Multiple EHR certifying entities proposed

While people are kicking around certifying EHR systems, core issues of consent have not been adequately addressed. So what are we certifying — that System A will comply with laws and standards that stripped you of your right to control who has access to your electronic health records?

Initial recommendations of the federal HIT Policy Committee’s certification/adoption workgroup could spell the end of the Certification Commission for Healthcare Information Technology’s monopoly on certifying electronic health records systems. But the group leaves the door open to having existing systems certified under CCHIT criteria deemed certified in 2011. That’s when Medicare/Medicaid incentives authorized under the American Recovery and Reinvestment Act start.

The workgroup recommends that multiple organizations be allowed to perform “HHS Certification” testing and provide certification. HHS Certification means a certifying process that is limited to the minimum set of criteria necessary to meet functional requirements of ARRA and achieve the law’s meaningful use objectives.

Read more on Health Data Management.

The Coalition for Patient Privacy had submitted comments to the HIT Policy Committee on “meaningful use” on June 26. Their statement said, in part:

The KEY CRITICAL FUNCTION needed in every EHR to enable “meaningful use” of EHR data is the ability for patients to control the uses and disclosures of all protected health information (PHI). We recommend adopting existing open source technology that enables detailed control over disclosures as a baseline model or floor for consent technologies. The millions of members in our organizations want granular control over disclosures of their electronic health records, analogous to the ethical principles that have long governed our control over disclosures from paper health records.

The Meaningful Use Workgroup recommended to the Health IT Policy Committee that proposed “meaningful use” functions in EHRs should be “ultimately linked to achieving measurable outcomes in patient engagement, care coordination, and population health.”

We believe that only if patients are willing to participate in the healthcare system and trust doctors with their most sensitive concerns will they disclose complete and accurate information necessary to achieve measurable and reliable outcomes.

One of the major weaknesses of current legislation (enacted and to-be-enacted) is that it does not give patients the kind of granular control on disclosures described above. As one consequence, patients do not get to determine who may access their information.  Under “meaningful use,” providers would disclose to the patient — upon request — to whom their details have been provided for treatment, payment, or “health care operations” purposes.  Revealing disclosures after the fact is not enough.  Providers should be required to get permission before disclosures are made.

In a recent group email discussion with others interested in these issues, I raised the example of a community hospital that goes bankrupt and is bought out by others who intend to keep it operating as a hospital. Under the existing federal regulations, protected health information (i.e., the patients’ records) can be transferred from the bankrupt hospital to those taking it over because transfer between one covered entity and another is permitted. But consider these scenarios:

Scenario 1: Patient Jane Doe is an adolescent seen at the community hospital’s child and adolescent psychiatric unit. When the hospital goes bankrupt and is bought out by a physician’s group, her records are among those transferred to the new group. But the new hospital won’t have a child and adolescent psychiatric unit, so why should they have her records? And what if one of the doctors who bought out the hospital is a relative and Jane Doe would not want them having access to her records under any circumstances?

Scenario 2: Celebrity patient John Doe is aware of the problems a hypothetical hospital has had with employee snooping on celebrity records. When he learns that his hospital has been bought out by the same chain that operates the hypothetical hospital, he worries about the security of his records and wonders why no one asked him his permission to share his records.

In contrast to those who argue that some privacy advocates (presumably myself included) worry too much about “informed consent,” I think that Congress has not done enough to incorporate and respect the core issue of consent that is crucial to trust between health care providers and patients. Has Congress caved in to pressure from businesses who make money selling or sharing our health information? It would appear so. And the current pressure to go “electronic” and “interoperable” in the absence of adequate security and privacy protections is a recipe for disaster.

Deborah Peel, M.D., founder of, had this to say:

The HIT Policy Committee simply does NOT get the fact that Americans want the same controls Facebook users have over postings on their walls: the right to keep whoever they want from seeing personal information. The HIT Policy Committee is dominated by industry appointees and researchers intent on wiring every electronic health record in the nation for data mining and use without informed consent. None of the policies or requirements proposed for certified EHRs include robust informed consent. The only way health IT systems will ever be trusted or succeed is if Americans control who can see and use their electronic health records. This committee is a bunch of foxes designing hencoops; the chickens will never trust them.

Well, I wouldn’t hold Facebook up as an appropriate comparison, as there are certainly plenty of privacy issues around Facebook, but I do understand her point. I would strongly encourage everyone to write to their senators and representatives and tell them that control and consent must be restored. ARRA’s “meaningful use” allows too much that, when all is said and done, is probably only “meaningful” to data miners and marketers and not to the patient. No commercial entity should ever be given protected health information without the express and direct informed consent of the patient.


About the author: Dissent
