CP7

Purpose

Recent Connecting for Health public opinion research found that more than half of respondents were "very concerned" that employers or health plans would gain access to electronic information intended for PHRs.¹  Worry about possible employment or insurance discrimination likely drives these high numbers.

CT1: Technical Overview discusses "business data streams" and "consumer data streams." Business data streams consist of transactions of personal health information among business partners conducted without a consumer view or participation. For example, consumers generally don't see the transactions between their doctor's office and the insurance company, or between the insurance company and its data warehouse, etc. Consumer data streams involve transactions of information into or out of a consumer-accessible application, such as a PHR.

In addition to the enforcement of existing anti-discrimination laws, any organization acting as Consumer Access Service or PHR supplier should maintain a "firewall" between consumer data streams and business data streams to ensure that data captured or stored in consumer applications are not used as a basis for discrimination.

Our Work Group recommends that all network participants treat consumer data streams distinctly – with higher levels of protection than existing business streams of health data. This practice area recommends tough language to bar discrimination or "compelled disclosures" – such as when the consumer's authorization for release of data is required in order to obtain employment, benefits, or other services.

Discrimination

It is important to recognize that consumer data streams and networked PHRs may lead to a commingling or at least co-existence of data from a variety of sources, including the consumer. It would threaten the consumer's trust in the entire network if the PHR were used as the source of information, no matter its origin, that affected an underwriting or employment decision. The Connecting for Health Common Framework policies for health information exchanges prohibit use of information for discriminatory purposes.²  Similarly, employer groups have publicly stated that they will never access individually identifiable information generated and stored in the PHR services that they offer to their employees.

Recommended Practice

The preferred practice is to guarantee that none of the information made accessible to or from the consumer's application – that is, none of the consumer data stream – can ever be used to discriminate against consumers. In addition to complying with all anti-discrimination laws and regulations, all entities that access information in a consumer data stream should make public statements, and develop internal practices against using information in consumer data streams for purposes of discrimination. When appropriate, Consumer Access Services and PHRs should include anti-discrimination clauses in their contracts with partners. The best means of preventing information from being used for discrimination is to put in place strong policies and access control procedures.

It is noted that some organizations, particularly HIPAA-Covered Entities such as health plans and self-insured employers, collect personal health information to perform their business operations (i.e., as part of the business data stream) as well as offer Consumer Access Services. In addition to complying with all anti-discrimination laws and regulations, such organizations should use prudent practices such as implementing a "firewall" between consumer data streams and business data streams in order to prevent even the appearance of being able to use information in consumer data streams for purposes of discrimination.

Compelled Disclosures

According to the chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics: "Each year, as a condition of applying for employment, insurance, loans, and other programs, millions of individuals are compelled to sign authorizations permitting employers, insurers, banks, and others to access their personal health information for non-medical purposes. These authorizations are nominally voluntary; individuals are not required to sign them, but if they do not, they will not be considered for the particular job, insurance policy, loan, or benefit. In addition, for most of these authorizations, no limits are placed on the scope of the information disclosed or the duration of the authorization."³ 

Few laws or regulations place limits on such compelled disclosures. To date, most information released under such circumstances comes from what we call business data streams, e.g., from official medical records, etc.

If consumer data streams and PHRs are opened to such compelled authorizations, it will seriously undermine the public confidence in these new tools. If consumers fear that information in their networked PHR must be released to third parties considering their applications for employment, benefits, loans, etc., many will avoid health information services that might otherwise help them manage their health.

Recommended Practice

Absent statutory protection from compelled disclosures, the emerging industry of Consumer Access Services should take a strong public and legal stand against third parties seeking to make their own access to consumer data streams and networked PHR information a condition of an individual's employment, benefits, or other services important to the well-being of individuals.

__________

1. Lake Research Partners and American Viewpoint, commissioned by Connecting for Health. Survey Finds Americans Want Electronic Personal Health Information to Improve Own Health Care. December 2006. Available online at the following URL: http://www.markle.org/publications/1214-survey-finds-americans-want-electronic-personal-health-information-improve-own-hea.
2. Connecting for Health Common Framework, Model Privacy Policies and Procedures for Health Information Exchange. June 2006, p. 10-11. Available online at: http://www.markle.org/sites/default/files/P2_Model_PrivPol.pdf.
3. Rothstein, Mark, June 2006 Letter to HHS Secretary Leavitt. Accessed online on October 9, 2007, at the following URL: http://www.ncvhs.hhs.gov/060622lt.htm. See also Compelled Disclosure of Health Information: Protecting Against the Greatest Potential Threat to Privacy. JAMA, Volume 295(24), 28 June 2006, p. 2882-2885.