Return-Path: [log in to unmask]
Received: from comet.ccs.yorku.ca (comet.ccs.yorku.ca [130.63.235.31]) by suntan.ccs.yorku.ca (8.8.7/8.8.5) with ESMTP id KAA13488 for <[log in to unmask]>; Fri, 30 Jan 1998 10:58:14 -0500 (EST)
Received: from comet.ccs.yorku.ca (comet.ccs.yorku.ca [130.63.235.31]) by comet.ccs.yorku.ca (8.8.5/8.6.12) with ESMTP id KAA08709; Fri, 30 Jan 1998 10:46:19 -0500 (EST)
Received: from YORKU.CA by YORKU.CA (LISTSERV-TCP/IP release 1.8c) with spool
          id 1778348 for [log in to unmask]; Fri, 30 Jan 1998 10:46:18 -0500
Received: from suntan.ccs.yorku.ca
          ([log in to unmask]
          [130.63.236.89]) by comet.ccs.yorku.ca (8.8.5/8.6.12) with ESMTP id
          KAA07510 for <[log in to unmask]>; Fri, 30 Jan 1998 10:34:20
          -0500 (EST)
Received: from smtp1.erols.com (smtp1.erols.com [207.172.3.234]) by
          suntan.ccs.yorku.ca (8.8.7/8.8.5) with ESMTP id KAA06841 for
          <[log in to unmask]>; Fri, 30 Jan 1998 10:34:17 -0500 (EST)
Received: from anyad (207-172-40-21.s21.tnt11.ann.erols.com [207.172.40.21]) by
          smtp1.erols.com (8.8.8/8.8.5) with SMTP id KAA04850 for
          <[log in to unmask]>; Fri, 30 Jan 1998 10:35:20 -0500 (EST)
X-Mailer: Mozilla 3.01C-KIT  (Win95; I)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <[log in to unmask]>
Date:         Fri, 30 Jan 1998 10:25:33 -0500
Reply-To: [log in to unmask]
Sender: "Health Informatics in Int'l Development" <[log in to unmask]>
From: Dennis Melamed <[log in to unmask]>
Organization: Melamedia Editorial Services
Subject:      Health Information Privacy
To: [log in to unmask]

Health Information Privacy Alert
Update-Jan. 30, 1998


HCFA REVIEWS BAN
ON INTERNET TRANSMISSION OF BENEFICIARY DATA

HMOs and other vendors on contract to the Health Care Financing
Administration should continue to avoid the Internet as a medium for
sending Medicare and Medicaid beneficiary data, the agency informed
companies late last year. HCFA information security officials said
current encryption technologies were still not adequate to provide the
privacy protection required. Electronic transfers of data are allowable
only if the company has its own dedicated line and server.

However, HCFA is reviewing its policy in the wake of continuing
inquiries from the field. No deadline for a revised policy has been set,
and HCFA security systems managers also note that they do not want to
impose requirements they cannot enforce.


HUMAN RESOURCES OPERATIONS THREATENED BY E.U. PRIVACY DIRECTIVE,
LACK OF U.S. ACTION
U.S. firms with European operations could see their human resources
records entangled by an E.U. directive requiring more restrictive
handling of health data. Once the directive takes effect in October,
data flows of all sorts may be circumscribed if E.U. officials decide a
non-E.U. country's privacy protections are not equivalent to Western
European privacy safeguards.

When a nation lacks a comprehensive privacy law analogous to the E.U.'s,
the Europeans will look at how that country protects data in specific
sectors. If they decide that data do not receive sufficient protection
in a given area, they may bar transfer of such information between
Europe and the affected country.

The E.U. directive puts a strong emphasis on the protection of health
information, including company records related to employee health
benefits. If the E.U. implements its directive as forcefully as
possible, U.S.-based companies operating on the Continent would have to
make significant adjustments in their operations. The warning about
human resources files came from Peter Swire and Robert Litan, authors of
a forthcoming Brookings Institution book on the directive's impact
around the world.


