Patient privacy and information security are becoming more important than ever as the volume of data collected and stored continues to grow. However, patients don't have access to their data, an issue that may disrupt the care delivery system.
In an opinion piece in the Wall Street Journal, David Brailer, MD, former national coordinator of health IT, wrote that the digitization of health records and the industry as a whole removes the ownership of health data from individuals and places it in the hands of providers and healthcare organizations.
HIPAA, Dr. Brailer wrote, requires providers, labs, pharmacies and all other "covered entities" to protect how data is stored and released, but those decisions are largely left to the discretion of the entities. "You can't force a covered entity to give your data to someone you choose, and you can't stop them from giving it to someone they choose," Dr. Brailer wrote.
Additionally, HIPAA was written to protect paper records, and its applicability to the current digital landscape is unclear, according to Dr. Brailer. He wrote, "In the digital world, health information isn't 'stored' and locked away. It is online, constantly on the move, and accessible to hundreds of legitimate users."
Add to the mix the issues involved with information blocking and the lack of interoperability, and patients are left without access to their data because IT vendors and providers don't want to subject themselves to competition from other vendors when they share data, wrote Dr. Brailer.
Dr. Brailer said health information policy and privacy rules need updating, and he outlines the following four key principles to guide new legislation.
1. Individuals should have total ownership of their health information, whenever they want. Dr. Brailer wrote individuals should be able to control who sees their information and whether or not those individuals or organizations can retain that information.
2. Individuals should be able to designate somebody to manage their information on their behalf, such as a spouse, hospital, health plan, pharmacy or a tech company. Dr. Brailer said these intermediaries would be responsible for ensuring the individuals' data is used to improve health status.
3. Raise standards for security protection. The standards, according to Dr. Brailer, should protect health information wherever it goes.
4. All covered entities interacting with health data should follow the same rules.
"The gold rush [for health data] is on," Dr. Brailer wrote. "Someone is going to benefit from the immeasurable wealth created from your health information and its capacity to extend and improve lives. It might as well be you."
More articles on health IT:
Teladoc to file for IPO: 5 things to know
Health data exchanges: We're doing it wrong
Partners HealthCare falls victim to email phishing attack compromising 3,300 patients' data