nyclu_patientprivacy

7/30/2019 nyclu_PatientPrivacy

1/40

ProtectinPatientPrivacy:

StrategieS ForregUlatiNgeleCtroNiCHealtH reCordS

exCHaNge


2/40

NEW YORK CIVIL LIBERTIES UNION125 B S, 19h F

N Y, NY 10004

.nycu.

Mch 2012

ACKNOWLEdgEmENTS

This paper was written by Corinne A. Carey, NYCLU assistant legislative director, and Gillian Stern, volunteer attorney with the NYCLU.

Research assistance was provided by Erika Rickard and Andrew Napier. Special thanks to outside readers Gretl Rassmussen and Jeanne Flavin.

It was edited by Robert Perry, Jennier Carnig, Melissa Goodman and Helen Zelon.

Graphics were created by Willa Tracosis.

It was designed by L i Wah Lai.

ABOUT THE NEW YORK CIVIL LIBERTIES UNION

The New York Civil Liberties Union (NYCLU) is one o the nations oremost deenders o civil liberties and civil rights. Founded in 1951 as the New

York aliate o the American Civil Liberties Union, we are a not-or-proft, nonpartisan organization with eight chapters and regional oces and

nearly 50,000 members across the state. Our mission is to deend and promote the undamental principles and values embodied in the Bill oRights, the U.S. Constitution, and the New York Constitution, including reedom o spee ch and religion, and the right to privacy, equality and due

process o law or all New Yorkers. Fo r more in ormation about the NYCLU, plea se visit www.nyclu.org.


3/40

1 gLOSSARY OF TERmS

3 gRAPH IC: Who gets to See Your meical History?

4 INTROdUCTION

8 PART 1: The New Worl of Electronic Health Inforation Exchane8 wh Cm Bf

9 Mnnn Pcy Pcns n h Fc f N tchny

12 PART 2: developin New Yorks Electronic Health Inforation Exchane

13 Pn Cnsn incusn n Us f Mc rcs n n ecnc infmn echn

14 A new pa tien t consent protoco

15 Breaking the glass: patient privacy in a medical emergency

16 Pn Cn f infmn-Shn

17 Granular control o patient inormation

18 Patient control over sensitive health inormation

19 The mineield o adolescent consent

21 CONCLUSION

22 RECOmmENdATIONS

24 NYCLUS INVOLVEmENT IN HIE ImPLEmENTATION IN NYS

26 ENdNOTES

CoNteNtS

ProtectinPatientPrivacy:

StrategieS ForregUlatiNg eleCtroNiCHealtH reCordS exCHaNge


4/40


5/40

Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge

New York Civil liBertieS UNioN 1

BREak THE glaSS. A provision in New York

States policies and procedures that reers

to the ability o a health care provider or

other authorized user to access a patients

Protected Health Inormation (PHI) without

obtaining patient consent. NYS policies allow

a provider to break the glass in the case o a

medical emergency where a patient is unable

to give consent to access his or her health

inormation.

COVEREd ENTITY. Those entities that are required

to comply with ederal health inormation

privacy rules under HIPAA, which denes a

covered entity as (1) a health plan, (2) a

health care clearinghouse, or (3) a health

care provider who transmits any health

inormation in electronic orm or insurance or

reimbursement purposes.

daTa MININg. A process o pulling pieces o datarom a database or electronic network in order

to look or patterns and relationships. In the

context o health inormation technology,

data mining can be used or public health

purposes, or example, to identiy patterns

that reveal an epidemic. But it can also be used

or marketing purposes to determine where to

ocus promotional campaigns.

daTa SEgREgaTION/gRaNUlaR CONTROl.

The ability to separate out or sequester healthinormation, sometimes based on specially

protected sensitive health inormation but

not always. Data segregation or granular

control 1) allows patients to exert some

control over the type and level o inormation

that can be shared; 2) restricts inormation

access to specic individuals or entities; and

3) establishes preerences or time rame and/

or duration during which specic inormation

can be electronically accessed.

EHR (Electronic Health Record). A digital version o

the traditional paper-based medical record or

an individual either kept within a single acility,

such as a doctors o ce or a clinic (sometimes

reerred to as an electronic medical record

or EMR), or the o cial health record or an

individual that is shared among providers,acilities and agencies.

HEal-NY. New York State passed the Health Care

E ciency and Aordability Law or New Yorkers

Capital Grant Program in 2004, oten reerred

to as the HEAL NY Program, to support

the development and implementation o

New Yorks health inormation technology

inrastructure.

HIE (Health Inormation Exchange). Genericterm or any system that acilitates

electronic exchange o medical inormation.

Alternatively, HIE reers to the act o

transmitting or exchanging electronic

medical inormation among acilities, health

inormation organizations (HIOs) or HIEs, and

government agencies.

HIO (Health Inormation Organization). An

entity that acilitates electronic exchange

o medical inormation. A HIO is one type oHIE; or example, a RHIO, or Regional Health

Inormation Organization, is an HIE.

HIPaa.The Health Insurance Portability and

Accountability Act(HIPAA) was enacted by

Congress is 1996. The HIPAA Privacy Rule (45

CFR Part 160 and Subparts A and E o Part 164)

regulates the use and disclosure o personal

gloSSarY oF terMS


6/40

2 New York Civil liBertieS UNioN


health inormation (or Protected Health

Inormation) held by covered entities.

HIT (Health Inormation Technology).The storage,

retrieval, exchange and use o health

inormation in an electronic environment.

HITECH. Enacted as part o the American

Recovery and Reinvestment Act o 2009, the

Health Inormation Technology or Economic

and Clinical Health (HITECH) Act is designed

to promote the widespread adoption and

standardization o health inormation

technology. HITECH required the Department

o Health and Human Services (HHS) to amend

the HIPAA Privacy, Security, and Enorcement

Rules to strengthen privacy and securityprotections or electronic health inormation

sharing.

IT (Inormation Technology).The development,

implementation, and maintenance o

computer hardware and sotware systems

to organize and communicate inormation

electronically.

NCVHS. The National Committee on Vital and Health

Statistics (NCVHS) was established by Congressto serve as an advisory body to the Department

o Health and Human Services on health data,

statistics and national health inormation

policy.

NwHIN.The Nationwide Health Inormation Network

(NwHIN) is sometimes described as a network

o networks that allows participants (state

level exchanges, ederal entities, public health

entities and health inormation organizations)

to locate and exchange health inormationelectronically. The initiative is sponsored by the

Oce o the National Coordinator (ONC) or

Health Inormation Technology, which began

developing the NwHIN in 2004.

NYeC (The New York eHealth Collaborative). A

state designated not-or-prot public-private

partnership and statewide policy body ormed

in 2006 that is charged with the development

o policies and procedures governing the

implementation o the electronic exchange o

health inormation in New York State.

OHITT. New York States Oce o Health Inormation

Technology Transormation (OHITT) was created

in 2007 by the New York State Department

o Health to coordinate New Yorks Health

Inormation Technology eforts.

PHI (Protected Health Inormation). PHI is dened

by HIPPA (ederal law) as any inormation

held by a covered entity that concerns health

status, provision o health care, or payment or

health care that can be linked to an individual.

This is interpreted rather broadly and includesany part o an individuals medical record or

payment history.

PHR (Personal Health Record).An electronic health

record maintained by a patient that includes,

or example, patient-reported data, as well

as physician-generated data and lab results

(either entered by the patient or downloaded

rom the lab itsel ). A PHR difers rom an EHR,

which is maintained by provider or a health

inormation exchange.

RHIO (Regional Health Inormation Organization).

A group o organizations within a specic

geographical area that share health care-

related inormation electronically. A RHIO

typically oversees the means o inormation

exchange and develops health inormation

technology (HIT) standards.

SHIN-NY (Statewide Health Inormation Network

or New York). Described as an inormationsuperhighway, the SHIN-NY is the

technological inrastructure being designed by

New York to acilitate the exchange o health

inormation between and among providers,

consumers, payers and government agencies.


