| Page # |
Line # |
Comments/Criticisms |
Suggested Alternatives |
| 1-39 |
|
General introductory comments:
The NYCLU appreciates the thoughtful effort that has gone into crafting this proposal, and laud the goals of streamlining and improving patient care. We also recognize the committee's efforts to balance these goals with the critical task of safeguarding patient confidentiality. However, we believe that the protections outlined in this document do not go far enough to protect patient privacy. This proposal represents the spectre of the collection and centralization of the most sensitive and private data at an unprecedented level. We fear that the system, once created, will be vulnerable not only to breach, but also to increasing demands for access to the information from parties other than the intended beneficiaries, for example, insurers, state institutions or facilities, pharmaceutical companies, and even potential defendants in civil cases: in other words, anyone who could face liability or stand to profit from an individual's health care choices. Such potential outcomes |
Every effort must be taken, at the administrative, regulatory, and statutory level, to build the strongest possible protections into the system to safeguard this highly sensitive data from unauthorized disclosure and inappropriate use. See suggestions below. |
| 3 |
31 to 33 |
The document states that this proposal is being implemented "live," and thus presents a "unique opportunity to stress test new concepts." But permitting the system to become operational without first ensuring that adequate safeguards are in place to protect confidential information runs an unacceptably high risk that the "stress test" will be conducted at the expense of patient privacy. |
RHIOs should not be permitted to commence sharing this information in the absence of uniformity of privacy protections and a comprehensive and complete system of accreditation. |
| 5 |
1 to 4 |
Personally identifying information is not necessary for most purposes related to most clinical informatics services (CIS) |
It should be specified that personally identifying information is not necessary for most CIS, and that efforts should be made to use de-identified information wherever possible |
| 7 |
13 to 20 |
The document recognizes that "consent policies must be accompanied by a full range of privacy and security protections to earn patient trust and enable successful health information exchange." |
We agree that this is critical, and trust that DOH will be consulting with qualified professionals who have expertise to ensure the strongest possible technical precautions are taken to protect this most sensitive data. |
| 7 |
42 |
The document states that "RHIOs can, and hopefully will, play an important role in enhancing consumer access to their own personal health information." This should be stated as a main purpose of the project, not as an aspiration or possibility. |
It should be made clear that increasing access for consumers to their own personal health info is central, not aspirational. |
| 8 |
30 to 31 |
Sensitive data is not defined. The document does provide examples of certain types of data that may be considered "sensitive," e.g. data on care related to mental health, HIV status, and genetic testing. Care related to reproductive and sexual health is omitted from this list, which could create confusion. In addition, different individuals may consider different types of data "sensitive." For example, any number of medical conditions that some people are perfectly comfortable sharing information about may be considered deeply humiliating or embarrassing to others, (e.g., that the individual wears a hearing aid, dentures, or a colostomy bag, has a skin condition or cancer, had breast reduction or gastric bypass surgery). For this reason, it is imperative that the determination of what constitutes "sensitive information" be left to the patient, and that the offer to decline consent to upload data in the first instance be required, rather than left within the discretion of the health care provider. |
Reproductive and sexual health care should also be included wherever these examples are given. The determination of what constitutes "sensitive information" must be left to the patient, and the offer to decline consent to upload data in the first instance should be required, rather than left within the discretion of the health care provider. |
| 14 |
12 |
This list of specially protected health care information omits information regarding reproductive and sexual health care, STI testing and abortion. |
Add "certain information regarding care related to reproductive and sexual health, including STI testing and treatment and abortion." |
| 16 |
18 to19 |
The document references "public meetings". This may be misleading. Were these meetings in fact open to the public? The document suggests that they were instead held by invitation, with only certain groups included. The document should clarify. |
Clarification needed. |
| 15 |
16 to 17 |
The principal mechanism for the implementation of this system is the establishment of "Regional Health Information Organizations" (RHIOs) that will serve as the repository of patient information. These are generally to be organized as "business associates" for purposes of HIPAA, which means they are in essence bound by HIPAA's privacy protections through the vehicle of their contract with a HIPAA-covered entity. The policy paper specifies, however, that RHIOs should not be required to be "business associates" because this might "stifle innovation." At the same time it recognizes that "permitting the aggregation of substantial amounts of health information in an entity that is outside the scope of state or federal privacy regulation raises significant privacy and consumer protections concerns." The solution, according to the paper, is the creation of a "cohesive state regulatory framework that applies directly to RHIOs." In the absence of such a framework for adequate accountability, however, operation o |
Patient privacy and accountability should trump the concern about innovation. In no circumstances would implementation in the absence of a regulatory or legislative framework be acceptable solution. The policy must specify that RHIOs must be structured in a fashion that ensures uniformity, accountability, and protection of patient privacy, using existing law as a floor. In no cirumcstance should they be permitted to operate in a fashion that evades the operation of existing privacy protections. Should new, specific regulations or laws be required to ensure these protections apply to a particular entity, then the state should not permit that entity to participate in the program prior to enactment of such a statutory or regulatory scheme. That entity should not be permitted to commence operations until it is clear that it is subject to confidentiality obligations that are at least as stringent as those that apply to covered entities under existing law. |
