dime spent on R&D for drugs and devices is wisely spent, on advances that will save and improve lives.
  • Every dime spent on finding out whether those drugs and devices actually work as advertised, and don't actually kill people, and do it better or cheaper than other drugs and devices, is a dime wasted. CER just slows down legitimate, helpful research.
  • Experience does not show us any examples of wasteful or unnecessary drugs or devices. Those multiple peer-reviewed research papers showing that we waste hundreds of billions of dollars every year on useless complex back surgeries, the 22% of implanted defibrillators that are unnecessary, tens of millions of unnecessary scans, coronary stents put in people with stable heart disease and no heart pain, the heartburn surgeries that work no better than over-the-counter drugs—those studies are all false, wrong, some kind of mumbo-jumbo that we can safely ignore.
If we just make those few simple assumptions, the study has a valid point. If we don't accept those assumptions, we have to wonder about the mental state, motivations, and personal finances of someone who would cook up such an obvious bit of flim-flam.

See Joe's post "Comparative effectiveness research kills?"

BTW, Joe's post quickly got picked up by The Health Care Blog. My subsequent comment:
OK, I’ve been closely through the entire “study” with yellow highlighter and red pen for underlining and margin notes. It could have been done as a short Powerpoint deck of the usual [1] “tell ‘em what you’re gonna tell ‘em, [2] tell ‘em, [3] and finish by telling them what you told them” format.

In sum:
  • Government BAD;
  • unfettered for-profit markets GOOD.
Y’see we can’t trust “the government” to produce unbiased scientific CER findings owing to their imperative to cut costs — inexorably at the expense of patients’ interests and market “innovation” and profits. BUT (implicitly), no such conflict of interest biases exist in the free market.

That’s really the essence of this paper, extensive footnotes, neat-o ECON algebra, and Blinding Glimpses of the Obvious undergrad 101 psych and biz school theory assertions (“incentives,” “ROI,” “opportunity cost,” “efficiency,” etc).

Gotta love the repetitive hedging phrase “to the extent that…” too.

This kind of stuff is akin to that of the “Concern Troll.”

To The Extent That my hops improve materially, I will be hammer-dunking during pickup.

The author's closing assertion (returning to where he began, verbatim):

a “bottom up” approach of experimentation by many millions of practitioners and patients would be a more fruitful vehicle for the acquisition of information about the comparative effectiveness of alternative clinical approaches.

The final sentence in the paper. Permit me to ask: the aggregate "study designs" and scientifically administrative coordination of all these ad hoc, silo'ed n=1 experiments will be accomplished precisely how and by whom?

Simply "Let a Million Clinical Thomas Edisons and Ben Franklins Bloom"?

The author begs off that
...problems of analysis and application are not the central focus of this paper. Instead, we concentrate here on the implications of the CER process on R&D investment in new and improved medical technologies, as driven by federal policy-making in the context of the incentives of public officials...[pg 12]

"Not the central focus"? Forgive me for failing to see where they're substantively addressed at all (with the exception of one briefly cited investigation -- the University of Texas ALLHAT Study).

UPDATE: I've asked the fine folks at to take a fresh whack at this topic.


More to come...

Wednesday, July 13, 2011

Nevada HIE kickoff event

My company has been designated as the not-for-profit administrator of the new Nevada Community Based HealthInsight Health Information Exchange (HIE). Today at Cashman Center in Las Vegas we held an intense day-long kickoff event comprised of founding stakeholders, our HIE consultant firm Strategies for Tomorrow, and key staff of our HIE vendor Axolotl (just recently renamed OptumInsight). Very nice turnout of extremely talented and committed people. It is an ambitious undertaking. Lots to think about and report on.

Below, our Nevada Executive Director Deborah Huber.

Above, our Nevada Vice President of Medical Affairs Jerry Reeves, MD.

I've been designated to serve on the HIE Privacy and Security Task Force, something I will relish. No shortage of issues to be resolved. I'm already Loaded for Bear on the topic.


As our kick-off event concluded, the foregoing was asserted during the final session. I thought "I must have missed something with regard to the final cut of SB 43." Someone else echoed that vocally as well, but the moment passed. I was too busy at the time playing Press Photographer for the event as well as staff participant.

SB 43 is Nevada Senate Bill 43 (PDF), the state's HIE legislation that emerged this year in the wake of Nevada having received ONC funding for a state HIE (which, btw, is not us; a publicly funded and administered NV HIE does not yet exist). The salient excerpt as it pertains to "opting in/out":
Sec. 15. NRS 439.538 is hereby amended to read as follows:

1. If a covered entity transmits electronically individually identifiable health information in compliance with the provisions of:

(a) The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 [,] ; and
(b) Sections 2 to 12, inclusive, of this act and the regulations adopted pursuant thereto, which govern the electronic transmission of such information, the covered entity is, for purposes of the electronic transmission, exempt from any state law that contains more stringent requirements or provisions concerning the privacy or confidentiality of individually identifiable health information.

2. A covered entity that makes individually identifiable health information available electronically pursuant to subsection 1 shall allow any person to opt out [emphasis mine] of having his or her individually identifiable health information disclosed electronically to other covered entities, except:

(a) As required by the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
(b) As otherwise required by a state law.
(c) That a person who is a recipient of Medicaid or insurance pursuant to the Children’s Health Insurance Program may not opt out [emphasis mine] of having his or her individually identifiable health information disclosed electronically.**

As used in this section: “covered entity” has the meaning ascribed to it in 45 C.F.R. § 160.103.

[** I have to say that it would not break my heart for the ACLU or some other rights entity to successfully challenge this "2nd class citizen" clause.]

My subsequent internal response upon reflection:
Notwithstanding that HIE “opt-in” is not explicitly required by SB 43 (the word “opt” only appears twice in SB 43, each time followed by the word “out” – see Section 15), HealthInsight HIE is nonetheless at liberty to establish affirmative “opt-in” as policy. There are good reasons. See the attached, sent to me the other day by Kahreen Tebeau of the Oregon Health Authority Office of Health IT.

The Nevada Administrative Code (NAC, the NV equivalent of the federal CFRs) may well at some point clarify the vagueness in SB 43 with respect to “opt whatever,” but, IMHO, “…shall allow any person to opt out of having his or her individually identifiable health information disclosed electronically to other covered entities” at 15(b)(2) is not the express semantic equivalent of “opt in.” (but, then, that’s why we have lawyers on the P&S Task Force).

Interestingly, my colleague Kevin Jones pointed me to Section 7 of SB 43. My response:
Nice catch. So, Section 7 looks to possibly be at some odds with Section 15 (“opt out”). Noteworthy is this:

The Director shall by regulation prescribe standards [emphasis mine]:

Sec 7(d) For obtaining consent from a patient before transmitting the patient’s health records to the health information exchange system, including, without limitation, standards for obtaining such consent from a child who has received health care services without the consent of a parent or guardian;

“by regulation” -- Which, as I said, goes eventually to the Nevada Administrative Code (NAC); “obtaining consent” does not, IMO, unequivocally dictate “opt-in.” Grants of “consent” are routinely obtained via active or passive opt-out. What this all says to me is that it is as yet undecided what state “administrative” procedural policy will be.

I've done some tedious probing of the Nevada Administrative Code, looking for anything generally pertaining to "consent" requirements related to health care information in our state. Not finding anything precisely relevant thus far. But, then, IANAL.

OK, it may be useful to consult with SB 43's antecedent, linchpin, ONC-approved HIE Strategic & Ops Plan.

A few salient excerpts pertaining to "consent" and "opting":

4.3.6 Patient/Consumer Engagement
While the initial phases of the NV HIE will likely exclude services that enable patients/individuals to have direct access to the NV HIE information services, during the early phases, the patient/consumer engagement will focus on education. Initial education will likely be directed towards views on how NV HIE increases integration of care for children and those with disabilities and improves outcomes, as well as issues such as guarding private data, information-sharing standards, and personal responsibility.

These initial efforts of patient engagement will be essential to the final opt-in/opt-out/hybrid model for the NV HIE patient data information governance, which has not been finalized due to ongoing legislative activities. [pg 13]

Patient/Consumer Smart Media Technology
Nevada will implement HIPAA-compliant “health information” smart media technology (smart cards, flash drives, cell phone patient medical apps) for those individuals who choose to opt-out of the HIE, and as a method of supporting and protecting the electronic exchange of health-related information. [pg 69]

12.1 NV HIE Business and Governance Formation (Stages 1-3)
…In addition to the importance of having a sustainable, non-profit business to govern and operate the HIE services, we believe that the NV HIE Business formation will establish the essential “rules of the road” necessary to implement the information sharing technologies of the envisioned HIE services. For example, how will NV residents opt-out of (and possibly opt back in) having their data shared across the HIE? While this may appear simple on the surface, the question is non-trivial when considering the various channels that may need to be afforded to the individual (e.g., customer portal, primary care office, emergency room, hospital, pharmacy) and how to make patient information providers aware that data sharing is not allowed for a specific individual (with the exception of reportable public health requirements and certain Medicaid/Medicare alternatives). It is these information governance and other similarly complex requirements that will need to be understood and established prior to implementing HIE technologies or certifying existing HISPs/RHIOs for supporting HIE services in the State. [pg 74]

Consent
Consumer or patient consent is the process by which consumers control the exchange of their health information through an HIE and can be a tool to allow health care providers access to more complete health information, thereby strengthening the provider’s ability to provide informed care and improving care coordination amongst providers.

The NV HIE Legal/Policy Workgroup will provide input to the creation of policies that will dictate to what extent, and how consumers should be able to control the exchange of their health information while balancing privacy considerations with the overall vision of the NV HIE and its potential impact on public health, the coordination of care, improved health care quality and ultimately, improved health outcomes as supported by better access to more robust patient data. [pg 82]

(bold/italic/red emphases mine)

How does another Nevada agency treat such things (the DMV)?

Interesting. I guess we can comfortably infer from this that a Nevada agency has the lawful discretion to require explicit, affirmative, documented "opt-in" to override a default presumption of one's having opted out via inaction. Moreover, I take it as a given that the HealthInsight HIE will have to comply with (or exceed) any final NAC consent regulations issued by DHHS pursuant to SB 43.

The issue of whether, to what extent, and how individuals should have the ability to exercise control over their health information represents one of the foremost policy challenges related to the electronic exchange of health information. The current landscape of possible consent models is varied, and the factors involved in choosing among them are complex. States and other entities engaged in facilitating the exchange of electronic health information are struggling with a host of challenges, chief among them the establishment of policies and procedures for patient participation in their exchange efforts. While some have adopted policies enabling patients to exercise individual choice, others have prioritized the needs and concerns of other key stakeholders, such as providers and payers. The purpose of this paper is to discuss in detail the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making.

Core consent options (abbreviated) for electronic exchange include the following:
  • No consent. Health information of patients is automatically included—patients cannot opt out;
  • Opt-out. Default is for health information of patients to be included automatically, but the patient can opt out completely;
  • Opt-out with exceptions. Default is for health information of patients to be included, but the patient can opt out completely or allow only select data to be included;
  • Opt-in. Default is that no patient health information is included; patients must actively express consent to be included, but if they do so then their information must be all in or all out; and
  • Opt-in with restrictions. Default is that no patient health information is made available, but the patient may allow a subset of select data to be included.
As these definitions illustrate, a range of consent models can be applied in different contexts of electronic exchange in the U.S., and it is possible for there to be further permutations depending on the level of choice granularity allowed. There is also considerable variation in the type of information exchanged, ranging from the more basic (e.g., lab results) to the more mature and complex (e.g., a wide array of health information).

The consent model selected for electronic exchange, as well as the determination of which types of health information to exchange, affects many stakeholders (e.g., patients, providers, and payers). These decisions also have consequences for national policy goals, such as improving the quality of healthcare, promoting public health, engaging patients in their health care, and ensuring the privacy and security of personal health information. This discussion requires not only an appreciation of the sometimes competing interests of various stakeholders, but also consideration of the interests of the individual relative to those of society as a whole.
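To make the five consent options concrete from an implementer's side, here is an added example (my own code, not from the ONC paper or from HealthInsight) that encodes each model as a disclosure decision rule. The data categories and the ConsentRecord shape are assumptions for illustration; what the example shows is that the same patient state, in particular "no consent record on file," yields opposite outcomes depending on which model the HIE adopts.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class ConsentModel(Enum):
    # The five core consent options listed in the quoted ONC paper.
    NO_CONSENT = "no consent"
    OPT_OUT = "opt-out"
    OPT_OUT_WITH_EXCEPTIONS = "opt-out with exceptions"
    OPT_IN = "opt-in"
    OPT_IN_WITH_RESTRICTIONS = "opt-in with restrictions"


# Constructed data categories for the example; a real HIE defines its own.
ALL_CATEGORIES: FrozenSet[str] = frozenset({"labs", "meds", "problems", "imaging"})


@dataclass(frozen=True)
class ConsentRecord:
    """What the HIE actually has on file for one patient (assumed shape).

    choice: "in", "out", or None when neither a consent nor a revocation
            has ever been recorded.
    categories: subset of categories the patient allowed, or None when the
            patient expressed no restriction. Only the two models that
            permit granularity honour it.
    """
    choice: Optional[str] = None
    categories: Optional[FrozenSet[str]] = None


NO_RECORD = ConsentRecord()


def may_disclose(model: ConsentModel, record: ConsentRecord, category: str) -> bool:
    """Decide whether one data category may flow through the HIE."""
    if category not in ALL_CATEGORIES:
        raise ValueError(f"unknown data category: {category}")
    if model is ConsentModel.NO_CONSENT:
        return True  # inclusion is automatic; the patient cannot opt out
    if model in (ConsentModel.OPT_OUT, ConsentModel.OPT_OUT_WITH_EXCEPTIONS):
        if record.choice == "out":
            return False  # a complete opt-out always wins
        if model is ConsentModel.OPT_OUT_WITH_EXCEPTIONS and record.categories is not None:
            return category in record.categories  # patient narrowed the default
        return True  # default under opt-out: included
    # Opt-in variants: nothing is shared until an affirmative "in" is on file.
    if record.choice != "in":
        return False
    if model is ConsentModel.OPT_IN:
        return True  # all in or all out: any category list is ignored
    allowed = ALL_CATEGORIES if record.categories is None else record.categories
    return category in allowed


def default_outcome(category: str = "labs") -> Dict[str, bool]:
    """What each model does for a patient with NO record on file at all."""
    return {m.value: may_disclose(m, NO_RECORD, category) for m in ConsentModel}


def revoke(record: ConsentRecord) -> ConsentRecord:
    """A revocation: the recorded choice becomes 'out' (keeps any category list)."""
    return ConsentRecord(choice="out", categories=record.categories)


if __name__ == "__main__":
    for name, shared in default_outcome().items():
        print(f"{name:26s} no record on file -> share labs? {shared}")
```

Note that under "no consent" even a recorded revocation changes nothing, which is exactly the property the quoted list describes for that model.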

"...it is possible for there to be further permutations depending on the level of choice granularity allowed."

Indeed. Let's recap. As I ruminated on amid my June 18th post, ePHI privacy issues traverse four principal categories of concern -- and vary greatly from state to state:
  • Data ownership;
  • Rights of access (and accountability);
  • Disclosure restrictions;
  • Records retention requirements.
There has been much grumbling within the provider community with respect to envisioned "granularity," in particular as it pertains to proposals for patients having disclosure veto power at the datum level (e.g., "yes, you can share my CBC results, but not my latest lipid panel or pap smear or PSA. And forget about my BP or BMI").


"The lawyers freak out," said Calman, agreeing that attorneys, including malpractice lawyers, are often more resistant than doctors to the idea of providing patients with access to their full medical information--and especially the notion of patients being able to include their own comments in their records...[click here for the full article]
Interesting. BTW, I've been studying "privacy" issues since grad school, albeit in a couple of different contexts. See "Privacy and the 4th Amendment amid the 'War on Terror'".


Well, as of this week we have four words: "Rupert Murdoch Hacking Scandal." Then there's stuff like this:
Today’s globally networked society places great demand on the dissemination and sharing of person-specific data for many new and exciting uses. Even situations where aggregate statistical information was once the reporting norm now rely heavily on the transfer of microscopically detailed transaction and encounter information. This happens at a time when more and more historically public information is also electronically available. When these data are linked together, they provide an electronic shadow of a person or organization that is as identifying and personal as a fingerprint even when the information contains no explicit identifiers, such as name and phone number. Other distinctive data, such as birth date and ZIP code, often combine uniquely and can be linked to publicly available information to re-identify individuals. Producing anonymous data that remains specific enough to be useful is often a very difficult task and practice today tends to either incorrectly believe confidentiality is maintained when it is not or produces data that are practically useless...

- 2001, Dr. Latanya Sweeney (PDF), now with the ONC HIT Policy Committee.
That was a decade ago. Think about how much more data are available today, and how much easier they are to capture, merge, and mine.

A bit more on Dr. Sweeney. And, relatedly, how about this?
Mr. X lives in ZIP code 02138 and was born July 31, 1945.

These facts about him were included in an anonymized medical record released to the public. Sounds like Mr. X is pretty anonymous, right?

Not if you're Latanya Sweeney, a Carnegie Mellon University computer science professor who showed in 1997 that this information was enough to pin down Mr. X's more familiar identity -- William Weld, the governor of Massachusetts throughout the 1990s.

Gender, ZIP code, and birth date feel anonymous, but Prof. Sweeney was able to identify Governor Weld through them for two reasons. First, each of these facts about an individual (or other kinds of facts we might not usually think of as identifying) independently narrows down the population, so much so that the combination of (gender, ZIP code, birthdate) was unique for about 87% of the U.S. population. If you live in the United States, there's an 87% chance that you don't share all three of these attributes with any other U.S. resident. Second, there may be particular data sources available (Sweeney used a Massachusetts voter registration database) that let people do searches to bootstrap what they know about someone in order to learn more -- including traditional identifiers like name and address. In a very concrete sense, "anonymized" or "merely demographic" information about people may be neither. (And a web site that asks "anonymous" users for seemingly trivial information about themselves may be able to use that information to make a unique profile for an individual, or even look up that individual in other databases.)

Many contemporary privacy rules and debates center on the notion of "personally identifiable information" (PII). The PII concept is used by several legal regimes and many organizations' privacy policies; generally, information that identifies a particular person is considered much more sensitive than information that does not....

...research by Prof. Sweeney and other experts has demonstrated that surprisingly many facts, including those that seem quite innocuous, neutral, or "common", could potentially identify an individual. Privacy law, mainly clinging to a traditional intuitive notion of identifiability, has largely not kept up with the technical reality.

Above, from the 2001 Sweeney paper. This goes to the whole "data mining" goal of HIE -- e.g., "CER", "comparative effectiveness research," the "big picture" end of clinical data exchange (ostensibly using "de-identified" data), beyond the more loudly touted initial end of "24/7 anytime-anywhere point-of-care data access."

Below, Dr. Sweeney explains:
For twenty dollars I purchased the voter registration list for Cambridge Massachusetts and received the information on two diskettes [20] in an attempt to complete the re-identification. Figure 15 shows that these data included the name, address, ZIP code, birth date, and gender of each voter. This information can be linked using ZIP code, birth date and gender to the medical information described in Figure 14, thereby linking diagnosis, procedures, and medications to particularly named individuals. The question that remains of course is how unique would such linking be.

The 1997 voting list for Cambridge Massachusetts contained demographics on 54,805 voters. Of these, birth date, which is the month, day, and year of birth, alone could uniquely identify the name and address of 12% of the voters. One could identify 29% of the list by just birth date and gender; 69% with only a birth date and a five-digit zip code; and 97% when the full postal code and birth date were used...

...In Massachusetts, the Group Insurance Commission (GIC) is responsible for purchasing health insurance for state employees. GIC collected de-identified patient-specific data with nearly one hundred fields of information per encounter along the lines of the fields discussed in the NAHDO list for approximately 135,000 state employees and their families. Because the data were believed to be anonymous, GIC gave a copy of the data to researchers and sold a copy to industry [21]. William Weld was governor of Massachusetts at that time and his medical records were in that data. Governor Weld lives in Cambridge Massachusetts. According to the Cambridge Voter list, six people had his particular birth date; only three of them were men; and, he was the only one in his five-digit zip code.

Clearly the risks of re-identifying data depend both on the content of released data and on other related information. Most municipalities and states sell population registers such as voter lists, local census data, birth records and motor vehicle information. There are other sources of population registers such as trade and professional association lists. Such information can often be uniquely linked to de-identified data to provide names, addresses, and other personal information [pp 49 - 51].
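The arithmetic Sweeney is doing above (birth date alone, birth date plus gender, birth date plus ZIP code) is a uniqueness count over quasi-identifiers, and the defensive counterpart is to measure it before a release and generalize or suppress until no row stands alone. Here is an added example of that check, in Python; it is not code from Sweeney's paper or from any HIE, and the eight encounter rows, the diagnosis codes and the release policies are constructed for illustration. A policy is just a function that maps a row to the quasi-identifier tuple a recipient would see; `k` for a row is the size of its equivalence class, and a `min_k` of 1 means at least one person is unique in the release.

```python
from collections import Counter
from datetime import date

# Constructed sample of "de-identified" encounter rows: no names or addresses,
# but the three quasi-identifiers Sweeney's study used. All values are made up.
RECORDS = [
    {"zip": "02138", "dob": date(1951, 4, 9),  "sex": "M", "dx": "I10"},
    {"zip": "02138", "dob": date(1951, 4, 9),  "sex": "F", "dx": "E11"},
    {"zip": "02139", "dob": date(1951, 4, 9),  "sex": "M", "dx": "J45"},
    {"zip": "02138", "dob": date(1963, 11, 2), "sex": "F", "dx": "E11"},
    {"zip": "02138", "dob": date(1963, 11, 2), "sex": "F", "dx": "J45"},
    {"zip": "02139", "dob": date(1963, 11, 2), "sex": "F", "dx": "I10"},
    {"zip": "02140", "dob": date(1978, 6, 15), "sex": "M", "dx": "F41"},
    {"zip": "02140", "dob": date(1978, 6, 16), "sex": "M", "dx": "F41"},
]

# Each release policy maps a row to the quasi-identifier tuple a recipient
# would actually see. "raw" is the full-detail release; the others generalize
# (ZIP to its first three digits, birth date to birth year) or drop a field.
POLICIES = {
    "raw":           lambda r: (r["zip"], r["dob"].isoformat(), r["sex"]),
    "dob+sex":       lambda r: (r["dob"].isoformat(), r["sex"]),
    "zip3+year+sex": lambda r: (r["zip"][:3], r["dob"].year, r["sex"]),
    "zip3+year":     lambda r: (r["zip"][:3], r["dob"].year),
}


def k_values(records, policy):
    """k for each row: how many rows share its quasi-identifier tuple under
    the policy. k == 1 means that row is unique in the release."""
    keys = [policy(r) for r in records]
    counts = Counter(keys)
    return [counts[key] for key in keys]


def risk_report(records, policy):
    """Summarize re-identification exposure: the smallest equivalence class
    and the fraction of rows that are unique (Sweeney's 12% / 29% / 69% / 97%
    figures are this statistic for the Cambridge voter list)."""
    ks = k_values(records, policy)
    unique = sum(1 for k in ks if k == 1)
    return {"min_k": min(ks), "unique_fraction": unique / len(ks)}


def release(records, policy, k_min):
    """Generalize with the policy, then suppress rows whose equivalence class
    is smaller than k_min. Every surviving row shares its quasi-identifiers
    with at least k_min - 1 others, i.e. the output is k_min-anonymous."""
    ks = k_values(records, policy)
    return [{"qi": policy(r), "dx": r["dx"]}
            for r, k in zip(records, ks) if k >= k_min]


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:15s} {risk_report(RECORDS, policy)}")
    print(release(RECORDS, POLICIES["zip3+year+sex"], 2))
```

Run as-is, the report shows the raw release leaves six of eight rows unique, dropping ZIP still leaves three unique, and only the coarsest policy reaches `min_k` of 2 on this sample; `release` with `k_min=2` keeps seven rows and suppresses the one outlier. Whether a given `k_min` is acceptable depends on what population registers the recipient could link against, which is exactly the point of the paragraph above.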


Maine Reverts Back to Opt-Out Approach for HIE
Posted by Helen Oscislawski on June 13, 2011

In my previous post (April 26, 2011), I discussed legislation proposed by privacy advocates in Maine which would require, among other things, that patients "opt-in" before any information could be collected, accessed or disclosed through Maine's HIE HealthInfoNet. Although HealthInfoNet currently operates under the "opt-out" approach, privacy advocates had pushed for the legislation in order to more adequately safeguard patient privacy. Stakeholders had decided early on in the HIE's development that opt-in was not practical and as such, patients would be automatically enrolled in the HIE. Patients could then exercise their choice to opt-out and have their information deleted from the HIE's central data repository...

The challenges are legion, are they not?

Awesome blog, btw, Ms. Oscislawski.

But, wait, there's MORE!

For state HIE, patient opt-out a thorny technical issue

For all state health IT coordinators, providing patients with privacy and control of their health data is a priority. For many, it's also a legal mandate, with data privacy rules differing from state to state. However, building the IT back-end to support this flexibility in state health information exchanges, or HIEs, isn't a simple undertaking, said speakers in a session at the Health IT Connect conference in Washington D.C...

...The toughest part for state HIE architects who must support partial opt-out policies may very well be giving patients the ability to shield the disclosure of conditions such as HIV/AIDS, substance abuse or behavioral health treatment. Robinson said it's one thing to make an HIV test invisible, but someone seeing a health record might be able to figure out a person has HIV in other ways -- for example, by seeing that he takes a particular medication...

...Amy Zimmerman, chief of health IT for the Rhode Island Department of Health, said her state HIE's consent model is opt-in, with no data going into the HIE unless a patient enrolls. There are three levels of access the patient can choose upon enrolling -- full but temporary access for emergency treatment, the minimum to which all enrollees consent; a "HIPAA consent" level that gives access to all providers in the course of treatment, and a third consent level that gives permissions to individual providers.

It took 18 to 24 months of discussions with community stakeholder groups to arrive at this model, she said. It was a compromise, because in those discussions Rhode Island authorities found that each group -- providers, patients, and a legal advisory board -- were divided in their feelings toward an "all-or-nothing" opt-in approach to sharing patient data...
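Two of the back-end problems named in that article, a tiered opt-in consent model like Rhode Island's and the inference gap Robinson describes (hide the HIV test, but the medication still gives it away), can be made concrete in a small disclosure filter. The following is an added example in Python, not code from Rhode Island's HIE or any vendor; the three consent levels follow the article's description, while the chart entries, category tags, provider ids and the rule that an entry is withheld when any of its categories is shielded are my own constructions. The design point is that sensitivity is tagged on every chart entry that can reveal a condition, not only on the diagnosis or lab line.

```python
from dataclasses import dataclass

# Constructed patient chart. Each entry carries the sensitivity categories it
# could reveal; tagging the medication with the same category as the lab
# result is what closes the "figure it out from the drug" inference gap.
CHART = [
    {"kind": "lab",  "name": "CBC",                    "categories": frozenset()},
    {"kind": "lab",  "name": "HIV-1 antibody",         "categories": frozenset({"hiv"})},
    {"kind": "med",  "name": "antiretroviral regimen", "categories": frozenset({"hiv"})},
    {"kind": "note", "name": "counseling visit",       "categories": frozenset({"behavioral_health"})},
    {"kind": "med",  "name": "lisinopril",             "categories": frozenset()},
]

LEVELS = ("emergency", "hipaa", "provider")   # as described for Rhode Island


@dataclass(frozen=True)
class Consent:
    enrolled: bool = False                 # opt-in: nothing enters the HIE otherwise
    level: str = "emergency"               # one of LEVELS
    named_providers: frozenset = frozenset()   # used only at the "provider" level
    shielded: frozenset = frozenset()      # categories the patient chose to withhold


def authorized(consent, provider_id, purpose):
    """Decide whether this provider may see the record at all for this purpose.
    Purpose is "emergency" or "treatment"; anything else is refused."""
    if not consent.enrolled or consent.level not in LEVELS:
        return False
    if purpose == "emergency":
        return True                        # the minimum every enrollee consents to
    if purpose != "treatment":
        return False
    if consent.level == "hipaa":
        return True                        # all providers in the course of treatment
    if consent.level == "provider":
        return provider_id in consent.named_providers
    return False                           # emergency-only enrollee, routine request


def disclose(chart, consent, provider_id, purpose):
    """Return the entries the provider may see, or None when access is refused.
    Shielded categories are applied to every entry kind, so a medication tagged
    "hiv" disappears along with the lab result. (Whether an emergency
    break-glass should override shielding is a policy choice not modelled here.)"""
    if not authorized(consent, provider_id, purpose):
        return None
    return [e for e in chart if not (e["categories"] & consent.shielded)]


def visible_names(chart, consent, provider_id, purpose):
    """Convenience wrapper: entry names disclosed, or None."""
    result = disclose(chart, consent, provider_id, purpose)
    return None if result is None else [e["name"] for e in result]


if __name__ == "__main__":
    c = Consent(enrolled=True, level="hipaa", shielded=frozenset({"hiv"}))
    print(visible_names(CHART, c, "dr-a", "treatment"))
    # Shows CBC, counseling visit and lisinopril; both HIV-tagged entries are gone.
```

A real implementation would also carry the "temporary" aspect of emergency access (an expiry on the grant) and an audit record of every decision, neither of which the article details, so neither is modelled here.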

18 to 24 months? Yikes. We have, uh, like three? Well, in fairness, we're not the "state HIE," either. Our State government HIT entity can't even get their Medicaid provider Meaningful Use attestation portal up and running (rumor is it's going to be yet another year or more, all while an increasing number of states are taking attestations and disbursing incentive funds).

And the hits just keep on comin'...

Medical Privacy Issue: FICO Medication Adherence Score Coming
By George Gombossy | Last updated Jun 24, 2011, 11:05 am

Think you have little privacy now, wait until FICO, the company whose credit scores are frequently used to gauge your credit worth, launches a new program that will allow companies to determine how likely you are to take your medicine properly.

In a recent New York Times article, FICO has “developed a new FICO Medication Adherence Score that it says can predict which patients are at highest risk for skipping or incorrectly using prescription medications.”

“We started thinking about how do consumers behave as patients,” Mark Greene, the chief executive of FICO, based in Minneapolis, told the Times. “The problem, from a math standpoint, is not all that different from banking and other industries.”...

Jeez... I laughed when I saw that headline, even though it's not really funny. I used to work in credit risk modeling and management. See here and here.

Hmmmm... have to wonder where they'll get their data for mining and modeling?


An Indiana man says a blood donation center rejected him as a donor because he appears to be gay--even though he isn't. Aaron Pace, 22, recently visited Bio-Blood Components Inc., in Gary, which pays up to $40 for blood and plasma donations. But during the interview process, he said, he was told he couldn't give blood because he seems gay. Though Pace is "admittedly and noticeably effeminate," according to the Chicago Sun-Times, he says he's straight. "It's not right that homeless people can give blood but homosexuals can't," Pace told the paper. "And I'm not even a homosexual."...
OK, what, you might ask, does that have to do with HIT/HIE?

Well, consider this:

By jsimmons
Created Apr 7 2011 - 10:54am

Using electronic health records (EHRs) to gather data on sexual orientation and gender identity in federally funded surveys could help providers address specific healthcare issues among lesbian, gay, bisexual, and transgendered (LGBT) individuals, according to a new report released by the Institute for Medicine (IOM).

These questions about sexual orientation and gender identity, however, should be standardized to allow for the comparison and combination of data across large studies to analyze the unique needs of the LGBT population, added the report, which was prepared for the National Institutes of Health (NIH) to examine specific research needs.

Among the recommendations in the IOM report is that the Office of the National Coordinator (ONC) of Health IT include the collection of data of sexual orientation and gender as part of its Meaningful Use objective for EHRs to record demographics: This would mean that data on sexual and gender minorities would be included within the demographic information in the same way that race, language, and ethnicity data are now collected ...
That will be interesting. The "social conservative" howling, outraged opposition attack lines just write themselves. Beyond that, there will be major discomfort in many provider offices simply asking for such information. I brought it up to a doc yesterday, and she affirmed that concern.


My REC blog is now a bit more than a year old. If you Google "rec blog" without the quotation marks, you get 77.5 million results. The first of which is my blog. Encase the phrase in quotes and the number drops to 50,400. Again, the first of which is mine. Pretty pleased with that.

Didn't cost me a penny. Meta-tags, baby. My relative handful of reciprocal links don't hurt, either, but it's mainly my tags "under the hood."



July 11, 2011

CareSpark Ceases Operations of Regional Health Information Exchange

CareSpark’s Board of Directors voted recently, with regret, to cease operations. CareSpark, despite great effort, was unable to transition from a grant and contract based nonprofit organization to a user subscription and revenue sustained entity. The Board believes this is a great loss to the region and believes that other resources needed to provide exchange services, assist providers in meeting meaningful use requirements and CareSpark’s core mission of regional health improvement through health information sharing will need to develop.

CareSpark was formed in 2005 after a two year health improvement planning process and is a regional 501(3)c non-profit organization to improve health for people in northeast Tennessee and southwest Virginia. In May CareSpark took its services offline to finish developing a new infrastructure that it hoped would meet the needs of local healthcare providers and bring additional value that providers would be willing to support financially. Because the level of financial support for this new infrastructure was not available, it was not brought online. In expectation of this new infrastructure all connections have been terminated.

CareSpark is working to contact the 38 health organizations with whom it had data sharing agreements to arrange a meeting to complete planning for a secure and orderly transition. CareSpark remains committed to safeguarding the data entrusted to it and to be transparent and community focused as it wraps up its affairs over the next several months. In addition to the data participants, CareSpark is contacting all other parties with which it has contractual relationships.

CareSpark is deeply appreciative of the more than 250 volunteers from around the region and beyond who invested their time and talent in this regional collaborative vision that achieved an operational standards-based technical infrastructure, nationally recognized data exchange capabilities and an exceptional community driven governance structure. CareSpark gained national visibility as one of nine communities involved in the development and demonstration of a Nationwide Health Information Network. These milestones were achieved so that no matter where or when a patient received care in the region and beyond, the information would be accessible to diagnose and treat patients optimally to improve care outcomes, lower stifling health care costs and reduce disproportionately high rates of diseases in the region.

During this period of winding up its affairs, the CareSpark Board of Directors remains in place to oversee the proper and orderly dissolution and termination of CareSpark’s business. All alternatives to closing have been, and will continue to be, investigated.

Wow. A cautionary tale.


During one of my earlier posts (last year) I alluded to reports of calls for FDA regulation of EHRs as de facto "medical devices." Well, this was in the news earlier this week:
...the FDA has begun regulating EHRs as medical devices because, according to the agency, health IT has advanced so far that the professional intermediary is no longer required or used. Thus, under the Federal Food, Drug and Cosmetic Act, health IT is characterized as a medical device. Per voluntary reports from patients, clinicians and user facilities, the FDA has cited data indicating 260 reports of health IT-related adverse events, including 44 reported injuries and six reported deaths, resulting in the agency issuing its final rule in February classifying “Medical Device Data Systems” as low Class 1 medical devices, requiring post-market surveillance.

Oh, really? I checked with the FDA.

To answer your question, FDA’s role for EHR is not finalized. Role of FDA and other federal agencies with regards to safety of EHRs is being discussed and led by Office of the National Coordinator (ONC).

Should you have further questions, please feel free to contact us. Thank you.

VJ Huang
Consumer Safety Officer
International Relations and External Affairs Staff
Division of Small Manufacturers, International and Consumer Assistance, OCER
Center for Devices and Radiological Health
U.S. Food and Drug Administration (FDA)

The operative CFR Final Rule pertaining to "Medical Device Data Systems" at this point is 21 CFR 880 (see page 8647, 2/15/11):
EHR and PHR systems are not included in this rulemaking, and RIS are already regulated and would not be affected by this final rule.

OK. Whatever. See also "Integration of HIT & Medical Devices."


Health Information Exchange moves closer to reality in Nevada
John Seelmeyer, 7/25/2011

Supporters of a system that will allow hospitals, physicians and others in Nevada to share patient information in real time across digital networks are confident they’ve found the right technology to get the job done.

Now they need to get often-competitive, often strongly opinionated hospital executives, physicians and others in the health care industry to break down the walls that have kept them from sharing information in the past.

HealthInsight Nevada, a Las Vegas-based nonprofit that spearheads efforts to improve the quality of health care delivery in Nevada, this month launched its community-based health information exchange in the state...