7/40



Who gets to see your medical history?Until the advent of electronic health information exchange, patients had the

ability to control which providers had access to what information about their

medical history. Even when a patient consented to allow a new provider to

access her records, what information went into those records depended on

what the patient wanted to tell her doctor, and then what the doctor chose to

send to the new provider. Unless exchange networks are carefully designed,electronic health records that can be shared at the click of a mouse can

threaten patient control over sensitive health information.

PROTECTING

PATIENT

PRIVACY

Traditional patient privacy controls

Patient privacy in an electronic world

STD CLINIC

ALLERGIST

It's important for

my new doctor to speak to my

primary care doctor and allergist,

but not to all of them.

NEW DOCTOR

PRIMARY CARE

ABORTION CLINIC

STD CLINIC

ALLERGIST

NEW DOCTOR

PRIMARY CARE

ABORTION CLINIC I dont think

you needed to

know all that.

ELECTRONIC

HEALTH

RECORD


8/40



Electronic health inormation technology is

transorming the health care system as we

know it. Like many aspects o our lives, the

medical o ce is going online. Doctors, health sys-

tems, insurers, care coordination systems, regulators,

governments and patients themselves are demand-

ing electronic access to health records. Near instan-

taneous sharing o inormation between and among

health care providers promises signicant benets

to both doctors and patients, including greater

coordination and e ciency in service delivery,

reductions in medical errors and misdiagnoses, and

convenience. Tese benets are also likely to im-

prove the e ciency and eectiveness o the health

care system more broadly.

However, this step orward poses signiicant

risks. Easily shareable electronic records threaten

patient privacy, and can lead to security breaches,

misuse o inormation, and most importantly, loss

o patient control over conidential and sensitive

health inormation. his threatens the coniden-

tial communication between doctors and patients

that has been a bedrock principle o modern

medicine. Conidentiality ensures that patients

seek out care, and that they are open and hon-

est with their providers. Fully inormed by the

totality o a patients circumstances, providers can

render the best care possible.1 Patients who ear

a loss o control over their private medical inor-

mation may lose aith in their doctorand in the

health care system. hey may ail to share critical

inormation with their treating providers or they

may avoid treatment altogether.

Guaranteeing condentiality and patient control

over sensitive health inormation is critical to the

success o electronic health inormation exchange.

Only with condence that personal medical inor-

mation will be shared in ways that benet them and

not cause them harm will patients ully engage in

this promising technological advancement.

New York State has taken a national leadership

role in transorming the manner in which patients

records are created and shared. Hard-copy docu-

ments and electronic records stored in an o ce

computer are now being converted into a compre-

hensive, statewide network o integrated, searchable

databaseswith the goal o ultimately linking to a

uture nationwide health inormation network.

A growing inormation-sharing network, guided by

the New York eHealth Collaborative, a public-pri-

vate partnership unded by the New York State De-

partment o Health, has invested more than $840

million towards developing health inormation

exchanges, or HIEs. A dozen existing HIE networks

will eventually permit providers and payers to gain

access to a patients aggregated medical records in

New York State and, ultimately, connect New Yorks

HIEs with a national network.

Te state has endorsed a set o privacy and security

policies and procedures or the implementation

o health inormation exchange.2 But these poli-

cies have signicant aws that pose challenges to

the integrity o electronic record-sharing in New

York State. Most signicantly, these policies do not

allow or patient control over the inclusion o their

health inormation in the network. In addition,

the technological inrastructure used by the states

HIEs represents an all-or-nothing approach: Once

a patient consents to allowing a provider to gain ac-

cess to his or her medical records, the provider sees

everything that was ever entered into the network

about that patient, regardless o whether the inor-

mation is relevant to current treatment.

iNtrodUCtioN


9/40



Te New York Civil Liberties Union supports

electronic sharing o medical records, but takes the

position that patients must be able to control who

has access to their medical inormation. Patients

must also be assured that those who do have access

receive only inormation that is relevant to their

treatment. Otherwise, those in need o medical

care may be reluctant to seek it or to give providers

consent to review their medical records. Patients

will have conidence in the states approach to

electronic health inormation exchange where

vigorous informed consentrequirements and

specic limitations on information-sharingprotect

sensitive inormation and ensure individual control

o personal medical records.

Te New York State Department o Health, theNYeHealth Collaborative, and the New York State

Legislature must take steps to protect individual

privacy and autonomy as the state develops a cen-

tralized electronic exchange o health and medi-

cal inormation. Te NYCLU oers the ollowing

recommendations in support o this goal.

nGive Patients and Providers Control Over

Access to, and Sharing o, Medical Records.

Inormation-sharing data systems must be

designed to sort and segregate medical inorma-tion to comply with privacy protections guaran-

teed under New York State and ederal laws. At

present they do not. Without such protections,

people who receive medical care that requires

strict condentialityor example, treatment o

conditions to which stigma attachesand the

providers who deliver that care may choose not

to share medical records in order to protect pri-

vacy. Tis increases the risk o harm to patients

and to the general public.

nOfer Patients the Right to Opt-Out Altogether.he state must adopt a policy that requires

providers to oer patients the option o de-

clining to participate in health inormation

exchange altogether, or at least ensure that a

patients identiying inormation is not ac-

cessible by those who have not obtained the

speciic consent o the patient.

nRequire Patient Consent Forms to OerClear Inormation-Sharing Options. Te

state must revisit its policy on consent to allow

greater patient control over how medical inor-

mation is shared. Consent orms should oer

patients three distinct options: to opt-in andallow providers access to their electronic medi-

cal records, to opt-out except in the event o a

medical emergency, or to opt-out altogether.

nRequire Notice to Patients When TeirProviders Become Data Suppliers. Te state

must adopt a policy mandating that providers

notiy patients when the provider links to an

HIE. In the absence o consent to upload patient

inormation, patients must be notied when

inormation about them rom their providerinitially becomes accessible through an HIE.

nGuarantee the Right o Patients to Correctand Amend Inormation. Current law permits

patients to review and submit amendments

to medical records held by individual provid-

ers. Te practice o correction and amendment

must be adapted to ensure that a correction to

any error is automatically sent to any provider

who has previously accessed the patients medi-

cal record through an HIE.

nProhibit, and Sanction, the Misuse o MedicalInormation. Te state should adopt a policy

that prohibits, and strongly sanctions, the

misuse o patient medical inormation obtained

through an HIE. New Yorks current all-or-noth-

ing data-sharing system gives providers access

to all o a patients medical recordsregardless

o how old the inormation or how relevant it is

or current treatment. New York must protect

patients rom bad actors: that small minorityo providers who may abuse inormation out o

ear, prejudice or malice.

nMandate Redisclosure Prohibitions or TirdParties. Current state policies do not require

HIEs to warn those who access patient health

inormation that redisclosing sensitive medical

inormation without patient consent violates the


10/40



law. State policy should require HIEs to explic-

itly communicate to third parties that redisclo-

sure is prohibited and that there are penalties or

violating this prohibition.

nProhibit Health Inormation Exchanges romSelling Data. Te New York State Legislature

should pass legislation prohibiting HIEs rom

selling patients private health inormation; this

prohibition should apply to records with or

without a patients personal identiers. Medical

inormation must not be used to target indi-

viduals or providers or promotional pitches

or advertising campaigns; nor should HIEs be

allowed to prot rom the sales and marketing

opportunities created by the release o inorma-

tion in patients medical records.

nCareully Regulate the Use o CommercialVendors o Personal Health Records. A num-

ber o commercial vendors now oer patients

the ability to collect, store and manage their own

medical inormation online. State and ederal

condentiality restrictions may not apply to

inormation held by these commercial vendors.

