Seems like the comments being made on posts and being emailed to me have been really interesting lately. As I often like to do, I want to highlight those that provide interesting stuff in the comments since many people don’t read all the comments. Here’s one such comment from ip-doctor on my post about de-identified healthcare data.
I am interested in knowing how readers answer John’s question re position on use of de-identified data. My guess is that people don’t know it’s going on and will object to it happening in principle.
Securing PHI feels a lot like Y2K. No doubt breaches occur, and, when they do, they are certainly costly for the offending HCO, but how many examples are there of leaked information being used to harm someone? Seems like the same proscriptions vs. extortion, blackmail, and libel would prevent individuals from using illegally obtained PHI to harm patients.
In fact, the odds that there is a Person A who wishes to harm Person B AND who somehow comes up with Person B’s sensitive PHI AND is able to use it to harm Person B without Person B having ample legal recourse against Person A are hopelessly LONG. Breaches of thousands/hundreds of thousands/millions of records are too large and unspecific to be “used” for nefarious purposes.
We need to secure PHI, but we are hoisting ourselves on our own petards if we let legitimate concerns about the use of patient data block or slow our adoption of EMRs and HCIT for ACOs and PCMHs. Just as there are real benefits associated with use of de-id’ed patient data, there are (significant, hidden) costs with not sharing health data.
The irony here is that the most common, undeniably harmful use of sensitive PHI has been to deny coverage to patients with pre-existing conditions. Kind of makes sense. It is, after all, health information.
Nothing like sharing a post about the fears and challenges associated with sharing data and privacy and following up with a post that talks about how it might not be as big of a risk as many like to make it. Of course, the happy place is somewhere in the middle where we do a good job securing the data while as HIPAA outlines, we avoid placing an undue burden on patient care.
OptumInsight has deep expertise in working with PHI and de-identified data, and so we recently published a practial guide to help physicians better understand the issues and take steps to secure data used in their practices. Here is a link: http://www.optuminsight.com/resources/browse/articles/optuminsight-offers-simple-steps-physicians-can-follow/.
I hope this is helpful.
More irony – based on the changes made to regulations in the health insurance industry, by January 1st, 2014 (I believe) insurance companies will no longer be able to deny coverage for pre-existing conditions, thus removing that argument against information sharing from the equation (in theory!). See http://www.healthcare.gov/law/timeline/index.html for more.
Information security appropriately applied will easily contain all requirements for compliance…At issue today is the minimalist view of information systems built to meet compliance requirements which becomes the measure of PHI being properly secured, which is completely wrong-headed.
Jon,
You bring up a good point. Will we care if the insurance companies get our information if they can’t deny us insurance? I haven’t looked at the law, but just because they can’t deny us doesn’t mean they can’t jack up our insurance rates so high that they effectively deny us, right? Or does the law have a provision for that too?