Consumer Advocate’s View on E-Prescribing: Health Privacy

Consumer Advocate’s View on E-Prescribing: Health Privacy
Deven McGraw, J.D., L.L.M.
10/7/2008

Slide: 1
I am Deven McGraw. I am the Director of The Health Privacy Project at the Center for Democracy and Technology. We are a much smaller organization in Washington than AARP with 15 people. We were founded actually about little over 10 years ago when the internet first came on the scene to promote democratic values with respect to use of the internet, to make sure it remains open for the public to use and free but also to ensure that people’s privacy is protected as they use the internet for searches and other usage, and just about six months ago, The Health Privacy Project which existed and came into being around the time of HIPAA’s enactment, was merged into CDT to take advantage of the technology expertise at a time when we were talking about the trying to find the rights of privacy protections for health information as it moves increasingly in online and other digital formats, so we think it is a good merge so far but we are only six months in.

Slide: 2
We think that, like AARP, we think that Health-IT in general and e-prescribing in particular has again tremendous potential to improve healthcare both for individuals as well as for the population, and so we will not belabor the point. I think it has been covered well in this conference but many consumers, and I think providers as well, raise concerns about privacy when information moves electronically. There is a perception out there that when you have something that’s in a paper format, it’s somehow more safe and more under our control and I think to some extent that that’s true because from a volume prospective when you have a breach of data that is paper, you know you are usually talking about a box of records where a file cabinet of records as oppose to an electronic format where with an inappropriate touch of a button hundreds and thousands of records can be exposed. On the other hand, the technology actually gives us the tools to build in some stronger protections than for paper we can track use access the records with electronic technology. We can encrypt information with electronic technology. We can’t do that in a paper form. So, the aim of our project is really to develop workable policy solutions to make sure that we have privacy and security protections for data as it moves online and then includes in the e-prescribing context, so when we get to the point where we will have a little legal discussion, we will talk about sort of what the state of the law is with respect to protections for information that moves through e-prescribing networks and then where the challenges are and I will go into slightly more detail on the data mining point but Paul actually did a good job with talking about it.

Slide: 3
So, why should we care about the privacy issues? People really care about the privacy than prescription information? Well, yes, they do. They actually do want electronic health technologies but they are very concerned about privacy, 67% register at the significant concern level based on recent survey data and I will tell you that I gave a talk recently to a group of breast cancer survivors and a group of advocates women who are energized about advocating for more breast cancer treatment research money, most of them are breast cancer survivors, so I talked to them about how exciting it is that we have these e-health technologies and people with chronic conditions could have their care better coordinated and almost split down the matter, half of them think it’s a great idea and the other half are scared to death about the prospect of this information. Again, as it moves more freely for good purposes that means it can possibly move more freely for bad purposes if they don’t put the right set of protections in place. So, there I threw that one in. And the other two people did not get that little thing yet, so this is special, just for you guys. Thank you.

Slide: 4
So, how do those privacy concerns breakdown, 80% are worried about fraud and there is increasing incidence. We are hearing more and more about medical identity fraud in addition to the financial fraud that we are all fully aware of. 77% are concerned about the use of their information for marketing purposes. It is very upsetting, you give your information to people who might fill your prescriptions and who pay for your care and suddenly you start getting letters that are targeted to your particular condition. They don’t come from you providers, they come from people who just want to sell you the latest technology. You know that people are very concerned about that and as we move information more easily electronically, there is greater potential for that if we are not careful. 56% are concerned about employer access and 53% are concerned about insurer access. Those are the discrimination issues, which we are all really well aware of.

