Whose Information is this Anyway?

45
Whose Information is this Anyway? OR If I don’t trust you, I won’t tell you Treat the Patient Not the Chart

description

H. WESTLEY CLARK, MD, JD*, MPH DEAN’S EXECUTIVE PROFESSOR OF PUBLIC HEALTH SANTA CLARA UNIVERSITY * Member of the Washington, DC Bar

Transcript of Whose Information is this Anyway?

Page 1: Whose Information is this Anyway?

Whose Information is this Anyway?

OR

If I don’t trust you, I won’t tell you

Treat the Patient Not the Chart

Page 2: Whose Information is this Anyway?

H. WESTLEY CLARK, MD, JD*, MPHDEAN’S EXECUTIVE PROFESSOR OF

PUBLIC HEALTHSANTA CLARA UNIVERSITY

* Member of the Washington, DC Bar

Page 3: Whose Information is this Anyway?

Conflict of Interest Statement

I have no conflict of interest to disclose and no financial or other interest associated with patient privacy or any entity that has a pecuniary or tangible interest in patient privacy or the use of patient information for gain of any kind

H. Westley Clark, MD, JD, MPH

Page 4: Whose Information is this Anyway?

Obligations and Responsibilities

“I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”

Modern version of the Hippocratic Oath:

Page 5: Whose Information is this Anyway?

Privacy is Not About Vanity and Confidentiality is not About Convenience

• There can be consequences of great significance to the person who comes to you for care.

• Therefore, that person should be asked if his/her information should be shared, as he/she knows if they can bear the burden of disclosure.

Page 6: Whose Information is this Anyway?

The Purpose of 42 CFR Part 2

The purpose of 42 CFR Part 2 and other regulations prohibiting disclosure of records relating to substance abuse treatment -- except with the patient’s consent or a court order after good cause is shown -- is to encourage patients to seek substance abuse treatment without fear that by doing so their privacy will be compromised.

Source: State of Florida Center for Drug-Free Living , Inc.,842 So.2d 177 (2003) at 181.

Page 7: Whose Information is this Anyway?

Many Patients in either Methadone or Buprenorphine Treatment are Self-Pay

Privacy, confidentiality, the fear of stigma and the fear of retribution all appear to influence the clinical decision making of patients who can afford to pay cash, leaving the poor to bear the brunt of clinical research findings.

Page 8: Whose Information is this Anyway?

Blaming the Elderly, the Vulnerable and the Poor for Interfering with Research

In their Perspective, “Protection or Harm? Suppressing Substance-Use Data”, Frakt and Bagley use the pages of the New England Journal of Medicine to take the Centers for Medicare and Medicaid Services (CMS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) to task for respecting the confidentiality laws which protect the privacy of patient who seek treatment for substance use disorders.

Frakt, Austin B and Bagley, Nicholas, “Protection or Harm? Suppressing Substance-Use Data”, The New Engleand Journal of Medicine, http://www.nejm.org/doi/full/10.1056/NEJMp1501362?query=TOC

Page 9: Whose Information is this Anyway?

Distorting Surveys to AAttack Privacy Rules

Frakt, Austin B and Bagley, Nicholas, “Protection or Harm? Suppressing Substance-Use Data”, The New England Journal of Medicine, http://www.nejm.org/doi/full/10.1056/NEJMp1501362?query=TOC

Distortions of an NPR survey were used to contend that “most American want their health data to be available for research.” A look at that survey revealed that only 53% of the sample believed that it was okay to share health information for research. Furthermore, that same survey revealed that a minority (43%) of those 65 and older felt that it was okay to share health information for research.

http://www.npr.org/blogs/health/2015/01/09/375621393/poll-most-americans-would-share-health-data-for-research

Page 10: Whose Information is this Anyway?

DATA Distortions Occur When Only Data from Safety-Net Populations are Used

Frakt, Austin B and Bagley, Nicholas, “Protection or Harm? Suppressing Substance-Use Data”, The New England Journal of Medicine, http://www.nejm.org/doi/full/10.1056/NEJMp1501362?query=TOC

It was asserted that private insurers are unwilling to share their data. Thus, it is expected that the poor and the elderly should make up for this shortcoming.

We must recognize the social injustice in the implication that it is the responsibility of the poor and the elderly to shoulder the burden of information sharing when it is concluded that Medicare and Medicaid data were “our only way of gathering information about medical practice, patient outcomes and cost.”

Clearly, primarily using only data from Medicare and Medicaid creates the very problem of data distortion that removing substance use data creates.

Page 11: Whose Information is this Anyway?

SILENCE WHEN THE MONEY FLOWED

Congress, vendors and eligible providers paid little attention to the importance of substance use disorders and mental illness when electronic health records (EHRs) and health information exchanges (HIEs) were being negotiated.