I commercially available health records systems

are oered to New Yorkers as a way or them

to access and manage their own health inor-mation, the state must require that patients be

warned o privacy risks. Patients must also be

given access to their records without having to

resort to a commercial vendor.

nStep Up Public Outreach Eforts. Public healthocials must ully inorm New Yorkers about

the implementation o health inormation

exchanges (HIEs) in New York State. Under

current state policy, patient medical inormation

is linked to the system without patient notice orconsent. Patients require a better understanding

o what is at stake. Tis requires clear inormed

consent mechanisms and a robust public educa-

tion program that explains to people what they

need to know about electronic medical records

exchange before a visit to the doctors oce.


11/40



The art o medicine aces a technological

re-invention as record-keeping moves rom

ile cabinets and desk drawers to a web

o interconnected computer database systems.

As cumbersome paper records are supplanted

by ostensibly secure electronic networks, physi-

cians, insurers, health care coordination systems,

regulators, governments and patients themselves

are eager or rapid electronic access to health

records. Accordingly, New York State has begun

to transorm the procedures by which patient

records are created, stored and shared. Hard-copy

documents, once stashed in a older or stored in

an oice computer, are now being converted into

a comprehensive, statewide electronic network o

integrated, searchable databases that will one day

link to a national health inormation network.

Since 2004, New York State has been working to

develop electronic health inormation exchanges

(HIEs) via the New York eHealth Collaborative, a

public-private partnership unded by the New York

State Department o Health. In many parts o the

state, shareable electronic health record systems

are already up and running. welve regional health

inormation organizations (RHIOs) in New York

permit providers to share patient records with

other providers in their networks. Eventually, all

o New Yorks RHIOs will be linked to a statewide

health inormation network (or SHIN-NY).3 Other

types o health inormation organizations will be

able to access this network, and it will soon become

directly accessible by individual providers.

Rapid inormation sharing promises signicant

benets to health care providers and patients. Te

advent o electronic inormation exchange will also

benet the health care system. Services can be bet-

ter coordinated and more eciently delivered, and

the incidence o medical errors and misdiagnoses

can be reduced as inormation becomes more ac-

cessible and convenient or both patients and pro-

viders. But networked electronic records create the

potential or security breaches,4 misuse o inorma-

tion, and loss o patient control over condential

and sensitive health inormation.

Privacy protection and inormed patient consent

must be the oundational principles o a air, eec-

tive electronic health inormation exchange. With-

out guarantees o privacy, shared networks will

ail.5 I private medical inormation is vulnerable

to public dissemination and inspection, medi-

cal consumers may avoid care. And i signiicant

numbers o patients decline to participate, the

personal and public health beneits o HIE will be

diminished. he potential or public backlash is

greatone need look no urther than the periodic

public uproar over changes in Facebooks privacy

practices as an example.6 Robust and enorce-

able privacy protections and consent procedures

must be in place rom the start in order to ensure

patient conidence.

What Came Beore

Patient privacy has been paramount in medical

care at least since Hippocrates amous oath, which

impels physicians to keep condential any inorma-

tion obtained in the course o treating a patient.

7

Until very recently, patient inormation was kept

in physical orm; thus, saeguarding privacy was

relatively simple. o share patient inormation

with another provider, the doctor would secure

the patients permission, copy the relevant portion

o the patients le and send it along. Consent was

required or each communication, and the patient

retained the ability to control which providers had

Part 1: th N w f ecncHh infmn echn


12/40



access to what inormation. Even when records

were shared, the inormation that went into those

records was limited by what the patient wanted to

tell the doctor; and subsequently what the doctor

chose to send to another provider. A patient visit-

ing a podiatrist might understandably choose not

to disclose his prior psychotherapy, or example.

When asked about past surgeries, he may share

that hes had an appendectomy but omit mention o

hemorrhoid surgery.

Moreover, the actual sharing o records by doc-

tors has always involved a second screening step.

Doctors and acilities rarely i ever transmit entire

patient records to a second providerthey omit

extraneous inormation, and they requently sae-

guard sensitive inormation at the request o thepatient. As in the example above, the general prac-

titioner would inorm the podiatrist o a diabetes

diagnosis, but would not pass on the name, or even

the existence, o the patients psychotherapisti

the general practitioner even knew it.

Indeed, the conidentiality o individual medical

records has long been mandated by proessional

practice standards, and by ederal and state laws.

All modern medical schools administer oaths that

impose the duty o conidentiality on physicians.8

Nationally, a basic right to conidentiality was

codiied in ederal law in the Health Insurance

Portability and Accountability Act (or HIPAA);9

even stronger protections were extended by the

recent American Reinvestment and Recovery

Act.10 Additional privacy saeguards protect

speciic categories o sensitive inormation like

amily planning services, substance abuse treat-

ment and genetic testing.11 Federal laws set the

minimum standard; state laws requently impose

even more stringent conidentiality protections.12

All o these patient privacy protections are rooted

in the understanding that compromising patient

privacy means compromising individual care and

the public health.

New York State has long been a national leader in

protecting the conidentiality o personal medical

inormation. State law has strict privacy stan-

dards or medical records.13 Unlike HIPAA, New

York requires patient consent beore a physician

can disclose an individuals medical inorma-

tion to another treating physician.14 It also limits

disclosure to immediately relevant inormation.15

Even stronger protections restrict the release o

certain especially sensitive inormation regarding

genetic tests,16 mental health,17 medical treatment

o adolescents18 sexually transmitted inections19

and HIV.20

Maintaining Privacy Protections in the

Face o New Technology

Advances in technology do not void existing state

laws or eclipse the ethical concerns that gave riseto those laws. Rapidly evolving inormation tech-

nology requires that the state undertake a compre-

hensive in-depth analysis to determine (1) whether

current policies and procedures governing HIEs

comply with existing laws; and (2) whether laws

protecting the condentiality o patients medical

inormation are sucient in light o new techno-

logical capabilities.

New York State laws governing personal medical

inormation were drafed or the world o paper re-cords; inherent in these laws is a presumption that

patients control the dissemination o their medical

records and that a physical human lter in the

doctors oce decides what inormation is shared

with third parties. Electronic systems that share

entire records at the click o a mouse cannot help

but undermine these controls.

Nowadays, the challenge o protecting condential-

ity is exacerbated by the complexity o the modern

health care system where records migrate beyondthe connes o the doctors oce. Existing law has

been amended to require that medical inormation

is kept condential not only by the doctor but by

the array o other entities that have access to private

medical inormation: HMOs, the laboratories that

process medical tests, the hospital system in which

the doctor participates, the doctors or hospitals

records management company, the patients insur-


13/40



ance company, and the medical underwriter who

insures that insurance company.21

Failing to extend the strong medical privacy

protections that exist in current law to electronic

health inormation exchange creates a serious risk

o harm to individual patients. However, the great-

est danger is to public health in the broadest sense.

Should patients decline to give their providers ac-

cess to their medical records, misrepresent medical

inormation or avoid treatment altogether, New

York may lose both the individual and commu-

nity-wide benets health inormation technology

promises. Both individual patient records and

aggregated public health data will be increasingly

susceptible to error due to incomplete or inac-

curate inormation. Doctors may unwittingly basediagnoses on alse or misleading inormation,

leading to treatment decisions that are not in the

patients best interestor that cause actual harm.

Data compiled or the purpose o analyzing public

health issues will be skewed, underreporting in-

ormation rom the records o those patients with

greater privacy concerns. In turn, this phenom-

enon would lead to the awed assessment o public

health problems and trends.

Americans want their medical inormationwhether in paper or electronic ormto be held

in private with their medical providers.22 Most

patients expect that medical privacy is ar more

vigorously protected by law than it actually is.23

All health care consumers have an interest in the

condentiality o their medical records; but or

some, privacy saeguards are essential when they

seek treatment and services or sensitive health care

issues related to HIV/AIDS diagnosis and treat-

ment, reproductive health, substance abuse, mental

health, genetic conditions, sexual assault, and do-mestic violence.24 Minors seeking care have perhaps

the greatest need o assurance that their medical

inormation will be held in condence.25 Studies

indicate that minors will avoid or delay seeking

care i they believe that their parents will nd out.26

As records become electronically linkedoce

to oce, region to region and ultimately state to

statethe need to ensure that adequate privacy

protections are in place grows in proportion to the

sheer number o people, including legions o non-

medical personnel, who have push-button access to

a patients entire medical history.

