By Vince Kuraitis and Leslie Kelly Hall

The sharing of patient information in the US is out of whack — we lean far too much toward hoarding information vs. sharing it. While care providers have an explicit duty to protect patient confidentiality and privacy, two things are missing:

• the explicit recognition of a corollary duty to share patient information with other providers when doing so is the patient’s interests, and
• a recognition that there is potential tension between the duty to protect patient confidentiality/privacy and the duty to share — with minimal guidance on how to resolve the tension.

In this essay we’ll discuss:

1. A recent recognition in the UK

2. The need for an explicit duty to share patient information in the US

3. Implications of an explicit duty to share patient information in the US

1. A recent recognition in the UK

Last week a long-awaited study commissioned by the Department of Health was released. Here are a few key findings from The Information Governance Review Report (Caldicott Review):

“…safe and appropriate sharing in the interests of the individual’s direct care should be the rule, not the exception.”

People expect the various professionals in the care team to communicate with each other and to share the information that is needed to provide a safe and courteous service. There is no contradiction between demanding that services are rigorous in safeguarding the confidentiality of personal information and enthusiastic about sharing information among members of staff who need to co-operate to optimise the individual’s care. All health and social care organisations must succeed in both respects if they are not to fail the people they exist to serve.

An initial Caldicott Review report in 1997 had recommended 6 widely-accepted principles for information sharing. (See the Appendix for details and references)

The Caldicott Review released last week recommended the addition of a 7th principle — the recognition of an explicit duty to share patient information: 

7. The duty to share information can be as important as the duty to protect patient confidentiality.

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

2. The need for an explicit duty to share patient information in the US

Today many care providers think it’s still OK to hoard patient information.

Hospital CIOs are quoted in trade journals arrogantly proclaiming “Why would I want to share patient information with my competitors?”

FUD (fear, uncertainty, doubt) prevails among care providers. HIPAA — the Health Insurance PORTABILITY and Accountability Act — has had the unintended consequence of making care providers fearful of criminal sanctions if they share information inappropriately.

To date, we haven’t had the technology infrastructure to support sharing.

At best, today the duty to share patient patient is implicit. When duties are conflicting, which one wins out?

• An explicit duty of keeping patient information confidential — codified in HIPAA and many other state and Federal regulations
• An implicit duty to share patient information — something care providers kinda-sorta understand in their heart, but would have a hard time articulating the specifics that are in their head

Hoarding is not OK. We need to create a culture 0f appropriate sharing — a duty to share patient information.

3. Implications of an explicit duty to share patient information in the US

We’ve thought of some examples of where adopting an EXPLICIT duty to share would make a powerful statement.

• The American Medical Association’s Code of Ethics
• The list of advocacy issues of the American Hospital Association
• The Vision, Mission, and Purpose of Commonwell — a recently announced alliance among EHR vendors
• The Health IT Industry Code of Conduct promulgated by athenahealth
• An ONC emphasis on patient engagement and care coordination through the use of the Meaningful Use Objectives
• DIRECTTRUST.org rules of the road
• An HL-7 emerging Longitudinal Care Coordination standard for care plans and other technical standards
• Medicare ACO requirements
• VA Hospitals and TriCare providers code of conduct
• Catholic Healthcare Association Stewardship goals
• Your ideas?

As a starting place, we like the wording of the duty to share principle expressed in the recent Caldicott Review report:

The duty to share information can be as important as the duty to protect patient confidentiality.

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

An explicit recognition of the duty to share has many potential benefits:

• Sends a strong message to care providers about expected behaviors—hoarding patient data is not OK
• Provides protection to providers that want to do the right thing and share patient information in good faith
• Sends a strong message to patients about their rights
• Provides a potential cause of action for patients when their rights are violated
• Creates a more transparent environment

We understand that not everyone will agree with creating an explicit duty to share. That’s OK — we need to start the debate and air the issues.

Finally, we also expect that expressing a general principle of a duty to share likely would lead to many next-level questions and discussions:

1. What actions are sufficient to fulfill a duty of sharing? e.g., Is it sufficient to say “I tried faxing the patient’s info to Dr. Smith twice” vs. “I sent Dr. Smith a DIRECT electronic message and here’s the confirmation.”

2. How should a clinician weigh potentially conflicting duties of sharing patient information vs. protecting patient confidentiality? What if the clinician believes it’s in the patient’s best interests to share information, despite patient expressed preferences for confidentiality?

3. How should provider organizations develop policies and procedures specifying the duty to share?

4. Who is on the patient’s care team? What information should be shared with various members of the team?

5. Can care coordination happen without sharing?

6. If patients knew who what where and when their data was shared beyond their doctor of record, would that allay privacy issues?

7. How might a duty to share vary under differing local health IT architectures, e.g., the availability of push vs. pull (query based)

8. …and many others

Care providers share only two things: patients and information. We must remember that patients are the end, and that information is the means; patients are paramount, information is subordinate. If privacy and confidentiality were held paramount, the patient might sustain harm and unnecessary costs; our health system would continue to be fragmented.

It’s time to do the right thing: let’s create an explicit duty to share patient information.

Vince Kuraitis, JD, MBA, is a health care consultant and primary author of the e-CareManagement blog, where this first appeared. Leslie Kelly Hall is the senior vice president of Healthwise, a nonprofit committed to helping people make better health decisions by partnering with health plans and hospitals to provide consumer friendly patient education.

APPENDIX — The Caldicott Review

History of the Caldicott Principles in the UK (from the Caldicott Review):

In 1997, the Review of the Uses of Patient-Identifiable Information, chaired by Dame Fiona Caldicott, devised six general principles for information governance that could be used by all organisations with access to patient information.

The 1997 report did not consider the issue of whether professionals shared information well, in the interests of patients, because that was not regarded as a problem at the time….There was widespread support for the original Caldicott principles, which are as relevant and appropriate for the health and social care system today as they were for the NHS in 1997. However, evidence received during the review has persuaded the Panel of the need for some updating, and inclusion of an additional principle.

In May 2012, Dame Fiona convened a Panel of 15 experts to conduct the review…. Between May to October 2012, the Panel took evidence from a wide range of stakeholders, holding 49 individual evidence sessions, taking evidence from over 230 people and receiving more than 200 pieces of written evidence.

The revised list of Caldicott principles therefore reads:

1. Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

2. Don’t use personal confidential data unless it is absolutely necessary

Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

4. Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

5. Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data — both clinical and non-clinical staff — are made fully aware of their responsibilities and obligations to respect patient confidentiality.

6. Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

7. (NEW) The duty to share information can be as important as the duty to protect patient confidentiality.

Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

ADDITIONAL INFORMATION

Review recommends duty to share data when in patient’s best interests
BMJ; April 25, 2013

Health Secretary to strengthen patient privacy on confidential data use
Press release, Gov.UK, Department of Health; April 26, 2013

Information: to share or not to share?
Caldicott2 Website, UK Department of Health

Caldicott: NHS workers should ‘have the confidence to share information’
‘As important as duty to protect patient confidentiality’
The Register; April 26, 2013

Caldicott recommends ‘duty to share’
ehi Primary Care; April 11, 2013

This Is A Really Interesting Development In Information Sharing. The UK Adds A Duty To Share Information – With Safeguards
Australian Health Information Technology; April 28, 2013