Patient security absent in Stage 2, privacy rights group says
Stage 2 and Stage 3 criteria for meaningful use are missing the ability to control who can see and use personal health information and the ability to segment information so it can be selectively shared, according to Patient Privacy Rights (PPR).
“Segmentation is essential to protect sensitive information, but also is absolutely critical for patient safety, so that erroneous health information can be kept from disclosure,” the Austin, Texas-based health privacy watchdog wrote in a letter to the HIT Policy Committee.
PPR, a consumer group with more than 12,000 members across the U.S., focuses on building health IT systems.
The Health IT Policy Committee’s Privacy & Security Tiger Team has “failed to make any recommendations about privacy and security in meaningful use Stage 2,” a move the organization believes is “disappointing.”
Implementing meaningful use criteria without simultaneously laying down a comprehensive privacy framework for data use and exchange "will lead to disaster," PPR stated. "Requiring the use of EHRs that do not have informed consent tools and privacy protections will lead to widespread data exchange and violations of patient privacy."
Meaningful use criteria must be revised to explicitly require design for privacy at the outset, according to PPR.
The HIT Policy Committee should recognize that HIPAA is the "floor" for privacy, and Stage 2 criteria must enable individuals to selectively share parts of their health information only with people they choose, preventing others from having access, with rare exceptions under the law, PPR commented.
“We urge the HIT Policy Committee Meaningful Use Workgroup to revise the Stage 2 and 3 criteria and proceed cautiously to realize the public's expectation of individual control over health information and make robust data privacy, consent and segmentation a reality,” the letter concluded.