One potentially nettlesome provision of the new omnibus federal healthcare privacy rule involves patient consent rights over the disclosure of their medical information if they self-pay.
The 563-page rule published last month by HHS devotes more than 20 pages to explaining a new provision. The rule says that if a patient pays a provider for a healthcare treatment or service “out of pocket,” the patient can request that the provider or other HIPAA-covered entity not disclose a record of that encounter or service to his or her insurance company, or even a business associate of the health plan, for payment or other healthcare operations, and the provider or other covered entity must comply with the request.
The new rule fleshes out most of the more stringent privacy protections in the HITECH section of the American Recovery and Reinvestment Act of 2009.
The new rule could, and to some technologists as well as privacy advocates should, accelerate the implementation of privacy-protecting technology long under development, including work by the Veterans Affairs Department, the Substance Abuse and Mental Health Services Administration at HHS, and Health Level 7, among others.
The work by the VA and SAMHSA is just one of four pilot projects in the Data Segmentation for Privacy Initiative sponsored by the Office of the National Coordinator for Health Information Technology at HHS, according to lawyer Scott Weinstein, a fellow in the Chief Privacy Office at ONC. Feedback from those pilots will be used by the federally chartered HIT Policy and HIT Standards Committees for possible inclusion in the criteria for the EHR incentive payment programs under the ARRA, Weinstein said.
The rule could have a significant impact on electronic prescribing, now in widespread use. In public comments to HHS privacy rule makers, respondents were “generally unaware of any system that would alert a pharmacy of restrictions electronically,” drafters of the new final privacy rule released in January noted. “In time, more advanced” systems may allow providers to notify pharmacies and other “downstream” providers of a restriction, “but these commenters stressed that such systems are not widely available at this time.”
Meanwhile, computer programmer Duane DeCouteau is jumping up and down waving his hands.
Back in June 2010, DeCouteau joined with developers from six other companies or government organizations in testimony before a privacy workgroup of the federally chartered Health Information Technology Policy Committee, presenting consent management technologies in actual use or under development. One, a web-based system used by 250 providers with the Clinical Management of Behavioral Health Services system in Texas, was more than 10 years old at the time. Back in 2010, the VA and Kaiser Permanente in San Diego were working on a pilot consent management system.
In September, at a Health Level 7 conference in Baltimore, he demonstrated a privacy and security classification and coding system developed by HL7 using the Direct messaging protocol developed by the ONC in collaboration with private-sector partners. The HL7 coding system creates a standardized way for a provider to “tag” sensitive data elements, such as an HIV lab test result, so that software can find them and handle them in keeping with a patient's privacy instructions.
If the technology isn't available by the privacy rule's Sept. 23, 2013 compliance date, rule makers talk about a possible workaround for prescriptions, such as going back to paper records rather than electronic prescribing. That's a bad option, according to DeCouteau.
“The HITECH protections for those who pay for their services, it really puts the onus on the electronic health records,” DeCouteau said. “As far as going back to paper, that doesn't make any sense at all. You should just change the message and say this is being paid out of pocket. The public is not going to buy into going back to the paper process. That's just insane.”
The VA and SAMHSA will be demonstrating the data tagging technology at the Interoperability Showcase at the Healthcare Information and Management Systems Society convention in New Orleans, this time with HL7's privacy coding system.
“This self-pay issue is just another way to make privacy preferences on how they want their information handled,” said Mike Davis, security architect for the Veterans Health Administration, the healthcare arm of the VA, who's been the project leader for DeCouteau. Davis is a member of an HL7 workgroup on data segmentation for privacy. HL7 already has developed a standardized vocabulary of healthcare terms tagged for their sensitivity.
It's working on a Healthcare Privacy and Security Classification system, a “container for the vocabulary,” Davis said, to convey those patient-applied restrictions. “Where we are is, proving the concept, that it can be done. We're showing it's not impossible and it's not hard. The second level you need to show is, can it run in an organization of millions of patients? Well, I'm in an organization that has millions of patients and a need for data segmentation, so it's time. It's past time.”