Protecting Patient Privacy in the Era of Health Information Exchange Corinne A. Carey Senior Public Policy Counsel New York Civil Liberties Union ACLU CLE July 28, 2010
Page 1

Protecting Patient Privacy in the Era of Health Information Exchange

Corinne A. Carey

Senior Public Policy Counsel

New York Civil Liberties Union

ACLU CLE

July 28, 2010

Page 2

What this CLE will cover

The basics

What is health information exchange (HIE)?

What are EHRs? What are PHRs?

How does HIE work?

Genesis of interoperable health information exchange

Privacy in the pre- and post-HIE world

How do patients interact with HIEs?

Why should we be concerned about protecting privacy in HIE?

Page 3

The Basics

What is Health Information Exchange (HIE)?

What is an Electronic Health Record (EHR)?

What is a Personal Health Record (PHR)?

How is health information linked?

Page 4

What is Health Information Exchange (HIE)?

Individual electronic records (EHRs) linked via electronic network: internal computer networks; Internet; some parallel (private or public) structure

Into a network accessed by providers who may be: unaffiliated; separated by geographic distance or by time; otherwise unaware that they have or have had a patient in common

Page 5

What is an Electronic Health Record (EHR)?

Computerized equivalent of patient’s existing medical records

Created by provider or facility for use by medical staff

Content controlled by health care provider, property of the health care provider

Can be siloed in one office or shared electronically between providers (“networked”)

Standards for patient protections and rights of access are (or should be) similar to paper records

Page 6

What is a Personal Health Record (PHR)?

AKA “Facebook for medical information”

E.g., Google Health/Microsoft Health Vault

created by patient for use by patient, potentially accessed by health care provider

standards for patient protections/access/control are complicated

currently NOT protected by HIPAA/state Law

currently regulated by FTC; potentially regulated by HHS

owned by vendor (legal rights are unclear)

patient rights are largely subject to contract w/vendor

Page 7

How does an HIE link files?

Infinite number of configurations

Most are variations on these three general models:

Centralized Data Bank

Virtual Health Record (VHR) Approach

Health Record Bank/PHR Approach

Page 8

Centralized Data Bank

Patient A’s whole file from Dr. B, her internist, is uploaded to a central server

Combined with: her files from Dr. C (gynecologist), Dr. D (dermatologist), and Dr. E (her allergist); lab results, radiology reports, etc.; ER/hospital inpatient files

In an actual physical file accessible by all participating providers for whom she has given consent.

Patient data can be “pushed” to providers (e.g., lab tests automatically forwarded) or “pulled” by providers.

Page 9

Virtual Health Record (VHR) Approach

Patient X’s EHR remains in his provider’s office.

Central server contains only identifying demographic information, not actual patient medical information

Dr. B wants to access Patient X’s records from his visit to Dr. D:

she sends a query to the central server, which pulls in the information from all the other providers he has seen and assembles it in a temporary virtual health record, which is then downloaded by Dr. B and incorporated into Dr. B’s files permanently - each provider with access creates an integrated complete medical record for patient.

Central registry maintains a record of the request and of what information was included in the VHR, but not the actual information.

No central database at risk of direct security breach; data remains property of providers.

Page 10

Health Record Bank (PHR) Approach

System based on personal health records.

Patient Y sets up an HRB account which is under her control.

Drs. B, C & D all “push” information to the account or information is pulled by the account

Patient can add information to the account

Patient controls which doctors have access to the file and potentially granularity of information to which they have access.

Pilot program in Washington State

RED FLAG: reliance on software vendors who are not “covered providers” (not “HIPAA-covered”)

vendor potentially owns, controls information

privacy controls (including access to information by marketers) held by vendor like other websites (see issues with Facebook privacy controls)

unclear whether MDs will accept information in patient-controlled PHRs

Page 11

Genesis of interoperable health information exchange

Page 12

How did this all start?

Interest in this for many years

Intra- has existed for a long time: Kaiser health systems; large hospital systems

Inter- is relatively new: NIH pilot project in 1994 (Regenstrief), affiliated with Indiana University, developed informatics that connected all hospitals in the area

Page 13

Bush Era

Big push for development of interoperable health information exchange

Objectives: increased efficiency; cost savings; improved patient care

Free market orientation

Policy intended to remove obstacles to private adoption of EHR/HIE

Privacy (and liability for privacy protection) seen as an obstacle

Page 14

Bush Years

Executive Order 13335, issued April 27, 2004

goal of widespread adoption of interoperable EHRs by 2014

established the HHS ONC - Office of the National Coordinator for Health Information Technology

Objectives:

strategic plan to guide nationwide implementation of interoperable HIT in both public and private sectors;

Coordinate federal HIT policy/programs & executive branch agencies;

conduit for grants for state HIE projects via HISPC (Health Information Security & Privacy Collaboration)

Page 15

Obama Administration: New Funding, New Laws, New Policies

No radical reorganization of free-market structure

Starts with individual doctors’ offices

American Reinvestment and Recovery Act (ARRA) 2009 and post-ARRA

Advocates forced the Obama Administration to confront need for consistency and consumer protection

Big step in the right direction

Page 16

Obama Administration

Feb 2009: ARRA/HITECH (Health Information Technology for Economic and Clinical Health)

Direct funding for HIT projects

Incentives via Medicaid and Medicare to encourage adoption and “meaningful use” of EHRs

Funding for state-level HIE activities, development of national standards, education and dissemination of best practices

Important privacy changes

Page 17

Post-ARRA

Health Information Technology is a rapidly developing field

Administration has tapped into growing field of experts from many domains: advocacy, think-tank, tech/med professional, and academic worlds

Rethinking of level of need for privacy protection

Regulations, white papers, recommendations being developed almost daily

Page 18

Transformation of ONC

ONC approach to privacy draws on the key advocates for patient privacy/control rights

Chief Privacy Officer: Joy Pritts, Georgetown Univ., O’Neill Inst. for National and Global Health Law

academic focus is privacy of health information and patient access to medical records

Co-Chair, Privacy & Security Workgroup: Deven McGraw, Center for Democracy & Technology

Key author on privacy and consent issues in HIT

Page 19

Transformation of ONC

ONC is currently revisiting basic policy on consumer consent, privacy, enforcement of HIPAA/HITECH protections, PHRs and privacy issues (also under consideration at FTC)

Discussion underway re: structure of NHIN - network of SHINs or direct linkage of EHRs nationally (NHIN Direct, now under development)

Page 20

What’s happening in the states?

States in different stages of development & implementation

Some programs are already underway; policy has either not been developed or has been developed in various ways with varying degrees of consumer input

In places furthest along, policies are the most entrenched, either by design or by default (lack of policy *is* policy)

There are so many models that we can’t address them all; we’ll talk about general themes and use NY as a reference point

Page 21

What is the federal government’s role in shaping HIE?

No legal requirement for what model will look like in states (e.g., no req’t that states set up policy boards, or adopt state regulation)

To date, limited requirements for technological capability to ensure granular control of data

No requirement that it be state-run, or privately-run

And it appears that there are no requirements regarding patient consent to participate

Incentive-based system

Theory: Encourage many different models to see which will be the best. “Let 1000 flowers bloom” (or, as some say, “Let 1000 weeds fester.”)

Page 22

Privacy in the Pre- and Post-HIE World

Existing federal and state laws protecting certain types of medical information

HIPAA

ARRA/HITECH

Page 23

Pre-HIE sets the stage

Federal laws protecting patient confidentiality, e.g., substance abuse treatment, genetic information

State laws protecting patient confidentiality:

General obligation of health care providers

Special rules regarding: minors; substance abuse; HIV/AIDS; mental health

HIPAA

Page 24

HIPAA

HIPAA enacted in 1996

Initially required consent for dissemination of medical information for TPO (treatment, payment, and operations)

In 2002 (under Bush), HIPAA was revised so that consent was no longer necessary.

Legacy is: great confusion

Bottom line is that, contrary to popular belief, HIPAA didn’t establish adequate protections for patient privacy

Page 25

HIPAA “Protections”

MYTH: The HIPAA privacy rule requires stringent protections for all health information

FACT: Privacy protections are very limited and vary by who holds the information and why it is being shared.

HIPAA protections apply only to information held by “covered entities”

“Covered Entities” - health care providers who transmit health information in electronic form, health care plans and clearinghouses.

Information held by any other organization or patient is not subject to HIPAA

No patient consent required for “uses” (within an organization) and “disclosures” (shared outside the organization) that are for purposes of “TPO” (treatment, payment, and operations…plus other authorized uses like government reporting, required by law, subpoena, and some others)

Page 26

HIPAA “Protections”

MYTH: What you sign in the doctor’s office is a consent to disclosure

FACT: The paper you sign is only a notice of office practice regarding disclosure

* * *

MYTH: HIPAA limits use/disclosure to the “minimum necessary” to achieve purpose of use/disclosure

FACT: The “minimum necessary” standard is not applicable to disclosures to another health care provider for treatment purposes

Page 27

HIPAA “Protections”

MYTH: If you consent to allow your information to be sent to a non-covered entity, HIPAA guards against redisclosure.

FACT: Once you consent to disclosure to a non-covered entity, that information is no longer “protected” by HIPAA

* * *

MYTH: HIPAA ensures stringent audit trails and you can find out who has viewed your medical information

FACT: (Until HITECH) patients had limited rights to access logs/know who had accessed their records and when; no logging was required for TPO access.

Page 28

ARRA/HITECH modified HIPAA

Substantially enhanced HIPAA protections for patients:

Extension of HIPAA standards to “business associates”

More stringent audit/access trail requirements

Enforceable punishments for breach or misuse

State AG enforcement power (already been exercised, e.g. Conn)

Increased patient rights to access own data

Exclusion of services paid for “out-of-pocket”

New restrictions on marketing

Page 29

How Do Patients Interact with HIEs?

Page 30

Pre-HIE: patient control in the world of paper records

In general, patients control which information providers can access

Patient is main source of medical history/lifestyle information: medical diagnoses, past and present; lifestyle including alcohol, substance use, reproductive history, sexuality, etc.; medications, past and present; names of other providers

Allows patient to decide which information to share with which provider.

Exceptions:

Information conveyed via referrals or consultations, which generally requires patient consent (under some state laws)

Intrafacility access to patient files; e.g., different departments of same facility, affiliated facilities

Page 31

Patients in the HIE World

What control do patients have over:

Inclusion of their information in “the system”?

Sharing of that information within an HIE network?

Wider dissemination of that information from the network to external entities?

Page 32

Consent to participate: states follow four general models

Automatic inclusion with no option to opt-out of system.

“Opt-out”: Patient locator information &/or patient records are included in the system unless patient affirmatively refuses to participate.

“Opt-in”: Patient must consent before patient locator information &/or patient records are included in HIE system.

Partial opt-out or opt-in: Patient has option of either consenting to have partial information included or partial information excluded.

Page 33

Consent to Share Information within HIE

All of patient’s providers have automatic access to patient’s records, no right to opt-out.

Opt-out: providers have access to records unless patient affirmatively opts out.

Opt-in: No records shared unless patient consents. Upon consent, all of patient’s providers have access.

Partial opt-out or opt-in: Patient has option of either consenting to have partial information shared or partial information made inaccessible.

“Break the Glass” provision: Where patient is in need of emergency treatment, provider can access records in absence of affirmative consent or despite affirmative refusal to participate, or can override other limits placed by patient or default policy.

Page 34

All-or-Nothing Consent

At this time, “participation” in HIE generally means consent to sharing all information, or sharing none at all.

Patients cannot select which information they want to share.

However, some systems allow patients to choose which providers within HIE have access to all of their medical information

Page 35

Granularization

Granularization: the degree of specificity of patient control over information included in system or shared with providers.

Consent regimes could allow patients to limit information included in the HIE or shared by the HIE.

Granularization operates in terms of:

Provider: To whom, from whom

Time: how far back?

Service, encounter, and condition: what do they get to see?
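
The opt-in/opt-out defaults, the three granularity dimensions (provider, time, service/condition) and the “break the glass” override from the preceding slides can be expressed as one release decision with an audit entry per request. This is an added illustration, not part of the original presentation; the names `Record`, `Consent`, `permitted` and `release`, the category labels and the sample records are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    source: str      # provider that created the record ("from whom")
    category: str    # service / encounter / condition label
    created: date


@dataclass
class Consent:
    model: str                                      # "opt-in" or "opt-out"
    choice: Optional[bool] = None                   # None = patient has made no choice
    allowed_requesters: Optional[set] = None        # None = any participating provider
    blocked_sources: set = field(default_factory=set)
    not_before: Optional[date] = None               # time limit: "how far back?"
    restricted: dict = field(default_factory=dict)  # category -> requesters who may see it

    def participating(self) -> bool:
        # The two models differ only in what silence means.
        if self.choice is None:
            return self.model == "opt-out"
        return self.choice


def permitted(rec: Record, consent: Consent, requester: str) -> bool:
    """Apply participation first, then each granular limit in turn."""
    if not consent.participating():
        return False
    if consent.allowed_requesters is not None and requester not in consent.allowed_requesters:
        return False                                # provider: "to whom"
    if rec.source in consent.blocked_sources:
        return False                                # provider: "from whom"
    if consent.not_before is not None and rec.created < consent.not_before:
        return False                                # time
    if rec.category in consent.restricted and requester not in consent.restricted[rec.category]:
        return False                                # service / condition
    return True


def release(records, consent, requester, audit, emergency_reason=None):
    """Return the records the requester may see and log the decision.

    Supplying emergency_reason is the "break the glass" path: it overrides
    refusal and every granular limit, so it must carry a stated reason and
    is flagged in the audit entry for later review.
    """
    break_glass = emergency_reason is not None
    if break_glass and not emergency_reason.strip():
        raise ValueError("break-the-glass access requires a stated reason")
    released = [r for r in records if break_glass or permitted(r, consent, requester)]
    audit.append({
        "requester": requester,
        "break_glass": break_glass,
        "reason": emergency_reason,
        "released": [r.record_id for r in released],
        "withheld": len(records) - len(released),
    })
    return released


# Constructed sample data: three records and one patient's consent settings.
RECORDS = [
    Record("r1", "pcp", "reproductive", date(2011, 3, 1)),
    Record("r2", "podiatrist", "podiatry", date(2019, 6, 10)),
    Record("r3", "lab", "lab", date(2005, 2, 1)),
]
ANA = Consent(
    model="opt-in",
    choice=True,
    not_before=date(2010, 1, 1),
    restricted={"reproductive": {"pcp"}},
)

if __name__ == "__main__":
    log = []
    for who, reason in [("podiatrist", None), ("pcp", None),
                        ("er_physician", "unconscious on arrival")]:
        seen = release(RECORDS, ANA, who, log, emergency_reason=reason)
        print(who, [r.record_id for r in seen])
    for entry in log:
        print(entry)
```

Under all-or-nothing consent, only `participating()` exists; every other check in `permitted` is a capability the system has to support before granular control can be offered at all.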

Page 36

Civil Liberties Concerns

Experience should teach us to be most on our guard to protect liberty when the Government’s purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in the insidious encroachment by men of zeal, well-meaning but without understanding.

Olmstead v. United States, 277 U.S. 438, 479 (1928) (Brandeis, J., dissenting).

Page 37

Four Questions

1. Why should we be concerned about privacy in the context of health information exchange?

2. What needs to be put in place to sufficiently address privacy concerns?

3. What looming issues promise to complicate efforts to protect privacy?

4. Where do we need to go from here?

Page 38

Why should we be concerned about privacy in the context of health information exchange?

The way that information flows in & out of the system

The kinds of information that will be exchanged

The number of people with access to health information

Concerns about proxy/surrogate access to health information

System capability to shield sensitive health information

For the first time, you will have one complete medical file with everything in it. “This will go down in your permanent record.”

The impact of any error is exponentially more damaging

Page 39

What goes into the system?

All providers in an affiliated network who the patient has seen

All electronic files

As far back as the provider has maintained electronic records

Currently HIE is region-wide; contemplation is statewide, and then NHIN.

Page 40

Patient A: Ana

Ana obtains a surgical abortion from a Planned Parenthood clinic doctor in 2010. The clinic does not place this information into the system because there is no way to safeguard sensitive health information. Ana discusses her abortion with her PCP a year later when she is trying to get pregnant, and the doctor records the information in her record. Should Ana’s podiatrist have access in 2020 to information about the abortion she obtained without complication ten years earlier?

Page 41

Who Gets to See?

All of an individual’s health care providers & their affiliates

Business associates

Certain family members

The patient’s health insurance company

The patient’s life insurance company

Government

Potential Employers

Marketers

(Bad Actors)

Page 42

Patient B: Benjamin

When he was in his early 20s, Benjamin struggled with his use of heroin and sought substance abuse treatment. Records of this treatment are protected by federal law, and were therefore excluded from HIE. However, his PCP at the time knew about his heroin addiction, and made a note of it in his charts. Ten completely sober years later, Benjamin develops a condition that causes him severe pain. His new doctor is reluctant to prescribe the most effective pain medication for Benjamin because, after reviewing his files, she is concerned that his reports of pain are “drug seeking behavior.”

Page 43

Patient C: Candace

Candace is struggling with a worsening depression. She is reluctant to seek mental health treatment, and does not want to ask her primary care physician for help--particularly for any prescription medication to treat her condition--because she is afraid that her employer will gain access to her health records and it may affect her ability to move up in her company.

Page 44

Ever Expanding Circle: More Information to More People

More people are getting access to more information.

The larger the pool of people with access to your health information, the greater the likelihood of breach and misuse.

The greater the scope of information included, the greater the risk of misuse.

Page 45

Original Data Holder

Slide courtesy of Latanya Sweeney, Ph.D., Trustworthy Designs for the Nationwide Health Information Network Electronic Privacy Information Center, May 28, 2010

Page 46

Primary Sharing MAY have some Restrictions


Slide courtesy of Latanya Sweeney, Ph.D., Trustworthy Designs for the Nationwide Health Information Network Electronic Privacy Information Center, May 28, 2010

Page 47

Secondary and Alternative Sharing Unbounded


Sweeney, L. Information explosion. Confidentiality, Disclosure, and Data Access: Theory and Practical Applications for Statistical Agencies, Washington, DC, 2001.

Page 48

Clayton, P., et al. For The Record. National Academy Press, 1997.

[Figure: flows of Alice’s Health Record. Entities shown: Employer’s clinic & wellness program; Retail Pharmacy; Pharmacy Benefits Manager; Health Insurance Company; Spouse’s self-insured employer; Life Insurance Company; Medical Information Bureau; Lawyer in Malpractice Case; Medical Researcher; State Bureau of Vital Statistics; Consulting Physician; Managed Care Organization; Care Provider (physician, hospital); Clinical Laboratory; Alice’s Employer; Accrediting Organization. Legend: Long-term repository; Short-term repository; Temporary Access; Flow of patient-identified health information; Flow of de-identified patient health information.]

Page 49

[Figure: flows of Alice’s Health Record. Entities shown: Employer’s clinic & wellness program; Retail Pharmacy; Pharmacy Benefits Manager; Health Insurance Company; Spouse’s self-insured employer; Life Insurance Company; Medical Information Bureau; Lawyer in Malpractice Case; Medical Researcher; State Bureau of Vital Statistics; Consulting Physician; Managed Care Organization; Care Provider (physician, hospital); Clinical Laboratory; Alice’s Employer; Accrediting Organization; Public Health; CDC; Clearing House; Transcription; Coding; ICU Mgt; Outcomes Analytics; Workflow Analytics; Disease Management; Patient Portal; Equipment Monitoring; Compliance Management; De-identification Review; Hospital Discharge; Ambulatory Discharge; Prescriptions Database; Pharmaceutical Companies Marketing.]


Patient D: Denise

Denise lives in a small town in upstate New York with her husband, who is a doctor. Denise’s husband is physically abusive to her and their two children. After a particularly violent attack, Denise leaves and seeks assistance from a local domestic violence shelter. Denise is now concerned about seeking any medical care, even though she now lives in another county, because she suspects that some information about her and her children, including her address, may be available either to her husband or to her husband’s associates.


Patient Control vs. Provider Confidence: A False Dichotomy

Patients have always had some degree of control

The myth of the “complete record”

Liability concerns

Relationship between patient and provider one of “mutual trust” (“Hippocratic Bargain”)

Integrity of system patient “buy in” improved delivery/health outcomes & efficiency


Limitations in technology and policy create perverse result

Those who may benefit the most may decline to participate, or may be excluded under state policy

Mental health services recipients

Substance abuse services recipients

Patients of reproductive health clinics

Some minors (in NY, those between 10 and 18 are excluded by policy)


Minors: Concerns about Surrogate/Proxy Access

Parental consent is generally required for minors to receive health care

In some states (like NY) minors have the right to receive health care without parental consent under certain circumstances (e.g., STI care; post sexual assault care)

Who has the right to see the records?

In most instances, parents have the right to access all of their children’s medical records

In some states, it is the person who consents to health care (the minor, not the parent) who can access records regarding that care


Surrogate/Proxy Access

In those states where confidentiality is preserved for minors, such that parents are not permitted access to records of care that a minor received without parental consent, the problem is:

Technological inability to separate minor-consented information from parent-consented information

HIE presents a challenge: how to build a system that guards against undesirable disclosure to otherwise authorized agents


Patient E: Evan

Evan has been receiving care from his pediatrician since he was born. His parents consent to this care, and as a result, have access to his health information. When he starts becoming sexually active, he confides in his doctor. After one sexual encounter he regrets, he requests the Gardasil© vaccine and an STI test.


What needs to be put in place to address privacy concerns?

Granularization

Patient Ability to Correct/Amend EHRs

Protections against Breach & Misuse

A Critical Examination of Consent

Effective Public Outreach


Granularization

Person or entity: who gets to see?

Time: how far back?

Service, encounter, and condition: what do they get to see?


Granularization by Provider

By Provider: patient can choose to restrict/include information based on which provider is source

Patient A chooses not to include records from visits to her gynecologist in order to ensure that testing for STIs is not included in her HIE-accessible record.

To Provider: patient can choose to allow/exclude specific providers from accessing HIE record

Patient B chooses to allow her internist to access records from her gynecologist to ensure coordinated treatment, but chooses to exclude her podiatrist from access to her record.

Potentially allows limiting access to specific providers within a practice.


Granularization by Time

Time Frame: Patients can choose to include/exclude records based on when they were created

Include only information from a limited look-back period

Patient A restricts information to the last 5 years, ensuring that her negative HIV test from 10 years ago remains private.

Exclude information from a specific time period

Patient B excludes a 4-month period from his records, to ensure that his in-patient treatment for substance use remains private.


Granularization by Service, Encounter, or Condition

“Sensitive Information” - patient can choose to exclude sensitive information from system or to restrict which providers have access

“Sensitive information” can be defined as specific types of information or as defined by patient.

Patient A chooses to omit references to his anorexia, preferring to tell individual providers himself as necessary.

Type of data: choose to include/exclude specific categories of data (lab tests, MD notes, etc.)

Patient B chooses to exclude/include medications to keep his history of psychotropic medications private.

Additional possibilities: visit-by-visit opt-in or opt-out; choice to exclude/include different information within a single visit
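The three granularization dimensions from the preceding slides (by and to provider, by time, and by service or data type) can be expressed as one consent filter. The sketch below is an added illustration, not part of the original presentation or of any HIE's code; the record fields, tag names, reason strings and sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Record:
    rec_id: str
    source: str                      # provider that created the entry
    created: date
    category: str                    # "lab", "note", "medication", ...
    tags: frozenset = frozenset()    # sensitive labels (policy- or patient-defined)

@dataclass
class Consent:
    allowed_recipients: set                                 # "to provider"
    excluded_sources: set = field(default_factory=set)      # "by provider"
    lookback_years: Optional[int] = None                    # limited look-back period
    excluded_periods: list = field(default_factory=list)    # [(start, end)], inclusive
    excluded_categories: set = field(default_factory=set)   # type of data
    excluded_tags: set = field(default_factory=set)         # sensitive information

def years_before(day, n):
    try:
        return day.replace(year=day.year - n)
    except ValueError:               # 29 Feb mapped into a non-leap year
        return day.replace(year=day.year - n, day=28)

def withheld_reason(rec, consent, today):
    """Return why a record is withheld, or None if it may be disclosed."""
    if rec.source in consent.excluded_sources:
        return "source provider excluded"
    if consent.lookback_years is not None and \
            rec.created < years_before(today, consent.lookback_years):
        return "older than look-back period"
    if any(start <= rec.created <= end for start, end in consent.excluded_periods):
        return "inside excluded time period"
    if rec.category in consent.excluded_categories:
        return "data category excluded"
    if rec.tags & consent.excluded_tags:
        return "sensitive tag excluded"
    return None

def visible_records(records, consent, requester, today):
    if requester not in consent.allowed_recipients:   # default deny
        return []
    return [r.rec_id for r in records if withheld_reason(r, consent, today) is None]

# Constructed sample data modelled on the slides' Patient A / Patient B scenarios.
TODAY = date(2010, 7, 28)
RECORDS = [
    Record("r1", "internist", date(2009, 3, 2), "note"),
    Record("r2", "gynecologist", date(2009, 11, 10), "lab"),
    Record("r3", "internist", date(2000, 5, 1), "lab"),
    Record("r4", "hospital", date(2008, 2, 15), "note"),
    Record("r5", "internist", date(2009, 6, 1), "medication"),
    Record("r6", "internist", date(2010, 1, 20), "note", frozenset({"eating-disorder"})),
    Record("r7", "internist", date(2010, 4, 5), "lab"),
]
CONSENT = Consent(
    allowed_recipients={"internist", "cardiologist"},   # podiatrist not listed
    excluded_sources={"gynecologist"}, lookback_years=5,
    excluded_periods=[(date(2008, 1, 1), date(2008, 4, 30))],
    excluded_categories={"medication"}, excluded_tags={"eating-disorder"},
)
```

Calling `visible_records(RECORDS, CONSENT, "cardiologist", TODAY)` returns only `r1` and `r7`, while the same call for `"podiatrist"` returns an empty list.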


Consequences of failing to ensure granularization

Patient trust in the system suffers, patients opt out

The solution adopted by New York to preserve minors’ legal rights to confidential care excludes minors from the benefits of HIE altogether

HITECH requires some degree of granularization (for treatment paid for out-of-pocket).

In systems that can’t accommodate this degree of granularization, patients must either give up their rights under HITECH, or decline to participate altogether.


Current New York State Capability on Granularization

No granularization below the group/facility level: if one provider in group has access, other treating providers in that group will have access.

No granularization by time frame, type of data, type of condition.

No granularization by information: Consent to access records extends to all records, including HIV-related information and other sensitive data that might otherwise require specific consent under state or federal law.


Patient Ability to Correct/Amend Health Information

Errors in a Patient’s Record may be the result of:

Pure error

Identity theft

Information that later proves untrue (e.g., positive toxicology)

Patients are already guaranteed the right (via HIPAA, HITECH, and state law) to review medical records and insert additional information and amendments

Complications

Difficulty tracking in a system with wide dissemination

Impact of error greater; transformed by larger record with wider dissemination

If it is a widely linked record, the corrective mechanism cannot be local


Patient Ability to Correct/Amend

Must be assurance that there is a mechanism for correcting/amending record in each location where it is held

through audit trail

ability to send out correct information to each individual/entity that has accessed the record when errors are identified

assurance that record is correct going forward


Protections against breach & misuse

Breach is a “red herring” in privacy discussions

Biggest concern: someone hacking into your medical records and violating your privacy or “the government will get your info”

There are strong protections in state policies and procedures and in federal regulations regarding breach


Misuse & Other Harms

Breach is information leaving the system without your consent; misuse is info leaving WITH your consent.

Misuse is the bigger concern WITHIN the system, and when it LEAVES the system.

Examples of misuse:

Prejudicial impact on treatment

Use by authorized user for non-medical purpose


A Critical Examination of “Consent”

Ensure the adequacy of consent forms

Determine whether consent is:

Informed

Truly consensual

Begin to think about protecting use vs. access


Public Outreach

Outreach currently designed to encourage patients to “sign up”

A more responsible public outreach campaign would:

Tell patients that HIE is happening now

That information is capable of being shared/accessed

How information can be accessed

Explain to patients how they fit in by:

Explaining benefits

Explaining risks

Educating them about how to manage risk


When Health Information Moves Outside the Network

Moving Beyond the Patient-Provider Paradigm

Personal Health Records

Marketing & Commercial Data Harvesting


Moving Beyond the Patient-Provider Paradigm

HIE holds the promise of improved patient care and efficiency

There are public health goals that could be achieved through access to EHRs not related to patient care or efficiency:

System Accountability

Research

Public Health Monitoring/Government Access


System Accountability

Theoretically, access to EHRs could assist in:

Medicaid fraud investigations

Quality control of physician care

To what extent should HIE allow for this level of access?

What patient consent should be required?

State policy under development in this area


Research

E.g., NYS policy allows for use for research with a higher level of consent

De-identified data from EHRs is accessible

Challenges

Defining “research”

How to ensure against re-identification of de-identified data (e.g., small population/small health dep’t, sensitive issues; increasing ability to identify de-identified data, e.g., SSNs)


Public Health Monitoring/State Access

What is the state to do when it has identified a public health threat?

When will a health department feel compelled to intervene?

Common vector

Suspected intentional transmission

If the state is the provider/custodian, when will unconsented-to access seem like a good idea?

Incarcerated individuals

Residents of homeless shelters

Recipients of public assistance

State policy under development in this area


Personal Health Records

Standards for patient protections/access/control are complicated

Owned by vendor (legal rights are unclear)

Patient rights are largely subject to contract w/vendor

Currently NOT protected by HIPAA/State Law except:

Some are already business associates of HIPAA-covered entities (e.g., patient portals), and so are therefore subject to HIPAA

Currently regulated by FTC; potentially regulated by HHS

Some changes in HITECH will apply


Marketing & Commercial Data Mining

What is “informed consent” in the context of consent to release to marketers?

E.g., what does a patient give up by consenting to Rx discount program offered by a pharmaceutical company?

Comprehensive medical information kept in one place is a highly valuable commodity:

Vulnerable to unauthorized access and exploitation

Concerns about re-sale of health information

State policies under development


Where do we go from here?

Technology and implementation developing faster than policies & procedures

Policies and procedures developing faster than our ability to identify all of the repercussions

Public participation in identifying threats to privacy has been limited


We have a long way to go…

To decide whether and how to revise state laws to deal with the full implications of sharing records formerly kept on paper now that they are shareable electronically

To strengthen protections against patient mistreatment, medical/disability discrimination

To strike the proper balance between patient control and provider control


What can an ACLU affiliate do?

Be on lookout for issues in your own region/state

Understand what’s happening at state level

Play a role in state policy-making

Be aware of how private entities are entering the field

Consider contributing to consumer/patient/stakeholder voices on national scene

Revisit internal policies on consent


For more information, contact Corinne A. Carey

Senior Public Policy Counsel

New York Civil Liberties Union

[email protected] 607 3327