New concerns will arise as electronic networks al-

low patients direct access to their own medical re-

cords, via provider-created portals or through con-

tracts with ree-standing Personal Health Record

(PHR) systems such as Microsof Health Vault.27

Patients may also have access through smart phone

applications and other means not yet envisioned.28

Tese powerul tools will permit patients to iden-

tiy and correct errors in their records, collate and

track their own health inormation retained in

multiple sources, and ultimately enter their own

health-behavior inormation in electronic data-bases.29 Some regional health inormation organi-

zations have already considered providing patients

access to their own health inormation via the use

o commercially-available PHRs.

he prolieration o personal health records raises

questions about privacy that have been largely

unexamined and wholly unresolved. Which sorts

o records are governed by New York State privacy

laws, which by HIPAA, and which by the Federal

rade Commission? Can patients rely on the sameprotections o medical inormation held by PHRs

as they do or inormation held within a doctors

ile cabinet or computer? What protections do pa-

tients have against disclosure or data mining 30 by a

third-party vendor o a smart phone app when the

vendor may not be required to comply with ed-

eral privacy standards?31 Would such inormation

be protected i requested pursuant to subpoena?

What i records are accessed or downloaded by a

patient on his or her employers computer? New

York State must thoughtully and deliberatelyconsider the issues raised beore entering this

uncharted territory.


14/40


15/40



Eorts to create a network o shared electronic

health records began in earnest in April

2004 with an executive order rom the Bush

administration setting adoption o interoper-

able electronic health records by 2014 as a na-

tional goal.32 he executive order also established

the Oice o the National Coordinator or Health

Inormation echnology in the Department o

Health and Human Services, and a strategic

plan and unding streams or state and national

HIE programs.

During the Bush years, national policy or de-

veloping an electronic medical records system

ocused largely on market-based, ree-enterprise

strategies and on initiatives undertaken by indi-

vidual states. he Obama administration brought

signiicant resources to this undertakingin-

cluding unding, policy guidance and national

organizationthrough the Health Inormation

echnology or Economic and Clinical Health

Act (HIECH), passed in February 2009.33 While

HIECH greatly increased unding or health

inormation technology, it also transormed the

ederal governments approach to privacy and

consent, establishing new protections or person-

al health privacy and substantially extending the

limited protections o HIPPA.34

New York States health inormation technology

initiatives also date to 2004, with passage o theHealth Care Eciency and Aordability Law or

New Yorkers Capital Grant Program (HEAL NY).35

HEAL NYs primary objective was implementing

a 21st Century health inormation inrastructure.36

New York State established the Oce o Health

Inormation echnology ransormation in 2007 to

begin building an inrastructure to share clinical

inormation between patients, providers, payers

and public health entities. Tis inrastructure will

ultimately be integrated into a statewide network

and into the planned national network.37 New York

State has since invested more than $840 million to

develop HI networks throughout the state.38 A

state-unded grant program now unds 12 Regional

Health Inormation Networks (RHIOs) that acili-

tate patient record-sharing.39 At present, more than

65,000 health care providers participate in RHIOs.40

As New York State began to develop the health in-

ormation exchange, the state introduced a process

or developing policies and procedures that govern

patient consent and privacy.41 Stakeholder meetings

took place even as some RHIOs recruited providers

and patients. Te accelerated policy development

process lef little time or careul consideration o

policy debates about privacy and consent happen-

ing at the ederal level and across the country, or o

rapidly evolving technological capabilities.

Te states operational plan acknowledges that

New York State currently has a ragmented legal

and regulatory ramework or the exchange o

Health Inormation.42 Nevertheless, New York has

not carried out a comprehensive analysis o state

law as it relates to the states own HIE policies and

procedures governing patients privacy interests.43

Likewise, the state has not provided any legal

analysis or guidance to RHIOs, HIEs or providers

to ensure that they implement HIE in ways thatcomply with existing law.44

New York aces a daunting challenge: creating an

electronic inormation exchange while making

prudent choices in design and policy that en-

sure compliance with state and ederal laws, and

incorporating evolving technological capacity to

segregate and protect patient data. Tis balancing act

Part 2: dpn N Ys ecncHh infmn echn


16/40



is no small eat. However, two early, critical policy

choices made by the statewide collaborative process

have created signicant problems aecting elec-

tronic record sharing in the state: (1) an inadequate

patient consent protocol that gives patients little

choice in whether and how to participate in health

inormation exchange; and (2) an all-or-nothing

approach to data sharing that prevents participat-

ing patients rom controlling the dissemination o

their medical inormation.

Patient Consent to Inclusion and Use

o Medical Records in an Electronic

Inormation Exchange

Administrators o an HIE could employ any oneo a variety o patient-consent models to allow

or greater or lesser deerence to patients wishes

regarding the inclusion o their medical inorma-

tion in a network and the ability o providers or

other entities to gain access to that inormation.45

Most models give some measure o control to pa-

tientsan option to opt-in or to opt-out. With

opt-in models, patients must do just thatprovide

explicit consent that their records can be linked to

a network or electronically accessed. In an opt-out

model, all patient records are automatically sharedunless the patient opts out by electing to withdraw

rom the program. New York State describes its

patient consent protocol as an opt-in model,46 but

it is actually a hybrid that incorporates elements o

the two models just described.

Tere are two stages in New Yorks protocol or

establishing access to electronic medical records:

First, patients are linked to a patient registry (or

patient locator system) and their records become

accessible through an HIE. Second, a provider orother entity seeks access to those records. When a

health care provider joins an HIE, inormation that

identies each o the providers patients is automat-

ically linked to a search system that permits those

who have access to the network to identiy patients

in the network. Identiying inormation could be

demographic (an address) or some kind o unique

patient identier. At this point, patient inormation

is accessible through the HIE. Patient consent is

not sought at this stage.47

New York, in e ect, requires the automatic en-

rollment o all patients o providers participating

in an HIE. Patients may not opt out (and there-

ore their identiying inormation is available to

those with access to the network); and they are

not notiied that their inormation is now avail-

able through the HIE.

New York employs an element o the opt-in mod-

el once a provider or other entity seeks access to

a patients inormation through the HIE. In the

course o ordinary treatment, a patients airma-

tive consent is required beore a provider can

access that patients records through the HIE.48

Generally, patients are presented with a consent

orm or release o their medical inormation

with the paperwork illed out upon arriving in

a providers oice, along with a pamphlet that

explains the beneits o the electronic record-

sharing program and provides a short statement

about potential risks.49

New York State has adopted a model consent orm,

but HIEs across the state may use a variation o

this orm provided it conorms to basic minimumstandards.50 Te consent orm asks the patient to

opt-into permit the provider to access all o the

patients records available throughout the network.

In addition, New Yorks model patient-consent

orm cautions patients that by placing their signa-

ture on the orm, they surrender any and all rights

under New York and ederal law regarding the dis-

semination o, and access to, sensitive inormation

in their medical records that is accessible through

an HIE.51

Patient consent, in this context, serves as blanket

permission to release all medical inormation,

notwithstanding the type o treatment received;

the date it was provided; the acility at which

treatment was received; or even the relevance

to the medical condition or which treatment is

sought. (See discussion o patient control and

granularity below.) Whats more, depending on


17/40

the consent orm used by the HIE, the patient

may be consenting to access by ailiated provid-

ers as wellranging rom the doctors practice, a

hospital, ailiated health acilities or to all pro-

viders in the network.52

On the surace, the distinction between mandatory

inclusion o patient inormation in an HIE and the

option to allow a provider access to that inorma-

tion may seem slight. However, there are two key

issues to consider: First, some patients may seek

to avoid being included in a patient locator system

by going to a provider who is not enrolled in the

network or by paying or services out o pocket.53

Some may reuse care altogether to avoid being

part o a state or national listing.54 Second, and,

perhaps more important, some patients may aceactual harm rom inclusion in a patient registry

that reveals demographic inormation such as a

residential address.

