[Med-privacy] HIT Policy Committee Meeting

peter marshall pwm@comcast.net
Fri, 18 Sep 2009 10:57:18 -0700 

--Apple-Mail-25-111532009
Content-Type: text/plain;
	charset=WINDOWS-1252;
	format=flowed;
	delsp=yes
Content-Transfer-Encoding: quoted-printable



FOR IMMEDIATE RELEASE

September 18, 2009

CONTACT:
Ashley Katz
akatz@patientprivacyrights.org
(512) 732-0033
(512) 590-2953

Written Testimony
Press Release
Watch the HIT Policy Committee Meeting Here (8:30 - 3:00 EDT)

PATIENT PRIVACY RIGHTS URGES THE HIT POLICY COMMITTEE:
REQUIRE PRIVACY VENDORS WILL BUILD IT, DOCTORS WILL BUY IT,
AND MOST IMPORTANTLY, PATIENTS WILL TRUST IT.

Washington, D.C. -- Patient Privacy Rights=92 Founder & Chair, Deborah =20=

Peel, MD, testifies before the Health Information Technology (HIT) =20
Policy Committee today to urge the Committee to ensure privacy and =20
patient engagement with HIT. Ensuring privacy, control of personal =20
information, is the only way to build trusted electronic health =20
systems and the only way to reap the incredible benefits technology =20
can bring to health.

=93Americans care deeply about privacy and controlling their personal =20=

information. Put simply, we want the power to decide who can see our =20
own private, personal medical records and what can be done with them,=94 =
=20
Deborah Peel, MD.

Dr. Peel highlights key findings from a final report just released =20
from the Agency for Healthcare Research and Quality that describes the =20=

results of twenty focus groups held across the country. The focus =20
groups explored consumers=92 awareness, beliefs and fears concerning HIT =
=20
and how consumers wish to be engaged with HIT . Of key significance:
A majority want to =93own=94 their health data, and to decide what goes =20=

into and who has access to their medical records (AHRQ p. 6).
There was near universal agreement that if medical data are stored =20
electronically, consumers should have some say in how those data are =20
shared and used. (AHRQ p.29)
A majority believe their medical data is =93no one else=92s business=94 =
and =20
should not be shared without their permission. This belief was =20
expressed not necessarily because they want to prevent some specific =20
use but as a matter of principle. (AHRQ p. 18)
Participants overwhelmingly want to be able to communicate directly =20
with their providers with respect to how their PHI is handled, =20
including with whom it may be shared and for what purposes. Most =20
believe they should automatically be granted the right to correct =20
misinformation (AHRQ p.33)
There was no support for the establishment of general rules that apply =20=

to all consumers. Participants thought they should be able to exert =20
control over their own health informationindividually, rather than =20
collectively. (AHRQ p. 29)
PPR asks the Committee to set a high bar for privacy that complies =20
with existing law and medical ethics, meets the historic new privacy =20
requirements in ARRA, and just as importantly, meets Americans=92 =20
expectations. The healthcare and health data mining industries will =20
not willingly build and use privacy-enhancing electronic health =20
records and systems unless you act to set a high bar.

The only legal and ethical way to get a complete and accurate picture =20=

of Americans=92 health and health data is to ask for permission to use =20=

the data up front; to obtain informed consent for specific information =20=

in records that patients have checked for accuracy, and explain for =20
what purpose, to whom and for how long the information will be used.

The only privacy policy to which everyone can agree is for each person =20=

to set their own policy.

=93We are not talking about blanket consents, coerced consents or =
all-or-=20
nothing policies,=94 says Peel. =93Patients want, expect, and are very =20=

capable of expressing their preferences about how their personal =20
information is used and who can use it. Patients are becoming more =20
savvy, not less. Don=92t underestimate the strong public will to control =
=20
sensitive health information.=94

Technology offers the solutions to ensure privacy and progress. =20
Technology is not an impediment. In fact, technology can offer =20
exquisite privacy empowering patients to segment their information and =20=

exercise the control they desire. =93Require privacy--Patients will =20
trust it. Require privacy--Vendors will build it. Require privacy--=20
Physicians will buy it,=94 says Peel.

