The authors' wholesale acceptance of the Connecting for Health framework based upon "fair information practices" is misleading and unfortunate. It is misleading because neither the authors nor the Markle Foundation ever get around to explaining to whom these practices are fair or by what standard.
Their acceptance of these practices is unfortunate because the "Core Privacy Principles -- Every information-sharing effort must provide" simply assumes that parties beyond the patient and their health care provider have a legitimate stake in the information collected or generated as a result of a clinical encounter. For example, in explicating the "openness and transparency" principle, the Connecting for Health framework offers "Communicate policies to participants and individuals" and "Involve stakeholders in developing information sharing policies." Who these non-individual participants or stakeholders are supposed to be who have a right to participate in these matters is not specified.
Under the rubric of individual participation and control, the principles include "allow individuals to find out what data have been collected and who has access, and exercise meaningful control over data sharing" and "give individuals access to information about them, and the ability to request corrections and see audit logs." The former certainly sounds as if access precedes control in the normal flow of information and control, and "meaningful control" suggests something between "complete or exclusive control" and "trivial influence on these matters" -- sounding somehow similar to the notion of "being a little bit pregnant."
The entire section on strengthening HIPAA protections seems truly beside the point without including a return to the privacy rule before the need for patient consent for purposes of treatment, payment, and health care operations was eliminated. Interestingly, to this day, every insurance claim form for professional services and every hospital admissions office protocol involves obtaining the patient's signature authorizing the release of clinical information for the purpose of having the claim paid. Experimental research continues to require informed consent and IRB approval. One might argue that by simply appearing with a copy of one's EHR in hand on flash drive or paper, a sort of constructive consent might be assumed.
A final comment on "fair information practices": it fails to deal with care provided by publicly supported substance abuse clinics whose patient privacy is guaranteed by 42 CFR 2, dealing with a separate federal law much more rigorous in reserving to the patient control of information about themselves. Indeed, the framework is not consonant with the laws of at least twelve states, whose privacy protections far exceed those of HIPAA.
I do quite agree with the authors that patient consent by itself is insufficient to protect patient privacy, and that nondiscrimination for refusal to consent should be guaranteed by law.