Te linking o ones medical records to an elec-

tronic network may provoke ear o unauthorized

access or breach that could allow a hacker to gain

access to patient identities or entire medical histo-

rieseither as a wholesale medical records thef or

in pursuit o inormation about a specic patient.

And this ear may be well ounded. Te mere inclu-sion o demographic inormation in a directory o

existing records, regardless o whether complete

medical records are made accessible, can pose an

unacceptable risk to patients. ake, or example,

those patients at risk o domestic violence, harass-

ment, stalking or with other special concerns about

condentiality, such as public gures or crime

victims.55 Te ability to glean an address or indeed

any inormation that may reveal a patients location

may cause irreparable harm.

New York maintains that this two-stage process

satises the myriad laws that require patient

consent beore inormation can be shared with a

third party.56 Tis is highly debatable. Inormed

consent requires prior notice that is clearly com-

municated: presenting the consent orm amidst a

shea o insurance documents, HIPAA releases and

other paperwork ails to meet this basic criterion.

Whats more, the automatic disclosure o patient

identiying inormation to an HIE most likely

constitutes a violation o New York State law, which

requires patient consent whenever patient inorma-

tion (including patient identiying inormation) is

disclosed to a third party.57

In many respects New Yorks patient consent proto-

col represents a radical departure rom current law

and practice. Te protocol eectively eviscerates

decades o careully considered and crafed law,

replacing special consent requirements and con-

dentiality protections or inormation related to

sensitive conditions such as HIV, substance abuse

and others with one all-or-nothing consent orm.58

New Yorks share-rst, ask-later approach is basedon a questionable interpretation o the law.59 Under

this reading o the law, HIEs and RHIOs would be

exempt rom rules regarding third-party disclosure

because they are considered practitioners or other

personnel employed by or under contract with the

acility[.]60 o date, no case law recognizes orga-

nizations like HIEs and RHIOs as exempt rom the

prohibitions against third party disclosure. Tere

is, however, a considerable body o law that up-

holds the restriction on dissemination o patients

records to third parties.61

A new patient-consent protocol

Once provided with inormation and guidance re-

garding health inormation exchange, patients must

be aorded clear options regarding the inclusion o

their identiying inormation and medical records

in an electronic health inormation network, and

or sharing that inormation.

In light o the concerns outlined here, it is the posi-

tion o the NYCLU that the state should revisit its

policy on uploading individual medical inormation

to a shared network and adopt a requirement that

such inormation cannot be uploaded without a-

rmative patient consent. Should the state reject this

reorm, it should at least allow patients to arma-

tively opt out o the system at any time so that their




18/40

BREakINg THE glaSS:

PaTIENT PRIVaCY IN a MEdICal EMERgENCY

In a medical emergency where a patient is unable to authorize access to his or her medical records,

New Yorks policy purports to create a limited exception to the law that patient consent is required

beore the release o such records. Under the states break the glass policy, a provider who asserts a

need to see a patient s medical record in such an emergency can access the patients entire medical

records without consent.64 In addition to the lack o clear authority to promulgate such an exception,

the break the glass exception poses myriad problems. Even sensitive medical inormation subject

to speciic state and ederal conidentiality protections may be accessed, regardless o whether the

provider needs to see such inormation in order to treat the patient.

In all circumstances, New York law requires patient consent beore medical inormation can bereleased to a third party; there is no emergency exception to the law s straightorward requirement.65

Patients and providers may see the value in giving an emergency care doctor access to medical

inormation that could improve patient care. However, only the legislature has the authority to

create an exception under the law or emergency care. Should the legislature choose to do so, such

an exception should be limited to allowing providers access to only that inormation that is relevant

to the emergency.



medical inormation is not included in the network.

Patients should also be aorded the opportunity to

mask or exclude demographic inormation rom a

patient registry or locator system while retaining

the ability to share medical records with specic

providers.62 Indeed, one can easily choose to have

an unlisted telephone number; why not have un-

listed medical records as well?

Once a patients medical inormation is included

in the network, the state should oer three

clear options regarding provider access to

such inormation:63

Opt in: Patients consent to make inormation

in their medical records available to specic,

designated providers through electronic inor-mation networks.

Opt out: Patients prohibit under all circum-

stances access to their medical inormation

through electronic inormation networks.

Opt out with exception: Patients consent to

make inormation in their medical records

available through electronic inormation net-

works only in the case o a medical emergency.

In addition to oering these patient consent

options, patients must be notiied in advance o a

providers joining an electronic records exchange.

his notice must clearly explain the manner in

which electronic medical records will be ac-

cessible, as well as the steps a patient can take

to exclude or limit the release o their medical

inormation through an HIE. his same notice

requirement should apply when the network o

providers with access expands, as or example,

when a hospital that has previously obtained

consent rom a patient adds new ailiates. Undercurrent consent policies, these ailiated providers

may gain access to the patients records. It should

not be let to the patient to continually check a

website to ind out whether new providers have

joined an exchange network.


19/40

The states just iication or this policy appears to be based on another section o the publ ic health

law, which in act only permits an exception or providing emergency treatment in the absence o

inormed consent,66 not access to records. Even i the law could be interpreted to give a provider access

to medical inormation by virtue o his authority to treat without inormed consent, the provider

would only be entitled to inormation material to emergency treatment. But the inrastructure o

New Yorks network (an all-or-nothing approach to inormation sharing, as described herein) does

not provide a means to separate out and allow access to only that inormation that is directly

relevant to emergency treatment.

New Yorks model consent orm allows patients to decline consent or medical providers to access

their electronic medical records in a medical emergency. But exercising this option is predicated

on knowing that the networkand the break the glass policyexists. Patients are likely unaware

that their demographic inormation is electronically accessible or that their medical inormationcan be accessed in an emergency without their consent. Consider the patient whose doctor links

his practice to the electronic network the day ater the patients annual visit. The patient will not

learn that his records are part o an electronic system until his next annual check-up, a year later.

The only routine opportunity a patient has to decline provider access to her medical records in a

break the glass scenario will be during some later medical visit long ater the records have become

accessible through the system.

Individuals may not ully appreciate the potential

harm in having their health inormation accessible

until they no longer have the ability to reduce that

risk. Consider the patient who chooses a provider

or treatment o a sensitive, personal nature be-

cause the provider does not participate in an HIE,

only to learn at a later date that the provider sub-

sequently made his patient les available through

a medical records network. Te same concern may

arise when records in a regional health inorma-

tion exchange are included in a statewide network.

Patients who are willing to include their medical

inormation in a local HIE may want to prevent,

or to limit, the dissemination o that inormation

through a regional, state or national health inor-

mation network.

Patient Control o Inormation-Sharing

New York State has made two critical policy

decisions in creating the states electronic health

inormation exchange inrastructure. he irst

was to allow patient inormation to be uploaded

to the network without patient consent. he

second was to adopt an all-or-nothing model o

sharing inormation.67 When a patient consents to

allow a provider to access her medical inorma-

tion through an HIE, that provider will receive

any and all inormation contained in her record,

regardless o who provided the treatment; the

type o care received; the date it was provided; or

even its relevance to current medical treatment.

Consent automatically coners access to all inor-

mation in the patients record, including sub-

stance abuse treatment, mental health conditions,

abortion and other reproductive health care, and

testing and treatment or sexually transmitted in-

ections. In addition, consent is generally granted

to entire acilities; patients cannot speciy whichdoctors mayor may notaccess their records.

his kind o blanket consent stands in stark

contrast to the nuanced controls possible in the

world o paper records. And despite New York




20/40

gRaNUlaR CONTROl OF PaTIENT INFORMaTION

The ability o an electronic data-sharing system to sort and segregate inormation is oten reerred to

as granular control or data segmentation. Patients and providers have the ability to exercise granular

control over health data when they can speciy which pieces o data rom a patients medical record to

include or block when that record is conveyed to a third party. In systems capable o granularization,

personal health inormation ideally can be sorted by data type (e.g., a blood test, a diagnosis, a

procedure); by provider (e.g., a gynecologist, a psychologist, an internist; or medical providers vs. oce

sta ); by time range (e.g., between x date and y date, within fve years, or or a 24-hour period or

emergency treatment); and by purpose (e.g., payment, care delivery, quality improvement, clinical

research or health services research).