In addition, in order for the Committee to assure patient engagement, =20=

choice, and trust PPR recommends the following broad policies:
No protected health information should be =93exchanged=94 without the =20=

informed consent of the patient.
The patient has a right to designate a place where their provider must =20=

send a copy of their electronic medical information shortly after each =20=

encounter at no charge;
All access to patient records via HIEs must be with the explicit =20
permission of the patient, and must include the ability of the patient =20=

to selectively prevent the release of specific information to specific =20=

providers at specific times.
PPR recommends that the HIT Policy Committee engage privacy-innovative =20=

vendors and organizations that build, use, and develop privacy-=20
enhancing products and HIT systems. Both open source and proprietary =20
solutions being used today permit segmentation at a granular level, =20
easy to read audit trails, easy to understand privacy =93profiles=94 so =20=

consumers have models of how to set their own defaults or profiles, =20
and other consent management solutions.

PPR also urges the Committee to address specifically all other privacy =20=

protections in the HIPAA and the ARRA to ensure that taxpayer dollars =20=

are not used to fund EHRs that do not comply with existing law. These =20=

important protections have real deadlines some past, and some that are =20=

as early as February 2010. To highlight the privacy requirements the =20
HIT Policy Committee has not yet addressed:
Patients must be able to keep their information from being shared with =20=

a health plan if they pay for the care privately (required by the =20
ARRA). Patients must be able to keep their information from being =20
disclosed without consent if their provider agrees (required by the =20
HIPAA). This requires segmentation and a need to register a patient=92s =20=

choice.
Covered entities and business associates must first get a patient=92s =20=

valid authorization before selling PHI. This requires that all =20
disclosures of PHI are tracked via audit trails so that the presence =20
of a valid authorization for data sale can be proven.
For EHRs purchased in 2009 or later, entities must provide an audit =20
trail to patients of all disclosures as early as 2011 and no later =20
than 2013.

###

About Patient Privacy Rights:

Patient Privacy Rights is the nation=92s leading health privacy =20
watchdog. Our mission is to ensure the right to control your medical =20
privacy to protect jobs and opportunities. Patient Privacy Rights has =20=

over 10,000 members in all 50 states. We lead the trans-partisan =20
Coalition for Patient Privacy representing over 10 million Americans.






--Apple-Mail-25-111532009
Content-Type: text/html;
	charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable

