Cisco Systems, Inc.

Privacy and Personal Health Records:

Context, Issues and Challenges

Draft – 31 January 2001

Presented by

Jane Sarasohn-Kahn

Management Consultant and Health Economist


The Conundrum of Privacy and Health Care:

Some Thoughts to Consider

“In many respects, the battle for health privacy has already been lost.”

Robert Gellman, National Committee on Vital and Health Statistics

“You have zero privacy anyway. Get over it.”

Scott McNealy, Chairman and CEO, Sun Microsystems

“In the end, privacy is personal, and…depends on you, the individual involved.”

Esther Dyson in her Foreword to The Hundredth Window by Charles Jennings and Lori Fena, Founders of TRUSTe

79% of Americans agree that the word “privacy” should be added to the Declaration of Independence.

Louis Harris & Associates survey, 1990

The Context for the Medical Privacy Challenge

“Every day, our private health information is being shared, collected, analyzed and stored with fewer federal safeguards than our video store records.”

Donna Shalala, Secretary of Health and Human Services

That our personal health information doesn’t have the same privacy protection as details about our rental from the latest Blockbuster speaks volumes about the medical privacy debate that has brewed in the United States in the 1990s. In the last decade of the 20th century, we experienced a growing openness of medical information systems, transforming stacks of paper locked in cabinets to digital data accessible through an ever-growing list of portals and channels. At the same time, Americans are reaching out and clicking for medical advice in cyberspace, often without understanding the privacy policies of the 13,000 websites dispensing the information.

A data-rich society can offer many benefits: personalization, time-saving, convenience, and customization. As Etzioni points out in The Limits of Privacy, some violations of medical records privacy can serve various common goods, such as medical research, public health, public safety, and quality assurance.

When violations of medical records privacy do occur, ownership of the data is a key issue. Many providers consider the records in their systems to be their property, while patients argue that their medical information is their own (Annas). A distinction is often made between ownership of the physical record and the right to access or duplicate data that are stored in it. Policies on health data ownership differ substantially between delivery networks, states and indeed, globally (Schoenberg).

A recent court case highlights the contentious issue of medical record ownership. A federal appeals court reinstated a claim against the Social Security Administration (SSA) brought by a man who alleged he had the right to see his medical records without designating a physician to receive them on his behalf. The Seventh Circuit asserted that the current SSA regulations are “incompatible” with the clear mandate of the Privacy Act. The patient, who was diagnosed with AIDS, had been seeking his medical records for three years (Source: AIDS Litigation Reporter, Bavido v. Apfel, No. 98-4046, 7th Cir., June 13, 2000).

Americans are very sensitive about keeping their health information private. As the table details, the only information more closely held than medical information is an individual’s Social Security Number, credit card information, phone number, and income (AT&T Labs).

Privacy of personally identifiable health information matters. And when personally identifiable health information can be married with personally identifiable information of other sorts (e.g., financial information), the linkage of that data can get very personal, indeed. Many e-health business models depend on identifying and tracking users for a variety of purposes, often without the person’s knowledge or consent (FTC Workshop).


The mining of personal information has already begun, marrying the details of our private lives that are distributed in various networks. Our personal information is scattered around the Internet, from book purchases and preferences to airline ticket reservations and drug prescriptions. Organizations can use these data and assemble profiles on individuals that lead a path right to your door (or e-mailbox) in the form of marketing or more onerous intrusions into our lives (Garfinkel).


Defining the PHR

In the past several years, there has been a proliferation of products available to health care consumers and providers which fall under the umbrella of “Personal Health Record” (PHR). As an emerging market, there is no definition accepted by the industry, nor is there common terminology used across PHRs. In the current marketplace, these products are referred to in a variety of ways: consumer health records, patient medical records, patient health records, personal medical records, and personal health records. Appendix I presents an inventory of the PHR vendors currently on the market. All but a few are beyond a beta-stage.

Generally speaking, the PHR can be defined as a repository for storing information that helps describe an individual's health status and is accessible by the patient (and when designated by the patient, a provider or other third party) at a subsequent time. While many PHRs are web-based and Internet-accessible, there are also PHRs that are loaded from CD-ROMs for consumer use that do not link with online databases. At the other end of the spectrum, a few companies are trying to create a continuum between the electronic medical record as maintained in a physician office or hospital and the consumer/patient.


Functions vary across PHRs. Some Internet record services focus on basic emergency information; many go further, adding information on diet, exercise and disease-specific content. Some provide tools for disease management utilizing health diaries, reminders, and online communication of health measurements (e.g., blood pressure, blood sugar levels, etc.). 4HealthyLife.com even has a place to keep your pet's health record.

PHRs vary by several key factors:

· Who provides the information in the PHR?

· Who maintains the information in the PHR?

· Who secures the information in the PHR?

· Who has access to the information in the PHR?

· What functions does the PHR perform and/or support?

The Internet may be a new place to store medical records, but the idea of having an easily accessible, portable record is not new. For years, military personnel have carried their complete paper medical history with them as they moved from billet to billet. Since 1956, the nonprofit MedicAlert Foundation has provided bracelets and pendants alerting emergency personnel of patients' medical conditions. MedicAlert serves about 2.3 million members in the United States and has affiliates in 12 countries overseas, and the company is developing its version of a PHR.

Other non-Internet emergency medical records systems entail simply carrying a card with medical conditions, medications and dosages, allergies, and a copy of an ECG in the wallet or in a pendant around the neck. Communities like Sun City, AZ, have portable medical information forms for seniors that include both clinical data and advance directives.

While most PHRs to date rely solely on patients to provide content, some request records directly from physicians. The most sophisticated systems get information directly from physicians' electronic medical records.