EU DIRECTIVE CASTS SHADOW OVER
U.S. PHARMACEUTICAL, MEDICAL DEVICE MANUFACTURERS

U.S.-based drug and medical device marketing and research could be
severely disrupted when the European Union privacy directive takes
effect in October, even though the directive offers a few carefully
worded exemptions.

That is the word from authors of a forthcoming Brookings Institution
book on the directive's implications for the U.S. and other nations.
Controls on data transfer from Europe to third countries such as the
U.S. do not apply when the information is being used "for the purpose of
historical or scientific research" or for the practice of "preventative
medicine" by health professionals, note Peter Swire and Robert Litan,
whose book, None of Your Business: World Data Flows, Electronic
Commerce, and the European Privacy Directive, will appear this spring.
Swire teaches law at Ohio State University; Litan heads the economics
studies program at the Brookings Institution, which will publish their
book.

As a result of the directive's broad exclusions for information used in
research and treatment, clinical data for new pharmaceuticals or devices
- assembly of which can consume more than a decade and involve many
researchers working in numerous countries - may escape constraints
delineated in the directive.


NCVHS TOLD MORE SAFEGUARDS NEEDED ON REGISTRIES

Patient registries, such as those operated by patient advocacy groups,
are protected only by an unwritten code of ethics, and may need the
defenses that would be required by a health information privacy law,
patients' rights advocates told the National Committee on Vital and
Health Statistics.

Many of the groups that make up the National Organization for Rare
Diseases (NORD) maintain data bases, whether to facilitate mutual
support activities, speed communication of news about those conditions,
or function as working registries to record and analyze morbidity and
mortality data, said NORD spokesman Michael Langan.

However, the only bulwark against misuse of personally identifiable
information such as names, addresses, and telephone numbers is an
informal code of ethics, Langan told the Subcommittee on Privacy and
Confidentiality during a Jan. 29 roundtable discussion of what
constitutes a registry. "Our member organizations have the names,
addresses, and telephone numbers of hundreds of thousands of people with
rare diseases," he said, estimating his organization represents 20
million patients.

"They have provided that information voluntarily, because they have a
great deal of trust," he said. "There is no way to explain how that
trust developed except by our record. They know that their names are not
going to land on the front page of the local paper as a result of any
action of ours."


CONTROLS ON PERSONAL IDENTIFIERS
PROVE ELUSIVE

Creating a regime to define and control personally identifiable
information in health records is proving a daunting task for lawmakers,
regulators and consultants. The difficulty will increase as Congress
edges closer to protecting medical records confidentiality.

A roundtable on the issue's complexity was convened in late January by
the National Committee on Vital and Health Statistics. The leading
congressional proposals dance around the issue in different ways, but
wind up sharing an inescapable ambiguity, said panel chairman Robert
Gellman. Controllers of government data do little better than their
counterparts in private industry in their efforts to put labels and
parameters on the concept; they respond to the challenge by creating
entities to review data requests case by case. The National Center for
Health Statistics, for example, wrote a checklist of matters to consider
before releasing data; NCHS uses an intra-agency committee to review
information requests. The problem is intensifying, the privacy
subcommittee learned, as the Internet brings previously remote data
bases within easier reach.


ORGAN PROCUREMENT STYMIED
BY HOSPITAL PRIVACY CONCERNS

Medical records reviews would enhance accuracy in counting donors whose
organs are available to be re-used, but the possibility of having their
records scrutinized unsettles hospitals, the U.S. General Accounting
Office reported. Facility managers are concerned that wider records
review could mean trouble for them over patient privacy.

Improved technology and technique have expanded the population eligible
for transplants. At the end of 1996, the waiting list totaled 50,047,
GAO said. But organ supply has not kept pace, so GAO reviewed the
appropriateness of HCFA's population-based standard. That set of
criteria is supposed to gauge the extent to which organ procurement
organizations are doing their best to identify, procure, and transplant
organs and tissue.

For information on how to subscribe to Health Information Privacy Alert,
send an e-mail to [log in to unmask]