Federal and state law provisions mandating confdentiality or certain types o medical inormation make

granularity an essential component o electronic health inormation exchange. Beyond the confdentiality

rules that apply to narrow categories o medical inormation like HIV and substance abuse treatment,

patients may have a desire to exercise granular control over inormation that they deem sensitive or a

variety o reasons, including ear o discrimination or misuse, a personal preerence or privacy, a valuation

o undamental autonomy, or because the inormation is erroneous. Likewise, providers may appreciate

granularity so that they can limit the vast amount o inormation they may be expected to review or any

given patient. On the other hand, providers may have concerns about the level o confdence they can

have in relying on an incomplete medical record where certain inormation may be restricted rom their

view at the request o a patient.

Allowing or granular control in health inormation exchange presents technological, conceptual, and

implementation challenges that policymakers must careully grapple with to achieve a balance that

satisfes legal requirements, the need or patient acceptance and engagement, and provider confdence.70

State and ederal law requirements that providers

share only that inormation which is medically

necessary or the patients current treatment,

New Yorks current policies and procedures do

not allow the sharing o inormation to be lim-

ited in this way. It is possible, however, to realize

the public health beneits o an electronic health

inormation network without requiring patients

to completely surrender control over inormation

contained in their medical histories. hese two

interests are not irreconcilable; they must

be balanced.

Tis principle o balance inorms an emerging na-

tional model regarding the collection and dissemi-

nation o medical records in electronic inormation

networks.68 Tis model recognizes that patients

must have discretion regarding which inorma-

tion is shared with what health care providers. And

patient choice, in this context, requires the capacity

to segregate data. Policy technicians use the phrase

granular control to describe this concept.69

Afer exhaustive deliberationsincluding no ewer

than nine public hearings conducted over the course




21/40

PaTIENT CONTROl OVER SENSITIVE HEalTH INFORMaTION

Once a patient consents to allow a provider to gain access to his or her medical records, the provider

gains access to everything in that patients recordsthere is no way to ensure that the provider only

sees inormation that is relevant to current treatment. This all-or-nothing approach to data sharing

orces patients to choose between giving a current provider access to their medical records and

maintaining uture control over sensitive health inormation. Once sensitive inormation enters into

the patients general medical record, there is no way to exclude it again. When patients are unable

to exercise granular control over inormation in their health records, there are serious ramiications.

Sexual Assault Care

Consider, or example, a patient who was raped in her twenties, and briely took antidepressants

to cope with trauma. New Yorks all-or-nothing system does not allow her to restrict access to

this sensitive inormation to those providers or whom it is medically relevant. I she were to seektreatment or a skin condition, she cannot share current medical inormation with her dermatologist

without also revealing this traumatic incident in her past. Each time the need or medical care

arises, she must determine whether or not to provide access to her medical records because her

assent means inorming the provider that she had been the victim o rape.

Reproductive Health Care

Abortion is controversial or some, yet 3 in 10 adult women will have an abortion at some point

in their lives.73 A woman who terminates a pregnancy may be concerned about making that

inormation available to anyone with access to an electronic network that contains her medicalinormation. She may want her current medical providers to have access to any inormation in her

medical history that may be relevant to her treatment, but she cannot do so without losing the

power to shield inormation about her abortion rom uture providers 10 years hence.

Substance Abuse Treatment

The level o stigma that attaches to those who have struggled with substance abuse is proound.

For this reason, inormation about substance abuse treatment is accorded the most stringent

conidentiality protection by law. While inormation about that treatment may be relevant or a

period o time, it becomes irrelevant or the medical provider treating that patient or a whollyunrelated condition 10 sober years later. The indiscriminate release o that medical history could

undermine both personal and proessional relationships, and the potential harm is not limited to

social stigma. Including inormation about past treatment opens the door to misuse o medical

inormation. A provider may rerain rom prescribing medically appropriate pain relie to a patient

who has been treated or substance abuse many years in the past based upon an assumption that

the patient is exhibiting drug-seeking behavior.




22/40

THE MINEFIEld OF adOlESCENT CONSENT

For adolescents and their care providers, the ailure to allow or patient control o sensitive medical

inormation poses an insurmountable obstacle to the delivery o essential medical care. In New York

State, minors can consent to specifc types o health care, including reproductive health and certain

mental health treatment, without parental involvement (sometimes reerred to as minor-consented

services).75 While parents have a right to access their childrens medical records generally, parents and

uture providers may not obtain inormation about such minor-consented services, and doctors may

not share such inormation, without the minors permission. Ideally, a system should allow access only

by health care providers who have received the minors consent, while shielding that inormation rom

parents who routinely access their childs other medical records. New York does not allow segregation

o data in this way. As a consequence, many RHIOs simply exclude the medical records o all minors

between the ages o 10 and 18 rom the network altogethera practice that protects minors privacy

rights but deprives them o the potential benefts o health inormation exchange.76

In the case o a 15-year-old seeking testing and treatment or herpes, or example, his pediatrician would

like to enter this inormation in his chart. But the doctor has no way to prevent his patients parents

rom gaining access to this inormation when they request copies o their sons medical records. In a

world o paper records, the pediatrician could record this inormation on separate pages in the fle but

not release the confdential portion o her patients records when she provides a copy o the records

to a parent. In an electronic inormation-sharing system, the only way to protect this young persons

confdentiality is to exclude the patient rom the electronic-records system altogether. However,

excluding only those minors who have exercised their right to consent on their own to certain types o

medical care would signalto providers, parents and othersthat the minor has exercised that right,

which then compromises the right. A system that allows or granular control o medical inormation

would allow all minors to ully beneft rom participation in HIEs, while ensuring that those who need it

are assured confdentiality when they receive medical care o a sensitive nature.

o six yearsthe National Committee on Vital Sta-

tistics (NCVHS) concluded that patients condence

and trust in the integrity o an electronic health

inormation network is essential to its eectiveness;

and that creating trust in this enterprise requires

giving patients control over the release o personal

medical inormation. In 2010 the chairperson o the

NCVHS sent a letter to Kathleen Sebelius, secre-

tary o the U.S. Department o Health and Human

Services, making a strong case that the capacity to

segregate (and thereore the ability to restrict) the

release o patients health care inormation must be

context specic, and that granular segregation o

that inormation must be responsive to the specic

concerns o patients.71 Te Oce o the National

Coordinator o Health Inormation echnology, a

unit in the U.S. Department o Health and Human

Services, has taken a position that is consistent with

the analysis set out in the NCVHS letter.72

New York policymakers insist that existing

technological inrastructure does not have the




23/40

capacity to allow patients to control access to

medical inormation by data type, provider, time

range or purpose. But the vendors o electronic

health-inormation technology maintain that the

capacity to segregate data in health records is well

within reach.74 he technological and logistical

challenges o developing this data-segregation ca-

pacity are not insigniicantbut neither are these

challenges insurmountable.

National experts insist that the capacity to

achieve granular segregation o patient health

care inormation is a key goaland a critical

success actorin the implementation o health

inormation networks. Should the ederal gov-

ernment mandate as a condition o unding that

states develop the capacity to segregate patienthealth inormationa likely possibilityNew

York States electronic health inormation ex-

change system may ind itsel out o money and

lagging well behind the emerging consensus

regarding best practices.




24/40



Electronic sharing o health records promises

signiicant beneits. Ensuring that patients

are able to control who has access to what

parts o their medical histories is vital to this

endeavor. Providers and public health advo-

cates consider indispensible unettered access to

individual medical records that technology now

makes possible.

