Blog: Sensitive data still pose special challenges
Before the release of the omnibus privacy rule earlier his year, or passage of the more stringent privacy provisions of the American Recovery and Reinvestment Act of 2009, or even the main federal health information privacy law, the Health Insurance Portability and Accountability Act of 1996, there were state, federal and common law provisions in full force about the handling of particularly sensitive patient information.
That special class of patient information includes patient records about treatment for drug and alcohol abuse, mental health, HIV/AIDs and sickle cell.
A workgroup of the federally chartered Health IT Policy Committee spent the better part of an hour Tuesday going over its recommendations on how to handle the legal and ethical privacy concerns over the exchange of digitized patient records. The gnarliest problem, evidenced by the longest discussion, related to the exchange of these particularly sensitive types of patient information, some with unique legal protections that are far more stringent than the rather lax restrictions under the current HHS interpretation of HIPAA.
Recommendations to the HITPC by its privacy and security tiger team, as the workgroup is officially called, were formally accepted for two of three classes of exchange. From there, they will be forwarded to the Office of the National Coordinator for Health Information Technology at HHS. The HITPC was created by the American Recovery and Reinvestment Act of 2009 to give such advice to the ONC.
Approved were recommendations on routine, “targeted” exchanges between providers with established relationships, exchanges in the paper world long since covered by HIPAA. In these transactions, after a 2002 HHS rewrite of the HIPAA privacy rule, patient consent is no longer required when the exchange occurs for treatment, payment and—this is where the laxity comes in—a host of “other healthcare operations.”
Also approved—after the longest discussion—were recommendations on targeted queries involving those more sensitive types of patient information.
A vote on the third, nontargeted queries, where the provider or other organization issuing the query, requesting patient records, does not have an established business or professional relationship with the record holders, was delayed pending some additional work on the language of the recommendations.
Data holders and requesters must comply with the laws or policies that apply to each type of these more sensitive forms of information, according to Deven McGraw, the tiger team's chairwoman. McGraw, a lawyer, heads the Health Privacy Project for the Center for Democracy and Technology, a Washington think tank.
In some cases, requesters must obtain the patient's consent or authorization prior to a query, McGraw explained. The data holder must have the patient's consent or authorization prior to releasing the information.
“There should be a technical way to facilitate this back and forth communication,” McGraw said. “We think a service for this, a consent management service, could be used for this.”
Ideally, she said, checking a provider's records for a patient's privacy constraint directive or consent document agreement could happen automatically, McGraw said, but it's going to be a challenge. From what we hear, the standards are not necessarily quite mature, but the laws at least today are there.”
“The rules for sensitive data originally were developed for the paper world,” said HITPC member Judith Faulkner, CEO of Epic Systems. “How do we help the vendors be compliant, because the vendors don't know how to do this? It's not that the vendors don't want to be compliant, it's understanding how to do it.”
Fellow committee member Gayle Harrell, a Florida state legislator, conceded that developing the technology to “segment” sensitive data for special handling according to patient consent directives is “a huge problem for vendors, but it's not going to go away, because I can tell you states are not going to change their laws without absolute federal direction.” But if the feds try to pre-empt state privacy laws, “I can tell you they are not going to like it one bit because communities feel very strongly about theses issues.”
Harrell also pointed out that the federal rule covering privacy for drug and alcohol treatment records, commonly referred to by its position in the Code of Federal Regulations, 42 CFR Part 2, attaches the liability for a provider to obtain a patient's consent before sharing the data to the data itself, and so, when that record changes hands, the consent requirement flows with it.
ONC chief Dr. Farzad Mostashari said he would “have to give credit to the VA and SAMSHA” (the Department of Veterans Affairs and HHS' Substance Abuse and Mental Health Services Administration) for their demonstration of technology developed for data segmentation and tagging for patient consent management. Mostashari said he saw the demo at the “Interoperability Showcase,” special exhibit on health IT information exchange at the Health Information and Management Systems Society convention last month in New Orleans.
“I do want to acknowledge that the VA is trying to be a leader” in developing privacy protection technology, said policy committee member Dr. Theresa Cullen, chief medical information officer and acting deputy director of the integrated EHR program management office at the Veterans Health Administration, the VA's healthcare division. “We have been successful, but we are not in production. As we all know, there is a difference to go from a very limited data tagging for attributes for security to a large, standard way to do that from an enterprise perspective. We need to go there and we will.”
The omnibus federal privacy rule released in February, which fleshes out HIPAA privacy and security rule amendments in the ARRA, includes a new wrinkle, enforceable this September, which also adds a technical challenge addressable by data segmentation.
It gives patients the right to insist that their healthcare providers not share records of their healthcare treatment with their insurance plan if the patient pays for that care out of pocket. VA technologists who have developed the software say it can solve the problem.