Comments by THINC RHIO, Inc. Posted on January 31, 2008
Page # | Line # | Comments/Criticisms | Suggested Alternatives |
---|---|---|---|
30 | 39-42 | The document states: "By requiring a simple access consent on a State approved form that covers all types of health information, the recommended policies adopt a straightforward and easily implementable solution for provider organizations that mirrors the process already in place." THINC RHIO's Comment: THINC RHIO is concerned about the practicality of the proposed solution because it does not mirror a key element of the patient-provider relationship that is currently in place. As noted in the White Paper on page 14, line 10, consent to share a patients' health information in New York "may be verbal or even implied for most types of health information." It is our experience that the majority of physicians currently rely on consent that is implied in order to disclose common types of health information. In order to comply with the proposed consent approach, providers and their staff will have to change existing procedures and commit additional resources beyond their current practice of obtaining implied consent and acknowledgement of patients' review of the HIPAA privacy practices. Some providers may decide that the additional administrative overhead for participating in a RHIO is not commensurate with the potential benefits. If this holds true, many physicians (especially those in small and medium sized practices) may choose not to participate in RHIOs and instead rely on their current data exchange mechanisms (e.g., via mail, phone, fax, or electronically through other one-to-one mechanisms). |
In light of the potential unintended consequences of deterring physician participation in health information exchange, we recommend the State consider the following options:
|
7 | 13-20 | THINC RHIO agrees that the success of health information exchange will depend upon the extent to which patients trust the proposed health information exchange. A number of surveys demonstrate that consumers are concerned about the privacy of their health information in the context of it being available via health information exchange. According to results of a study conducted for AARP in February 2006, Americans are concerned about the risks introduced by the use of electronic health information systems. In 2005, a Harris survey showed that 70 percent of Americans are concerned that an electronic medical record system could lead to sensitive medical information being exposed because of weak security, and 69 percent are concerned that such a system would lead to more personal health information being shared without patients' knowledge. These studies suggest that consumers are primarily concerned about the risks of weak security mechanisms and controls of the systems that maintain their data. Based on these data and the collective experience of THINC RHIO's Privacy and Consumer Committee, we believe that "consent," while important, may not be the most critical element to building consumer trust. |
We believe that this section of the White Paper should reference the rules for notification of unauthorized disclosures in accordance with the New York Information Security Breach and Notification Act of December 2005. In addition, the State should issue policy directions requiring funded grantees to implement a common set of practices that address:
|
26 | 21-23 | The document states: "RHIOs and participants must make available to the consumer upon request an audit trail of the consumer's health information accessed through the RHIO." THINC RHIO's Comment: THINC RHIO believes that the availability of access logs will be an important element to consumers' trust of health information exchange in New York. We believe that additional information regarding what constitutes an audit trail and its availability would serve to augment this important component. |
We recommend the inclusion of additional details that require audit logs to include information on who has accessed a patient's record, when was it accessed, and what data were accessed. We also recommend the audit rules include requirements that: (1) consumers be informed of this capability in the consent forms they sign, and (2) consumers have readily-available mechanisms to obtain their health information audit logs. We are aware of and suggest the State assess the efficacy of tools like the PatientSite, which was created by the Boston-based CareGroup healthcare system and has a simple consumer audit log browser that is widely utilized. |