Health Care's Digital Privacy Debate

A new study points to distrust in government and private industry when it comes to electronic health records.

As President Obama has learned over the last year, Americans tend to get angry when you try to fix the country’s dysfunctional health care system. But even as the national debate over universal coverage drags on, there's another sticky issue ahead for health reform: digital privacy.

In a study released Monday by the privacy-focused Ponemon Institute, Americans registered a deep distrust of anyone in either the federal government or private industry who might store digital health records like those that the Obama administration has encouraged hospitals to create. Of the 868 Americans surveyed about their views on digitizing and storing health records, only 27% said they would trust a federal agency to store or access the data--the same percentage as those who would trust a technology firm like Google, Microsoft or General Electric.

That distrust, says the Institute's director Larry Ponemon, could represent a roadblock to the Obama administration's push for electronic health records, backed up by $19 billion in grants included in the economic stimulus package passed last February. "The takeaway message is that people still care about privacy," says Ponemon. "There's a lot of angst around centralizing this information, no matter whether it's managed by private enterprise or government."

To be fair, the current plan being discussed by the U.S. Department of Health and Human Services (HHS) likely wouldn't centralize health records in any single federal database. Instead, it would create a national network between smaller databases at hospitals, insurers and potentially Web-based portals run by Google, Microsoft or GE that could share the information over the Internet.

In fact, 71% of respondents to Ponemon's survey were amenable to letting hospitals, clinics or physicians store their health records. And 99% said a patient's own doctor should be able to access his or her digital health records stored in a national system. But only 38% said that a federal government agency should be able to access those records, and only 11% thought that private businesses should have access.

That means the biggest controversy over electronic health records may be aimed at tech companies' projects such as Microsoft's HealthVault or Google Health, both of which are designed to act as online interfaces to a Web user's medical information. Asked to rate the sensitivity of various types of personal information, users rated health records as far more sensitive than other information they typically share with Web companies. On a scale from one to seven, medical data received an average rating of 6.64, while credit card information received only a 4.27 and online search records just a 1.86.

Privacy concerns around electronic health records haven't taken Congress by surprise. The stimulus bill passed in February called for the Federal Trade Commission (FTC) and HHS to create new rules for how health records should be handled. Those restrictions would require consumers to be notified by mail about a possible exposure of their data any time their information left a company or agency's control, not just when there would be a "reasonable risk of harm," as most states' breach disclosure laws are worded.

But Pam Dixon, director of the World Privacy Forum, says those new rules still aren't enough. Though the FTC's strengthened protections would govern private companies, hospitals and insurers would fall under the far looser regulations created in May by HHS. Those rules allow a hospital or insurer to avoid breach disclosures if an audit firm decides that a breach didn't constitute a real privacy risk. "Health and Human Services have really watered down the provisions meant to protect patient privacy in the digital era," Dixon says.

Given the public's distrust of so many players in the medical ecosystem, she says that consumers need to be allowed to keep any sensitive information they choose out of a network that shares data between hospitals or insurers. "We're looking at a situation where you go to a doctor and your data can be exchanged with other doctors, other hospitals, or even government agencies inside or outside your state," she says. "Right now, we don't have the right to say no to that activity. And that's where the big privacy fight is happening."

Originally written by: Andy Greenberg at www.forbes.com/2010/01/25/digital-privacy-ponemon-technology-cio-network-healthcare.html