Most Patients Do Not Know They Are in CRISP

By Christopher Williams, MPH

Southwest Voice Editor-in-Chief and Public Health Educator

Southwest Voice urgently calls for DC Council to initiate an investigation of CRISP DC - a web-based health information exchange application containing highly sensitive information on 1.4 million patients. Few of those patients are likely aware that that their hospital and outpatient data are available beyond their provider's electronic medical record. A CRISP representative stated to us, "Most patients do not know that they are in CRISP." That would suggest that they know even less about their privacy rights — to opt-out, to request a list of people who have viewed their healthcare information, to know that their provider should provide a Notice of Privacy about CRISP participation, or to know that their provider should notify them of unauthorized access. DC Council should immediately seek to assess patients' level of awareness and acceptability about CRISP data sharing, privacy rights, security risks, adequacy of security mitigation protocols, and successful or attempted breaches. It should make a determination whether increasingly common internet threats present a reasonable basis to eschew centralizing patient data of this magnitude across all District hospitals.

Data breaches in the US have doubled in the last five years. Healthcare-related breaches increased 25% in 2020 alone. CRISP DC contains patient data and medical conditions that, if compromised, will have immeasurable harm on patients, particularly where that information may be sold, posted publicly, or made available on the dark web following a partial or full security breach. CRISP DC is a massive data sweep whose goals are ill-defined and do not fall in the scope of a specific public health area of interest. On its website, CRISP DC states that its "main goal is to deliver the right health information to the right place at the right time to enable safe, timely, effective, equitable, and patient-centered care." Given the salient security and privacy concerns, it is not clear why the program is not targeted to a specific public health challenge such as managing care for housing insecure patients or certain vulnerable populations. In addition, a website-based application poses significant concerns with internet cookies that are built specifically to track a user across websites and save information about each user's session.

CRISP DC is a health information exchange that contains highly sensitive information, but provides little public transparency on the number of data points per patient, actual or potential secondary uses, and how patients can request their CRISP record. Over 12,500 healthcare providers and 900 organizations can access patients' health records, imaging results, diagnosis and treatment, medications, discharge summaries, social determinants of health screening in real-time, among a host of other clinical and personal data. There are many limitations and safeguards mentioned in a YouTube demo video such that users will receive a warning if unauthorized access if suspected and that CRISP regularly monitors user behavior. "Certain sensitive information, such as addiction treatment details, can only be shared with your written consent." However, these caveats provide little reassurance to the public. According to the CRISP DC website, all hospitals in the District of Columbia are participating.

CRISP DC was formed in 2016 and is a private Maryland membership corporation which is a 501(c)(3) tax exempt organization. In 2016, DC Mayor Muriel Bowser established the HIE Policy Board to "provide recommendations on the (security) and protected exchange of health information in the District". The Board's meeting minutes and presentation slides are available here. A review of these materials reveals the creation of a data-driven infrastructure and bureaucratic web of complexity that have little direct attention on or demonstration of clinical outcomes and meaningful public health improvement. We are skeptical that more data gathering will yield significant change to affect deep racial health inequity in Washington, DC. What DC lacks is political will to commit to an inclusive public health agenda defined by directly confronting the social determinants of health that are the major barriers to improved public health. It should start by providing a pathway for African Americans to benefit entrepreneurially and in career and skills development from a rapidly growing, gentrified city and to provide robust public funding for strengthening a community health workforce and community leadership development initiatives.

The DC Department of Health Care Finance states that CRISP DC is intended "to improve individual care, population health management, and the public’s health." Yet, aside from providing data on DC's COVID-19 admission rate, it is not clear how the District is using CRISP to improve public health and why it requires de-anonymized data to do this. Southwest Voice could not find any other uses for CRISP or whether the District intends to leverage health data for increasing health resources in vulnerable communities.

We cannot assume that CRISP DC is " infallible and all-powerful," to borrow a phrase from George Orwell's 1984 - a dystopian novel on the cautionary tale of mass surveillance and concentration of state power. The shift in technological advancement should be equally met with legislative oversight and tightening in regulation. The scale and scope of CRISP DC does not justify its potential collection of hundreds of data points per patient. We are gravely concerned that CRISP DC does not position DC to meet the measure for accelerating health equity.