Harlan Krumholz
Harold H. Hines Jr Professor, Yale Univ; Director, YNHH CORE; Editor-in-Chief, JACC. Working to improve the future for those who follow us...

Jan 28, 2020, 19 tweets

For all the talk #EHR this wk…for those interested, I co-authored a chapter last yr: Nontransparency in Electronic Health Record Systems. In Transparency in Health & Health Care in United States (pp. 273-285). Cambridge University Press. Lots to address. #ONC2020 @ONC_HealthIT

@ONC_HealthIT 'The contracts governing #EHR systems cultivate nontransparency expressly (for example, gag clauses) and indirectly (for example, allocating tort liability in ways that disable the revealing effects of pretrial discovery).’ #ONC2020

@ONC_HealthIT 'The substantive provisions in EHR vendor contracts prevent information relevant to patient safety from being disclosed to or discussed with health care providers who are considering purchasing EHR systems.’ #patientsafety #ONC2020 @ONC_HealthIT

@ONC_HealthIT 'Another powerful piece of leverage vendors have over health care providers who may want to sue is that the vendor can prevent the health care provider from using the #EHR system.'

@ONC_HealthIT 'Nontransparency in the context of EHRs also threatens patient data privacy. EHRs, by their very nature, facilitate new and more extensive forms of data sharing that patients may not have authorized, may not approve of, and may never know occurred.’ #ONC2020 @ONC_HealthIT

@ONC_HealthIT 'Health care providers frequently are entering contracts that allow business associates and EHR vendors to exploit de-identified data.’ 'According to industry lawyers, almost all EHR vendor contracts contain clauses allowing the EHR vendor to de-identify and use the data.'

@ONC_HealthIT 'As an example, one EHR vendor includes following clause in its vendor contracts: “[Vendor] maintains the right to de-identify personal information placed on its Internet site, and to use, disclose, sell and otherwise commercialize de-identified information without restriction."'

@ONC_HealthIT Another #EHR contract: 'Client acknowledges and agrees that de-identified information is not Protected Health Information as defined in the applicable regulations and that [the EHR Vendor] may use such de-identified information for any lawful purpose.’ #ONC2020 @ONC_HealthIT

@ONC_HealthIT 'The normal safeguard for patient privacy is the Privacy Rule, but in the case of deidentified data, the Privacy Rule does nothing to stop business associates or EHR vendors from sharing patients’ information without their authorizations or knowledge.’ #ONC2020 @ONC_HealthIT

@ONC_HealthIT 'the Privacy Rule’s protections, such as a patient’s right to receive an accounting for data disclosures, do not apply to disclosures of de-identified data.’ [but in this era is there really de-identified data … in reality]

@ONC_HealthIT 'Disclosure of de-identified data by business associates and EHR vendors creates a risk of harm to patients because other parties may be able to use the data to re-identify patients.’ #ONC2020 #PrivacyDay

@ONC_HealthIT 'As big data sets become more common & accessible to more people, HIPAA’s rules written more than 10y ago will have increasingly little effect. ...make it more likely that de-identified data obtained through #EHR vendor relationships will be used to reidentify patients.’ #PrivacyDay

@ONC_HealthIT 'In addition... disclosure of de-identified data undermines patient autonomy. Patients may dislike their data contributing to research to which they object..., or they may be adverse to certain commercial enterprises exploiting their data to increase sales.’ #PrivacyDay

@ONC_HealthIT 'Also, by using de-identified data without patient knowledge, business associates and EHR vendors capture considerable value from the data, despite the fact that the health care provider assembled it and the patient ultimately was the source of the data.’ #PrivacyDay #ONC2020

@ONC_HealthIT 'This practice allows many uses of patients’ data to remain hidden. In addition to undermining economic freedoms of patients & providers, creates environment of nontransparency about data uses that are occurring & privacy & reidentification risks to which patients are exposed.'

@ONC_HealthIT ‘...three relatively simple legal interventions could improve patient privacy in this context. First, HIPAA’s accounting for disclosure provision could be amended to require tracking and accounting for disclosures of de-identified information.’ #PrivacyDay #ONC2020

@ONC_HealthIT 'Second, HHS could issue new standard provisions for BAAs that discourage covered entities from allowing business associates to make secondary use of deidentified data.'

@ONC_HealthIT Third...'require health care providers to disclose to patients in plain language 1)terms of their BAAs & #EHR vendor contracts; 2)health care providers’, their business associates’, & their EHR vendors’ practices regarding use, disclosure, & sale of de-identified data.’ #ONC2020

@ONC_HealthIT 'Even after info blocking regulations come into force, transparency challenges that surround #EHR systems, which are multifaceted, will likely require more comprehensive oversight than yet been proposed. Ultimately interests of patients should be central…’ #ONC2020 #PrivacyDay