| 15 |
27 |
The document acknowledges that HIPAA serves as a "floor" for privacy protections. This deserves even greater emphasis. For many years, New York has served as a leader in establishing robust protections for autonomy of medical decisionmaking and confidentiality of personal medical information. This strong public policy is expressed in numerous statutes and regulations and has been repeatedly reaffirmed by the State legislature. |
As New York embarks on this process, every effort must be made to ensure that these protections are preserved and that our role as a national leader in respect for privacy and personal autonomy is not compromised. |
| 18 |
24 to 25 |
Sensitive health information is not defined. A single consent at the point of access does not adequately protect confidentiality of sensitive patient information. A patient should not be forced to forego the benefits of the system with respect to all medical information related to a particular visit because some of the information may relate to "sensitive" care. In other words, it should not be an all or nothing consent. This is particularly critical in a primary care setting, where sensitive health services may be included in a range of services provided. |
The determination of what information is considered "sensitive" should be left to the patient. All providers should be required (not merely permitted) to offer patients the opportunity to opt out of uploading any or all of the information in the first instance, as well as at the point of access by a third party. The patient should be permitted to consent specifically to release of non-sensitive information only, but to withhold consent to the release of sensitive information. |
| 20 |
10 to 11 |
The document correctly states that patient consent is not generally required for reporting mandated by law (e.g. child abuse, certain STI information). It should be noted, however, that informed consent for HIV testing includes information on reporting obligations. This statement, is therefore, not entirely correct. Written informed consent is also required for genetic testing. Given the emphasis on public trust and truly informed consent, informing patients of these exceptions/requirements would be advisable. |
Include mention that written informed consent for HIV testing and reporting and for genetic testing is in fact required by law. Include requirement that specific information regarding mandated public health reporting requirements be included in the informed consent form. |
| 20 |
43 |
Providers "may, at their discretion, also seek consent prior to disclosure of personal health information, but are not required to do so." |
The determination of what information is considered "sensitive" should be left to the patient. All providers should be required (not merely permitted) to offer patients the opportunity to opt out of uploading any or all of the information in the first instance, as well as at the point of access by a third party. The patient should be permitted to consent specifically to release of non-sensitive information only, but to withhold consent to the release of sensitive information. |
| 21 |
21 to 23 |
The paper contemplates upload of patient information to a RHIO without patient consent. We are deeply concerned that the system as proposed requires consent to access care, rather than to upload the data in the first instance. In addition, the consent provided is to release of the entire medical record or nothing at all, unless the provider him/herself opts to withhold it or to seek consent from the patient. While the proposal permits providers within their discretion to offer to withhold certain information from being uploaded to the system, this leaves patients vulnerable to the release of information they consider sensitive. |
All providers should be required (not merely permitted) to offer patients the opportunity to opt out of uploading any or all of the information in the first instance, as well as at the point of access by a third party. The patient should be permitted to consent specifically to release of non-sensitive information only, but to withhold consent to the release of sensitive information. |
| 21 |
44 |
The document states "information uploaded to a RHIO will not be viewed by other entities." This omits mention of the emergency exception. |
Document should be amended to state "information uploaded to a RHIO will not be viewed by other entities absent the patient's consent, except in emergencies." |
| 22 |
20 to 34 |
Level 1: The definition of "Quality Improvement and Disease Management" is broad, and includes, inter alia, "case management and care coordination, contacting of healthcare providers and patients with information about treatment alternatives, and related functions." This appears to permit broad, possibly unwanted intrusion for management of patient care (e.g. would it permit disclosure to the state for interventions in care for conditions like diabetes/HIV?). This raises civil liberties and privacy concerns and should be clarified. |
Clarification needed. |
| 22 to 23 |
41 to 10 |
Level 2: Marketing is defined as "communication about a product or service that encourages recipients to purchase or use the product or service…" We believe that it is inappropriate for the State to sanction the collection of personal medical data for marketing purposes. Moreover, an individual may wish to consent to have data available for research purposes (assuming that this is medical, rather than marketing research) but not for marketing. |
Eliminate marketing from the acceptable purpose of use of the data. At a minimum, institute a "level 3" consent that is specific to marketing, to permit individuals to consent to medical research who may not wish to consent to marketing. |
| 23 |
22 to 37 |
Sensitive health information is not defined. A single consent at the point of access, as opposed to the point of upload, does not adequately protect confidentiality of sensitive patient information. A patient should not be forced to forego the benefits of the system with respect to all medical information related to a particular visit because some of the information may relate to "sensitive" care. In other words, it should not be an all or nothing consent. |
The determination of what information is considered "sensitive" should be left to the patient. All providers should be required (not merely permitted) to offer patients the opportunity to opt out of uploading any or all of the information in the first instance, as well as at the point of access by a third party. The patient should be permitted to consent specifically to release of non-sensitive information only, but to withhold consent to the release of sensitive information. |
