Online Extra: Protecting Patients' Privacy

The President's health-tech czar has a plan to ensure that health records stored on a national network don't fall into the wrong hands

By Timothy J. Mullaney

As the Bush Administration pushes forward with the creation of an electronic database to hold health info for millions of Americans, a key concern for many patients is emerging: Will my records be safe from prying eyes? Credit-card companies and online retailers promised tight security but have seen their systems repeatedly penetrated by determined hackers. What will make the planned National Health Information Network any different -- and how worried should you be about the security of your health-care records?

David Brailer, Bush's health-technology czar, is racing to answer those questions and has a plan for putting worried consumers at ease. Brailer, with help from top tech companies, is developing sophisticated technology aimed at protecting privacy (see BW, 10/31/05, "This Man Wants to Heal Health Care").

Not all the answers are final, but the amorphous community of doctors, hospitals, regulators, and advocates shaping the NHIN has built a consensus about the key safeguards. The details are being fleshed out under a series of contracts awarded by the government on Oct. 6, and the most important steps will be in place by next year, Brailer says.

So what's the government's answer to protecting patient data? Scatter it around. The NHIN will use peer-to-peer file-sharing technology similar to that popularized by the first version of music-sharing service Napster.

Your data will remain on the separate computers where it's now stored -- your doctor's office, pharmacy, or hospital. To see it, a doctor would log onto the network, be told where to look, and then connect to the specific computer for the exact data needed for care -- without getting irrelevant private information. The rare hacker who might gain access wouldn't be able to get a complete picture of your health without hacking all of your different care providers' systems separately.

By contrast, credit-card companies and financial institutions often keep records for millions of people in a single system, where they can theoretically be hacked all at once. "There's not a single proposal to create a government-run database in the basement of the Health & Human Services Dept.," says John Halamka, chief information officer at Harvard Medical School and a key consultant on the NHIN.

Beyond that, different regional health-information networks are already building security strategies that will likely filter up to the national network. Strong encryption of information in transit is a given. As for access, some regional networks are examining biometrics, electronic tokens, digital certificates, and other methods to identify the people who try to consult patients' records.

An even bigger potential problem than hackers is unauthorized access by employees. That can easily occur now with paper records or non-networked computers.

"Every hospital has security or privacy violations that result in one or two [employee] dismissals a year, but with paper records you never know," Halamka says. To prevent such in-house snooping, the NHIN is likely to include requirements for frequent audits of who looks at what records.

On most issues, the emerging plan corresponds roughly to what privacy advocates have asked for. In comments filed with HHS in January, the Privacy Rights Clearinghouse called for a Napster-like network that spreads out the information, with controls on what information can be accessed by health-care workers.

Brailer was urged to avoid creating a national patient ID number for every American -- which HHS doesn't plan to do. Instead, regional networks rely on basic facts like name, birth date, and Zip code.

In fact, many of them let consumers opt out of having their data accessible over the network at all. That option could work itself into still-evolving rules for the national network as well.
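As an added illustration (not code from the article or from any NHIN project), the following toy model puts the design described above into working form: records stay on each provider's node, a locator only says where to look, each query is scoped to one data category, every lookup lands in an audit trail the patient can review, and opted-out patients are invisible to the network. Provider names, patient data and the demographic matching key are constructed sample values.

```python
# Added toy model of the NHIN design above (constructed data; not real NHIN code).
from dataclasses import dataclass


def patient_key(name, birth_date, zip_code):  # basic facts, no national ID
    return (name.strip().lower(), birth_date, zip_code)


@dataclass
class ProviderNode:  # a doctor's office, pharmacy or hospital holding its own data
    name: str
    records: dict  # {patient_key: {category: data}}, stays on this node

    def fetch(self, key, category):
        # Only the requested category is returned, never the whole chart.
        return self.records.get(key, {}).get(category)


class Network:
    def __init__(self):
        self.providers, self.locator = {}, {}  # locator: key -> {provider names}
        self.opted_out, self.audit_log = set(), []

    def register(self, node):
        self.providers[node.name] = node
        for key in node.records:
            self.locator.setdefault(key, set()).add(node.name)

    def opt_out(self, key):
        self.opted_out.add(key)

    def lookup(self, clinician, key, category):
        """Locator says where to look; each node answers for one category only."""
        hits = {}
        if key not in self.opted_out:  # opted-out patients are invisible
            for pname in sorted(self.locator.get(key, ())):
                data = self.providers[pname].fetch(key, category)
                if data is not None:
                    hits[pname] = data
        # Every lookup is recorded so audits (and patients) can see who looked.
        self.audit_log.append((clinician, key, category, sorted(hits)))
        return hits

    def accesses_of(self, key):
        return [e for e in self.audit_log if e[1] == key]


def build_demo():
    key = patient_key("Jane Doe", "1970-01-02", "02115")
    net = Network()
    net.register(ProviderNode("clinic", {key: {"labs": "A1c 6.1", "notes": "visit"}}))
    net.register(ProviderNode("pharmacy", {key: {"meds": ["metformin"]}}))
    return net, key
```

A compromised pharmacy node in this model exposes only its own "meds" slice, and a clinician asking for labs never receives the clinic's visit notes.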

The creation of the national network also raises policy-related privacy issues. Specifically, can health information be used for research or other purposes that don't relate directly to care?

Privacy advocates want strict controls on how data can be accessed by researchers, to make sure records can't be traced back to an individual patient. They also want rules governing access by the spate of new intermediaries that are expected to spring up to help consumers manage their personal health records.

In particular, privacy advocates want to make sure intermediaries are covered by existing federal and state laws that prevent doctors and hospitals from disclosing health data. They also don't want Washington to preempt more protective state laws -- including laws that give consumers the right to sue for privacy violations -- in the name of expediting the national network's development. "Privacy has been a very low priority," says Privacy Rights Clearinghouse Director Beth Givens.

On Oct. 10 a consortium of consumer groups organized by the Markle Foundation recommended a list of consumer-protection principles to build confidence in the emerging, more open world of health-information sharing. Markle's two key ideas are letting consumers review who has been accessing their medical info to spot possible violations and making sure consumers are represented on governing bodies of the regional networks that will be linked to create the national system.

Markle also released a poll showing that 72% of Americans approve of the idea of the NHIN -- if privacy rights are protected. Another key finding: 68% wanted the network's rules to make sure employers can't use the network to learn personal information about their health.

Brailer is determined that unease about privacy not undermine public confidence in electronic health records. While he says the health-care industry considers even some parts of the existing law cumbersome and not cost-effective, he remains open to adding specific protections and controls as the network gets built.

"There might be, in the end, a need for new privacy laws or protections," Brailer says. "Right now, I think our privacy infrastructures are on track to get us where we're going."

Letting doctors access data about test results, prescriptions, and the like could save thousands of lives a year. And automating medicine will save consumers time.

Eventually, the days when every visit to a new doctor means spending quality time with a clipboard and reams of paperwork will give way to a simple card swipe to grant the doctor permission to see your medical history and insurance information before you walk right in.

"Patients who are worried about this should opt out," says Stephen Carson, medical director of the San Diego County Medical Society, which announced plans for a regional health-data network on Oct. 3. "They're going to wait a lot longer to get in, and their doctor will say: 'We don't have your test results, so you need another appointment.' And those things will push patients to take a risk."

Ultimately, consumers will have to decide whether to let their information be accessible over the network. Some will find the privacy concerns insurmountable. But if Brailer has anything to say about it, there will be even more compelling reasons to opt in.

Mullaney is BusinessWeek's e-commerce editor in New York