For the advocacy of House Resolution 2991 "The Independent Health Record Trust Act" - A framework for policy regarding privacy and security of voluntary participation in health record trusts.

Thursday, February 21, 2008

Why not include HR 2991 in a larger bill?

Currently, HR 2991 is stalled in the Health Subcommittees of the House Ways and Means and House Energy and Commerce. One might assume the House is waiting to attach it to a bigger bill.

That would be a mistake. First, it's likely that whatever it gets attached to is more controversial, while HR 2991 is not and can stand on its own. Second, if there is a need to modify an aspect of HR 2991 in the future, then it won't be considered a risk for opening some larger can of worms.

Why do we need IHRTs?

There is a lot of effort going into enabling the exchange of health information. Better exchange of health information can lead to better quality of care for the individual, improvements in the processes revolving around care, and quality improvements resulting from aggregation of health data at the regional and national levels. When there is an increase in quality there may also be an opportunity to reduce cost.

Google, Microsoft, WebMD, and others you're familiar with: they are already trying to access a piece of that pie. But the number of companies engaging in public/private initiatives across the country is large and growing. Without appropriate legislation, there may be opportunities for abuse of your health information far beyond what you've experienced with credit card fraud. Will legislation make you safe? No, but it is better to start off with legislation than to add it as an afterthought. People are already voluntarily entering health profile data in Google. I hope they are reading that fine print! With appropriate laws, we won't have to rely on the fine print nearly as much.

Participation in IHRTs by patients, doctors, and other providers should remain voluntary. To improve quality and lower cost, participation should not be dissuaded by concerns over security.

What is an Independent Health Record Trust?

There is much confusion over the definition of an Independent Health Record Trust. First, HR 2991 does not define trusts as data banks, either centralized or federated. The bill leaves implementation of a trust to various solutions. Yet, you'll find interpretations of the bill stating, incorrectly, that it establishes one or multiple data banks.

The bill's most technical wording is "nationwide health information technology network", and the rest of the document establishes that such a network would consist of independent trusts.

In information technology, a Trust defines a secure relationship. The bill adds that the Trust is charged with fiduciary responsibility. In the context of HR 2991, a viable and practical implementation of a Trust could utilize a federated security model to guard indices to health data contained in medical records, profiles, etc. There is no need to start gathering up all the data. That would be difficult, to say the least.

What is a Health Record?

As defined by the Agency for Health Record Quality (ahrq.gov), a "health record" is understood to be a collection of records concerning your health. It includes "medical records", which are those records held by hospitals (emergency records, radiology records, admissions records, etc.), doctors' offices, clinics, insurance companies, etc. If you create a Google Health Profile or a Medstory Profile (purchased by Microsoft), or a WebMD Profile if and when that becomes available, it too could logically be part of your health record.

HR 2991 establishes that it is the patient who should maintain control over access to a health record by establishing the concept of a Health Record Trust -- basically, a framework for establishing trust relationships between individuals and those who would access health data.

Tuesday, February 19, 2008

No Philosophical Barriers

From my vantage point, I can see no reason to oppose HR 2991 regardless of your political leanings or otherwise.

It doesn't favor any particular party, Democrat or Republican.
I don't think it favors any economic philosophy: whether you prefer nationalized or free market health systems. It should be compatible with either.
It doesn't favor any particular technology. It just sets policy.

Can't Un-Mix the Egg!!

Currently, trade groups from the Health Care and IT industries are pushing new legislation (H.R. 3800 "Promoting Health Information Technology Act" and H.R. 1693 "Wire for Health Care Quality Act") that would expand the interoperability of health systems (read as access to your health records!). The privacy provisions of these bills are very weak! Their other qualities may or may not be good. I did not review them from any perspective but privacy and security. From those perspectives, they do not measure up to HR 2991 "Independent Health Record Trust Act", whose sole purpose is privacy and security.

Reason for acting on HR 2991 NOW: Once this egg is mixed it may be impossible to un-mix!! Retroactively implementing security policy could be extremely difficult and may require relaxation of the would-be provisions of HR 2991 as compared with making these guarantees up front!
Studies by the Markle Group (www.markle.org) strongly suggest that policy issues in health IT easily become legal entanglements (so IT issues become settled by lawyers--not good). Security & privacy policy must be strong and comprehensive before broadly implementing health record technology.

Will we end up saying "It's too bad..."?

It's too bad Congress could not foresee the potential for credit card fraud prior to the massive dissemination of credit cards and set governing policy that protects privacy and security...

It's too bad Congress could not foresee the potential for social security fraud and set appropriate governing policy before the massive dissemination of social security IDs...

It's too bad Congress could not foresee the potential for health record fraud and set appropriate governing policy before the massive aggregation of personal health records... Wait a minute! We can foresee this potential!

The question is: will Congress listen?

Will we end up saying "It's too bad..."?

First Things First!! -- Privacy assurances must come first!

When a business sets policy regarding information technology, it is best advised to do so without specifying technical solutions. Instead, the policy makers for that business set guidelines for what the technology is to achieve and how it should be constrained. When our legislators set policy regarding information technology, the need to follow this practice is heightened since that policy becomes the law of the land. When legislators fail to abide by this practice, you end up with bad policy like FISA (the 1978 Foreign Intelligence Surveillance Act). FISA is bad because it specifies technology--outdated circuit-based technology--directly in law. Now, FISA is very difficult to interpret, and is the source of serious debates over surveillance effectiveness and privacy.

Currently, there are massive efforts to harness health information technology. The objectives overlap: decreasing cost, increasing quality, identifying profit opportunities, enabling better management of personal health information, and more. Each U.S. Senator, including some with aspirations of higher office, wants to be the first to put their name on legislation that somehow taps into those efforts. They have not learned from past mistakes and will unwittingly put your security and privacy at risk.

HR 2991, The Independent Health Record Trust Act, abides by the policy practice mentioned above. Its aim is to achieve privacy and security in health IT and place constraints on those efforts already underway.

Summary of HR 2991 IHRT Act

Essentially, HR 2991 establishes that you are the owner of any electronic health information about you, and that possession of that information cannot be the basis for equitable interest in that information (in other words, they can't own you since they've got your data). In addition, it provides for your control over access to that information, placing primary importance on privacy. It is written well, covering policy, not technology.

Fulfilling Americans' desire for affordable health care depends on their participation in forthcoming health information technology services; however, if they do not trust those services with their personal security and privacy, then their reluctance to participate may only result in more expenses added on to health care.