Are Privacy Standards Enough to Push Electronic Health Records? - Electronic Health Records: Framework Details
Framework Details
The Common Framework is broken up into two major sections. The policy section makes key IT governance and policy recommendations, such as how the IT architecture should be built in a networked health information environment, what kind of authentication should be in place for system administrators, how to match patients with their records without individually identifying them, and what the guidelines are for notifying users when security breaches occur.
The technical section goes into further detail, standardizing how PHR information is to be exchanged. This section includes an architecture implementation guide, technical standards for the expression of medical history and laboratory results, recommendations on data quality assurance, and consumer authentication requirements.
Also in the framework are specifications on how a privacy policy should be written, most notably that it should not exceed a fourth- to sixth-grade reading level, to ensure that legalese does not enter the equation.
The Connecting for Health initiative had more than 30 partners and participants contributing to the framework, which took more than a year of collaboration to finalize. Some found the consensus-building activity of creating the framework so illuminating that they began implementing certain of the privacy principles under discussion before it was rubber-stamped. For example, both Microsoft and Google reported to the committee that they had begun to apply lessons learned through their participation to their new PHR efforts.
"Thanks to the Internet, people can manage their finances, make purchases, book travel and more. However, the same level of access and convenience hasn't been offered for health services, in part, because privacy rules are unclear," Peter Neupert, corporate vice president of Microsoft's Health Solutions group, said in a statement. "This framework is a good start in articulating sensible privacy and security practices around the appropriate handling of personal health information and should help to increase consumer trust and adoption of emerging online health services."
Even if a company had already been following all of the practices laid out by the framework guidelines, some participants, such as Dossia's Evans, say it adds another layer of legitimacy to PHR privacy efforts.
"People need to know that [PHR technology and practices are] totally and completely private, that they can control access and they can decide what to do with it," he says. "We made it very clear to employees that we're not going to loop into the data flow, but as a supplement to our statements, Connecting for Health is a very good external legitimization to prove that we're not making this stuff up; this is sort of an industry movement."
Perhaps the Achilles' heel of the Common Framework is the matter of enforcement. Unlike HIPAA, this standard is not an enforceable government regulation. Nor is there legal and contractual leverage for compliance, as is the case between retailers and credit card companies regarding PCI data security standards.
Instead, the Common Framework depends on the participant's pledge to abide by the rules and a hopeful combination of other means of enforcement.
"I think all of the endorsers agree that there is no one magic bullet [for] effective enforcement. It will have to come from a mix of government regulation, self-regulation and consumer watchdogging," says Dempsey of the Center for Democracy and Technology. "You're going to need some elements of all of that, and certain elements of the framework will be better enforced by different mechanisms."
However, the details on how this will work remain sketchy. Consumer Reports has said that it eventually expects to grade PHRs against the framework, much as it would rank car performance. But government regulators wouldn't get involved until there were actual regulations created by lawmakers to benchmark against.