'Next Generation' of Privacy Needed for Health Information Technology Comprehensive Framework of Privacy Protections Needed

The Health Privacy Project at the Center for Democracy &
Technology today released a major policy paper calling for the adoption
of "next generation" privacy policies to be built into the nation's
rapidly advancing health information technology system. The recently
passed stimulus package included $20 billion to help jumpstart and
build out a nationwide health IT network and took several steps toward
addressing the public's privacy concerns.

The HPP paper, titled "Privacy As An Enabler, Not An Impediment:
Building Trust Into Health Information Exchange," is published in the
current issue of Health Affairs, the nation's foremost journal on
health policy. This issue is devoted to health IT and includes articles
from key stakeholders involved in the implementation of nationwide
health IT system.

For too long privacy issues have been seen as a barrier to the
adoption of electronic health information exchange, or have focused on
solutions that place the burden for protecting privacy on individuals,
a scenario that creates its own obstacles to sharing information for
important health care purposes. Next generation privacy policy is a
comprehensive framework that includes core privacy principles based on
fair information practices, network design that facilitates the
movement of information while protecting privacy, and strong oversight
and enforcement. That next generation framework should build on HIPAA,
filling its gaps, and include additional protections for the migration
of information out of the health care system, such as through personal
health records, known as "PHRs."

"Although some persist in positioning privacy as an obstacle to
achieving the promise of health IT, it is clear the opposite is true:
enhanced privacy and security will build the public trust and
confidence that are critical to the rapid adoption and implementation
of health IT," said HPP Project Director Deven McGraw.

HPP's paper makes a number of recommendations that were included in
the American Recovery and Reinvestment Act of 2009, the so-called
economic stimulus plan. Those recommendations include:

• Improved enforcement of HIPAA by ensuring that all those in the
  traditional health care system who access, use and disclose personal
  health information can be held accountable for compliance with the
  rules;
• Tightened rules against use of information for marketing purposes;
• Ensuring that individuals can easily and cheaply get electronic copies of their health information

"Those provisions take concrete steps toward establishing the common
framework of protections needed to build public trust in health IT,"
said CDT President Leslie Harris. "Appropriate implementation of these
provisions will be critical as we move into health reform," Harris
said. "Ensuring that these provisions remain strong during the
regulatory process is the critical next step."