In a letter to national coordinator of health IT Farzad Mostashari, MD, the committee addressed issues involving the secondary use of EHR data that were raised by HHS' recently proposed rules on the protection of human subjects in medical research. In its advance notice of proposed rulemaking, HHS said that patient consent should be required for any secondary use of patient-identifiable EHR data in healthcare services research.
Following the lead of its security and privacy workgroup, known as the Tiger Team, the Health IT Policy Committee noted that the use of EHR data in this kind of research is essential for healthcare reform, including quality improvement and population health management. To facilitate this work, it said, physicians should be allowed to use individually identifiable data without patient consent to improve healthcare delivery. However, the data would have to remain under the control of the physician or institution.
According to the committee, the rules on secondary use of EHR data should exempt using "provider entities' EHR data for treatment purposes or to evaluate the safety, quality, and effectiveness of prevention and treatment activities." Examples include comparative effectiveness research, early detection of patient safety issues, evaluation of interventions to increase provider compliance with clinical guidelines, and outreach efforts to increase patient adherence to recommended care.
Deven McGraw, chair of the Tiger Team and director of the Health Privacy Project at the Center for Democracy & Technology, told InformationWeek Healthcare that it would be counterproductive to require the same type of patient consent for the use of EHR data in health services research that is required in clinical trials. One reason, she said, is that the type of blanket consent that researchers typically seek from patients does not sufficiently protect how their data is used. So, in her view, it's better to hold physicians and healthcare organizations directly responsible for safeguarding privacy when EHR data is utilized for quality improvement.
Second, she pointed out, it's hard to explain healthcare services research to patients, who tend to think that their providers are already delivering high-quality care. As a result, requiring patient consent can create an unnecessary barrier to efforts that are desperately needed to improve healthcare.
"We need to think about our shared and collective interest in getting healthcare that works better and that delivers value for the amount of money that we're paying. And we need to do all of that in the most privacy-protected way possible. People tend to trust their own doctors and their own institutions with respect to data. If we're doing the data analysis under the control of the institutions we trust, we're accomplishing a lot of good with minimal risk to patient privacy."
But, after the data has been analyzed, McGraw added, all patient identifiers should be removed from the results before they are shared with the public or with other institutions.
She also drew a distinction between two types of comparative effectiveness research. In any randomized, prospective study that compares two drugs or interventions, patient consent must be obtained upfront. But that should not be required where researchers are using retrospective EHR data to compare the outcomes from different treatment approaches, she said.
While advocating that HHS loosen the patient consent rules, the Health IT Policy Committee also recommended that the department enhance privacy protection by incorporating the fair information framework of the Office of the National Coordinator of Health IT. Among the tenets of this framework are: the ability of patients to access and correct their health information; limitations on the number of people who can view the data in the course of research; assurance of data integrity and completeness; and prevention of unauthorized disclosure or use of data.
"At the end of the day, each provider or institution that takes a retrospective look at their EHR data for quality, safety, and effectiveness research is responsible to the public to do it in a responsible way," McGraw concluded. "You don't want to sacrifice that accountability. But you want to do it without regulatory requirements that might pose an obstacle."