Comments by Claudia Williams Posted on February 1, 2008

These comments are submitted by the Markle Foundation based on its work with Connecting for Health and the Center for Democracy and Technology.

Page # Line # Comments/Criticisms Suggested Alternatives
7 9 to 20 We commend the New York HISPC team for taking a step in outlining policies to support statewide health information exchange. All too often this challenging work of setting information policies happens late in the process of developing technology or not at all. It is absolutely critical to adopt a shared set of policies and approaches to protect consumers and their health information early in the development of any health information exchange (HIE) effort. The New York HISPC team is clearly playing a much-needed policy development role, and we are grateful for the opportunity to provide our feedback below.
    Once again, we commend New York for its efforts to establish a policy framework for statewide health information exchange. Furthermore, we appreciate the complexity of the task and the urge to accelerate implementation. But adopting this uniform consent approach in the absence of policies to address the remaining tenets of Fair Information Practices is not advisable. We encourage you to develop a comprehensive framework for statewide health information exchange that specifically:
    Our suggestions center on the need for a more complete approach to privacy and security that gives broader guidance to entities participating in information exchange, minimizes the unintended consequences of a partial approach and creates more reliable protections for New York consumers.
    1. Addresses the nine foundational privacy principles
    2. Implements privacy through technology
    Considering Consent Policies in Isolation Is A Strategic Mistake
    Connecting for Health (www.connectingforheath.org) is a collaborative of more than 100 leading private and public organizations including experts in clinical medicine, information technology, public policy and patient privacy. The collaborative is led by the Markle Foundation and funded by both Markle and the Robert Wood Johnson Foundation.
    Addressing consent policies in isolation, without the full complement of principles reflected in Fair Information Practices, while well intentioned, can have the unintended effects of undermining public trust in health information exchange efforts and weakening consumer protections. It can also have the added effect of skewing project development away from privacy-protective technologies and principles that are equally if not more important than consent. New York's white paper recognizes the limits of consent when it states that a consent policy is only one of the policy elements that are needed to protect privacy. Although the need for such a "suite" of policies has been identified, however, New York has not yet addressed the other essential elements of this framework.
    In 2006, the collaborative released the Connecting for Health Common Framework, a set of resources for implementing private and secure health information exchange (see Connecting for Health Common Framework: "P1: The Architecture for Privacy in a Networked Health Information Environment" and other documents indicated in footnotes below available at www.connectingforhealth.org). The Markle recommendations could serve as the starting point for New York to adopt the needed framework addressing policies and approaches for:
    In what follows, we underscore the need for a systematic and architectural solution and the reasoning behind it. Before finalizing the approach to consent, New York should consider the privacy principles and technical requirements needed to earn public trust in health IT.
    We urge you to take a leadership role in building the public's trust in statewide information exchange by adopting a comprehensive approach to privacy and security. If helpful to you, we stand ready to contribute to that effort.
    Limits on the collection and use of data[1]
    Auditing access to and use of information exchange[2]
    Purpose specification[3]
    Authentication of system users[4]
    Remedies for breach or abuse[5]
    Approaches to data security and integrity[6]
    A decentralized "network of networks" approach to statewide information exchange[7]
    Since 1973, implementation of Fair Information Practices (FIPs) worldwide has emphasized the interrelated principles required to protect patient information. These principles point to the need for policies not only on consumer choice, but also regarding setting limits on data collection and use, ensuring patients' access to information and providing rigorous user authentication and other appropriate mechanisms to address data security and breach. Considered and applied together with technology choices, the principles can produce an integrated and comprehensive approach to privacy. It is critical that the principles be applied as a cohesive package since elevating certain practices and principles over others can weaken the overall approach. Attempting to rely on consent alone to protect consumers without addressing the full set of privacy principles will result in several unintended consequences:
    Taking this approach will mean stepping back from the particulars of consent and considering the broader set of issues in a more holistic and comprehensive way. Doing so will require time and effort, but will be a critical investment in the ultimate success of the state's vanguard information exchange efforts. We would like to work with New York and support its efforts to develop a framework that addresses the state's concerns and the policy and technology attributes that should be addressed at this key juncture.
    Consent to what? The consumer faces the fundamental question: what am I consenting to? The "other" information policies for New York—thus far unspecified—should describe the permitted uses and controls on personal health information, as well as the processes that would mitigate or mediate abuse. Consumers can only provide meaningful consent when they are fully informed about when and under what circumstances their information will be shared and how it will be protected.
    We believe that this approach will yield tangible rewards. A policy framework can reduce risks for new entrants and provide greater market certainty for investment. The long-term value in an open set of standards and policies can create low barriers to entry, encourage innovation, maximize competition for privacy and security protections and reduce costs.
    Weaker consumer protections. Consent policies, taken alone, can undermine other elements of the framework, resulting in weaker consumer protections [1]. Privacy and meaningful consumer control are established by a combination of practices—and rarely by consent alone. It is impractical to expect that consent will work on its own to protect consumers. This approach places an unfair burden on consumers—rather than on systems, rules and processes—to protect and safeguard personal health information.
