To what degree should the federal government hold entities that possess patient data accountable for what they do with the data?

That's a complex question being considered by the Privacy & Security Tiger Team, a new workgroup comprising members of the HIT Policy and Security Committees, which advise the Office of the National Coordinator for Health Information Technology.

The debate intensified on June 22 as Tiger Team workgroup members met to consider recommendations that would require encryption for direct exchanges of data from Point A to Point B, and new limits on the retention and reuse of protected health information. Member also are considering the degree to which intermediaries must track the data, enabling more transparency about who is seeing it and why.

Members early in the debate agree that intermediaries that use patient data--such as clearinghouses, electronic prescribing networks, labs, referral/approval entities, insurers, database/analytics firms and others--need to be much more transparent about what they do with the information.

The concept being put forward is that patients have a right to know what is happening with their data, says National Coordinator David Blumenthal, M.D.  For instance, electronic prescription network operator Surescripts doesn't just move transactions from one point to another. It opens the message, reformats it, uses the data inside to conduct safety and formulary checks, and then transmits the message to the intended recipient.

But Blumenthal notes that Surescripts, after handling a prescription, sends it to a pharmacy which fills the script and then sells the data to pharmaceutical database firm IMS Health or other entities.

That's why workgroup members need to look at data use issues from the perspective of patients, says Gayle Harrell, who represents consumers on the workgroup. "Patients become very disconcerted to learn that their data is sold to another entity for other purposes," she adds. "They need to know that clearly up front."

That raises additional issues for the workgroup, such as whether provider notices of privacy practices should give more detailed explanations of how patient data is used.

This article can also be found at