Secure data, faxes and familiarity
Mary Stevens, Editor
Yet, many of the same people who routinely fax information are raising questions about the security and privacy of patient data residing in a health information exchange. It’s not that those questions aren’t valid—ensuring data stay private and secured is a make-or-break issue for every HIE that’s in place or on the drawing board. But the same level of scrutiny isn’t always applied to familiar systems and devices.
To gauge the level and breadth of public concern about the electronic exchange of health information, the Office of the National Coordinator for Health IT (ONC) will conduct a survey of attitudes toward HIEs and their associated privacy and security aspects.
“Electronic HIE promises an array of potential benefits for individuals and the U.S. healthcare system through improved healthcare quality, safety and efficiency. At the same time, this environment also poses new challenges and opportunities for protecting health information,” according to an HHS announcement in the March 19 issue of the Federal Register.
HHS said the survey will use computer-assisted telephone interviews to survey a representative sample of the general U.S. population during the course of eight weeks. The results will be interesting, but given that many people hang up when they hear the tell-tale pause of an auto-dialed connection, let's hope the survey conductors can get that representative sample.
The ONC also is plumbing the public mindset on consent options in HIEs, in a whitepaper that looks at "whether, to what extent, and how individuals should have the ability to exercise control over their health information in an electronic HIE environment." The whitepaper looks at approaches and details policy options, considerations and analysis. "This whitepaper will serve as input to, and be reviewed by, the HIT Policy Committee's Privacy and Security Workgroup as it prepares to make recommendations related to consumer consent in an electronic health information exchange environment," the ONC stated. The office said the whitepaper is the first in a series of privacy and security reports developed by George Washington University under contract.
As for HIE providers, patient de-identification and limited information are the norm when data are exchanged among facilities. However, there have been few studies that investigate how effective patient de-identification actually is. In fact, many organizations implement de-identification policies without knowing about the risk of illicit re-identification, according to research in a recent issue of the Journal of the American Informatics Association.
For each state, the authors estimated the risk posed to hypothetical datasets protected by HIPAA’s Safe Harbor and Limited Dataset policies, if an attacker who was knowledgeable about patient identifiers obtained voter registries for each state. The percentage of a state’s population estimated to be vulnerable to unique re-identification ranges from 0.01 percent to 0.25 percent when protected by Safe Harbor, and from 10 percent to 60 percent when protected by Limited Datasets, according to the study.
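To make the gap between the two policies concrete, the following added example (not code from the study or from this article) measures how many rows of a small constructed registry remain unique after each kind of generalization. The field choices are a simplified assumption about the two policies: Safe Harbor is modeled as birth year plus the first three ZIP digits, and a Limited Dataset as full birth date plus five-digit ZIP. All function names and data are hypothetical.

```python
from collections import Counter

# Constructed registry rows: (date of birth, 5-digit ZIP, gender). Not real people.
REGISTRY = [
    ("1970-03-14", "37203", "F"),
    ("1970-08-02", "37205", "F"),
    ("1970-11-23", "37212", "F"),
    ("1970-03-14", "37203", "F"),
    ("1985-01-09", "37203", "M"),
    ("1985-06-30", "37215", "M"),
    ("1962-12-01", "38103", "F"),
    ("1991-04-17", "37203", "M"),
]

def safe_harbor_view(row):
    """Assumed Safe Harbor generalization: birth year only, first 3 ZIP digits."""
    dob, zip5, gender = row
    return (dob[:4], zip5[:3], gender)

def limited_dataset_view(row):
    """Assumed Limited Dataset view: full birth date and 5-digit ZIP are kept."""
    return row

def unique_fraction(rows, view):
    """Share of rows whose generalized key matches exactly one registry entry."""
    if not rows:
        raise ValueError("registry is empty")
    keys = [view(r) for r in rows]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)

def smallest_group(rows, view):
    """The k of k-anonymity: size of the smallest group sharing one key."""
    if not rows:
        raise ValueError("registry is empty")
    return min(Counter(view(r) for r in rows).values())

if __name__ == "__main__":
    for name, view in (("Safe Harbor", safe_harbor_view),
                       ("Limited Dataset", limited_dataset_view)):
        print(f"{name}: {unique_fraction(REGISTRY, view):.0%} unique, "
              f"k = {smallest_group(REGISTRY, view)}")
```

A data custodian can run the same measurement against its own population file before release to see which retained fields drive uniqueness.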
More research like this is needed for a better assessment of HIE security issues. It might take a while for entirely electronic exchange of health information to get to fax-level familiarity, but identifying public concerns, finding and fixing vulnerabilities in data exchange, and getting everyone’s questions answered will expedite that process.
Mary Stevens, Editor
mstevens@trimedmedia.com