Just recently, data breaches at a hospital system and a medical practice were reported in the media, sparking fears that these events might slow the passage of health information technology bills in Congress and the progress made by regional health information organizations (RHIOs) and health information exchanges.
Still, the people hard at work on these initiatives have, from the beginning, paid particular attention to the secure and confidential exchange of healthcare data and want those outside the industry to know what they have done to address these critical issues.
The Mendocino Health Records Exchange did not reach out to engage any privacy groups during its formative stage, according to Will Ross, project manager for technology consulting firm Mendocino Informatics. However, the demonstration project, which covers two rural counties made up mostly of solo practices, is sticking “very closely” to Connecting for Health’s Common Framework.
The Common Framework provides a set of technology and policy resources for implementing private and secure health information exchange. Health privacy law and policy experts have contributed their knowledge to the Common Framework, which has been in prototype since mid-2005.
Besides Mendocino, the Boston and Indianapolis RHIOs have been implementing the Common Framework, which includes a policy for responding to privacy spills. They have also investigated aggressively how to solve privacy problems. “The Common Framework’s recommendations go above and beyond HIPAA and state privacy laws,” Ross explained.
“We’ve been extremely careful in that the only records we handle are the lab-to-physician records,” he said. Mendocino’s system was developed to recognize log-ons only from known Internet addresses over known virtual private networks. Mendocino engaged in a lengthy process to replicate Indiana’s efforts to authenticate records sent to known sites.
The one privacy “hole” that Ross said can’t be plugged to date is the untethered personal health record, or a patient record that is not authenticated by a doctor. “We haven’t advanced the understanding that a particular individual is the patient,” said Ross, regarding security confirmation of untethered personal health records.
The experts contributing to the Common Framework will continue to hammer away at these “privacy holes,” and they will no doubt crack that code in due time.