One of the largest barriers to widespread data sharing in healthcare is overcoming privacy concerns. Many technical organizations have reduced this complex topic down to passing “consent flags” between systems. Many healthcare providers attempt to skirt the issue altogether by holding up their perceived privacy exemptions based on exchanging information for the delivery of care. These approaches may suffice for a time, but as healthcare information exchange becomes more prevalent, the need for sophisticated management of privacy policies will become very evident. Further, to make significant progress even in the short term, the industry needs to advance some approaches that satisfy very vocal privacy advocates in demonstrating serious considerations for privacy protections. Privacy management is needed at every level, not only at the patient level which often dominates the discussion due to its primary importance. Legislatures need a means to express, monitor and enforce privacy laws concerning clinical data. Similarly, organizations, like hospitals, have internal policies regarding sharing data that need to be represented. Regional collaborations, business associates, service providers, transaction intermediaries, and any other grouping that traffics in sensitive healthcare data will need a way for their policies to be expressed. Further, given the nascent state of healthcare data sharing, policies will likely evolve, giving rise to the need for manageable change procedures for the electronic representation of those policies. Vendor solutions have minimally addressed this variety of privacy management issues in today’s crop of healthcare IT products.
When evaluating a healthcare IT solution, you need to consider several litmus indicators before concluding that your privacy management infrastructure supports data protections appropriately through the expression of privacy directives. The following table lists some of these important considerations.
|
Litmus Indicator |
Description |
|
Privacy-Policy Construction |
Many healthcare IT systems essentially hardcode privacy policies into their applications rather than allow the expression of policies as an administrative function. This means that if policies get more complex over time, it requires software changes to change policies, which is inefficient and expensive. Policies will change rapidly as experience is gained in sharing healthcare data broadly. |
|
Privacy-Policy Enforcement |
While the construction and viewing of privacy policy has value unto itself, being able to have systems enforce policies is much more powerful. Vendor solutions should be able to prevent or allow the flow of healthcare data based on the privacy settings registered with the applications. |
| Data Granularity |
It is important to understand if an IT system can protect portions of a patient’s record, or treats all data the same. For example, can a patient’s HIV status be withheld while other clinical information is shared? Being able to protect select data elements also means that expression of privacy policies will be able to make these distinctions as well, thus enabling a richer vocabulary for |
|
Multiple Stakeholders, Multiple Policies |
There are potentially many organizations and patients in a networked healthcare environment. Each of these may have different tolerances and privacy preferences, and should be able to express them individually rather than be limited to one monolithic policy imposed on the entire network. If multiple sets of privacy policies are allowed, systems need to be able to detect conflicts and resolve them into a clear action on making data available or not. Systems that are not able to facilitate this heterogeneity will force every stakeholder to adopt the same policy at the same time, which may slow network growth. |
GSI Health Can Help You! GSI Health has extensive experience in testing healthcare IT systems, and focuses on data-driven testing for understandable and thorough test batteries. Our consultants can assist you in navigating the issues discussed in this paper, and provide the professional IV&V services you need to properly test your healthcare IT applications and architecture. Our testing methods account for adherence to national standards, and are extensible to accommodate local requirements. To learn more about how GSI Health can help make you successful in deploying a strong quality assurance program as a part of your healthcare IT project, please contact us by phone at 1-888-206-4237 or email HITvision@gsihealth.com.