Electronic Health Records: Framework Details
By Ericka Chickowski | Posted 2008-06-30
Many see the slow uptake of electronic health records, or personal health records (PHR), as a sign of consumer mistrust of privacy practices and security technology.
The Common Framework is broken up into two major sections. The policy section makes key IT governance and policy recommendations, such as how the IT architecture should be built in a networked health information environment, what kind of authentication should be in place for system administrators, how to match patients with their records without individually identifying them, and what the guidelines are for notifying users when security breaches occur.
The technical section goes into further detail, standardizing how PHR information is to be exchanged. This section includes an architecture implementation guide, technical standards for the expression of medical history and laboratory results, recommendations on data quality assurance and consumer authentication requirements.
The Connecting for Health initiative had more than 30 partners and participants contributing to the framework, which took more than a year of collaboration to finalize. Some found the consensus-building activity of creating the framework so illuminating that they began implementing certain discussed privacy principles before it was rubber stamped. For example, both Microsoft and Google reported to the committee that they had begun to use lessons learned through their participation in their new PHR efforts.
"Thanks to the Internet, people can manage their finances, make purchases, book travel and more. However, the same level of access and convenience hasn't been offered for health services, in part, because privacy rules are unclear,” Peter Neupert, corporate vice president of Microsoft’s Health Solutions group, said in a statement. “This framework is a good start in articulating sensible privacy and security practices around the appropriate handling of personal health information and should help to increase consumer trust and adoption of emerging online health services."
Even if a company had already been following all of the practices laid out by the framework guidelines, some participants such as Dossia’s Evans say it adds another layer of legitimacy to PHR privacy efforts.
“People need to know that [PHR technology and practices are] totally and completely private, that they can control access and they can decide what to do with it,” he says. “We made it very clear to employees that we're not going to loop into the data flow, but as a supplement to our statements, Connecting for Health is a very good external legitimization to prove that we're not making this stuff up; this is sort of an industry movement.”
Perhaps the Achilles' heel of the Common Framework is the matter of enforcement. Unlike HIPAA, this standard is not an enforceable government regulation. Nor is there the legal and contractual leverage for compliance that exists between retailers and credit card companies under the PCI data security standards.
Instead, the Common Framework depends on the participant’s pledge to abide by the rules and a hopeful combination of other means of enforcement.
“I think all of the endorsers agree that there is no one magic bullet [for] effective enforcement. It will have to come from a mix of government regulation, self-regulation and consumer watchdogging,” says Dempsey of the Center for Democracy and Technology. “You’re going to need some elements of all of that, and certain elements of the framework will be better enforced by different mechanisms.”
However, the details on how this will work remain sketchy. Consumer Reports has said that it eventually expects to grade PHRs against the framework, much as it would rank car performance. But government regulators wouldn’t get involved until there were actual regulations created by lawmakers to benchmark against.