However, well-established law and policy have rec-

ognized that patients have the right to control access

to their private medical inormation. And indeed,

patients have always controlled access to their medi-

cal records. Whether one doctor even knew that her

patient was seeing another doctor depended entirely

on what the patient chose to share.

Allowing patients to retain a measure o control

over their medical records will increase condence

in the systems ability to saeguard condentiality.

Tis, in turn, will likely result in increased patient

and provider willingness to participate in electronic

health inormation exchange.

It is the position o the NYCLU that the state

should revisit policy choices that aect the ability

o patients to control the dissemination o their

personal medical inormation. Accordingly, we

oer 10 speciic recommendations designed to ac-

commodate patient concerns, and in turn, create a

more reliable inormation-sharing system.

CoNClUSioN


25/40



reCoMMeNdatioNS

1.Ensure Patient and Provider Control

o Access and Inormation-Sharing.

Te state must require that the electronic

systems employed by HIEs have the capability to

sort and segregate medical inormation in order to

comply with guaranteed privacy protections o New

York and ederal law. Te inability to exercise this

kind o granular control over data poses an intrac-

table barrier to realizing the ull benets o healthinormation exchange. Tis limitation jeopardizes

patient condence, and it has led to the exclusion o

young peoples records rom the network. Without

the ability to exercise granular control over data in

the network, people who receive medical care that

requires strict condentialityor example, treat-

ment o conditions to which stigma attachesand

the providers who deliver that care may choose not

to share medical records in order to protect privacy.

Tis increases the risk o harm to both patients and

to the general public.

2.Ofer Patients the Right to Opt-Out

Altogether. Te state should revisit its

decision to upload patient inormation to

the system without patient consent. Barring that, the

state must adopt a policy that would allow patients

to a rmatively opt-out o the system so that their

medical inormation is not included in the network.

Te state should also ensure that a patients identiy-

ing inormation is not accessible by those who have

not obtained the specic consent o the patient.Providers who seek access to a patients medical

records do so by accessing a patient locator system

that contains the names o patients and some other

identiying inormation. Patient locator systems vary

by HIE, with some HIEs utilizing patient addresses.

For some, like domestic violence survivors, public

gures, crime victims and celebrities, allowing that

inormation to be accessible absent consent poses

a signicant risk o harm. For this reason patients

must be oered the option o being unlisted in

patient locator systems.

3.Require Patient Consent Forms to

Ofer Clear Inormation-Sharing

Options. Te state should revisit its policy

on consent to allow greater patient control over how

medical inormation is shared. Most consent ormsused by New York State RHIOs are inadequate. Tey

do not make clear that i the patient declines to sign

the orm, their inormation remains available in

an emergencyrustrating both patients who want

only emergency access and those who do not want

even emergency access. Consent orms should oer

patients three distinct options: to opt-in and allow

providers access to their electronic medical records,

to opt-out except in the event o a medical emer-

gency, or to opt-out altogether.

4.Require Notice to Patients When Teir

Providers Become Data Suppliers. Te

state must adopt a policy mandating that

providers notiy patients when the provider links

to HIE. In the absence o consent to upload patient

inormation, patients must be notied when inor-

mation about them rom their provider initially

become accessible through an HIE.

5.Guarantee the Right o Patients to

Correct and Amend Inormation.Current state law allows patients the right

to review and submit amendments to health inor-

mation held by individual providers.77 Te practice

o correction and amendment must be adapted to

ensure that a correction to any error is automati-

cally sent to any provider who has accessed the

patients medical records through an HIE. With

paper records, a patient need only correct inorma-


26/40



tion in one doctors le. But the implementation o

electronic records exchange amplies the impact o

any error, and erroneous inormation in a medi-

cal le can have a devastating impact on a patients

subsequent care.

6.Prohibit, and Sanction, the Misuse o

Medical Inormation. Te state should

adopt a policy that prohibits and strongly

sanctions the misuse o patient medical inorma-

tion obtained through an HIE. Providers misuse

health inormation when they use that inorma-

tion to discriminate against, mistreat or withhold

treatment rom patients. New Yorks all-or-nothing

system gives providers access to all o a patients

medical recordsregardless o how old the inor-

mation or how relevant it is or current treatment.State policies have rightly ocused attention on the

potential or breach as the state moves toward an

integrated statewide network o medical records,

but have not addressed the potential or the misuse

o such inormation. New York must protect pa-

tients rom potential bad actorsthat small minor-

ity o providers who may abuse inormation out o

ear, prejudice or malice.

7.

Mandate Redisclosure Prohibitions or

Tird Parties. Current state policies donot require HIEs to warn those who access

patient health inormation that redisclosing sensi-

tive medical inormation without patient consent

violates the law. While some RHIOs provide this

notice as a matter o course,78 state policy should

require HIEs to explicitly communicate to third

parties that redisclosure is prohibited and that

there are penalties or violating this prohibition.

8.

Prohibit Health Inormation Exchanges

rom Selling Data. Te New York StateLegislature should pass legislation

prohibiting HIEs rom selling patients private

health inormation. Tis prohibition should ap-

ply to records with or without a patients personal

identiers. Medical inormation must not be used

to target individuals or providers or promotional

pitches or advertising campaigns; nor should HIEs

be allowed to prot rom the sales and marketing

opportunities created by the release o inormation

in patients medical records.79

9.Careully Regulate the Use o

Commercially Available Personal

Health Records (PHRs). A number o

commercial vendors now oer patients the ability to

collect, store and manage their own medical inor-

mation online (such as Microsof HealthVault80).

Under existing law, it is unclear to what extent and

under what circumstances these commercial entities

are bound by HIPAA or New York State condenti-

ality laws.81 State law should extend condentiality

obligations and protections to private entities that

oer PHRs. I commercially available health records

systems are oered to New Yorkers as a way or them

to access and manage their own health inormation,the state must require that patients be warned o

privacy risks. Patients must also be given access to

their records without having to resort to a commer-

cial vendor.

10.Step Up Public Outreach Eforts.

Te state should engage in a ro-

bust and eective public outreach

campaign to ully inorm New Yorkers about the

implementation o HIEs. Tis public outreach and

education program must not be a mere promotion-al campaign.82 Patients require a basic understand-

ing o what is at stake, both in terms o risks and

benets, beore their medical inormation is linked

to an HIE. Tis is particularly important because

current New York State policy does not require

consent beore linking a patients medical records

to the network, and does not provide patients with

an option to decline participation. Inormed con-

sent must be the cornerstone to health inormation

exchange in New York, as has long been the case

with sharing physical records. Consent cannot beconsidered inormed i patients rst learn about

New Yorks network when they arrive at their doc-

tors oce.


27/40



NYClUS iNvolveMeNt iN HieiMPleMeNtatioN iN NYS

The New York Civil Liberties Union at-

tended one o a series o early stakeholder

meetings convened by the New York State

Department o Health (DOH) in 2007 to garner

community input about the creation o an elec-

tronic health inormation exchange inrastruc-

ture. DOH has been the lead agency heading up

this state eort, but the department delegated

authority to develop the inrastructure and poli-

cies and procedures governing health inormation

exchange to the New York eHealth Collaborative

(NYeC). NYeC is a non-proit organization that

was ormed in 2006 to guide the development

o the states health inormation exchange and is

described as a public-private partnership.

NYeC and the DOH ormed the New York State-

wide Collaboration Process (SCP) to guide imple-

mentation and policymaking activities. Te SCP is

comprised o six work groups (Consumer and Pro-

vider Engagement, SHIN-NY Architecture, Privacy

and Security, Public Health, Collaborative Care,

and EHR Implementation) along with a Policy

and Operations Council (POC), which reviews the

activity o the work groups and reports directly to

DOH and NYeC.

