As discussed in the FEHBlog, five members of the AHIC Consumer Empowerment Workgroup dissented against the Workgroup’s recommendation that there should be certification process for personal health records (PHRs). PHRs tend to be created by health plans and insurers based on claims records while electronic health records are created by health care providers. The dissenters argue that the PHR product is immature from a certification standpoint and that certification standards cannot assure privacy and security protections.

Modern Healthcare.com reports that the debate carried over to this week’s HITSP meeting. HITSP is the ANSI organization that creates interoperability standards for health information technology. HITSP has created its own security and privacy workgroup. The article accurately describes the debate as the “chicken-or-egg situation now faced by the government in its efforts to promote IT: Which comes first, the privacy protection policy or the privacy protection IT standards?” The HITSP workgroup is developing privacy and security constructs to support that AHIC work group use cases that have been approved, e.g., the electronic patient registration, electronic diagnostic test results. The HITSP workgroup is studying the patient consent issue which according to the article may be stricter than the HIPAA privacy rule. This reminds me of Governor Bredesen’s warning to the HIMSS conference about which I previously blogged — over complication is becoming a problem.