Slide: 5
The consequences to not paying attention to this are significant. Without privacy, we need for this information to move. These technologies have tremendous benefit, but if people are afraid to have their information in these systems, again already one in six people with the low uptake that we have with e-health technologies already report practicing what are called privacy protective behaviors where they are afraid to tell their doctors about care. They ask their doctors not to put information in their records so that it cannot be accessed by someone in appropriate use or they use multiple providers so that their care is not all in one record. Of course, as we become more interconnected, that’s not going to be terribly helpful. Similarly, with paying for drugs and care out of pocket, again that is actually not all that helpful in an e-prescribing context whereas Paul already mentioned even if you take care your paper prescription to the drug store, the likelihood that that information ends up in electronic databases is extremely high. In fact, I don’t know how you will keep it out.

Slide: 6
Again, as I said earlier that tools of technology can better protect privacy but we have to make sure that we are using them. The privacy concerns are really along two dimensions, one is privacy and one is security. Security being largely about inappropriate access from the outside into health systems or inappropriate access from the inside where somebody has authorization to look at records for certain purposes and somehow gains authorization to look at them for not permissible purposes. When I say privacy protections, what I mean are sort of fair information practices. Rules about how information can be used and rules that prohibit information from being used for purposes that are not treatment, payment, or health care quality related and ways to enforce that.

Slide: 7
So, HIPAA, I am sure all of you are pretty familiar with it and if you are not we all believe the point it is very complicated law as everyone is well aware, but it does apply to e-prescribing just as you does with paper prescriptions. If it is not taking shoes based on the format that the information is in, it protects the information when it is held by a covered entity, so a provider, hospital, pharmacy, or payer. Now, it is does not directly apply actually to the PBMs or the transmitters of the e-prescriptions like SureScripts being one of them, I know they are only one. However, those companies sign business associate agreements with the covered entity in order to be able to receive the data in the first place. PBM can generate its own prescription. It has to get that script from a covered entity. You know, so again, the way that those entities that are not directly covered by HIPAA but are in the e-prescribing network have to comply with it but it is by contract. They also have to abide by state law which is not often as tailored to the type of entity holding the information. Often times, the state laws apply to the information regardless of who holds it. So, all of that, you know there are no exceptions. We have some laws in place. In my own view, as the privacy advocators that we have some work to do to improve those laws, but nevertheless, there certainly is not necessarily anything unique about the e-prescribing that we are talking about today, which is to get more providers to use the system, a system that already is basically electronic at the payer and prescription benefit management level.

Slide: 8
The data mining issue is one that we need to pay attention to but not necessarily as a sort of caution, let’s not move forward with this again, because these prescriptions are already moving and they are in storage electronically. What we are talking about today is getting increased physician adoption so that the physicians can start sending the prescriptions and be able to benefit from decision support tools that we hope will be increasingly part of this. When I talk about data mining, it is a broad term that basically refers to any type of sort of aggregate data gathering. Often, it is data that de-identified script that certain patient identifiers that take it out of the protections of HIPAA and that are used for various purposes, but it is not all easy to identify. There has been some publicity lately in national newspapers and magazines about the use of identifiable prescription drug information largely for insurance benefit determinations. People applying for insurance coverage often have to authorize the gathering of their identifiable health information and prescription drugs. Because it is one of few areas where we actually have a fair amount of electronically digitally available data that is often the first place for a lot of insurance companies go to get a sense of sort of what type of applicant they have and what kind of risks today present, how expensive are they likely to be in the future etc. So, those concerns, again they exist with or without e-prescribing. So, while, you know as a privacy advocate, I think we have some work to do generally with respect to health IT and improving privacy. There are certainly nothing again with respect to e-prescribing that would cause me to stand up and say we should be doing this, but at the same time, I really relished the opportunity to come here today because I think we need to continue to pay attention to these issues. We need to see the general accounting offices not for the government accountability office, but I am stuck on the old name because the kept the acronym as opposed to CMS at least when it changed it went from HCFA to CMS. If we cannot call it HCFA anymore, everybody knows basically you are out of it ... . It is the same study that Paul was talking about, the GAO study on data mining, I think, will help to give us a good grounding if we are going to propose some legislative or regulatory fixes to this, where are the real problems and where should we focusing our resources.