The economic stimulus package, signed into law last February, will pour an unprecedented $19 billion into health information technology. Many policymakers believe that broad use of this technology has the potential to improve health care quality, reduce costs, increase patient participation in decision-making, and prevent medical errors. However, it raises many concerns about the security and privacy of medical records.
On October 8, 2009, Brooklyn Law School's Center for Health, Science and Public Policy sponsored a theory-practice seminar, “eHealth? New Challenges for Information Privacy and Security.” Professors Karen Porter and Derek Bambauer introduced a panel of experts to discuss a range of policy changes that could enhance privacy protections.
Stefaan G. Verhulst, the Chief of Research at the Markle Foundation, described research on consumers’ views of technology and privacy issues. He said that there is a great deal of fear about loss of privacy and theft of medical information, yet, at the same time, there is a great deal of comfort with technology and willingness to use it. Verhulst emphasized the need for core privacy principles, sound network design, and government structures. He offered nine principles: openness and transparency, purpose specification, collection and use limitation, individual participation and control, data integrity and quality, security safeguards and controls, accountability and oversight, and remedies.
Deven McGraw, Director of Health Privacy at the Center for Democracy and Technology, is one of three appointees of Secretary of Health Kathleen Sebelius to serve on the Health Information Technology Policy Committee. She addressed the need for a "comprehensive framework that builds off of HIPAA," the Health Insurance Portability and Accountability Act of 1996. She said that systems that depend upon patients to determine the use of electronic health records do not work well in practice. She explained that individual patients often do not understand what the implications are of their consent decisions.
Adding to the conversation about the implementation of government protections was Rachel Block, Deputy Commissioner for Health Information Technology Transformation at the New York State Department of Health. The department is working with the New York eHealth Collaborative (NYeC) in a public-private partnership to create what Block calls an innovative strategy to build consensus among hospitals and health care providers on systems and standards. Once the regulations and network structures are in place, the representatives of medical facilities – from doctors to attorneys – will be on the frontlines of an interconnected system.
Maxine Fass ’80, Senior Vice President, Chief Legal Officer and General Counsel for New York-Presbyterian Hospital, provided a different perspective, as one who is on the frontlines, dealing with both regulatory and technological changes. She said that even with the most stringent protections in place, human error or greed can undo it all. In her experience, breaches of security have been very low-tech in nature. She recounted a story about a hospital employee who duplicated financial information in the simplest manner, on a copy machine, and sold it on the street. Technology in and of itself is not the issue, she said, and there is no technical solution that can ensure health care privacy.
by Christiane Culhane ’10