In fact, most behavioral health providers were locked out of the incentives associated with the promotion of electronic health records. Had ACOs and HIEs demanded confidentiality responsive EHRs, the vendors would have been forced to accommodate the demands of their clients.

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_Medicaid_BegGuide_Stage1.pdf

Page 12: Whose Information is this Anyway?

WHERE WAS RESEARCH WHEN THE MONEY FLOWED

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_Medicaid_BegGuide_Stage1.pdf

Few researchers called for the vendor community to rectify the omission in technology, preferring, instead, to demand that the vulnerable sacrifice their privacy rights for the convenience of a delivery system too cheap to push for a technological accommodation.

Page 13: Whose Information is this Anyway?

Technological fixes are possible

SAMHSA and, subsequently, a few EHR vendors were able to demonstrate that is possible to have EHR systems that are responsive to the federal confidentiality regulations, while sharing information, with the patient’s consent, across platforms

Page 14: Whose Information is this Anyway?

Neither Clinicians nor Researchers Will Suffer the Direct Harm

In short, the elderly and the poor have reason to fear breaches of their privacy, even if researchers think lightly of such concerns. It is not the researchers who will bear the brunt of such disclosures and short of some public notice, those very same researchers would have no knowledge of the consequences.

Liu, V, Musen, MA, and Chou, T, “Data Breaches of Protected Health Information in the United States”, JAMA, Vol 313, Number 14, April 14, 2015

Page 15: Whose Information is this Anyway?

Are Behavioral Health Organizations Ready for Prime Time HIT & Information Sharing

Should the question on the table be where are the resources for behavioral health to be participating in integrated information sharing while protecting the privacy rights of the individuals served by the behavioral health community?

Page 16: Whose Information is this Anyway?

The Current 42 CFR Part 2 Permits Data Sharing

“Patient identifying information may be disclosed for the purpose of conducting scientific research if the program director makes a determination that the recipient of the patient identifying information: (1) is qualified to conduct research, (2) has a research protocol under which the patient identifying information, (3) Will be maintained in accordance with the security requirements of the regulations.”“ A person conducting research may disclose patient identifying information obtained under paragraph (a) of this section only back to the program from which that information was obtained and may not identify any individual patient in any report of that research or otherwise disclose patient identities.” 42 CFR § 2.52(b)

42 CFR §2.52 (a)

Page 17: Whose Information is this Anyway?

Don’t Blame the Poor for the inconvenient truth

CMS, under Medicare and Medicaid, is a third party payer and is controlled under 42 cfr Part 2 by the current provisions which state that the restrictions on disclosure in the regulations apply to third party payers with regard to records disclosed to them by federally assisted alcohol or drug programs. 42 CFR §2.12 (d)(2)(i)

CMS could invest reasonable resources to facilitate the sharing of information from its databases to benefit researchers interested in the patterns of substance use by the elderly, the poor and those vulnerable populations that are dually eligible. Thus far, it has not. There are technological solutions that are possible.

Page 18: Whose Information is this Anyway?

42 CFR Part 2 is not the Problem for general health care

42 CFR Part 2 Only applies to information received from a federally assisted alcohol or drug program. It does not apply to alcohol or drug use information provided to a general health care facility or provider which does not hold itself out to be an alcohol or drug use program.

Page 19: Whose Information is this Anyway?

But Which Illicit Drug using Patients Are We Talking About Anyway?

The 27 million people 12 or Older who report past month illicit drug use?

The 44 million people 12 or Older who report past year illicit drug use?

The 130 million people 12 or Older who report using an illicit drug at least once in their life time?

Page 20: Whose Information is this Anyway?

But Which Alcohol using Patients Are We Talking About Anyway?

The 140 million people 12 or Older who report past month alcohol use?

The 177 million people 12 or Older who report past year alcohol use?

The 218 million people 12 or Older who report using alcohol at least once in their life time?

Page 21: Whose Information is this Anyway?

But Which Alcohol using Patients Are We Talking About Anyway?

Or Are we Talking about the 4.2 million people who receive treatment for illicit drugs or alcohol of some form in the past year?

Received Substance Use Treatment refers to treatment received in order to reduce or stop illicit drug or alcohol use, or for medical problems associated with illicit drug or alcohol use.

It includes treatment received at any location, such as a hospital (inpatient), rehabilitation facility (inpatient or outpatient), mental health center, emergency room, private doctor's office, self-help group, or prison/jail.

Page 22: Whose Information is this Anyway?

But Which Substance Treatment Programs Are We Talking About Anyway?

