Deven McGraw is the Director of the Health Privacy Project at the Center for Democracy and Technology and a member of the HHS Health IT Policy Committee where she serves on the Meaningful Use Workgroup and co-chairs the Health Information Exchange Workgroup. She recently sat down with ExecutiveBiz to discuss how security regulations need to change to incorporate health data exchange. She also spoke about how “meaningful use“ will change the implementation of health IT.
ExecutiveBiz: How is the Center for Democracy and Technology involved in healthcare IT?
Deven McGraw: We are making sure that as federal efforts move forward to promote use of electronic medical records and build a health IT infrastructure for the nation there are strong and effective protections in place for privacy and security. We do think that this effort has tremendous potential to improve our nation's health care system. But if we don't acknowledge the increased risks to privacy and effectively address them, patients and providers won't trust the new e-health systems and the effort will fail. We provided technical assistance to legislative staff during the consideration of the economic stimulus legislation and, we are continuing to play an active role in implementing the provisions, focusing in particular on those dealing with privacy and security.
ExecutiveBiz: I know you are an advocate of de-identified data. Can you describe that and how it differs from our current system?
Deven McGraw: What I'm an advocate for is using the minimum amount of data that is necessary in order to accomplish a particular appropriate healthcare goal. The de-identification or the anonymization issues are not as relevant when you are talking about use of information to treat an individual ““ but they do arise when you are talking about gathering data for public health, biosurveillance, comparative effectiveness or to measure the quality of care that is provided by a certain physician or hospital institution. For a number of those purposes we don't need to use fully identified data in order to accomplish that task. It is much more privacy protective to access data in what I will call “lesser identified form“ ““ where identifiers are masked or stripped out of the data or, even better, the data is protected by strong cryptography or other techniques ““ and yet the data is still useful for its intended purpose. We do have a de-identification standard in the HIPAA privacy rules, but it is in need of an update. In the five years since that standard was initially adopted the amount of publicly available data that is available has greatly increased and yet the standard for ensuring that data cannot be easily re-identified has never been revised. We need to update and strengthen our standards for de-identification and ensure we have greater accountability for re-identification.
ExecutiveBiz: Are there any legal obstacles? What laws or regulations could be changed?
Deven McGraw: We have begun the process of updating our privacy and security laws to meet the challenges raised by the new e-health environment, but there is still a lot of work to do. For example, we have “personal health records“ being offered by companies that are not part of the traditional health care sector ““ which means the potential ways that they will use the information in these records raises privacy risks that would be insufficiently addressed by our existing federal privacy rules. If people cannot trust that the data they put in their personal health records is protected, they won't use these tools ““ and the potential of these tools to facilitate greater patient engagement with the health care system will be lost. The absence of a federal privacy and security framework of rules to protect individuals who use these tools is one reason why they have had very low uptake to date. The other area where we need more work is with respect to these new health information exchange networks, and having some more clear policies regarding how data can be accessed from and shared through these networks ““ and of course, who is going to be responsible for setting and enforcing those rules. HIPAA sets a baseline of rules to govern internal uses of data by health care institutions, but it doesn't address all of the issues that arise with respect to these networks. For example, HIPAA allows for doctors and hospitals to access data for treatment, payment, and healthcare operations but what is a healthcare operation for a regional health information organization? Do they have a legitimate, independent need to access data? What should be the rules with respect to using these networks for research? There are a host of questions that will need to be addressed as we move to more widespread adoption of these electronic tools and electronic health information exchange.
ExecutiveBiz: Vish Sankaran has come out and said that we need a “FISMA lite“ or a “HIPAA plus“ program. How do you think we could modify those regulations to make realistic security standards?
Deven McGraw: He is right that we need a stronger set of security rules to address the increased risks of an electronic environment, but they shouldn't be “lite.“ The healthcare industry is a little bit behind other industries that depend on sensitive data, especially with respect to security. Most industries that routinely handle personal data and even administrative agencies will encrypt it to protect it from inappropriate access. Encryption is a widely used security technology that is also relatively cheap to implement, and yet it's use in healthcare is relatively rare. The perception among many in the healthcare industry is, “well if we have to encrypt this data, then it will slow down the transactions.“ My understanding from talking to individuals in other industries, as well as security experts, is that the speed of the transaction is not slowed to an appreciable amount to outweigh the benefits in additional security that you get through encryption. Too many in the health industry have been using and sharing data in ways that are not very secure. Given that we are trying to push all of health care into an electronic realm where it is more vulnerable, we need to be thinking much more seriously about security requirements.
ExecutiveBiz: What are you doing in the Health IT Policy Committee to come up with new security regulations and criteria?
Deven McGraw: A number of the entities impacted by the stimulus legislation are covered by HIPAA, and upgrading the HIPAA and improving its enforcement are critical to improving how the health care industry addresses data security. But there are also are ways to use the stimulus funds to leverage greater improvements in security, and the Policy Committee will be taking up those issues this year. We have focused most recently on the criteria for “meaningful use“ ““ and we have already recommended that CMS consider requiring compliance with HIPAA and a security assessment to satisfy the meaningful use requirement in 2011. On our agenda for the calendar year how privacy and security will need to be addressed by e-health systems in order for them to be certified (and therefore eligible for federal incentives), as well as what will be the privacy and security components of “meaningful use“ in 2013 and 2015. Many of these questions invoke both policy and health IT standards, so we hope to be working closely with the HIT Standards Committee to help develop and implement strong policies in this area.
ExecutiveBiz: How do you think the “meaningful use“ criteria are going to affect the adoption of health IT?
Deven McGraw: The meaningful use criteria are critical and are the way we ensure that the stimulus money is directed at transforming the health care system through the use of technology and not merely funding the purchase of something that sits on a desk and is never or is only ineffectively used. The criteria must be tied to achieving healthcare goals because health IT is really just a tool of healthcare reform. Otherwise all we are doing is just digitizing the current silos of care that exist today in paper form and spending more money in the process. We must use the “meaningful use“ provisions in the statute to drive the use of technology in ways that will ultimately improve the health of individuals and the health of the populations.
ExecutiveBiz: What do you see as the biggest obstacle in adopting health IT?
Deven McGraw: There are a couple of very big issues to address. The first, of course, is ensuring we have a comprehensive privacy and security framework in place that builds public trust in these new e-health systems. The other big obstacle is getting providers to willingly share data about their patients with other providers. There is almost a financial disincentive to share data that has to be overcome, and the payments that are made through the economic stimulus legislation are only a partial solution. We also need to address this through payment reform and health reform. We need to direct financial incentives at achieving good health outcomes, so that there are incentives to share data so that the patient's care can be better coordinated and there are incentives to use electronic records that will better enable physicians and other care providers to make better treatment decisions. Only then will we start to see some success in breaking down the financial barriers that are as big an obstacle as those created by gaps in privacy and security.