Confidentiality, Privacy & Security Workgroup: June 2007 Meeting Materials

I am responding to questions 4(c) and 1. The working hypothesis is completely unworkable and unenforceable as written.

First, it fails to accurately define privacy. "Privacy" is an individual's right to control the acquisition, uses, or disclosures of any data derived from that individual (irrespective as to whether the data can be tied identifiably to the person, or not). Privacy is far more than anonymity.

The late Senator Daniel Patrick Moynihan had a famous quote about "defining deviancy down."

What the federal government keeps wrongfully doing as to privacy in the health care arena is "defining privacy down." Doing so is wrong, and will not further the goals of a national network.

Second, HIPAA is far too process-oriented to be useful in an interoperability environment. See the article: National Review of HIPAA Compliance Finds Rampant Confusion, Mistakes at http://www.aishealth.com/Bnow/050907a.html

"He also thought that the findings should prompt policymakers to abandon the idea that HIPAA is a useful foundation for a future national network. "Perhaps more than anything, the report strongly suggests that in the rollout of the nationwide health information network, it would be a mistake to put too much reliance on the existing regulatory framework of the Privacy Rule," he said. "New approaches will be needed to deal with the increased scope of health record networks and the interoperability of health records."

What is needed instead, for ANY health information (either anonymized or identifiable), is: (a) control over the use or disclosure placed with the individual; (b) enforcement of that control accomplished through technological, not process-oriented, means; and (c) deviations from that individual control identified and permitted only after societal consensus on the value of overriding privacy in a given instance in favor of a more compelling value (e.g. the need for wound reporting, or biosurveillance).

The "minimum set of confidentiality, privacy, and security protections that [I] think everyone should follow" is technologically based, rendering it (in all but the most narrow, consensusdriven rare circumstances) a technological impossibility to override an individual's control of information (anonymized, or not) about him- or her self.