Location of Treatment Total (2014)[Numbers in Thousands]

Total Population 4,149Hospital – Inpatient 921Rehabilitation Facility- Inpatient 1,076Rehabilitation Facility- Outpatient 1,731Mental Health Center –Outpatient 1,157Emergency Room 521

Private Doctor’s Office 780Self-Help Group 2,210Prison/Jail 366

NSDUH Table 5.25A Locations Received Illicit Drug or Alcohol Treatment in the Past Year among Persons Who Received Illicit Drug or Alcohol Treatment in the Past Year:

Numbers in Thousands, 2014

Page 23: Whose Information is this Anyway?

But Which Treatment Programs Are We Talking About Anyway?

Or Are we Talking about the 2.61 million people who receive treatment for illicit drugs or alcohol in specialty treatment in the past year?

Received Substance Use Treatment refers to treatment received in order to reduce or stop illicit drug or alcohol use, or for medical problems associated with illicit drug or alcohol use.

It includes treatment received at a location, such as a hospital (inpatient), rehabilitation facility (inpatient or outpatient), or mental health center.

Page 24: Whose Information is this Anyway?

But Which General Medical Situations Are We Talking About Anyway?

Are we talking about the estimated 35 million admissions to the estimated 5,686 hospitals in the US?

Are we talking about the 744 Accountable Care Organizations covering 23.5 million lives, 7.8 million of whom are covered by Medicare ACOs.

http://healthaffairs.org/blog/2015/03/31/growth-and-dispersion-of-accountable-care-organizations-in-2015-2/

Page 25: Whose Information is this Anyway?

But Which General Medical Environments Are We Talking About Anyway?

Are we talking about the estimated 904,556 professionally active physicians in the US having access to treatment records for the 4.2 million people who receive treatment for SUD in the past year?

Page 26: Whose Information is this Anyway?

But Which General Medical Environments Are We Talking About Anyway?

The spectrum of substance use is quite broad from mere use, to hazardous/risk use, to dependence. When it comes to general health delivery, why don’t we just ask the patient what information to disclose?

What’s wrong with getting the patient’s permission to disclose?

Page 27: Whose Information is this Anyway?

27

Past Year Substance Use Disorder and Receipt of Treatmentfor Substance Use among People Aged 12 or Older: 2014

SUD = substance use disorder.

Page 28: Whose Information is this Anyway?

When you tell the people who needed treatment that their privacy is not assured, what will they do?

An estimated 19.8 million people needed treatment for alcohol or illicit drugs, but of them 19.07 million people did not feel a need for treatment.

In other words, 96% of the people who met criteria for needing treatment did not feel a need for treatment.

Source: SAMHSA, Center for Behavioral Health Statistics and Quality, National Survey on Drug Use and Health, 2013 and 2014.

Page 29: Whose Information is this Anyway?

MOST PEOPLE WITH SUDs DON’T PERCEIVE A NEED

Of the 19.8 million people who needed treatment for alcohol or illicit drugs, 19.07 million people did not feel a need for treatment.

In other words, 96% of the people who met criteria for needing treatment did not feel a need for treatment.

Page 30: Whose Information is this Anyway?

Methods for Health Records, Interoperability and Billing for SUD Treatment Facilities, Percent; (N=14,148 Facilities) (2013)

Computer/Electronic Only Paper Only Both Electronic & Paper N/A0

10

20

30

40

50

60

16.7

21.8

48.9

12.6

4.8

23.5

47.9

23.8

31

9.1

50.2

9.6

Health Records Interoperability Billing

Perc

enta

ge

Center for Behavioral Health Statistics and Quality, Substance Abuse and Mental Health Services Administration, National Survey of Substance Abuse Treatment Services (N-SSATS), 2013.

Page 31: Whose Information is this Anyway?

Has the Train Left the Station?

H.R. 2646 would allow information sharing within accountable care organizations, health information exchanges, health home, or other integrated arrangements (in existence before, on, or after the date of the enactment of the act) involving the interchange of electronic health records containing information protected by 42 cfr Part 2 for purposes of attaining interoperability, improving care coordination, reducing health care costs, and securing or providing patient safety.

§ 403 Confidentiality of Records, H.R. 2646, “Helping Families in Mental Health Crisis Act of 2015

Page 32: Whose Information is this Anyway?

.

INFORMATIONSECURITY

Page 33: Whose Information is this Anyway?

Privacy & Technology: Partners or Adversaries?

Data integration and aggregation, coupled with increased on-line accessibility and sophisticated hacking, tracking, and data mining technologies, increase the risk and the consequences of breaches of privacy and confidentiality.

In turn, these elevated risks & consequences increase our obligations for proper oversight, state-of-the science security, and rapid mitigation of unintended consequences.

Page 34: Whose Information is this Anyway?

