By Neil Versel
September 3, 2008 | A former senior advisor in the Department of Health and Human Services (HHS) is heading up the first large-scale effort to certify health-IT products for adherence to privacy standards.
For the past month, William Yasnoff has been the part-time chief executive and a board member of Patient Privacy Certified, a new, nonprofit affiliate of the Patient Privacy Rights Foundation (Austin, Texas). Deborah Peel, the founder and public face of Patient Privacy Rights, is serving as chair of the certification program.
“We come at the same issue from different perspectives,” Yasnoff tells Digital HealthCare & Productivity. Peel, a psychiatrist, has been adamant about protecting the confidentiality of information her patients confide in her, while Yasnoff, an advocate of health record banking, says trust is paramount to building an interoperable nationwide health-IT network.
“In order to make it work, you have to have trust, and in order to have trust, you have to have patient control,” says Yasnoff, the former senior advisor for what was then called the National Health Information Infrastructure at HHS, and now an Arlington, Va.-based consultant with a firm he calls NHII Advisors. “Privacy is absolutely essential to health record banking, and therefore absolutely essential to the success of health-IT,” he says.
For this reason, according to Yasnoff, privacy certification is about helping technology vendors meet consumer expectations for privacy of their health information.
Peel previously said that Microsoft HealthVault would be the first product to go through privacy certification testing and that electronic health records vendor e-MDs also has agreed to participate. Yasnoff says the HealthVault testing should take place fairly soon, though the criteria are “not quite finalized but nearly complete.”
He expects some public documents to be posted to a forthcoming Patient Privacy Certified Web site within 60 to 90 days.
Yasnoff does say, however, that Patient Privacy Certified is making security certification to either HIPAA or ISO 27002 standards a prerequisite for privacy testing. “A building can have good locks, but you can’t give everyone a master key,” he explains. “Our job is to figure out whether the right people are getting the keys and that no wrong people have the keys [to a patient’s health information].”
Privacy policies also must be in clear, easily understood language, with a minimum of passive voice. For example, Yasnoff explains, policies should not say, “This will happen,” but rather explain who is causing the action and why.
The privacy certification program will be funded solely by testing fees, paid in full in advance. “It can’t be large or we will not be able to be successful,” Yasnoff says of the yet-unannounced cost. Interoperability certification of ambulatory EHRs, through the Certification Commission for Health Information Technology (CCHIT), currently costs $28,000 for testing and the first year’s maintenance fees.
While CCHIT certification is good for up to three years, Yasnoff says that the privacy certification program likely will require annual testing as criteria evolve.