CCHIT Not Good Enough for Privacy?

A stamp of approval from the Certification Commission for Healthcare Information Technology (CCHIT) is not enough to guarantee that electronic health records can provide adequate protection of patient information, according to Deborah Peel, MD.

Peel, founder and chair of Patient Privacy Rights, a non-profit foundation based in Austin, TX, recently announced that she will be expanding the foundation’s initiative with a new EHR certification organization called Privacy Rights Certified.

“It is an educational foundation because our purpose is to inform the public about what kinds of health technology are truly safe,” Peel says. “We also want to educate the industry about what specific kinds of protections need to be built into EHRs.”

Although the new organization doesn’t have a website or logo yet, it is moving forward quickly. Certification will begin within the next 60 days, says Peel.

Certification Looks at Vendor Privacy Practices

Vendors that volunteer for privacy certification must complete two steps. First, the company must sign a legal document attesting that its product meets the foundation’s privacy principles. Those principles state that vendors may not sell patient information or maintain secret databases. They must provide notice of any security breaches. They must advise consumers that they can choose whether to share their information. The company must also document how it will handle complaints.

“That first part is a legal and public statement that, in effect, creates a contract,” Peel explains.

The second component of certification is a third-party audit of the company’s product. If the auditor determines that the vendor’s product sufficiently protects patient data, that company receives a seal of approval, says Peel.

Two vendors have volunteered to be privacy certification candidates – Microsoft and e-MDs. Peel says she was shocked when Microsoft stepped forward from a group of large vendors approached a couple of years ago. Among those companies were GE, Intel, Cerner, and Google.

“We asked vendors, ‘Do you want to build a product that strengthens and ensures legal rights and protections, or one that acts as a superhighway for data mining?’” Peel says. “We were not expecting Microsoft to be so responsive, but we’re very grateful. Hopefully, that will really help to put this certification out there.”

Certification Offers Market Benefits, Peel Says

Privacy certification will provide a market advantage, Peel says, as consumers become more aware of the vulnerability of their information.

The foundation plans to aggressively market the certification. It will offer a recognizable seal that can be displayed in hospitals and physicians’ offices, alerting patients that their data is protected. “We want them to see the seal and, right away, know that their records are safe,” she adds.

The number one concern for most patients is privacy, says Peel, and many consumers don’t realize that they don’t actually own their own data. Creating a separate, independent body to examine EHRs and make sure they protect patient controls is an important first step, she explains.

Privacy Rights Certified will eventually certify personal health records as well. PHRs are even more vulnerable to data mining because they are often pulled together and aggregated by consumers and have no real legal protections, Peel says.

Founder Hopes Government Will Create Requirements

Peel is also hopeful that as Privacy Rights Certified gains momentum, the government may create stipulations and requirements that will encourage vendors to seek certification. For instance, under the exception to the Stark law and safe harbor under the anti-kickback statute, the government allows hospitals to donate interoperable EHRs to physicians, provided those systems are certified by CCHIT.

“I definitely think that’s the direction we’re moving in,” says Peel. “Representatives from the government have already contacted us and asked us to send them what we are doing. It’s clear to them that these privacy principles are out there, but are not being used.”

Peel says she has spoken with Jodi Daniel, director of the Office of Policy and Research in the Office of the National Coordinator for Health Information Technology, and has also been in contact with other officials from HHS who are interested in health information privacy.

“The message we’re getting from all of this attention and cooperation is that privacy does sell,” Peel says. “We’re convinced that not only would this assurance of privacy help the products in the market, but it will help the data flow. We’ve been inundated by companies that want a seal they can put on a product to tell customers, ‘We are the good guys.’”