In 2008, the SCP issued a white paper outlining

consumer consent policies and procedures, and

the NYCLU responded to SCPs call or public

comment. In response to the NYCLUs comments,

and our organizations expertise regarding minors

right to condential health care, the NYCLU was

invited to participate in a subgroup ormed by the

Privacy and Security Work Group (PSWG), deal-

ing solely with issues o minors condentiality

and consent. Te NYCLU participated in a smaller

task orce ormed rom that subgroup (the minor

consent iger eam), charged with identiying

solutions to the problem o protecting minors

condentiality in HIE. Te iger eam submit-

ted a white paper in July 2010 calling or ederal

guidance on the issue to the O ce o the National

Coordinator or Health Inormation echnology

(ONC). In February 2011, the NYCLU secured

a position with the PSWG where it advocates on

behal o consumer privacy interests in the states

ongoing process o developing privacy and security

policies and procedures.


28/40


29/40



eNdNoteS

1 Mark A. Rothstein, The Hippocratic Bargain and Health Inormation Technology, 38 Journal o Law, Medicine

& Ethics, 7, 7-8 (2010) (In efect, physicians and patients entered into a Hippocratic bargain. Physicians,explicitly or implicitly, said to their patients: Allow me to examine you in ways that you would never

permit any stranger, and tell me the most sensitive inormation about your body, mind, emotions, andliestyle. These intrusions upon your privacy are essential in providing you with sound medical care.).

2 The Statewide Collaboration Process, Privacy and Security Policies and Procedures or RHIOs and theirParticipants in New York State Version 2.2 (April 1, 2011) (NYS Privacy and Security Policies), available at

http://nyehealth.org/images/les/File_Repository16/pd/nal%20pps%20v2.2%204.1.11.pd.

3 New York State Health Inormation Exchange Operational Plan , New York eHealth Collaborative (NYEC)(NYs Operational Plan) 6-10 (Oct. 26, 2010), available athttp://www.nyehealth.org/images/les/File_Repository16/pd/nys_hie_operational_plan_2010.pd; New York Regional Health Inormation

Organizations (RHIOs), New York eHealth Collaborative (NYEC), last visited May 20, 2011, available athttp://www.nyehealth.org/index.php/resources/rhios. New York State has chosen to accomplish this through a

public-private partnership rather than through regulation or law.

4 Security breaches have increased as the adoption o electronic medical records exchange has increased:the number o reported breaches has increased by 32 percent between 2010 and 2011. Each securitybreach costs a culpable institution an average o $2.2 million. Ponemon Institute, Second Annual

Benchmark Study on Patient Privacy and Data Security(December 2011), available at http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pd.See also Nicole Perlroth,Digital Data on Patients Raises Risk o Breaches, N.Y. Times (Dec. 18, 2011) (reporting on the thet o alaptop computer rom an employee o the Massachusetts eHealth Collaborative which potentially

exposed over 13,500 patients private dataan identity thet gold mine.). Liability or security breachesoten rests on health care providers who entrust not-or-prot groups like RHIOs because under ederallaw, the legal burden o protecting patient data alls on . . . physicians and hospitals. Id. See also Kevin

Sack, Patient Data Posted Online in Major Breach o Privacy, N.Y. Times (Sept. 8, 2011) (HHS revealed thatthe PHI o more than 11 million people has been improperly exposed during the past two years alone.

Since passage o the ederal stimulus package, which includes provisions requiring prompt publicreporting o breaches, the government has received notice o 306 cases rom September 2009 to June

2011 that afected at least 500 people apiece. A recent report to Congress tallied 30,000 smaller breachesrom September 2009 to December 2010, afecting more than 72,000 people. The major breaches a disconcerting log o stolen laptops, hacked networks, unencrypted records, misdirected mailings,

missing les and wayward e-mails took place in 44 states.); Kevin Sack, Patient Data Landed Online

Ater a Series o Missteps, N.Y. Times (Oct. 5, 2011) (The medical records o close to 20,000 patients wereposted online or nearly a year because the hospitals billing contractors marketing agent used anelectronic spreadsheet with patient data as part o a skills test or a job applicant, who then posted the

data on a public website. The marketing agent explained the breach as a chain o mistakes which are artoo easy to make when handling electronic data.).

5 See National Consumer Health Privacy Survey 2005, Caliornia Healthcare Foundation, 17-21 (2005) (notingthat one 1 o every 8 people surveyed engaged in some type o privacy-protective behavior such as

going to a new doctor to avoid telling their regular doctor about a condition, paying their doctor not torecord their health inormation, or deciding not to be tested out o concern that others might nd out);


30/40



Deborah C. Peel, Your Medical Records Arent Secure, The Wall Street Journal (Mar. 23, 2010), available at

http://online.wsj.com/article/SB10001424052748703580904575132111888664060.html.

6 See Jenna Wortham, Facebook Glitch Brings New Privacy Worries, N.Y. Times (May 5, 2010). Ater a spate ochanges to privacy settings on Facebook, millions o users voiced their unease with the companys privacy

policies. A leading privacy group led suit against the company with the Federal Trade Commission;

settlement o the dispute now requires Facebook to obtain armative express consent beore allowingpersonal data to be shared more broadly than a user species. See Somini Sengupta, F.T.C. Settles Privacy

Issue at Facebook, N.Y. Times (Nov. 29, 2011). See also Frances Martel, Facebook Privacy Settings AttractAnother Congressional Inquiry, Mediaite.com (Feb. 5, 2011), available athttp://www.mediaite.com/online/

acebook-privacy-settings-attract-another-congressional-inquiry.

7 Rothstein, supra note 1. The classic oath contained the wise dictum: What I may see or hear in thecourse o the treatment or even outside o the treatment in regard to the lie o men, which on noaccount one must spread abroad, I will keep to mysel, holding such things shameul to be spoken

about. See Peter Tyson, The Hippocratic Oath Today(March 27, 2001), available athttp://www.pbs.org/wgbh/nova/body/hippocratic-oath-today.html (translation rom the Greek by Ludwig Edelstein,

citing The Hippocratic Oath: Text, Translation, and Interpretation, by Ludwig Edelstein. Baltimore: JohnsHopkins Press (1943)). A modern version o this portion o the oath holds: I will respect the privacy o

my patients, or their problems are not disclosed to me that the world may know. Id. (The modern oathwas written 1964 by Louis Lasagna, Academic Dean o the School o Medicine at Tuts University andhas been used in many medical schools).

8 Audiey C. Kao & Kayhan P. Parsi, Content Analyses o Oaths Administered at U.S. Medical Schools in 2000,

79.9 Academic Medicine, 882-87 (2004), available athttp://journals.lww.com/academicmedicine/Fulltext/2004/09000/Content_Analyses_o_Oaths_Administered_at_U_S_.15.aspx?WT.mc_

id=EMxALLx20100222xxFRIEND# (stating 129 o a total 141 medical schools in the United States explicitlyaddressed the need or physicians to protect a patients condentiality in the oath administered tostudents); In addition, the AMA describes its own Code o Medical Ethics directive on condentiality in

this way: Inormation disclosed to a physician during the course o the patient-physician relationshipis condential to the utmost degree. See Patient Physician Relationship Topics: Patient Confdentiality,

American Medical Association, last visited May 18, 2011, available athttp://www.ama-assn.org/ama/pub/physician-resources/legal-topics/patient-physician-relationship-topics/patient-condentiality.page.

9 Health Insurance Portability and Accountability Act, Public Law (PL) 104-191, 110, 1936 (1996); SeeAngela Choy, Leigh Emmart, Joanne Hustead, & Joy Pritts, The State o Health Privacy: A Survey o State

Health Privacy Statutes, Health Privacy Project, Georgetown University (2002), available athttp://ihcrp.georgetown.edu/privacy/pds/statereport1.pd (part 1) & http://ihcrp.georgetown.edu/privacy/pds/

statereport2.pd (part 2).

10 American Recovery and Reinvestment Act (ARRA), Public Law No. 111-5, 13401-13424 (2009) (codiedat 42 U.S.C. 17935).

11See e.g., conidentiality

nyclu_patientprivacy

Documents