    How should this translate into next steps for New York? Rather than promulgating a uniform consent approach as a stand-alone policy, perhaps the state could evaluate an alternative phased process for developing a more complete policy framework. As a possible first step in this process, health information exchange entities receiving new state funding could be informed about the state's desire to fulfill the principles articulated in FIPs. As part of the application or contract process, in addition to describing the technical approach, the HIE would also be asked to answer the questions outlined below addressing the nine core privacy principles. With these assessments completed, the exchanges could then be asked to participate in a collaborative process, led by the state, to share ideas and develop new strategies to address gaps, identify challenges and ultimately contribute their experiences and ideas to the development of a comprehensive policy framework for statewide exchange.
    "All or nothing" blanket consents. Used alone, the operational requirements of obtaining consent often lead to the use of blanket consents that lack the granularity or specificity to address both the consumers' individual concerns and those of the data holders who may have differing views on the levels of protections that their participation in an HIE may require. Blanket consents give consumers "all-or-nothing" choices and no meaningful ability to "parse" and control how they want to share information and with whom over time. The "all-or-nothing" paradigm reflects the public debates that took place during the 1990s regarding opt-in versus opt-out. As we learned in those debates, the better question in assessing privacy and security protections is "what specific practices or policies am I being asked to opt into or out of?"
    This approach to policy development would be practical and collaborative, taking advantage of the relatively early development stage of many of the state's exchanges. The "bottom-up" strategy for policy development might also foster competition for the best ideas, generate buy-in from participating entities and allow the state to test different approaches to satisfying the nine core privacy principles before determining statewide policy.
    Reduced use of privacy-protective technology and policies. Focusing solely on consent also risks reducing the incentives to use privacy-protective technology choices. The use of consent on its own, and the sense of immunity it creates for the data holder, can have the effect of reducing motivation to adopt and implement other policies and technologies that can work in tandem to protect the consumer. For example, by adopting federated and distributed approaches to information exchange, entities can offer an additional layer of protection and control to consumers. They may be discouraged from continuing or adopting these approaches if one-time blanket consent models make these practices less necessary or seemingly more cumbersome. While the state indicates a desire to remain neutral on technology models, the unintended consequence of a singular focus on consent may well dictate the technology choice at this early and formative stage of HIE development, pushing entities into one-size-fits-all technical solutions that centralize patient data. A better approach would be to use a more complete policy framework to encourage privacy-protective technology and architectural choices that can mitigate the magnitude of privacy spills in the event of a breach.
    [1] See "P2: Model Privacy Policies and Procedures for Health Information Exchange" in the Connecting for Health Common Framework
    [2] See "P7: Auditing Access to and Use of a Health Information Exchange" in the Connecting for Health Common Framework
    [3] See "P2: Model Privacy Policies and Procedures for Health Information Exchange" in the Connecting for Health Common Framework
    [4] See "P5: Authentication of System Users" in the Connecting for Health Common Framework
    [5] See "P8: Breaches of Confidential Health Information" in the Connecting for Health Common Framework
    [6] See "T1: The Common Framework: Technical Issues and Requirements for Implementation" in the Connecting for Health Common Framework
    [7] See "T1: The Common Framework: Technical Issues and Requirements for Implementation" in the Connecting for Health Common Framework
    New York Should Adopt A Comprehensive Approach to Foster Trust  
    In order to protect patient privacy, establish public trust and ensure the success of statewide health information exchange, New York should develop a comprehensive approach to privacy and security that addresses core privacy principles and includes strategies to implement privacy through technology.  
    I. Core Privacy Principles  
    New York's statewide information exchange efforts should be based on a comprehensive set of policies reflecting the core principles of Fair Information Practices. For each principle, we have suggested one or more questions that could serve as assessment criteria for the needed policy framework to support the state's health information exchange efforts:  
    1. Openness and Transparency (Is it easy to understand what policies are in place, how they were determined, and how to make inquiries or comment? Is it clear who has access to what information for what purpose?)  
    2. Purpose Specification and Minimization (What is the purpose of gathering these data? Are the purposes narrowly and clearly defined?)  
    3. Collection Limitation (Are only those data needed for the specified purposes being collected, and are subjects fully informed of what is being collected?)  
    4. Use Limitation (Will data only be used for the purposes stated and agreed to by the subjects?)  
    5. Individual Participation and Control (Can an individual find out what data has been collected and exercise control over whether and with whom it is shared?)  
    6. Data Integrity and Quality (How are data kept current and accurate?)  
    7. Security Safeguards and Controls (How are the data secured against breaches, loss or unauthorized access?)  
    8. Accountability and Oversight (Who monitors compliance with these policies? How is the public informed about violations?)  
    9. Remedies (How will complaints be handled? Will consumers be able to respond to or be compensated for mistakes in decisions that are based upon the data?)  
    These principles for trusted information exchange should be addressed in policies that can be adopted by data sharing bodies, in the contracts among entities binding parties to their enforcement and finally in the technology tools used to support statewide exchange of data.  
    The privacy principles also emphasize the need for policy guidance on a range of issues including:  
    Limits on the collection and use of data  
    Mechanisms for audit  
    Purpose specification  
    Authentication of system users  
    Remedies for breach or abuse  
    Approaches to data security and integrity