<html><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><div><div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><br></div> </div><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; color: =
rgb(0, 0, 0); font-family: 'Comic Sans MS'; font-size: medium; =
font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-align: =
auto; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; =
-webkit-border-vertical-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"font-family: =
Verdana, Arial, Helvetica, sans-serif; font-size: 10pt; =
background-color: rgb(255, 255, 255); margin-top: 0px; margin-right: =
0px; margin-bottom: 0px; margin-left: 0px; "><table cellspacing=3D"10" =
style=3D"font-family: Arial, Helvetica, sans-serif; font-size: 12px; =
color: rgb(0, 0, 0); line-height: 12px; width: 705px; height: 571px; =
position: static; z-index: auto; "><tbody><tr style=3D"font-family: =
Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); =
line-height: 12px; "><td style=3D"font-family: Arial, Helvetica, =
sans-serif; font-size: 12px; color: rgb(0, 0, 0); line-height: 12px; =
"><table cellspacing=3D"4" cellpadding=3D"4" width=3D"688" =
style=3D"font-family: Arial, Helvetica, sans-serif; font-size: 12px; =
color: rgb(0, 0, 0); line-height: 12px; border-right-color: rgb(0, 0, =
0); border-right-width: 1px; border-right-style: solid; =
border-top-color: rgb(0, 0, 0); border-top-width: 1px; border-top-style: =
solid; border-left-color: rgb(0, 0, 0); border-left-width: 1px; =
border-left-style: solid; width: 688px; border-bottom-color: rgb(0, 0, =
0); border-bottom-width: 1px; border-bottom-style: solid; height: 547px; =
position: static; z-index: auto; "><tbody><tr style=3D"font-family: =
Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); =
line-height: 12px; "><td style=3D"font-family: Arial, Helvetica, =
sans-serif; font-size: 12px; color: rgb(0, 0, 0); line-height: 12px; =
"><div align=3D"center">&nbsp;</div></td></tr><tr style=3D"font-family: =
Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); =
line-height: 12px; "><td style=3D"font-family: Arial, Helvetica, =
sans-serif; font-size: 12px; color: rgb(0, 0, 0); line-height: 12px; =
padding-right: 8px; padding-left: 8px; padding-bottom: 8px; padding-top: =
8px; "><table style=3D"font-family: Arial, Helvetica, sans-serif; =
font-size: 12px; color: rgb(0, 0, 0); line-height: 12px; "><tbody><tr =
style=3D"font-family: Arial, Helvetica, sans-serif; font-size: 12px; =
color: rgb(0, 0, 0); line-height: 12px; "><td style=3D"font-family: =
Verdana, Arial, Helvetica, sans-serif; font-size: 13px; color: rgb(0, 0, =
0); line-height: 15px; text-align: left; ">FOR IMMEDIATE =
RELEASE<br><br>September 18, 2009<br><br>CONTACT:<br>Ashley Katz<br><a =
title=3D"E-mail akatz@patientprivacyrights.org" =
href=3D"mailto:akatz@patientprivacyrights.org" style=3D"color: blue; =
">akatz@patientprivacyrights.org</a><br>(512) 732-0033<br>(512) =
590-2953<br><br><a =
href=3D"http://www.patientprivacyrights.org/site/R?i=3DTUniufr0DMSOcuTAZnH=
ptw.." style=3D"color: blue; ">Written Testimony</a><br><a =
href=3D"http://www.patientprivacyrights.org/site/R?i=3DKvmKeqkgc-V0gskUXaK=
8pA.." style=3D"color: blue; ">Press Release</a><br><a =
href=3D"http://www.patientprivacyrights.org/site/R?i=3Ds0OqVQpuhqIYRwm_ML4=
2ZA.." target=3D"_blank" style=3D"color: blue; ">Watch the HIT Policy =
Committee Meeting Here (8:30 - 3:00 =
EDT)</a><br></td></tr></tbody></table><br><table align=3D"center" =
style=3D"font-family: Arial, Helvetica, sans-serif; font-size: 12px; =
color: rgb(0, 0, 0); line-height: 12px; "><tbody><tr style=3D"font-family:=
 Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); =
line-height: 12px; "><td style=3D"font-family: Verdana, Arial, =
Helvetica, sans-serif; font-size: 15px; color: rgb(0, 0, 0); =
line-height: 17px; text-align: center; "><strong>PATIENT PRIVACY RIGHTS =
URGES THE HIT POLICY COMMITTEE:<br>REQUIRE PRIVACY VENDORS WILL BUILD =
IT, DOCTORS WILL BUY IT,<br>AND MOST IMPORTANTLY, PATIENTS WILL TRUST =
IT.<span =
class=3D"Apple-converted-space">&nbsp;</span></strong><br></td></tr></tbod=
y></table><table style=3D"font-family: Arial, Helvetica, sans-serif; =
font-size: 12px; color: rgb(0, 0, 0); line-height: 12px; "><tbody><tr =
style=3D"font-family: Arial, Helvetica, sans-serif; font-size: 12px; =
color: rgb(0, 0, 0); line-height: 12px; "><td style=3D"font-family: =
Verdana, Arial, Helvetica, sans-serif; font-size: 13px; color: rgb(0, 0, =
0); line-height: 15px; text-align: left; "><br>Washington, D.C. -- =
Patient Privacy Rights=92 Founder &amp; Chair, Deborah Peel, MD, =
testifies before the Health Information Technology (HIT) Policy =
Committee today to urge the Committee to ensure privacy and patient =
engagement with HIT. Ensuring privacy, control of personal information, =