| 23 |
30 to 33 |
The document states that standards on the exchange of substance abuse information is [sic] expected to mirror other specially protected health information." However, information cannot be uploaded to RHIOs "pending" the guidance at all because electronic transfer of such information is currently proscribed by federal law. |
Clarification needed that electronic transfer of such information must await the change in federal regulations, and may not be implemented in the interim. |
| 23 |
15 to 17 |
The penalties for the prohibited uses listed are not spelled out. In addition, we are particularly concerned about denials of care based on a patient's real or perceived failure to comply with treatment regimen in the past or his/her need for repeat care. |
The document should specify that the information may not be used as a basis for denial of care based on a patient's real or perceived failure to comply with treatment regimen in the past or his/her need for repeat care. It should also specify that any regulatory structure enacted to implement this program should specify penalties for non-compliance beyond loss of benefits (see further comments below). |
| 24 |
15 to 16 |
Reproductive health care is not included. |
Add reference to care related to reproductive and sexual health. |
| 24 |
27 |
The document is unclear at to what circumstances would permit redisclosure in the first place. |
Clarification needed. |
| |
|
Under what circumstances would it be acceptable for a RHIO to benefit financially from the exchange of information? |
Clarification needed. |
| 25 |
35 to 37 |
The document permits RHIOs to set their own policies regarding costs for responding to requests from consumers for access to their own medical records. |
The document should recommend that a provision be included in the regulations providing that low income individuals must be permitted to obtain their medical records even if they do not have the ability to pay |
| 26 |
32 to 33 |
We are concerned that specification of the penalty of loss of access to HEAL funds or Medicaid data is weak in proportion to the severity of consequences to the patient of a breach of confidentiality. We are also concerned that the existence of these inadequate penalties could be used to attempt to undermine other, more stringent penalties for breaches of patient privacy. |
Penalties should be stronger than loss of these benefits. This may include specification in the regulations that the their enactment does not abridge other existing penalties, and/or a clearly delineated and effective path of recourse for patients whose privacy is breached (such as establishment of a private right of action that explicitly applies to RHIOs). |
| 28 |
4 to 30 |
The document is correct in noting that patients may have legitimate concerns about the release of their health care information, and that this may lead them to "avoid treatment or attempt to mask information in the care relationship." For this reason, we believe that a single consent at the point of access, as opposed to the point of upload, does not adequately protect confidentiality of sensitive patient information. Patients must be offered the opportunity to opt out of uploading certain information in the first instance. Moreover, a patient should not be forced to forego the benefits of the system with respect to all medical information related to a particular visit because some of the information may relate to "sensitive" care. In other words, the system should not require an all or nothing consent. This is particularly critical in a primary care setting, where sensitive health services may be included in a range of services provided. |
All providers should be required (not merely permitted) to offer patients the opportunity to opt out of uploading any or all of the information in the first instance, as well as at the point of access by a third party. The determination of what information is considered "sensitive" should be left to the patient. The patient should be permitted to consent specifically to release of non-sensitive information only, but to withhold consent to the release of sensitive information. |
| 29 |
9 to 16 |
Concerns about use of data in underwriting decisions are valid. Use of data for these purposes can lead not only to consumer "confusion and dissatisfaction," but also the potential for abuse. This is precisely why stronger protections are necessary. |
See above. |
| 29 |
26 to 43 |
The document states that the policy "promotes uniformity." However, if each RHIO is permitted to develop its own system for obtaining patient consent, there is a risk that privacy of health information will be compromised. |
There should be uniform standards regarding patient consent and health record confidentiality. |
| 32 |
20 |
The document acknowledges that issues surrounding minors and informed consent remain to be resolved. This is true. New York law permits minors to consent to some medical services (such as STI testing and treatment, contraception, or abortion) without parental involvement, and records related to such care are not disclosable to parents or guardians without the minor's consent. Without a requirement that minors be offered the opportunity to opt out of uploading such information in the first place, not all providers will choose to offer young people this option (or know to withhold the information themselves). If information related to confidential care makes it into the RHIO database, there is a high risk that parents would be inadvertently granted the ability to access that information, even in the absence of a legal right to do so. Unless there are specific provisions in place, inadvertent disclosure is likely, presenting a risk of harm to the minor. |
Provisions protecting the confidentiality of medical information relating to a minor's health care must be explicitly preserved in the implementation of this system. As experts in the field of confidential reproductive and sexual health care for minors, NYCLU requests that we be included in the development of these policies. |
| 32 |
14-22 |
Other omissions from the document include issues of consent that may be specific to (1) individuals in state facilities/institutions such as mental hospitals, jails or prisons, and juvenile detention and (2) individuals who lack capacity to provide informed consent. |
Issues specific to such individuals require further exploration and explicit discussion. This analysis should be conducted in the context of providing utmost protection for the rights to privacy, dignity, and personal autonomy. |