Thus, there is as yet no standard definition of a PHR. A few analysts are tackling the challenge. The National Committee on Vital and Health Statistics has identified 3 dimensions of a National Health Information Infrastructure (NHII): the personal health dimension, the health care provider dimension, and the community health dimension. These three dimensions are not records, per se, but rather virtual information spaces. Each space is defined by what it encompasses, whom it serves, how it is used, and who has primary responsibility for content and control (NCVHS).


The Personal Health Dimension (PHD) supports the management of individual wellness and health care decision making. It comprises data about health status and health care in the format of a PHR. PHD information can be supplied by the individual and/or health care providers. According to the NCVHS, core elements of the PHD would include:

· Patient identification information

· Emergency contact information

· Lifetime health history

· Lab and diagnostic test results

· Emergency care information, e.g., allergies, current medications, medical/surgical history summary

· Provider identification and contact information

· Treatment plans and instructions

· Health risk assessment

· Health insurance coverage information.

In addition, optional elements include correspondence between patients and providers; instructions about access by other persons and institutions; audit log of individuals/institutions who access electronic records; self-care diaries; personal library of reliable health information resources; and health care proxies, living wills and durable power of attorney for health care.

The NCVHS emphasizes that there is no single place in the NHII where all content will reside. The PHR could be stored in one repository: on the consumer’s home computer, on a smart card, on a health plan or provider server, or with a third-party infomediary (e.g., online health portal or Lifeline).

However, the NCVHS argues that the optimal value of the PHR is allowing information to be “available for the right person at the right time and the right place.” The consumer ultimately will decide which information will be kept under her control, and which information can be shared with others.

Sittig et al. also support the NCVHS approach. They contend,

“Internet-based, personal health care records have the potential to profoundly influence the delivery of health care in the 21st century by changing the loci and ownership of the record from one that is distributed amongst the various health care providers a patient has seen in his lifetime to one with a single source that is accessible from anywhere in the world and under the shared ownership and control of the patient and his provider(s).”

Based on this vision, Sittig et al. developed a comprehensive definition of the PHR. In their paper, the authors categorize PHRs into three segments: personal health records, internet-based medical records, and personal health profiles. These are defined as follows:

“Personal health records (PHRs) are created and maintained by an individual patient, or healthcare consumer, based upon their own understanding of their health conditions, medications, problems, allergies, vaccination history, etc. Useful features of PHRs include the ability to enter and record important health events, calculate health risk indices, do simple medication interactions, and perhaps print a copy to take to the physician's office or on vacation. Such a record can help a patient concisely explain their health problems when they meet with their doctor. In addition, it could help document information that may be useful when filing health insurance claims.

Internet-based medical records are a sub-set of the physician's actual medical record as maintained in an electronic medical record (EMR), which is created on the Internet by the provider in a secure web site and shared by patient and physician alike. Features of the internet-based record include all of those of the PHR plus the ability for the patient to communicate with one's providers, request prescription refills and appointments, view a sub-set of the true medical record, see who has accessed the EMR (audit report), serve various electronic commerce requests such as prescription fulfillment at an Internet pharmacy, perform highly personalized and tailored information retrieval for a patient based on their true diagnoses and medications or interests, do automated claims submission and coordination, etc.

Personal Health Profiles are a medical knowledge-based characterization of a user of a medical information service. Such a technology facilitates convenient and personalized access to knowledge produced by medical practice--the primary knowledge construction process. Therefore, a personal health profile enables exchange, debate, and reasoning about personal experiences with disease and the health care system, as a secondary knowledge construction process. A user can also be directed to specific chat rooms and message boards where patients and caregivers debate and exchange information regarding their personal experiences with disease and health care.”

Another typology has been developed by First Consulting Group (FCG) which defines five types of PHRs.

· Patient-maintained personal medical record. The largest numbers of providers of consumer health records are in this category. The focus of these products is to track medication consumption and health events.

· EMR extension. This is an extension of the physician’s electronic medical record onto the Internet, where the consumer/patient can look at the record and check on its content. The record is maintained by the physician and by the medical organization, and is available to the patient in an online format. The major physician medical record vendors are all developing their version of the EMR extension. MedicaLogic has led this pack with its Logician and AboutMyHealth/98point6 product.

· Provider-sponsored data management. This service is offered by health providers. There are several home-grown examples of this type of PHR, including the PCASSO project at the University of Southern California and a project at Columbia-Presbyterian Medical Center in New York.

· Personal Web site. This is a variation on the patient-maintained personal medical record. It is sponsored by the physician and creates a communication vehicle between physician and patient that can include things like reminders for immunizations or flu shots or allow for appointment scheduling or prescription refills. Very often, personal Web site products offer monitoring tools for programs like disease management programs, in which regular collection of data from the patient is desired.

· Patient interface. This PHR variant is problem- or disease-focused and sometimes also involves interactive voice-response technology. Like the personal Web site, this product/service allows for regular communication between physician and patient and the regular collection and exchange of data and information.

The PHR is clearly in a state of market emergence. The next few years will see substantial market consolidation as those consumers (and some physician, plan and provider sponsors) who adopt the PHR will be voting with their feet and pocketbooks. As consolidation and market adoption occur, it will become clearer what consumers (and, particularly, segments of consumers) demand.

One key obstacle to PHR adoption is the thorny issue of medical privacy. This will be addressed in the next section.


Privacy and Personal Health Information:

Invasion of the Record-Snatchers

Most of us recognize that our privacy is at risk. According to a 1996 nationwide poll conducted by Louis Harris & Associates, 24 percent of Americans have “personally experienced a privacy invasion.”

But what is privacy, particularly as it relates to personal health information? The National Research Council’s report, For the Record: Protecting Electronic Health Information, provides this definition: An individual’s right to limit the disclosure of personal information (National Research Council).