What do the healthcare information exchanges in all of our neighboring states know that the Connecticut Health Information Technology Exchange does not? Those states realize that it is critical to obtain meaningful consent from citizens before transmitting their information into a state-run exchange and that sensitive health information deserves more, not less, protection.
Why the difference? Perhaps it is because the board of directors is packed with special interests, who appear to be far more concerned with their constituents’ profit and convenience than with maintaining the privacy and security of Connecticut’s citizens, especially our most vulnerable ones, such as those suffering with HIV, mental illness or substance abuse.
There are three simple principles that Connecticut’s exchange needs for a sound foundation: (1) a commitment to obtaining explicit consent from patients, (2) a mandate for robust privacy and security mechanisms and (3) recourse for individuals victimized by a data breach.
To obtain meaningful consent from their citizens, all of Connecticut’s neighbors have adopted an opt-in policy. This requires obtaining unambiguous written permission from patients before their protected healthcare information is transmitted to and possibly stored in an exchange. The HITE-CT has pushed for the reverse – all data will be sent to the exchange unless the patient has explicitly refused to participate. In fact, patients will not actually have to consent to anything. They will just be given a notice of their right not to participate in the exchange.
Worse, to adopt the proposed consent mechanism, Connecticut must first amend all state statutes that currently prohibit transmission or disclosure of very sensitive healthcare information without a patient’s specific and separate written consent. True, the current HITE-CT plan is not to release such information from the exchange without the patient’s authorization, but how reliable is such a promise, especially since the exchange will be operated by an outside service provider? This is yet another level of potential insecurity. Recent breaches of confidential information by consultants to other agencies in Connecticut have called into question the wisdom of outsourcing sensitive functions. There is time to correct this mistake in judgment and insist on the meaningful consent that results from an opt-in policy.
A key part of the federal HITECH Act creates a safe harbor for protected healthcare information that meets particular standards for access, storage and transmission.
For example, if a hacker penetrates a database containing health information encrypted to the specified federal information processing standard, there is no data breach because the actual information cannot be read by the intruders. The same is true for an encrypted network transmission, even over an insecure network such as the public Internet. The Connecticut legislature need only mandate that the HITE and entities connecting to it meet the same standards.
The third principle addresses the remedies available to an individual who has been victimized by the negligence that leads to a data breach. Current state plans offer no recourse to individuals harmed by such a breach. Yet basic fairness dictates that a patient who has suffered material and demonstrable loss should be permitted to sue for damages. Such a provision would do much to assure Connecticut patients that entities participating in the HITE-CT will maintain a high level of security for their electronic health records.
Fortunately, there is a new administration in Hartford and a new sheriff in town at the HITE-CT. As chairperson of the board of directors, the newly sworn-in Commissioner of the Department of Public Health, Dr. Jewel Mullen, has an opportunity to rein in the special interests that have dominated the HITE-CT to date and to work instead on behalf of Connecticut’s citizens. Some effective first steps would be to open the HITE’s increasingly opaque process, and engage in a bona fide dialogue with the people of Connecticut. Let’s see how patients feel about meaningful consent and the privacy of their health information.
Helen George has been a member of the Legal & Policy Committee of the HITE-CT from its inception and is president of Nexus Resources.