Part two of a two-part series

The online culture is changing, shifting toward affording individuals more control over their personal information, as evidenced by the rollout last week of revisions to the privacy and security policies and technological framework by Facebook, a popular personal media site.

Privacy and IT industry experts interviewed for this story say the fine-grained levels of personal control incorporated by Facebook demonstrate a “proof of concept” that a similar, so-called “granular” consent-management system could provide a template for personalized privacy protection in the healthcare industry.

For now, though, both policymakers at HHS and members of Congress are wrestling with a number of national health information privacy issues, including, but not limited to, those involving patient consent management.

Time is of the essence as HHS is under growing pressure to implement an estimated $34 billion electronic health-record subsidy program under the American Recovery and Reinvestment Act of 2009.

Linchpin definitions are due to be released this month on the “meaningful use” criteria that providers must meet to be eligible for the EHR subsidies. And yet, key privacy and security policies and rules also required under the stimulus law are not yet firmly in place.

In August, HHS issued a controversial interim final rule to flesh out a new federal healthcare data breach-notification scheme mandated by the stimulus law. Six House leaders responded critically to the new breach rule in an Oct. 1 letter to HHS Secretary Kathleen Sebelius. The legislators called for either the revision or withdrawal of portions of the rule, which privacy advocates contend weakened the breach notification law and the legislators said violated the will of Congress.

In October, David Blumenthal, the physician head of HHS’ Office of the National Coordinator for Health Information Technology, ordered the creation of a privacy and security work group under the auspices of the Health IT Policy Committee. He also called for a pause in the work of that committee, a federal advisory panel created under the stimulus law.

Blumenthal said the time out was needed because ONC officials realized, when it came to privacy and security, the nation didn’t have “a set of principles that make sense.”

The privacy and security work group met for the first time Tuesday via conference call in a meeting closed to the public. The ONC has not responded to multiple requests to explain why this and other work group meetings were held outside of public view, or why a portion of a scheduled future work group meeting will be held behind closed doors.

In a privacy policy prepared under Blumenthal’s predecessor at the ONC, physician Robert Kolodner, privacy was defined as patients’ “interest” in controlling access to their healthcare information. But a list of IT privacy policy recommendations submitted in June 2006 by the National Committee on Health and Vital Statistics included a definition of privacy taken from the Institute of Medicine that defined privacy as a patient’s “right” to control the disclosure of his or her healthcare information.

Aside from the definition of privacy, another privacy “hump” to get over is how to implement the provision in the stimulus law that will require hospitals, physicians, pharmacies and other “covered entities” as defined under the Health Insurance Portability and Accountability Act of 1996 to honor a patient’s request not to disclose to payers treatment information if the patient pays out-of-pocket for healthcare. That consent requirement was added to existing federal law on information about a patient’s treatment at federally supported-care programs for patients with drug, alcohol and mental health problems. That information can’t be moved without the patient’s consent.

All of these requirements point toward the need to add switching capabilities in electronic systems to accommodate these patient controls.

Heretofore, patient control, if it is accommodated at all by healthcare IT systems, is often reduced to a binary choice of either the patient opts in or out of a data-sharing network. Anything further has been deemed too cumbersome, too complicated, particularly for patients, too costly and, finally, technologically infeasible.

And yet, Facebook always has had granular privacy functionality to control access to a user’s information as they see fit, according to Ruchi Sanghvi, the social media site’s product manager for privacy, in a message introducing the new privacy controls rolled out last week after a beta testing launch this summer.

With the new technology, Facebook users also will be able to “choose an audience for each piece of content” they post at the time they post it. The first time members use this new function, they will receive a message from Facebook explaining how it works.

“We’re also taking this opportunity to require all 350 million people who use Facebook to review and update their settings,” Sanghvi said.

Kevin Bankston, a senior staff lawyer specializing in free speech and privacy law with the Electronic Frontier Foundation, gave the changes a mixed grade. In a review of the new Facebook policy posted Wednesday on the foundation’s Web site, Bankston lauded the effort to simplify what had been “Facebook’s notoriously complex privacy settings.”

“Perhaps most importantly,” Bankston wrote, “Facebook has added a feature that we and many others have long advocated for: the ability to define the privacy of your Facebook content on a per-post basis. So, for example, if you only want your close friends to see a particular photo, or only your business colleagues to see a particular status update, you can do that “using a simple drop-down menu that lets you define who will see that piece of content.”

But Bankston and other reviewers he quotes have worries about the default settings on the radio buttons used in the new design that typically switch a user’s existing and possibly more stringent privacy settings to a share with “everyone” option.

Privacy advocate Pam Dixon said she agrees with Bankston, “The default settings could have been better.” But, she said, “The granular controls, that is where the culture is headed, so we have to experiment with it.”

“This throws the bar very high for the healthcare sector,” Dixon said. “It says, “Quit complaining the technology isn’t there yet.’ I don’t think healthcare gets to hide behind, “Oh, this can’t be done, it’s too expensive.’”

“If Facebook can allow hundreds of thousands of user to redact, per post, why can’t we in healthcare? There is no reason,” she said.