Apost-mortem report on the now-defunct Santa Barbara County Care Data Exchange found that patient privacy was among its weak points. “Liability-related disputes increased when tests showed that several data providers had sent confidential information to the exchange — including information about HIV patients and minors — thereby violating privacy laws,” stated an August 2007 report by the California HealthCare Foundation.

The Santa Barbara situation is not unusual. Across the country, health information exchanges (HIEs) are grappling with privacy and related security and ID authentication issues. Differences over how legislation should address privacy concerns also have slowed work on health information technology bills in Congress.

“The federal government is trying to help define how patient information can be shared with the appropriate protections without mandating how it should be done,” explains Shannah Koss, vice president of Washington, D.C., consulting firm Avalere Health LLC. “But some privacy advocates feel the federal government hasn't done enough and are pushing legislative proposals around this.”

Working groups sponsored by the federal government, such as the Health Information Security and Privacy Collaboration (HISPC), are making steady progress on a tangle of legal and regulatory concerns. “Yet we are still a long way from nationwide common privacy and security standards, especially as they deal with RHIOs,” stresses health privacy and security consultant Chris Apgar, the former HIPAA compliance officer with Providence Health Plans (Portland, Ore.).

The president of Apgar and Associates in Portland says HISPC's first phase found a lack of trust between providers. “There is no mechanism for authentication,” he says. If a physician in rural Oregon sends his patient to Oregon Health and Science University hospital in Portland, and then calls the hospital to ask how the patient is doing, how can OHSU authenticate that the person calling really is the patient's primary care doctor? “They have real liability concerns around that,” Apgar says.

Situations like the one in Santa Barbara spurred members in the statewide CalRHIO process in October 2007 to form the California Privacy and Security Advisory Board (CalPSAB), a collaborative process to identify health information privacy and security standards and policies.

“We realized that the reason some efforts died is that they got mired in legal and privacy issues, and once attorneys got involved it just paralyzed the effort,” says Cassie Birnbaum, director of health information and privacy officer at the 233-bed Rady Children's Hospital of San Diego, a CalRHIO participant.

As health information exchange policy standards continue to emerge in 2008, there's a growing consensus that privacy issues need to be addressed in the early stages of collaboration, and it is essential that the process be as inclusive as possible.

Surveys of CalRHIO participants showed why CalPSAB's creation was necessary, says Birnbaum, who also co-chairs the Certification Commission for Healthcare Information Technology (CCHIT) Privacy and Compliance Expert Panel. “There was no consensus on how to handle consent for inclusion in a patient record locator, for instance,” she says. “So there is still a lot of work to be done, but if you don't work through those things before the launch, you are setting yourself up for failure.”

Yet when they do ask for early input, health information exchange groups find that the average consumer sometimes isn't all that concerned. That's not true for more specific areas, such as mental health, where the desire for privacy may be much higher. “But often they have legitimate concerns,” Apgar says, “or they will point out laws you have to follow.” For instance, in Oregon providers must have specific permission from patients to share any mental health information. Apgar says mental health advocates have valid questions for RHIOs — “how are you going to guarantee you are meeting those privacy statutes?”

Another part of the privacy equation will come from CCHIT encouraging software vendors to create easier ways to identify and redact sensitive information from patient records, Apgar says. “What we are seeing some providers do now is print out hard copies, redact sensitive information by hand and then fax it, which is not the most elegant of solutions.”

On the individual healthcare organization level, some CIOs and privacy officers are taking a proactive approach to monitoring their workforce's access to patient health information. At Rady Children's Hospital of San Diego, Birnbaum has helped establish a privacy subcommittee of the board, a detailed methodology for investigating any breaches, and a strong educational program. Birnbaum says a series of audits turned up cases of inappropriate access and suggested where more employee education and better safeguards were necessary.

“Security isn't just techies sitting in a room monitoring systems,” Apgar says. “You have to teach appropriate behaviors. Employees have to know enough not to open a laptop with protected patient data at a Starbucks where everyone walking past can read over their shoulder.”