Risks of Personal Data Collection

Key risks include:• Re- identification attacks• Inaccurate data or models• Unfair use of sensitive inferences• Chilling effects on individual behavior• Excess government power over citizens• Large- scale data breach

Weitzner et al. 2014. Consumer Privacy Bill of Rights and Big Data:

Response to the White House OSTP RFI.

Page 35: Whose Information is this Anyway?

Are We Relying on HIPAA to Substitute for 42 CFR Part 2

It appears that behavioral health field is willing to sacrifice 42 cfr Part 2 at a time when the rest of the general health care field is exercising caution.

The cyber security threat gets understated by those in the behavioral health field advocating for the dilution of 42 cfr part 2, revealing, perhaps, a lack of understanding about the cyber technology that they want to embrace with alacrity and dispatch.

Page 36: Whose Information is this Anyway?

DATA Breaches are real

Liu et al note that between 2010 and 2013, data breaches reported by HIPAA-covered entities increased, involving 29 million records. This report noted most breaches occurred via electronic media, often laptop computers or portable electronic devices, the very systems that a researcher would rely upon in conducting data mining/claims data analysis. Furthermore, Liu et al noted that the combined frequency of breaches “resulting from hacking and unauthorized access or disclosure increased form 12.1% in 2010 to 27.3% in 2013.

Liu, V, Musen, MA, and Chou, T, “Data Breaches of Protected Health Information in the United States”, JAMA, Vol 313, Number 14, April 14, 2015

Page 37: Whose Information is this Anyway?

Are We Relying on HIPAA to Substitute for 42 CFR Part 2

What is also interesting is that 57% of a sample of general health care executives see HIPAA violations and compromises to patient privacy as an information security concern

“Health Care and Cyber Security: Increasing Threats Require Increased Capabilities”—KPMG, 2015

Page 38: Whose Information is this Anyway?

Are We Relying on HIPAA to Substitute for 42 CFR Part 2

"Some organizations may not realize the sophistication of hackers and their means to infiltrate confidential patient data networks. Interconnectivity of data in healthcare holds huge promise for health outcomes – improving both quality and efficiency of medicine. The risks associated with interconnectivity are also great, however. The nature, depth and consequences of cyber-attacks in healthcare have all changed, and the approach to containing those threats has to change and align with a healthcare organization’s objectives, as well."

“Health Care and Cyber Security: Increasing Threats Require Increased Capabilities”—KPMG, 2015

Page 39: Whose Information is this Anyway?

“Health Care and Cyber Security: Increasing Threats Require Increased Capabilities”—KPMG, 2015

Externa

l Atta

ckers

Sharin

g Data

with

Third P

arties

Employe

e Brea

ches/

Theft

Wire

less C

ompu

ting

Inade

quate

Fire W

alls

0%10%20%30%40%50%60%70% 65%

48%

35% 35%27%

Greatest Vulnerabilities in Data Security in General Healthcare

Page 40: Whose Information is this Anyway?

“Health Care and Cyber Security: Increasing Threats Require Increased Capabilities”—KPMG, 2015

Malware

infec

ting s

ystem

s

HIPAA Viol

ation

s/com

promise of

patien

t priv

acy

Intern

al Vuln

erabil

ities (e

mployee

theft/ne

gligen

ce)

Medica

l dev

ice se

cuirty

Aging IT

hardw

are0%

10%20%30%40%50%60%70%80%

67%57%

40%32% 31%

TOP INFORMATION SECURITY CONCERNS IN GENERAL HEALTHCARE IT

Page 41: Whose Information is this Anyway?

In General Healthcare “My Organization has Adequate IT Security Resources for the following:”

“Health Care and Cyber Security: Increasing Threats Require Increased Capabilities”—KPMG, 2015

0%

10%

20%

30%

40%

50%

60%

70%

80%70%

60%55% 53%

49%

35%

Page 42: Whose Information is this Anyway?

Do we expose our patients to harm while we wait for the promise of ACOs

http://healthaffairs.org/blog/2015/03/31/growth-and-dispersion-of-accountable-care-organizations-in-2015-2/

“Accountable care organizations range from relatively small, primary-care physician groups to large, multi-state integrated delivery networks. Such disparate organizations have different capabilities, different needs, and different opportunities. There are many pathways that organizations can take to effectively bear risk, but shorter-term success is more likely to be achieved by focusing on maximizing what the organization has the ability to do well, as opposed to trying to develop new capacities.”

Page 43: Whose Information is this Anyway?

What do you tell your patient about confidentiality?

Changing 42 cfr Part 2 by regulation or legislation will shift the burden of unintended consequences of disclosure to the clinician for failure to warn of those foreseeable and harmful acts that result from disclosure.

Page 44: Whose Information is this Anyway?

Whose Information is this Anyway?

OR

If I don’t trust you, I won’t tell you

Treat the Patient Not the Chart