Another privacy survey /
HHS plans survey on IT privacy, security issues
HHS plans to finance a public opinion survey on attitudes about health information privacy and security, but several privacy advocates are wondering why bother, given the predictability of the results from previous surveys.
Last month, the Office of the National Coordinator for Health Information Technology at HHS posted without fanfare a public notice regarding its intent to conduct for the survey under the project title, “Attitudes Toward Electronic Health Information Exchange and Associated Privacy and Security Aspects.”
According to HHS, “Based on findings from a comprehensive literature review, little is known about individuals’ attitudes toward electronic health information exchange and the extent to which they are interested in determining by whom and how their health information is exchanged.”
The ONC noted it plans to obtain a representative, nationwide sample of opinion based on computer-assisted telephone interviews conducted over an eight-week period. The ONC also plans to hold a Web seminar prior to posting the final survey report online—at healthit.hhs.gov.
The declaration that the ONC conducted a “comprehensive literature review” but found that “little is known” about public attitudes toward privacy and security in health information exchange left several health privacy advocates puzzled.
Pam Dixon, founder and executive director of the World Privacy Forum, termed the HHS conclusion “an intriguing result from a supposedly comprehensive literature survey.”
Off the top of her head, Dixon rattled off the work of the California HealthCare Foundation and the National Committee on Vital and Health Statistics as examples of recent healthcare privacy studies that she thought might be pertinent to HHS’ line of inquiry.
Mark Rothstein is the founding director of the Institute for Bioethics, Health Policy and Law at the University of Louisville (Ky.) School of Medicine. He is a past member of the NCVHS, an HHS advisory body, and from 1999 through 2008 served as chairman of the NCVHS subcommittee on privacy and confidentiality.
In June 2006, the NCVHS submitted a report to then-HHS Secretary Mike Leavitt titled Privacy and Confidentiality in the Nationwide Health Information Network making 26 recommendations. In it was included a definition of health information privacy as “an individual’s right to control the acquisition, uses or disclosures of his or her identifiable health data.”
Rothstein, in an interview for this story, concurs, in part, with Dixon.
“There have been a number of studies on the issue of the electronic health record,” Rothstein says. “I don’t know how many studies on the narrower issue of health information exchange.”
In addition to its place in the NCVHS’ work, patient concern over healthcare information privacy and patients’ expectation of a right to exercise control over who sees their health information have been recurrent—almost universal—themes in public opinion surveys, Rothstein says. Those two well-documented, baseline beliefs make the ONC’s quest for more information on the subject a bit puzzling.
“The only thing I can think of is they’ve got in their minds some specific thing they want to study that nobody else has done,” Rothstein says. “That’s the only thing I can think of that would make sense, so otherwise, why reinvent the wheel because pretty much all of the studies say the same thing.”
Among several other studies, HHS’ Agency for Healthcare Research and Quality last summer contracted for and released its 75-page Final Report: Consumer Engagement in Developing Electronic Health Information Systems.
Based on knowledge gleaned from 20 focus groups held across the country, the AHRQ study concludes that a majority of participants want to “own” their health data and decide what goes into and who has access to their medical records. There was “near universal agreement in all the groups” that consumers should have a say in how their data are shared and used, according to the AHRQ report.
The report states that “the public is very concerned about the privacy and security of their medical data. With only a few exceptions, this concern is a matter of principle—a feeling that one’s medical data is “no one else’s business.” In addition to its own work, AHRQ researchers also conducted a review of previous studies done by others, concluding, “Past surveys have confirmed that healthcare consumers’ most important concerns about health IT revolve around the issues of privacy and security.”
So far, HHS has not conceded that patients should have a right to control their healthcare information. In December 2008, in the waning days of the George W. Bush administration, the ONC issued its 12-page Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, which apparently rejected the NCVHS’ recommendation on a privacy definition.
In it, the ONC defined privacy not in terms of a patient’s right to control his or her information, but as, “An individual’s interest in protecting his or her individually identifiable health information and the corresponding obligation of those persons and entities, that participate in a network for the purposes of electronic exchange of such information, to respect those interests through fair information practices.”
Jodi Daniel, director of the Office of Policy and Planning at ONC, says RTI International, the contractor hired by HHS to perform the work to create the Health Information Security and Privacy Collaborative, performed the scan of privacy and security literature and will complete the survey under the “tail end” of a contract that dates back to 2006. The new survey was deemed necessary to gain a larger scale than the AHRQ study and to more specifically address information exchange, she says.
Steven Posnack, the ONC project officer on the survey, says the survey will cost approximately $400,000, including data analysis and reports. Posnack said he hopes to have a final report by Oct. 1.