is the only way to build trusted electronic health systems and the only =
way to reap the incredible benefits technology can bring to =
health.<br><br>=93Americans care deeply about privacy and controlling =
their personal information. Put simply, we want the power to decide who =
can see our own private, personal medical records and what can be done =
with them,=94 Deborah Peel, MD.<br><br>Dr. Peel highlights key findings =
from a final report just released from the Agency for Healthcare =
Research and Quality that describes the results of twenty focus groups =
held across the country. The focus groups explored consumers=92 =
awareness, beliefs and fears concerning HIT and how consumers wish to be =
engaged with HIT . Of key significance:<ul style=3D"font-family: Arial, =
Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); =
line-height: 12px; "><li style=3D"font-family: Verdana, Arial, =
Helvetica, sans-serif; font-size: 13px; color: rgb(0, 0, 0); =
line-height: 15px; text-align: left; ">A majority want to =93own=94 =
their health data, and to decide what goes into and who has access to =
their medical records (AHRQ p. 6).</li><li style=3D"font-family: =
Verdana, Arial, Helvetica, sans-serif; font-size: 13px; color: rgb(0, 0, =
0); line-height: 15px; text-align: left; ">There was near universal =
agreement that if medical data are stored electronically, consumers =
should have some say in how those data are shared and used. (AHRQ =
p.29)</li><li style=3D"font-family: Verdana, Arial, Helvetica, =
sans-serif; font-size: 13px; color: rgb(0, 0, 0); line-height: 15px; =
text-align: left; ">A majority believe their medical data is =93no one =
else=92s business=94 and should not be shared without their permission. =
This belief was expressed not necessarily because they want to prevent =
some specific use but as a matter of principle. (AHRQ p. 18)</li><li =
style=3D"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: =
13px; color: rgb(0, 0, 0); line-height: 15px; text-align: left; =
">Participants overwhelmingly want to be able to communicate directly =
with their providers with respect to how their PHI is handled, including =
with whom it may be shared and for what purposes. Most believe they =
should automatically be granted the right to correct misinformation =
(AHRQ p.33)</li><li style=3D"font-family: Verdana, Arial, Helvetica, =
sans-serif; font-size: 13px; color: rgb(0, 0, 0); line-height: 15px; =
text-align: left; ">There was no support for the establishment of =
general rules that apply to all consumers. Participants thought they =
should be able to exert control over their own health =
information<strong>individually, rather than collectively.</strong><span =
class=3D"Apple-converted-space">&nbsp;</span>(AHRQ p. 29)</li></ul>PPR =
asks the Committee to set a high bar for privacy that complies with =
existing law and medical ethics, meets the historic new privacy =
requirements in ARRA, and just as importantly, meets Americans=92 =
expectations. The healthcare and health data mining industries will not =
willingly build and use privacy-enhancing electronic health records and =
systems unless you act to set a high bar.<br><br>The only legal and =
ethical way to get a complete and accurate picture of Americans=92 =
health and health data is to ask for permission to use the data up =
front; to obtain informed consent for specific information in records =
that patients have checked for accuracy, and explain for what purpose, =
to whom and for how long the information will be used.<br><br>The only =
privacy policy to which everyone can agree is for each person to set =
their own policy.<br><br>=93We are not talking about blanket consents, =
coerced consents or all-or-nothing policies,=94 says Peel. =93Patients =
want, expect, and are very capable of expressing their preferences about =
how their personal information is used and who can use it. Patients are =
becoming more savvy, not less. Don=92t underestimate the strong public =
will to control sensitive health information.=94<br><br>Technology =
offers the solutions to ensure privacy and progress. Technology is not =
an impediment. In fact, technology can offer exquisite privacy =
empowering patients to segment their information and exercise the =
control they desire. =93Require privacy--Patients will trust it. Require =
privacy--Vendors will build it. Require privacy--Physicians will buy =
it,=94 says Peel.<br><br>In addition, in order for the Committee to =
assure patient engagement, choice, and trust PPR recommends the =
following broad policies:<ol style=3D"font-family: Arial, Helvetica, =
sans-serif; font-size: 12px; color: rgb(0, 0, 0); line-height: 12px; =
"><li style=3D"font-family: Verdana, Arial, Helvetica, sans-serif; =
