Healthcare providers with electronic health-record systems will have a new wrinkle to contend with—data segmentation to protect patient privacy—thanks to the newly released omnibus federal privacy and security rule.
HHS' rule released last week puts regulatory flesh on the legislative bones of the more stringent privacy provisions of the American Recovery and Reinvestment Act of 2009. It includes a requirement restoring to patients a limited right of control over the sharing of their healthcare records.
A provision of the rule obliges providers to comply with a patient request that records of a treatment or procedure not be shared with his or her health plan, if the patient pays for that treatment out of pocket and in full.
Most of a patient's federal rights to control the movement of their healthcare records for treatment, payment and other healthcare operations were wiped out in 2002 by a revision by HHS of the privacy rule under the Health Insurance Portability and Accountability Act of 1996. But certain patient-consent requirements remained under federal laws governing treatment of veterans, and for nonveterans, for treatment at federally supported drug and alcohol treatment facilities, and under various state laws, which particularly cover sensitive conditions such as mental health, HIV/AIDS and other sexually transmitted diseases.
The ARRA provision, however, is not disease specific, applying to treatment for any medical condition. The effective date of the new rule is March 25, with compliance required within 180 days.
Federal rule writers recognized that compliance, from a technical standpoint, will be a bit of a sticky wicket.
“Many commenters raised concerns with and requested guidance on how to operationalize a restriction,” they noted. “Several commenters were concerned with having to create separate records to ensure that restricted data is not inadvertently sent to or accessible by the health plan or to manually redact information from the medical record prior to disclosure to a health plan. Commenters argued that having to segregate restricted and unrestricted information or redact restricted information prior to disclosure would be burdensome as such a process would generally have to occur manually, and may result in difficulties with ensuring that treating providers.”
HHS noted this could be particularly problematic with electronic prescribing, since current systems aren't capable of flagging for a downstream pharmacist that the bill for the prescription won't be sent to the patient's insurance plan. Thus, when “the provider electronically sends prescriptions to the pharmacy to be filled, the pharmacy may have already billed the health plan by the time the patient arrives at the pharmacy.”
“We agree that it would be unworkable at this point, given the lack of automated technologies to support such a requirement, to require healthcare providers to notify downstream providers of the fact that an individual has requested a restriction to a health plan,” the rule said.
One suggested workaround would be for providers to revert to writing prescriptions on paper for those individuals wanting to withhold that information. Then, they said, it would be up to the patient carrying the prescription to inform the pharmacy that the prescription information should not be forwarded to their health plan.
Separate record systems are not required, but providers will “need to employ some method to flag or make a notation in the record” that the information is restricted. That shouldn't be an issue, according to HHS, given that HIPAA already requires covered entities to share only the “minimum necessary” amount of patient information to complete a given task, such as claims submission.
“Covered entities should already have in place, and thus be familiar with applying minimum necessary policies and procedures, which require limiting the protected health information disclosed to a health plan to the amount reasonably necessary to achieve the purpose of disclosure,” the final rule said. Thus, according to HHS, providers should already have “mechanisms in place” to limit requested patient records from being disclosed to a health plan.
Compliance is not optional.
A provider that discloses restricted protected health information to a health plan “is making a disclosure in violation of the privacy rule,” the HHS authors said, and is “subject to the imposition of possible criminal penalties, civil monetary penalties or corrective action.”
Meanwhile, some technical help could be on the way.
In September, a consortium of developers working with the Veterans Administration, the Substance Abuse and Mental Health Services Administration of HHS and the Data Segmentation for Privacy Initiative by the Office of the National Coordinator for Health Information Technology at HHS demonstrated the use of meta-data tags to segregate patient records or record segments and constrain them for privacy.
Harry Rhodes, director of health information management solutions at the American Health Information Management Association, is a member of the workgroup on data segmentation coordinated by Health Level Seven, a healthcare standards development organization.
“They've been working pretty much ever since the PCAST came out,” Rhodes said.
The group “is close to delivering on the first phase of this,” methods for meta-data tagging sensitive patient information and for ensuring data provenance, he said. A sensitivity tag could be attached to, say, a lab test result for HIV, while a provenance tag might be affixed to a record from a drug treatment center, for example. “The meta-data tags get attached to the data elements,” Rhodes said. “It actually goes with the information. It can trigger a security safeguard.”
Rhodes said the technology will again be demonstrated at the Interoperability Showcase section at the upcoming Healthcare Information and Management Systems Society trade show in New Orleans in March.