The "consumer choice technology" demonstration that the federal Health IT Policy Committee's new privacy and security Tiger Team will host June 29 in Washington aims to showcase projects and systems that address one of healthcare reform's biggest IT challenges: balancing the opportunities of health-information sharing with the need to keep individual patients' data secure.
One such initiative scheduled to be presented is a Web-based record-keeping system called Clinical Management for Behavioral Health Services, developed by the Texas Department of State Health Services.
The CMBHS system is designed to give behavioral-health patients some control over their medical records' release, letting patients mask specific data elements within their records, for example, and decide whether to release their complete medical history to all of their healthcare providers.
Many mental health and drug and alcohol treatment records are covered under federal privacy protections that require patient consent each time the data is transferred. Several states also have patient-consent laws.
Demand for such controls in healthcare IT systems, though, has been muted since a 2002 HHS interpretation of the Health Insurance Portability and Accountability Act's privacy provisions. Under HHS' revision of the 1996 HIPAA privacy rule, covered entities and their business associates received administrative authorization to share patient data for treatment, payment and other healthcare operations without patient consent.
The act, however, does not supersede the federal rule on mental health, drug or alcohol treatment records or more stringent state privacy laws.
Still, the federal government and the health IT industry have made little progress in creating policies or designing IT systems to accommodate existing patient-consent requirements. That could change soon, depending on how privacy policy is set in the coming months.
The long-simmering issue of patient consent was brought to the forefront by the American Recovery and Reinvestment Act of 2009, also known as the stimulus law, which accelerated an interest in data-sharing and patient privacy rights.
On the one hand, to be eligible to receive subsidies for implementing electronic health-record systems, providers must be able to demonstrate that they're sharing information to improve patient care. On the other hand, the stimulus law modifies HIPAA to let patients demand that their records for a specific treatment or service not be shared with their insurance company if they pay for the service out of pocket. The stimulus law also bans the sale of patient data. Commercial data mining, however, has long been a key driver for a more loosely configured data-sharing policy framework.
Federal officials almost ritually affirm that protecting patient privacy is key to developing a national health information exchange system that patients will trust. Doug Fridsma, acting director of the ONC's office of interoperability and standards, said in a June 16 keynote speech at the Government Health IT Conference in Washington, “We always put in here that privacy and security is paramount.” Government “plays an integral role in assuring trust and ensuring privacy and security of health information,” he added.
The ONC, however, has been criticized in years past for paying lip service to privacy. Now, it's under pressure to get a privacy and security policy in place.
The first “payment year” for EHR-system subsidies under the Medicare portion of the stimulus law begins Oct. 1, and the ONC has several priorities—notably, establishing the Stage 1 criteria for meaningful use of EHR systems—demanding its attention. Already, the feds have pushed some privacy and security matters to the back burner while they deal with what they deem to be more pressing concerns in getting the stimulus-law subsidy program up and running.
Fridsma said ONC is “working very closely” with the federal Substance Abuse and Mental Health Services Administration, noting that SAMHSA has $4 million in its budget to address patient confidentiality issues. A solution will not be part of the Stage 1 meaningful-use requirements, Fridsma said.
Meanwhile, apart from establishing the Stage 1 meaningful-use criteria—a task expected to be completed by the CMS this month—HHS is working under its own authority to quickly develop NHIN Connect and NHIN Direct, two information-exchange platforms that providers can use to meet meaningful-use data-sharing requirements.
Asked how the work of the new Tiger Team will be integrated into other federal efforts, which are well under way, Fridsma replied that he'll look to Joy Pritts, ONC's chief privacy officer, for help in integrating privacy policies into the new health IT architecture.
“It's going to be an iterative, incremental approach,” Fridsma said. “We have a lot of moving parts. I've been trying to do as much as I can to support the work that's been going on with Joy's team and to at least keep the channels of communications open.”
All 15 members of the new privacy and security Tiger Team have served on at least one other Health IT Policy Committee or Health IT Standards Committee work group.
McGraw is a co-chair of the new Tiger Team and the former co-chair of the now-on-hiatus Health IT Policy Committee privacy and security workgroup. McGraw is a member of five other ONC work groups, more than any other Tiger Team member, according to membership lists posted on the ONC's website.
The other Tiger Team co-chair is Paul Egerman, the co-founder of health IT systems developer IDX Systems, now a part of GE Healthcare, and of eScription, a transcription services provider sold to Nuance Healthcare Solutions. He also served on the now-dormant Health IT Policy Committee privacy and security work group and serves on four other ONC work groups.