font-size: 13px; color: rgb(0, 0, 0); line-height: 15px; text-align: =
left; ">No protected health information should be =93exchanged=94 =
without the informed consent of the patient.</li><li style=3D"font-family:=
 Verdana, Arial, Helvetica, sans-serif; font-size: 13px; color: rgb(0, =
0, 0); line-height: 15px; text-align: left; ">The patient has a right to =
designate a place where their provider must send a copy of their =
electronic medical information shortly after each encounter at no =
charge;</li><li style=3D"font-family: Verdana, Arial, Helvetica, =
sans-serif; font-size: 13px; color: rgb(0, 0, 0); line-height: 15px; =
text-align: left; ">All access to patient records via HIEs must be with =
the explicit permission of the patient, and must include the ability of =
the patient to selectively prevent the release of specific information =
to specific providers at specific times.</li></ol>PPR recommends that =
the HIT Policy Committee engage privacy-innovative vendors and =
organizations that build, use, and develop privacy-enhancing products =
and HIT systems. Both open source and proprietary solutions being used =
today permit segmentation at a granular level, easy to read audit =
trails, easy to understand privacy =93profiles=94 so consumers have =
models of how to set their own defaults or profiles, and other consent =
management solutions.<br><br>PPR also urges the Committee to address =
specifically all other privacy protections in the HIPAA and the ARRA to =
ensure that taxpayer dollars are not used to fund EHRs that do not =
comply with existing law. These important protections have real =
deadlines some past, and some that are as early as February 2010. To =
highlight the privacy requirements the HIT Policy Committee has not yet =
addressed:<ul style=3D"font-family: Arial, Helvetica, sans-serif; =
font-size: 12px; color: rgb(0, 0, 0); line-height: 12px; "><li =
style=3D"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: =
13px; color: rgb(0, 0, 0); line-height: 15px; text-align: left; =
">Patients must be able to keep their information from being shared with =
a health plan if they pay for the care privately (required by the ARRA). =
Patients must be able to keep their information from being disclosed =
without consent if their provider agrees (required by the HIPAA). This =
requires segmentation and a need to register a patient=92s =
choice.</li><li style=3D"font-family: Verdana, Arial, Helvetica, =
sans-serif; font-size: 13px; color: rgb(0, 0, 0); line-height: 15px; =
text-align: left; ">Covered entities and business associates must first =
get a patient=92s valid authorization before selling PHI. This requires =
that all disclosures of PHI are tracked via audit trails so that the =
presence of a valid authorization for data sale can be proven.</li><li =
style=3D"font-family: Verdana, Arial, Helvetica, sans-serif; font-size: =
13px; color: rgb(0, 0, 0); line-height: 15px; text-align: left; ">For =
EHRs purchased in 2009 or later, entities must provide an audit trail to =
patients of all disclosures as early as 2011 and no later than =
2013.</li></ul><br><table align=3D"center" style=3D"font-family: Arial, =
Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); =
line-height: 12px; "><tbody><tr style=3D"font-family: Arial, Helvetica, =
sans-serif; font-size: 12px; color: rgb(0, 0, 0); line-height: 12px; =
"><td style=3D"font-family: Verdana, Arial, Helvetica, sans-serif; =
font-size: 13px; color: rgb(0, 0, 0); line-height: 15px; text-align: =
center; ">###</td></tr></tbody></table><br><u>About Patient Privacy =
Rights:</u><span =
class=3D"Apple-converted-space">&nbsp;</span><br><br>Patient Privacy =
Rights is the nation=92s leading health privacy watchdog. Our mission is =
to ensure the right to control your medical privacy to protect jobs and =
opportunities. Patient Privacy Rights has over 10,000 members in all 50 =
states. We lead the trans-partisan Coalition for Patient Privacy =
representing over 10 million Americans.<br><br><ol style=3D"font-family: =
Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); =
line-height: 12px; "></ol></td></tr></tbody></table><img =
src=3D"http://www.patientprivacyrights.org/site/PixelServer?j=3DGzvZih3K1_=
ExTDBvLB5LoA.." height=3D"1" width=3D"1"></td></tr><tr =
style=3D"font-family: Arial, Helvetica, sans-serif; font-size: 12px; =
color: rgb(0, 0, 0); line-height: 12px; "><td style=3D"font-family: =
Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); =
line-height: 12px; "><p align=3D"center" style=3D"font-family: Arial, =
Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); =
line-height: 12px; =
"><br></p></td></tr></tbody></table></td></tr></tbody></table></div></span=
></div><br></body></html>=

--Apple-Mail-25-111532009--