The work group, known as the privacy and security tiger team, met Monday and released what amounts to a consensus report on its recommendations, said Deven McGraw, co-chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology, a Washington think tank. The Health IT Policy Committee advises the Office of the National Coordinator for Health Information Technology at HHS.
According to the tiger team's
"All entities involved in health information exchange—including providers and third-party service providers like Health Information Organizations (HIOs) and intermediaries—follow the full complement of fair information practices when handling personally identifiable health information," according to the tiger team proposal.
One fair-information practice incorporated by the tiger team in its recommendations is the requirement that there should be "openness and transparency about policies, procedures and technologies that directly affect individuals and/or their individually identifiable health information."
Another fair-information practice cited in the tiger team recommendations involves individual choice: Individuals, it notes, "should be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information." (This is commonly referred to as the individual's right to identifiable health information exchange.)
But the tiger team, while pronouncing that patients should have a choice, also made recommendations that either did not support or limited patient choice under an array of common healthcare scenarios.
For example, the tiger team recommended that healthcare providers—as they do now with paper records—bear the responsibility of maintaining the privacy and security of EHRs. Providers that exchange identifiable patient information "should be required to comply with applicable state and federal privacy and security rules," the team wrote. But for what the tiger team members define as "direct exchange" between a patient's treating providers, the tiger team recommended that patient consent not be required, just as it is no longer required under the privacy rule pursuant to the Health Insurance Portability and Accountability Act of 1996.
Nor should a patient consent requirement be triggered by the direct exchange of particularly sensitive healthcare information.
In a direct exchange, unless otherwise required by certain federal or state laws, "the presence of sensitive data in the information being exchanged does not trigger an additional requirement to obtain the patient's consent in the course of treating a patient," according to the report.
Yet the chief federal privacy rule, a 2003 Bush administration revision of the privacy provisions of HIPAA, provides regulatory permission for the sharing of individually identifiable medical data for treatment, payment and a broad array of other uses lumped under the category of “other” health operations without patient consent. The initial Clinton administration privacy rule required patient consent for treatment, payment and other healthcare operations.
On June 29, the tiger team hosted a daylong conference
in which members heard presentations by private-sector and government developers of seven software systems designed to provide patients with some level of consent management and information control. But the tiger team concluded in subsequent deliberations that systems to provide patients with "granular" control over the exchange of their sensitive information would not meet current patient expectations
because they were either not widely distributed or technologically capable of providing patients with much help. As such, providers were warned not to oversell patients on the protections afforded by current technology, the tiger team concluded. The gist of those sentiments were repeated in the tiger team's final recommendations.
The tiger team, therefore, asked whether and "what actions ONC might take to stimulate innovation and generate more experience about how best to enable patients to make more granular consent decisions." Technology to support more granular patient consent is promising but is still in the early stages of development, the team noted.
“This is an area that should be a priority for ONC to explore further, with a wide vision for possible approaches to providing patients more granular control over the exchange and use of their information,” the report's authors wrote. “The goal in any related endeavor that ONC undertakes should not be a search for possible or theoretical solutions but rather to find evidence for models that have been implemented successfully and in ways that can be demonstrated to be used by patients and fulfill their expectations. ONC and its policy advising bodies should be tracking this issue in an ongoing way and seeking lessons learned from the field as health information exchange matures."
In the interim, the authors continued, "Patient education is paramount: Patients must understand the extent to which their requests can be honored and we encourage setting realistic expectations. This education has implications for providers but also for HIOs and government.”
Tiger team member David McCallie Jr. is a physician and the vice president of medical informatics at Cerner Corp., a Kansas City, Mo.-based developer of health IT systems. At a tiger team meeting this month, McCallie said current health IT systems are capable of parsing out a certain amount of sensitive information but are not yet ready to allow patients to do so.
"As per state law, the EHR vendor generically filters certain 'sensitive results,' " McCallie explained in an e-mail follow up to a question about the systems' capabilities. Data about HIV status and HIV-related drugs and laboratory work, for example, are taken out of the data stream before a patient's health information is sent to his or her personal health record or a health information exchange, he said.
"The filtering is done across all patients but does not support specific filtering at the individual patient level," McCallie said in the e-mail.
Additionally, most if not all EHR systems "support some form of 'role-based' filtering of data to the providers who use the EHR," he said. For these, the filtering is based on the provider's role and relationship to the patient, but generally they do not support the ability of a patient to influence those filter settings via direct control of the EHR's role-based filtering functions, he said. "And if that EHR is used to export data via an automated interface, the filtering is applied to all patients, but not to specific individual patients."
One issue the tiger team did not address was the definition of privacy.
In 2006, the federally chartered National Committee on Vital and Health Statistics, in a letter of recommendations to then-HHS Secretary Mike Leavitt on IT privacy and security matters, offered a definition mirroring that from the Institute of Medicine that privacy was "an individual's right to control the acquisition, uses, or disclosures of his or her identifiable health data."
In late 2008, however, the ONC, in a 12-page Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, defined privacy merely as "an individual's interest in protecting his or her individually identifiable health information and the corresponding obligation of those persons and entities that participate in a network for the purposes of electronic exchange of such information to respect those interests through fair information practices." That definition didn't sit well
with privacy advocates at the time.
Since then, McGraw said, the definition hasn't come up as a question for the tiger team. "I don't think our folks necessarily sees it as a priority," she said.