Tuesday, May 20, 2008


In yesterday's post, I quoted from a Computerworld article by Jay Cline, who believes the needs of the medical community for personal health data will outweigh the privacy concerns within five years. Don't know where the timing comes from, but my guess is it will happen sooner.

Cline hits all the right buttons on construction of the database, like limiting it to one location, simplification of files and patient access among them. But he lost me when he implied that there may be no limit to what might be included in the database. As I pointed out yesterday, the junk mail data brokers started with small collections of information on consumers several years ago, and today there is very little they don't know about American households. The problem with this is that they share it with government agencies almost at will, and sell it to the tune of $4 billion annually, a practice that has proven itself highly conducive to identity theft.

What really frosts me is a statement by the author that is tragically true: paraphrased, it indicates that the U.S. would have to look to European Union standards to meet the standards that privacy advocates would certainly ask for in this kind of program. They are:

• Consumer total awareness of what is in personal health records (PHRs)

• Complete user access

• Data integrity (common sense but sorely lacking in U.S.)

• Best available security

• Voluntary participation

• Control over individual health information

• Strict enforcement for violators

This is perhaps one of the saddest commentaries on congressional leaders, who have been totally inept in passing privacy legislation to protect their constituents.

Advocates are concerned about what a user, other than the consumer whose data it is, might do with the information. Good point, and the way to solve this issue is to limit outside use to only that approved by the individual, unless under emergency conditions. Then, only the caregivers involved should be able to access it.

Cline offers a coalition in healthcare similar to the retail industry's Payment Card Industry Data Security Council. However, TJX (TJ Maxx, Marshalls) was in compliance with PCI standards when it lost 94 million credit and debit card holders' account numbers to hackers trolling one of the TJX stores' parking lots with wireless equipment.

I am not for big government, but there are some things that are better handled at the federal level, like the Federal Trade Commission's Do-Not-Call registry with over 150 million people signed up. It is one of the FTC's most outstanding success stories and could be repeated in the personal health records (PHRs) controversy, possibly best in coordination with an agency like the National Institutes of Health. The article does mention that PHRs are subject to consumer protection laws. That could bridge the gap until consumers are granted control over their names and private information, which should include their medical data.

Next post: What companies are competing for the personal health data, and how does the Health Insurance Portability and Accountability Act of 1996 (HIPAA) fit in the scheme of things?

